ACE Chapter 71 of 101, Objective 5.2

Security Command Center (SCC)

This chapter covers Security Command Center (SCC), Google Cloud's centralized security and risk management platform. For the ACE exam, you must understand SCC's core components: Security Health Analytics, Event Threat Detection, Container Threat Detection, and Web Security Scanner. Expect 2-3 exam questions on SCC topics, focusing on its capabilities, finding types, and how it integrates with other Google Cloud services like Cloud Logging and Pub/Sub. You will not be asked to configure SCC at depth, but you must know what it does, its pricing tiers, and how to remediate common findings.

25 min read
Intermediate
Updated May 31, 2026

SCC as a 24/7 Security Guard with AI

Security Command Center (SCC) is like hiring a 24/7 security guard for a corporate campus that has multiple buildings (Google Cloud projects). The guard continuously patrols, checks all doors and windows (scans for misconfigurations), watches security cameras (monitors logs and telemetry), and has a list of known intruder profiles (threat intelligence). When the guard spots a door left unlocked (a vulnerability like an open firewall port), they immediately log it in the incident report (create a finding). For high-severity issues, like a broken lock on the vault (a critical misconfiguration), the guard triggers an alarm that directly calls the security chief (Cloud Pub/Sub notification to Security Operations team). The guard also uses AI-powered facial recognition (threat detection) to spot a person whose face matches a known wanted criminal (malware signature) and immediately alerts the entire security team (automated response via Security Health Analytics and Event Threat Detection). Importantly, the guard maintains a centralized incident log (SCC dashboard) that provides a single pane of glass for all security events across the entire campus, rather than each building having its own separate guard with no coordination. This unified view is critical for compliance audits (e.g., PCI DSS, SOC 2) because it proves that all buildings are monitored consistently.

How It Actually Works

What is Security Command Center (SCC)?

Security Command Center (SCC) is Google Cloud's built-in security and risk management platform. It provides a centralized dashboard for detecting, preventing, and responding to threats across your Google Cloud organization. SCC ingests data from multiple sources – including Google Cloud services, third-party integrations, and partner technologies – to give you a unified view of your security posture.

SCC operates at two levels: the organization level (recommended for enterprise) and the project level. The organization-level SCC provides cross-project visibility, which is critical for compliance and governance. The exam expects you to know that SCC is enabled at the organization level to get the most value.

How SCC Works Internally

SCC collects and analyzes telemetry from several built-in services:

Security Health Analytics: Scans your Google Cloud resources (Compute Engine, Cloud Storage, IAM, etc.) against a set of security best practices. For example, it detects public buckets, firewall rules that allow 0.0.0.0/0 on SSH (port 22), and IAM roles that are overly permissive. Each detection is a finding.

Event Threat Detection (ETD): Analyzes Cloud Logging logs for suspicious activity, such as brute-force SSH attempts, cryptocurrency mining, and malware. ETD uses machine learning models to detect anomalies.

Container Threat Detection: Monitors Kubernetes clusters for threats like privilege escalation, reverse shells, and container escape attempts. It requires the Security Monitoring feature to be enabled on the cluster.

Web Security Scanner: Scans App Engine, Compute Engine, and GKE for common web vulnerabilities like XSS, Flash injection, and outdated libraries. It is a free, limited scanner.

SCC findings are stored in the Security Command Center API and can be exported to Cloud Pub/Sub for integration with SIEMs or automated remediation workflows. Findings have a severity (CRITICAL, HIGH, MEDIUM, LOW) and a category (e.g., PUBLIC_BUCKET_ACL, OPEN_FIREWALL).

Key Components and Defaults

Pricing Tiers: SCC offers two tiers: Standard (free) and Premium (paid). Standard includes Security Health Analytics and Web Security Scanner with limited features. Premium adds Event Threat Detection, Container Threat Detection, and additional Security Health Analytics capabilities like vulnerability scanning and sensitive data protection. The exam often asks which tier is needed for specific features.

Findings: Each finding has a name, category, source, severity, and state (ACTIVE or INACTIVE). ACTIVE findings are unresolved; INACTIVE means they've been muted or resolved.

Mute Findings: You can mute findings individually or via mute rules based on filters. Muted findings are excluded from active counts.

Notifications: Use Cloud Pub/Sub to send notifications for findings. Create a notification config that filters by severity or category.

IAM Roles: securitycenter.admin, securitycenter.viewer, and securitycenter.findingEditor are key roles. securitycenter.admin grants full access; viewer is read-only.

Configuration and Verification Commands

To grant a user the SCC admin role at the organization level (this grants access to SCC; activating the service itself is done from the Security Command Center page in the Console, as described in the Walk-Through below):

gcloud organizations add-iam-policy-binding ORG_ID \
    --member='user:admin@example.com' \
    --role='roles/securitycenter.admin'

To list findings:

gcloud scc findings list --organization=ORG_ID

To update a finding state:

gcloud scc findings update FINDING_NAME --state=INACTIVE

To create a mute rule:

gcloud scc muteconfigs create my-mute-rule \
    --organization=ORG_ID \
    --description='Mute low severity' \
    --filter='severity="LOW"'
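Mute rules and notification configs use the same SCC filter syntax, so it helps to see how a filter is applied to findings and what "excluded from active counts" means. The following Python is an added example, not code from this chapter or from Google: it implements a small evaluator for the subset of the filter syntax this chapter uses (attribute = value, != value, the contains operator :, joined with AND and OR, no parentheses), applies a set of mute configs to constructed findings, and computes the active counts per severity. The finding records, mute config names and filter strings are constructed for illustration; treating : as a plain substring match is a simplification of the real operator.

```python
import re
from collections import Counter

# One comparison clause: attribute, operator (=, != or the "contains" operator :), quoted value.
_CLAUSE = re.compile(r'^\s*(\w+)\s*(!=|=|:)\s*"([^"]*)"\s*$')


def _clause_matches(finding, clause):
    """Evaluate one comparison against a finding dict; unsupported syntax is an error, not a silent no-match."""
    m = _CLAUSE.match(clause)
    if not m:
        raise ValueError(f"unsupported filter clause: {clause!r}")
    attr, op, value = m.groups()
    actual = str(finding.get(attr, ""))
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    return value in actual  # ':' treated as substring match (simplification of the real operator)


def matches_filter(finding, filter_expr):
    """OR has the lowest precedence and AND binds tighter; parentheses are not supported here."""
    return any(
        all(_clause_matches(finding, c) for c in re.split(r"\s+AND\s+", term))
        for term in re.split(r"\s+OR\s+", filter_expr.strip())
    )


def apply_mute_configs(findings, mute_configs):
    """Annotate each finding with the first mute config whose filter matches it (or None)."""
    annotated = []
    for f in findings:
        muted_by = next((name for name, expr in mute_configs.items() if matches_filter(f, expr)), None)
        annotated.append({**f, "mute": "MUTED" if muted_by else "UNMUTED", "muteConfig": muted_by})
    return annotated


def active_counts(findings, mute_configs):
    """Count ACTIVE, unmuted findings by severity: the numbers the dashboard's active view reflects."""
    return dict(Counter(
        f["severity"] for f in apply_mute_configs(findings, mute_configs)
        if f["state"] == "ACTIVE" and f["mute"] == "UNMUTED"
    ))


# Constructed findings (assumed shapes; the organization, source and resource names are made up).
_SRC = "organizations/123456789012/sources/1111/findings/"
FINDINGS = [
    {"name": _SRC + "f1", "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "ACTIVE",
     "resourceName": "//storage.googleapis.com/acme-public-assets"},
    {"name": _SRC + "f2", "category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/dev-sandbox/global/firewalls/allow-ssh"},
    {"name": _SRC + "f3", "category": "OPEN_FIREWALL", "severity": "LOW", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/prod-web/global/firewalls/allow-http"},
    {"name": _SRC + "f4", "category": "cryptomining", "severity": "CRITICAL", "state": "ACTIVE",
     "resourceName": "//compute.googleapis.com/projects/prod-web/zones/us-central1-a/instances/web-1"},
    {"name": _SRC + "f5", "category": "PUBLIC_BUCKET_ACL", "severity": "HIGH", "state": "INACTIVE",
     "resourceName": "//storage.googleapis.com/acme-old-logs"},
]

# Constructed mute configs: the page's "mute all LOW" rule plus one scoped to a dev project.
MUTE_CONFIGS = {
    "mute-low": 'severity="LOW"',
    "mute-dev-firewalls": 'category="OPEN_FIREWALL" AND resourceName:"dev-"',
}

# A notification-config style filter: critical findings, or anything in an OPEN_* category.
NOTIFY_FILTER = 'severity="CRITICAL" OR category:"OPEN_"'

if __name__ == "__main__":
    for f in apply_mute_configs(FINDINGS, MUTE_CONFIGS):
        print(f["name"].rsplit("/", 1)[-1], f["severity"], f["state"], f["mute"], f["muteConfig"])
    print("active counts:", active_counts(FINDINGS, MUTE_CONFIGS))
    print("would notify:", [f["name"].rsplit("/", 1)[-1] for f in FINDINGS if matches_filter(f, NOTIFY_FILTER)])
```

Note that an INACTIVE finding (f5) never appears in the active counts regardless of mute rules, and that a muted finding is still stored and still matches a notification filter; muting only changes what the active view shows.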

Integration with Related Technologies

Cloud Logging: ETD reads logs from Cloud Logging. You must have audit logs enabled (Admin Read, Data Access) for ETD to work.

Cloud Pub/Sub: Notifications are sent via Pub/Sub. You create a topic and subscription, then configure SCC to publish findings to that topic.

Cloud Asset Inventory: SCC findings can be correlated with asset inventory data.

Partner Integrations: SCC integrates with third-party security tools like Splunk, Palo Alto Networks, and Qualys via the Security Command Center API.

Trap Patterns on the Exam

Confusing SCC Standard vs Premium: Standard includes Security Health Analytics and Web Security Scanner only. Premium includes Event Threat Detection and Container Threat Detection. A common wrong answer is that Event Threat Detection is available in Standard.

Believing SCC automatically remediates: SCC detects and alerts, but does not automatically fix issues. You must use Cloud Functions or other automation to remediate.

Thinking SCC works at the project level only: While you can enable SCC at the project level, organization-level is required for full features and cross-project visibility. The exam emphasizes organization-level deployment.

Misunderstanding findings vs logs: Findings are high-level alerts; logs are raw events. ETD generates findings from logs, but you cannot view logs directly in SCC – you need Cloud Logging.

Step-by-Step: How SCC Processes a Finding

1. Telemetry Collection: SCC's built-in scanners (e.g., Security Health Analytics) continuously scan your Google Cloud resources. For example, it checks all Cloud Storage buckets for public access.

2. Detection Engine: The scanner compares the resource configuration against a set of rules. If a bucket has allUsers as a member, it triggers a finding with category PUBLIC_BUCKET_ACL.

3. Finding Creation: SCC creates a finding object with details: resource name, category, severity (HIGH for public bucket), and state (ACTIVE). The finding is stored in the SCC API.

4. Notification (Optional): If you have configured a Pub/Sub notification, SCC publishes the finding to the topic. The Pub/Sub message includes the finding JSON.

5. Dashboard Update: The finding appears in the SCC dashboard. You can filter by severity, category, or project.

6. Remediation: You (or an automated process) take action, e.g., change the bucket ACL. After remediation, you mark the finding as INACTIVE or use a mute rule.
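To make steps 1 to 3 concrete, here is an added Python example (not code from this chapter or from Google's Security Health Analytics) that mimics the scan and detection loop: it walks a constructed inventory of bucket IAM policies and firewall rules, applies the two rules this chapter names (a bucket granting a role to allUsers or allAuthenticatedUsers; an ingress firewall rule that allows TCP port 22 from 0.0.0.0/0) and emits finding-like records with the category, severity and state fields described above. The inventory, the check logic and the HIGH severity for both checks are my assumptions; the category names are the ones this chapter uses, and real Security Health Analytics detectors assign their own severities and names.

```python
# Added example: a toy version of the Security Health Analytics scan loop (assumed logic, constructed data).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
SSH_PORT = 22


def _covers_port(allowed_entry, port):
    """True if a firewall 'allowed' entry permits the given TCP port (no 'ports' key means every port)."""
    proto = allowed_entry.get("IPProtocol", "").lower()
    if proto not in ("tcp", "all"):
        return False
    ports = allowed_entry.get("ports")
    if not ports:
        return True
    for spec in ports:  # entries are "22" or ranges like "20-30"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _finding(resource_name, category, properties):
    # Severity HIGH for both checks follows this chapter's description; real detectors set their own.
    return {"resourceName": resource_name, "category": category, "severity": "HIGH",
            "state": "ACTIVE", "sourceProperties": properties}


def check_public_bucket(bucket):
    """PUBLIC_BUCKET_ACL: any IAM binding on the bucket that grants a role to allUsers or allAuthenticatedUsers."""
    public = sorted({m for b in bucket["iamPolicy"].get("bindings", [])
                     for m in b.get("members", []) if m in PUBLIC_PRINCIPALS})
    if not public:
        return None
    return _finding(f"//storage.googleapis.com/{bucket['name']}", "PUBLIC_BUCKET_ACL", {"publicMembers": public})


def check_open_ssh(rule):
    """OPEN_FIREWALL (this chapter's name): an enabled INGRESS rule reachable from 0.0.0.0/0 that allows TCP/22."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return None
    if "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return None
    if not any(_covers_port(a, SSH_PORT) for a in rule.get("allowed", [])):
        return None
    name = f"//compute.googleapis.com/projects/{rule['project']}/global/firewalls/{rule['name']}"
    return _finding(name, "OPEN_FIREWALL", {"openPort": SSH_PORT, "sourceRanges": rule["sourceRanges"]})


def run_scan(inventory):
    """Apply every check to every resource and return the findings, as the detection engine step does."""
    findings = [check_public_bucket(b) for b in inventory["buckets"]]
    findings += [check_open_ssh(r) for r in inventory["firewalls"]]
    return [f for f in findings if f is not None]


# Constructed inventory: project, bucket and rule names are made up for this example.
INVENTORY = {
    "buckets": [
        {"name": "acme-public-assets", "iamPolicy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}},
        {"name": "acme-private-data", "iamPolicy": {"bindings": [
            {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]}]}},
    ],
    "firewalls": [
        {"project": "acme-prod", "name": "allow-ssh-anywhere", "direction": "INGRESS",
         "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        {"project": "acme-prod", "name": "allow-ssh-office", "direction": "INGRESS",
         "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        {"project": "acme-prod", "name": "allow-low-ports", "direction": "INGRESS",
         "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-30"]}]},
        {"project": "acme-prod", "name": "allow-ssh-disabled", "direction": "INGRESS", "disabled": True,
         "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
        {"project": "acme-prod", "name": "allow-https", "direction": "INGRESS",
         "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    ],
}

if __name__ == "__main__":
    for f in run_scan(INVENTORY):
        print(f["severity"], f["category"], f["resourceName"], f["sourceProperties"])
```

The port-range and disabled-rule cases are the ones a naive check gets wrong: a rule allowing "20-30" exposes SSH just as "22" does, while a disabled rule exposes nothing and should not generate a finding.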

Step-by-Step: Enabling Event Threat Detection

1. Enable SCC Premium: At the organization level, enable the Premium tier. This activates ETD.

2. Enable Audit Logs: Ensure Admin Read and Data Access audit logs are enabled for the services you want to monitor. ETD reads these logs.

3. Configure Notification: Create a Pub/Sub topic and subscription. Then create a notification config in SCC with a filter (e.g., severity="HIGH").

4. Monitor Findings: ETD automatically generates findings for suspicious activities like ssh_brute_force, cryptomining, and malware. You can view them in the SCC dashboard.

5. Respond: Use Cloud Functions to automatically respond. For example, a function that listens to the Pub/Sub topic and isolates a compromised VM by removing its external IP.

Step-by-Step: Using Web Security Scanner

1. Enable SCC: Web Security Scanner is available in both Standard and Premium.

2. Configure Scanner: You can scan a specific App Engine service, Compute Engine instance, or GKE ingress. Define the starting URL.

3. Run Scan: The scanner crawls the URL and tests for vulnerabilities like XSS, mixed content, and outdated libraries.

4. View Findings: Findings appear in SCC with category XSS, MIXED_CONTENT, etc.

5. Remediate: Fix the code or configuration and re-scan.

Walk-Through

1. Enable SCC at Organization Level

Navigate to the Security Command Center page in the Google Cloud Console. Click 'Enable' and select the organization. For full features, choose the Premium tier. This activates Security Health Analytics and Web Security Scanner immediately. For Event Threat Detection and Container Threat Detection, additional steps are needed. Organization-level enablement is critical for cross-project visibility and compliance reporting; without it, you cannot see findings across all projects in one dashboard.

2. Configure Security Health Analytics

Security Health Analytics runs automatically once SCC is enabled. It scans all supported resources across your projects. You can view findings in the 'Findings' tab. To reduce noise, create mute rules for low-severity findings. For example, mute all LOW severity findings globally. The scanner runs continuously, so new findings appear as soon as a misconfiguration is detected. You can also use the `gcloud scc findings list` command to query findings programmatically.

3. Enable Event Threat Detection (ETD)

ETD requires the Premium tier. Ensure that Cloud Logging is enabled and that audit logs are being collected. ETD analyzes logs for threats like brute force SSH, cryptocurrency mining, and malware. It uses machine learning to detect anomalies. Findings appear in SCC with categories like `ssh_brute_force`, `cryptomining`, and `malware`. You can configure notifications via Pub/Sub to send critical findings to a SIEM or trigger automated responses.

4. Set Up Pub/Sub Notifications

Create a Pub/Sub topic and subscription. Then, in SCC, create a notification config. Specify a filter to control which findings trigger notifications. For example, filter by severity=CRITICAL or category starts with 'OPEN_'. The notification config is associated with the organization or a project. When a matching finding is created, SCC publishes a JSON message to the topic. You can then use Cloud Functions or other subscribers to take action.

5. Remediate Findings and Automate

For each finding, determine the appropriate remediation. For example, a public bucket finding can be fixed by removing `allUsers` from the bucket ACL. You can automate this with Cloud Functions: a function triggered by Pub/Sub can parse the finding and call the Cloud Storage API to fix the ACL. After remediation, update the finding state to INACTIVE or use a mute rule. Regularly review findings to maintain a secure posture.
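The Pub/Sub subscriber described in walk-through steps 4 and 5 (and in step 5 of the ETD procedure above) is the piece most candidates never see written down. The following Python is an added example, not code from this chapter or from Google: it decodes the base64 message body of a Pub/Sub message, extracts the finding JSON, applies a severity threshold, and maps the finding's category to a remediation plan. For a PUBLIC_BUCKET_ACL finding it computes the bucket IAM policy with allUsers and allAuthenticatedUsers removed as a pure function; a deployed Cloud Function would pass that result to the Cloud Storage set-IAM-policy call, which is left out here so the example runs offline. The message shape (a top-level finding object inside the notification JSON), the finding fields, the bucket policies and all names are constructed for illustration.

```python
import base64
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def decode_notification(pubsub_message):
    """Return the finding carried in a Pub/Sub message dict ({'data': base64, 'attributes': {...}})."""
    try:
        payload = json.loads(base64.b64decode(pubsub_message["data"]).decode("utf-8"))
    except (KeyError, ValueError, UnicodeDecodeError) as exc:
        raise ValueError(f"not an SCC notification: {exc}") from exc
    if "finding" not in payload:
        raise ValueError("notification has no 'finding' field")
    return payload["finding"]


def scrub_public_access(policy):
    """Copy of a bucket IAM policy with public principals removed; bindings left empty are dropped."""
    bindings = []
    for b in policy.get("bindings", []):
        members = [m for m in b.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if members:
            bindings.append({**b, "members": members})
    return {**policy, "bindings": bindings}  # etag is kept so the write is conditional on the policy we read


def plan_remediation(finding, min_severity="HIGH"):
    """Decide what the automation may do for this finding; anything unrecognised is escalated to a human."""
    if finding.get("state") != "ACTIVE":
        return {"action": "ignore", "reason": "finding is not ACTIVE"}
    if SEVERITY_RANK.get(finding.get("severity"), -1) < SEVERITY_RANK[min_severity]:
        return {"action": "ignore", "reason": "below severity threshold"}
    category = finding.get("category")
    resource = finding.get("resourceName", "")
    if category == "PUBLIC_BUCKET_ACL":
        # Fully automatable: fix the ACL, then mark the finding INACTIVE (step 6 of the finding lifecycle).
        return {"action": "remove_public_access", "bucket": resource.rsplit("/", 1)[-1], "then_set_state": "INACTIVE"}
    if category in ("cryptomining", "malware"):
        # Contain only; the finding stays ACTIVE until the incident response team closes it.
        return {"action": "isolate_vm", "resource": resource, "then_set_state": None}
    return {"action": "escalate", "resource": resource, "category": category}


def handle(pubsub_message, current_bucket_policies):
    """Entry point a Cloud Function would call: decode, plan, and compute the corrected policy if needed."""
    plan = plan_remediation(decode_notification(pubsub_message))
    if plan["action"] == "remove_public_access":
        plan["new_policy"] = scrub_public_access(current_bucket_policies[plan["bucket"]])
    return plan


# Constructed sample notification (organization, source and bucket names are made up).
SAMPLE_FINDING = {
    "name": "organizations/123456789012/sources/1111/findings/abc123",
    "parent": "organizations/123456789012/sources/1111",
    "resourceName": "//storage.googleapis.com/acme-public-assets",
    "state": "ACTIVE",
    "category": "PUBLIC_BUCKET_ACL",
    "severity": "HIGH",
    "eventTime": "2026-05-31T12:00:00Z",
}
SAMPLE_MESSAGE = {
    "data": base64.b64encode(json.dumps({
        "notificationConfigName": "organizations/123456789012/notificationConfigs/scc-to-remediation",
        "finding": SAMPLE_FINDING,
    }).encode()).decode(),
    "attributes": {},
}
# Constructed current bucket policies, standing in for what the Cloud Storage API would return.
SAMPLE_POLICIES = {
    "acme-public-assets": {
        "bindings": [
            {"role": "roles/storage.objectViewer", "members": ["allUsers", "group:web-team@example.com"]},
            {"role": "roles/storage.legacyBucketReader", "members": ["allAuthenticatedUsers"]},
        ],
        "etag": "BwXyz",
    }
}

if __name__ == "__main__":
    print(json.dumps(handle(SAMPLE_MESSAGE, SAMPLE_POLICIES), indent=2))
```

The severity threshold and the explicit "escalate" default are deliberate: an automated responder should only act on categories it was written for, and a malformed or unexpected message should raise rather than be silently acknowledged off the subscription.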

What This Looks Like on the Job

Enterprise Scenario 1: Compliance Monitoring for PCI DSS

A financial services company must comply with PCI DSS. They use SCC Premium to continuously monitor their Google Cloud environment. Security Health Analytics detects public Cloud Storage buckets, open firewall rules (e.g., port 22 open to 0.0.0.0/0), and overly permissive IAM roles. These findings are exported via Pub/Sub to a SIEM (Splunk) for audit trails. The security team has set up Cloud Functions that automatically remediate certain findings: for example, if a bucket becomes public, a function removes public access and logs the event. SCC's centralized dashboard provides the evidence needed for quarterly PCI audits. Without SCC, the team would have to manually check each project, which is error-prone and time-consuming.

Enterprise Scenario 2: Threat Detection for a SaaS Platform

A SaaS company runs workloads on GKE and Compute Engine. They enable SCC Premium to detect threats in real time. Event Threat Detection alerts them to a cryptocurrency mining incident: a container is using excessive CPU and network traffic matching known mining patterns. The finding includes the resource name and suspicious IP addresses. The security team has a Cloud Function that automatically shuts down the compromised VM and creates a support ticket. Container Threat Detection also catches a privilege escalation attempt in a Kubernetes pod. The team uses SCC's integration with Cloud Logging to drill down into the raw logs for forensic analysis. This proactive detection prevents billing spikes and data breaches.

Enterprise Scenario 3: Web Application Security Scanning

An e-commerce company uses App Engine for their web application. They enable Web Security Scanner (included in SCC Standard) to scan their application for common vulnerabilities. The scanner finds an XSS vulnerability in a product search endpoint. The finding is categorized as XSS with severity HIGH. The development team fixes the input validation and re-scans. The scanner also detects mixed content (HTTP resources loaded on HTTPS pages). The team updates the references to HTTPS. Regular scanning helps them maintain a secure application and pass penetration testing requirements for their insurance policy.

How ACE Actually Tests This

What the ACE Exam Tests on SCC (Objective 5.2)

The ACE exam expects you to:

Identify the capabilities of SCC (Security Health Analytics, Event Threat Detection, Container Threat Detection, Web Security Scanner).

Differentiate between Standard and Premium tiers.

Understand that SCC findings are generated by built-in scanners and can be exported via Pub/Sub.

Know that SCC can be enabled at the organization or project level, but organization-level is recommended.

Recognize that SCC does NOT automatically remediate – it only detects and alerts.

Common Wrong Answers and Why Candidates Choose Them

1. "SCC automatically fixes security issues." – This is wrong because SCC is a detection and notification tool, not a remediation tool. Candidates assume that because it's a "security command center," it can take action. The correct answer is that SCC detects issues; you must use other tools (e.g., Cloud Functions, manual steps) to fix them.

2. "Event Threat Detection is available in the Standard tier." – This is incorrect. ETD is a Premium feature. Candidates confuse it with Security Health Analytics, which is in Standard.

3. "SCC can only be enabled at the project level." – While you can enable it at the project level, the exam emphasizes organization-level for full features. Candidates may think project-level is sufficient, but the correct answer is organization-level.

4. "Web Security Scanner scans all resources automatically." – Web Security Scanner must be configured with a starting URL; it does not auto-scan everything. Candidates assume it works like Security Health Analytics.

Specific Numbers and Terms to Memorize

Tiers: Standard (free) includes Security Health Analytics and Web Security Scanner. Premium adds Event Threat Detection and Container Threat Detection.

Finding Categories: PUBLIC_BUCKET_ACL, OPEN_FIREWALL, SSH_BRUTE_FORCE, CRYPTOMINING, MALWARE, XSS.

Severities: CRITICAL, HIGH, MEDIUM, LOW.

IAM Roles: roles/securitycenter.admin, roles/securitycenter.viewer, roles/securitycenter.findingEditor.

Notification: Uses Cloud Pub/Sub.

Edge Cases and Exam Traps

If a question asks about detecting a container escape, the correct answer is Container Threat Detection (Premium).

If a question asks about scanning a web app for XSS, the answer is Web Security Scanner (available in both tiers).

If a question asks about monitoring for crypto mining, the answer is Event Threat Detection (Premium).

If a question asks about viewing findings across all projects, you must enable SCC at the organization level.

How to Eliminate Wrong Answers

If the question mentions "automatic remediation," eliminate that answer – SCC does not remediate.

If the question mentions "Event Threat Detection" and the scenario does not mention Premium, check if the answer implies it's free; it's not.

If the question asks for a tool to detect misconfigurations, think Security Health Analytics.

If the question asks for a tool to detect threats in logs, think Event Threat Detection.

Key Takeaways

SCC is a centralized security management platform that detects misconfigurations and threats across Google Cloud.

Security Health Analytics scans for misconfigurations (e.g., public buckets, open firewalls) and is included in both Standard and Premium tiers.

Event Threat Detection and Container Threat Detection are Premium-only features that analyze logs and container behavior for threats.

Web Security Scanner scans web applications for vulnerabilities like XSS and is available in both tiers.

SCC findings can be exported via Cloud Pub/Sub for integration with SIEMs or automated remediation.

SCC does NOT automatically remediate findings; you must take action manually or via automation.

Enable SCC at the organization level for cross-project visibility and full features.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SCC Standard Tier

Free of charge

Includes Security Health Analytics and Web Security Scanner

Limited to configuration scanning and basic web scanning

No threat detection from logs or containers

Suitable for small projects with basic compliance needs

SCC Premium Tier

Paid tier (per-project or per-organization pricing)

Adds Event Threat Detection and Container Threat Detection

Includes advanced Security Health Analytics features (e.g., vulnerability scanning, sensitive data protection)

Provides real-time threat detection from logs and containers

Required for enterprise security operations and compliance

Watch Out for These

Mistake: SCC automatically fixes security misconfigurations.
Correct: SCC only detects and notifies; it does not take corrective action. You must use other services (e.g., Cloud Functions, manual changes) to remediate findings.

Mistake: Event Threat Detection is available in the free Standard tier.
Correct: Event Threat Detection requires the Premium tier. Standard tier includes only Security Health Analytics and Web Security Scanner.

Mistake: SCC can only be enabled at the project level.
Correct: SCC can be enabled at both project and organization levels, but organization-level is recommended for cross-project visibility and compliance.

Mistake: Web Security Scanner automatically scans all web resources in the project.
Correct: Web Security Scanner must be configured with a specific starting URL. It does not auto-discover all web resources.

Mistake: SCC findings are stored in Cloud Logging.
Correct: Findings are stored in the SCC API and displayed in the SCC dashboard. They are not stored in Cloud Logging, though ETD uses Cloud Logging as a source.


Frequently Asked Questions

What is the difference between SCC Standard and Premium?

SCC Standard is free and includes Security Health Analytics (misconfiguration scanning) and Web Security Scanner. Premium is paid and adds Event Threat Detection (log analysis for threats like crypto mining and brute force), Container Threat Detection (Kubernetes threat detection), and advanced Security Health Analytics features (vulnerability scanning, sensitive data protection). For the ACE exam, remember that Event Threat Detection and Container Threat Detection are Premium-only.

Can SCC automatically fix security issues?

No, SCC only detects and alerts on security issues. It does not automatically remediate. You must use other Google Cloud services (e.g., Cloud Functions triggered by Pub/Sub) or manual steps to fix findings. The exam tests this distinction – do not choose an answer that says SCC automatically fixes things.

How do I get notifications for SCC findings?

You configure a notification config in SCC that publishes findings to a Cloud Pub/Sub topic. You can filter by severity, category, or resource. Then, you can have a subscriber (e.g., Cloud Function, SIEM) process the notifications. This is a common exam scenario – remember that Pub/Sub is the notification channel.

What is the difference between a finding and a log?

A finding is a high-level security alert generated by SCC (e.g., 'public bucket detected'). It includes metadata like severity and category. A log is a raw event from a resource (e.g., Cloud Logging entry). Event Threat Detection analyzes logs to create findings. Findings are stored in SCC; logs are stored in Cloud Logging. The exam may ask which service to use for raw log analysis – that's Cloud Logging, not SCC.

Can I use SCC at the project level?

Yes, you can enable SCC at the project level, but it is not recommended for enterprise use. Organization-level SCC provides a single dashboard for all projects, cross-project findings, and better compliance reporting. The exam emphasizes organization-level enablement.

What IAM roles are needed to view SCC findings?

The `roles/securitycenter.viewer` role grants read-only access to findings. `roles/securitycenter.admin` grants full access (view, edit, mute). `roles/securitycenter.findingEditor` allows editing findings (e.g., changing state). The exam may ask which role to assign to a security analyst who only needs to view findings – answer is `securitycenter.viewer`.

Does Web Security Scanner scan all URLs in my project?

No, you must specify a starting URL for the scan. The scanner crawls from that URL. It does not scan all resources automatically. The exam may present a scenario where a web app is not being scanned – the likely issue is that the scanner was not configured with the correct starting URL.

