Google Cloud — Security Command Center
Guide to Google Cloud Security Command Center covering threat detection, vulnerability scanning, asset inventory, security health analytics, and finding management..
20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.
- ✓Google Cloud organization with admin access, gcloud CLI installed and configured, Python 3.8+ with google-cloud-securitycenter and google-cloud-storage libraries, basic knowledge of IAM and GCP resource hierarchy, familiarity with Pub/Sub and Cloud Functions
Security Command Center is like having a specialized tool that handles the heavy lifting so you don't have to build and manage the underlying infrastructure yourself — it just works with Google Cloud.
Security Command Center (SCC) is GCP's centralized security and risk management platform. It provides visibility into your cloud assets, detects misconfigurations and vulnerabilities, and surfaces active threats. As organizations adopt multi-project architectures, SCC becomes essential for maintaining a unified security posture across the entire organization.
Why Security Command Center Exists
Google Cloud Security Command Center (SCC) is not a dashboard you open once a quarter. It's a continuous monitoring and risk assessment platform that aggregates findings from over 150 Google-managed services and third-party integrations. In production, we've seen teams treat SCC as a passive report generator, only to miss active exfiltration because they never configured real-time notifications. SCC's value is in its ability to surface misconfigurations, vulnerabilities, and threats in near real-time, but only if you wire it into your incident response pipeline. Without proper integration, SCC becomes a noise generator. The platform supports two tiers: Standard (free, limited to asset inventory and basic findings) and Premium (paid, adds threat detection, event threat detection, and container threat detection). For any production environment handling sensitive data, Premium is non-negotiable. The cost is trivial compared to the cost of a breach.
Asset Discovery and Inventory Management
SCC automatically discovers and inventories all Google Cloud resources within your organization, including projects, folders, Compute Engine instances, Cloud Storage buckets, and IAM policies. This inventory is the foundation for all security analysis. However, the default discovery can be slow—up to 24 hours for new resources. In production, we force a rescan after provisioning critical infrastructure using the API. Asset inventory also surfaces relationships, like which service accounts have access to which buckets, which is invaluable for attack path analysis. One common pitfall is that SCC does not discover resources in projects that are not part of the organization hierarchy. Ensure all projects are under the organization node. Also, note that asset inventory is updated every 12-24 hours by default; for real-time needs, use the Asset Inventory API directly with a watcher.
Understanding Findings and Severity Levels
Findings are the core of SCC—they represent potential security issues detected by various services. Each finding has a severity (CRITICAL, HIGH, MEDIUM, LOW), a category (e.g., OPEN_BUCKET, WEAK_SSL, MALWARE), and a source (e.g., Security Health Analytics, Event Threat Detection, Container Threat Detection). In production, the volume of findings can be overwhelming. We mute LOW and MEDIUM findings that are known false positives (e.g., a test bucket that is intentionally public). But never mute CRITICAL or HIGH without a documented exception. Findings also have a state (ACTIVE, INACTIVE) and can be marked as resolved. Use the mute feature to reduce noise, but ensure you have a process to periodically review muted findings. The SCC API allows you to list, update, and set mute configurations programmatically, which is essential for automation.
Security Health Analytics: Misconfiguration Detection
Security Health Analytics (SHA) is the built-in scanner that checks your cloud resources against Google's security best practices. It covers over 150 detectors, including open firewall ports, public buckets, IAM role misuse, and encryption settings. SHA runs continuously and generates findings when it detects violations. In production, we've found that SHA is excellent for catching low-hanging fruit like public buckets or overly permissive firewall rules. However, it has limitations: it cannot detect custom misconfigurations (e.g., a specific IAM role that violates your internal policy). For that, you need custom detectors via Event Threat Detection or third-party tools. SHA findings are categorized by severity, but we've seen MEDIUM findings that are actually critical in context (e.g., a firewall rule allowing SSH from 0.0.0.0/0 on a bastion host). Always review findings in context.
Event Threat Detection: Real-Time Threat Monitoring
Event Threat Detection (ETD) monitors your cloud logs in real time for suspicious activity, such as malware, cryptocurrency mining, and data exfiltration. It uses machine learning and threat intelligence to detect anomalies. ETD is a Premium-tier feature and requires enabling log export to a BigQuery dataset or Pub/Sub. In production, ETD is your first line of defense against active attacks. However, it generates a high volume of alerts, many of which are benign (e.g., a developer running a script that downloads a known malware sample for testing). We've learned to create suppression rules for known good activities. ETD also supports custom threat detection using YARA rules, which is powerful for detecting proprietary malware. One critical configuration: ensure ETD is enabled for all projects in the organization, not just a subset. Attackers often pivot to less monitored projects.
Container Threat Detection: Securing GKE Workloads
Container Threat Detection (CTD) monitors your Google Kubernetes Engine (GKE) clusters for threats at the container and node level. It detects privilege escalation, malicious binaries, and suspicious network connections. CTD is a Premium feature and requires the Security Command Center API to be enabled on the cluster. In production, CTD is essential for any GKE cluster running untrusted workloads. However, it has a performance impact—it runs as a DaemonSet on each node. We've seen teams disable CTD on clusters with high resource utilization, which is a mistake. Instead, allocate additional resources to the node pool. CTD also integrates with GKE's audit logging to provide context. One common issue: CTD may flag legitimate administrative tools like kubectl exec as suspicious. Tune the sensitivity or create exceptions for known admin activities.
Automating Remediation with Cloud Functions and SCC API
SCC findings are only useful if you act on them. In production, we automate remediation using Cloud Functions triggered by Pub/Sub notifications from SCC. For example, when a finding of type OPEN_BUCKET is created, a Cloud Function can automatically make the bucket private. However, automation must be careful: not all public buckets are misconfigurations. We use a tagging strategy: buckets with label 'public-allowed=true' are exempt. The SCC API allows you to update findings (e.g., mark as resolved) and mute them. We also automate the creation of mute rules for known false positives. The key is to have a feedback loop: if an automated remediation fails, it should create a new finding or alert. This pattern reduces mean time to remediation (MTTR) from days to minutes.
Integrating SCC with SIEM and Incident Response
SCC findings should feed into your existing SIEM (e.g., Splunk, Chronicle) and incident response platform (e.g., Jira, PagerDuty). The recommended approach is to export findings to Pub/Sub, then use a subscriber to forward them. In production, we've seen teams pipe all findings directly to PagerDuty, causing alert fatigue. Instead, filter by severity and category. For example, only CRITICAL findings go to PagerDuty; HIGH findings go to a Slack channel; MEDIUM and LOW go to a weekly report. Also, enrich findings with context from your CMDB (e.g., resource owner, environment). This reduces time to triage. One advanced pattern: use SCC's findings as triggers for automated playbooks in your SOAR platform. For example, a CRITICAL finding for a compromised VM could trigger an automatic isolation of the VM.
Cost Management and Optimization of SCC Premium
SCC Premium is priced per resource per month, with different rates for compute, storage, and other resources. In production, costs can escalate quickly if you have many projects. We've seen monthly bills of $10k+ for large organizations. To optimize, start by enabling SCC Premium only on projects that contain sensitive data or are production-facing. Use the SCC dashboard to monitor costs and identify which resources are driving charges. Also, consider using the Standard tier for development projects. Another cost-saving measure is to use mute rules to suppress findings that don't require Premium features (e.g., if you only need asset inventory, Standard may suffice). However, be careful: disabling Premium on a project also disables ETD and CTD, which are critical for security. We recommend a risk-based approach: classify projects into tiers (e.g., critical, high, medium, low) and enable Premium accordingly.
Advanced: Custom Detectors and Threat Intelligence
SCC allows you to create custom detectors using YARA rules for ETD and custom modules for SHA. This is essential for detecting organization-specific threats, such as proprietary malware or policy violations. In production, we've built custom YARA rules to detect data exfiltration patterns unique to our application. However, custom detectors require careful tuning to avoid false positives. We recommend starting with a small set of rules and iterating based on feedback. Also, integrate SCC with external threat intelligence feeds (e.g., Recorded Future, VirusTotal) to enrich findings. This can be done via Cloud Functions that query the threat intel API and update the finding with additional context. One advanced pattern: use SCC's findings to trigger a Cloud Function that queries VirusTotal for file hashes and adds reputation data to the finding. This reduces investigation time.
Compliance Reporting and Audit Readiness
SCC provides built-in compliance reports for standards like CIS, PCI DSS, and NIST. These reports are generated from SHA findings and can be exported to BigQuery for custom analysis. In production, we use SCC to continuously monitor compliance posture and generate weekly reports for auditors. However, SCC's compliance coverage is not exhaustive. For example, it does not cover all PCI DSS requirements. We supplement with manual checks and third-party tools. One key feature is the ability to export findings to BigQuery, which allows you to run custom queries to demonstrate compliance. For example, you can query for all findings related to encryption at rest. We also use SCC's asset inventory to generate a list of all resources and their compliance status. This is invaluable during audits.
Operational Runbook: Daily, Weekly, and Monthly Tasks
To keep SCC effective, establish a regular operational cadence. Daily: review CRITICAL and HIGH findings, triage new ones, and ensure automated remediation worked. Weekly: review muted findings to ensure they are still valid, update suppression rules, and check for new false positives. Monthly: review custom detectors, update YARA rules, and assess SCC costs. Also, conduct a quarterly review of SCC configuration: ensure all projects are covered, notification channels are working, and IAM permissions are correct. In production, we've seen teams neglect these tasks, leading to stale findings and missed threats. Automate as much as possible: use Cloud Scheduler to trigger weekly reports and send them to a Slack channel. The key is to make SCC a living part of your security operations, not a set-it-and-forget-it tool.
| File | Command / Code | Purpose |
|---|---|---|
| enable-scc-premium.sh | gcloud services enable securitycenter.googleapis.com | Why Security Command Center Exists |
| force_asset_refresh.py | from google.cloud import securitycenter | Asset Discovery and Inventory Management |
| list_critical_findings.py | from google.cloud import securitycenter | Understanding Findings and Severity Levels |
| list-sha-findings.sh | gcloud scc findings list \ | Security Health Analytics |
| enable-etd.sh | gcloud services enable eventthreatdetection.googleapis.com \ | Event Threat Detection |
| enable-ctd.sh | gcloud container clusters update my-cluster \ | Container Threat Detection |
| auto_remediate_open_bucket.py | from google.cloud import storage | Automating Remediation with Cloud Functions and SCC API |
| scc_to_siem.py | def forward_to_siem(event, context): | Integrating SCC with SIEM and Incident Response |
| estimate-scc-cost.sh | gcloud scc assets list \ | Cost Management and Optimization of SCC Premium |
| custom_yara_rule.yar | rule CustomExfilPattern { | Advanced |
| compliance_query.sql | SELECT | Compliance Reporting and Audit Readiness |
| weekly_report.sh | REPORT_DATE=$(date +%Y-%m-%d) | Operational Runbook |
Key takeaways
Common mistakes to avoid
3 patternsNot understanding security command center pricing model
Using default settings without tuning for security command center
Missing IAM permissions and service account configuration
Interview Questions on This Topic
What is Security Command Center and when would you use it?
Frequently Asked Questions
20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.
That's Google Cloud. Mark it forged?
6 min read · try the examples if you haven't