
SCC Premium: Findings and Assets


Master Security Command Center (SCC) Premium for asset discovery and finding management. Learn about Security Health Analytics, compliance reporting, and custom SHA rules.


Introduction to Security Command Center (SCC) Premium

For a Professional Cloud Security Engineer (PSE), Security Command Center (SCC) is the primary security management and data risk platform for Google Cloud. While the Standard tier provides basic asset discovery and some threat detection, the Premium tier is essential for enterprise-grade security, offering continuous monitoring, misconfiguration detection, and advanced threat hunting.

SCC Premium provides a centralized dashboard to view assets and findings across your entire organization, making it the "single pane of glass" for your GCP security posture.

Plain English Explanation

1. The Building Inspector (Security Health Analytics)

Think of SHA as a building inspector who constantly walks through your skyscraper (GCP Organization). They check if the fire exits are blocked (Public buckets), if the wiring is up to code (Firewall rules), and if the doors are locked (MFA on service accounts). If they find an issue, they file a report (Finding).

2. The Smart Inventory System (Asset Inventory)

Imagine a massive warehouse with an automated inventory system. Every time a new box (VM, Bucket, SQL instance) is brought in or moved, the system logs its location, contents, and owner. You don't have to manually count items; the system always knows what you have and where it is.

3. The Noise-Canceling Headphones (Muting Findings)

If you are working in a construction zone, there is constant noise. Some noises are important (a warning siren), while others are just background (a truck idling). Muting findings in SCC is like using noise-canceling headphones to filter out the "idling trucks" (expected configurations) so you can focus on the "sirens" (critical risks).

Asset Inventory and Discovery

SCC automatically discovers assets across your Organization, Folders, and Projects.

  • Continuous Discovery: SCC scans your environment every few minutes for changes to resources.
  • Asset History: You can view the state of an asset at any point in time (up to 30 days) to see how its configuration or IAM policies have changed.
  • Discovery Scope: SCC can operate at the Organization level (recommended for full visibility) or the Project level.

Assets in SCC are the Google Cloud resources (VMs, Buckets, Datasets, etc.) and IAM policies that SCC monitors.

Security Health Analytics (SHA)

SHA is the "managed scanner" within SCC that identifies common misconfigurations.

  • Built-in Detectors: SHA comes with over 100 detectors that map to industry standards like CIS and PCI DSS.
  • Detection Categories:
    • PUBLIC_BUCKET_ACL: Cloud Storage bucket is publicly accessible.
    • NON_ORG_IAM_MEMBER: A user from outside the organization has been granted access.
    • OPEN_FIREWALL: A firewall rule allows traffic on all ports.

Custom SHA Rules

For specialized requirements, you can create Custom Security Health Analytics rules. These allow you to define your own security logic using CEL (Common Expression Language).

  • Example: Create a rule that triggers a finding if a GCE instance has a specific tag AND does not have a specific service account attached.
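The rule sketched in the bullet above, written out as an added example (this is not code from the page or from Google; the label key, label value and service-account address are constructed, and the custom module body follows the customConfig shape of the SCC v1 API as I understand it, so confirm the field names against the API reference before use). The block builds the module definition around a CEL predicate and pairs it with a plain-Python mirror of the same predicate so the logic can be checked locally against exported asset JSON before the module goes live:

```python
import json

# Constructed values for this example (not from the page): the label
# that marks an instance as in scope, and the service account every
# such instance is expected to run as.
REQUIRED_LABEL_KEY = "env"
REQUIRED_LABEL_VALUE = "prod"
REQUIRED_SA = "hardened-sa@my-project.iam.gserviceaccount.com"

# CEL predicate that SHA evaluates against the Cloud Asset Inventory
# record of each Compute Engine instance. The field names used here
# (resource.labels, resource.serviceAccounts[].email) are assumed to
# follow the compute.googleapis.com/Instance asset schema; confirm them
# against an exported asset before creating the module.
PREDICATE = (
    f'has(resource.labels) && "{REQUIRED_LABEL_KEY}" in resource.labels'
    f' && resource.labels["{REQUIRED_LABEL_KEY}"] == "{REQUIRED_LABEL_VALUE}"'
    f' && !(has(resource.serviceAccounts)'
    f' && resource.serviceAccounts.exists(sa, sa.email == "{REQUIRED_SA}"))'
)


def build_custom_module() -> dict:
    """Body of the custom module's customConfig (assumed v1 API shape)."""
    return {
        "severity": "HIGH",
        "description": "Production-labelled instance is not running as the hardened service account",
        "recommendation": (
            f"Attach {REQUIRED_SA} to the instance or remove the "
            f"{REQUIRED_LABEL_KEY}={REQUIRED_LABEL_VALUE} label."
        ),
        "resourceSelector": {"resourceTypes": ["compute.googleapis.com/Instance"]},
        "predicate": {"expression": PREDICATE},
        # Extra property surfaced on each finding so the analyst sees
        # which accounts are actually attached.
        "customOutput": {
            "properties": [
                {
                    "name": "attached_service_accounts",
                    "valueExpression": {
                        "expression": "has(resource.serviceAccounts)"
                                      " ? resource.serviceAccounts.map(sa, sa.email) : []"
                    },
                }
            ]
        },
    }


def reference_predicate(resource: dict) -> bool:
    """Plain-Python mirror of PREDICATE, used to sanity-check the rule's
    logic against asset JSON before deploying it."""
    labels = resource.get("labels") or {}
    if labels.get(REQUIRED_LABEL_KEY) != REQUIRED_LABEL_VALUE:
        return False
    attached = {sa.get("email") for sa in resource.get("serviceAccounts") or []}
    return REQUIRED_SA not in attached


# Constructed sample assets in the shape of compute.googleapis.com/Instance data.
SAMPLE_INSTANCES = [
    {"name": "prod-web-1", "labels": {"env": "prod"},
     "serviceAccounts": [{"email": "123-compute@developer.gserviceaccount.com"}]},
    {"name": "prod-db-1", "labels": {"env": "prod"},
     "serviceAccounts": [{"email": REQUIRED_SA}]},
    {"name": "dev-box", "labels": {"env": "dev"},
     "serviceAccounts": [{"email": "123-compute@developer.gserviceaccount.com"}]},
    {"name": "prod-no-sa", "labels": {"env": "prod"}},  # no service account at all
]


def findings_for(instances) -> list:
    """Names of the instances the rule would raise a finding on."""
    return [i["name"] for i in instances if reference_predicate(i)]


if __name__ == "__main__":
    print(json.dumps(build_custom_module(), indent=2))
    print("would raise findings on:", findings_for(SAMPLE_INSTANCES))
```

The printed JSON can be saved to a file and passed to `gcloud scc custom-modules sha create` with `--custom-config-from-file`; check the current flag names with `--help` before relying on them. Note that an instance with no service account at all also matches, which is deliberate: the control is "runs as the hardened account", not "does not run as the default one".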

Managing the SCC Dashboard and Findings

A Finding is a record of a potential security issue or threat.

Prioritizing by Severity

Findings are categorized by severity:

  • Critical: Immediate action required (e.g., Active malware).
  • High: High risk of exploitation (e.g., Publicly accessible sensitive database).
  • Medium: Significant security gap (e.g., Logging disabled on a production resource).
  • Low: Minor issue or best practice recommendation.

Prioritizing by Attack Exposure Score

SCC Premium uses Attack Exposure Scores to help you prioritize. It calculates how reachable a resource is from the internet and how much damage could be done if it were compromised. A "High" severity finding on a resource with a high exposure score should be fixed first.

Findings are NOT automatically deleted when fixed. They transition from Active to Inactive state.

When a PSE scenario asks how to prioritize among thousands of findings, the correct answer combines Severity with Attack Exposure Score — not severity alone. A Medium-severity finding on an internet-reachable resource often outranks a Critical-severity finding on an isolated dev VM, because Attack Exposure Score factors in reachability from the internet and blast radius via Attack Paths.
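The prioritisation rule above, as an added example that is not part of the original note: an ordering that ranks active findings by Attack Exposure Score first and uses severity only to break ties between equally exposed resources. The finding records are constructed, and the `attackExposure.score` field name is an assumption about where SCC Premium publishes the score on a finding; the lexicographic ordering is one reasonable design choice, not the only one.

```python
# Rank of each SCC severity level; higher is more urgent.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def exposure_score(finding: dict) -> float:
    """Attack Exposure Score of a finding. Assumed to live under the
    finding's attackExposure field; a finding with no computed score is
    treated as unreachable from the internet, i.e. score 0.0."""
    return float((finding.get("attackExposure") or {}).get("score", 0.0))


def prioritize(findings: list) -> list:
    """Active findings ordered for triage: highest exposure first, and
    severity only breaks ties between equally exposed resources.
    INACTIVE findings are already fixed and are skipped."""
    active = [f for f in findings if f.get("state") == "ACTIVE"]
    return sorted(
        active,
        key=lambda f: (exposure_score(f), SEVERITY_RANK.get(f.get("severity"), 0)),
        reverse=True,
    )


def triage_order(findings: list) -> list:
    """Just the finding names, in the order they should be worked."""
    return [f["name"] for f in prioritize(findings)]


# Constructed sample findings (not real SCC output).
SAMPLE_FINDINGS = [
    {"name": "isolated-dev-vm/MALWARE", "severity": "CRITICAL", "state": "ACTIVE",
     "attackExposure": {"score": 0.0}},
    {"name": "public-lb-backend/LOGGING_DISABLED", "severity": "MEDIUM", "state": "ACTIVE",
     "attackExposure": {"score": 8.7}},
    {"name": "public-lb-backend/OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE",
     "attackExposure": {"score": 8.7}},
    {"name": "pii-bucket/PUBLIC_BUCKET_ACL", "severity": "CRITICAL", "state": "INACTIVE",
     "attackExposure": {"score": 9.9}},
    {"name": "legacy-vm/OS_LOGIN_DISABLED", "severity": "LOW", "state": "ACTIVE"},
]

if __name__ == "__main__":
    for position, name in enumerate(triage_order(SAMPLE_FINDINGS), start=1):
        print(position, name)
```

With the sample data the two findings on the internet-reachable backend come first, the Critical finding on the isolated dev VM third, and the already-fixed (INACTIVE) bucket finding is not listed at all, which is the behaviour the exam scenario expects.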

Muting Findings and Managing Noise

Not every finding is a "bug." Sometimes a configuration is intentional.

  • Static Muting: Manually mute specific findings.
  • Mute Rules: Create rules to automatically mute findings based on criteria (e.g., "Mute all 'Open Firewall' findings in the 'Sandbox' project").
  • Workflow: Muting removes findings from the default view but keeps them in the database for auditing.

Compliance Reporting

SCC Premium maps findings directly to compliance frameworks:

  • CIS Google Cloud Computing Foundations Benchmark
  • PCI DSS
  • NIST 800-53
  • ISO 27001

Use the Compliance tab in the SCC dashboard to see your "Compliance Score" and identify which specific controls are failing across your entire organization.

A Mute Rule does not stop SHA from generating the finding — it only hides it from the default view. The finding still consumes detection cycles and remains in the database for audit. Candidates often pick "Mute Rule" as a way to "disable" a noisy detector; the correct way to actually stop generation is to disable the specific SHA detector module at the org or folder level. Mute is for noise filtering, not detector control.

SCC asset history retains state changes for up to 30 days, and continuous discovery rescans every few minutes. For auto-remediation pipelines, the testable pattern is: SHA Finding → Pub/Sub export → Cloud Functions → gcloud/API fix (e.g., revoke public bucket ACL). Memorize this 4-step chain — it appears verbatim in PSE remediation scenarios.

Visualizing Attack Paths

One of the most powerful features of SCC Premium is the Attack Path visualization.

  • It uses a graph-based engine to show how an attacker could move from a public-facing entry point (like a vulnerable VM) to a high-value target (like a BigQuery dataset containing PII).
  • This helps PSEs understand Lateral Movement risks.

Integrating Third-Party Sources

SCC is an open platform. You can integrate findings from:

  • Google Services: Cloud DLP, Forseti, Binary Authorization.
  • Third-Party Tools: CrowdStrike, Palo Alto Networks, Qualys.
  • Custom Sources: Use the SCC API to upload findings from your own internal security scanners.

CLI Commands for SCC

Listing Findings

gcloud scc findings list 1234567890 \
    --filter="state=\"ACTIVE\" AND severity=\"CRITICAL\""

Muting a Finding

# set-mute is the subcommand that changes a finding's mute state;
# update-markers only edits a finding's security marks.
gcloud scc findings set-mute abc \
    --project=my-project \
    --source=123 \
    --mute=muted

Security Best Practices for PSE

  1. Enable SCC at the Organization Level: Project-level SCC lacks the global visibility needed for true security posture management.
  2. Automate Remediation: Use Cloud Pub/Sub to export SCC findings to Cloud Functions for automatic fixing (e.g., automatically removing public access from a bucket).
  3. Review Mute Rules Regularly: Ensure that mute rules haven't become "stale" or aren't hiding genuine risks.
  4. Focus on Attack Paths: Don't just fix individual findings; fix the "choke points" in the attack paths that protect multiple resources.
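The remediation chain described earlier (SHA Finding → Pub/Sub export → Cloud Functions → API fix) and best practice 2 above, as one added example that is not code from the page or from Google. The function decodes the SCC notification delivered through Pub/Sub, acts only on ACTIVE `PUBLIC_BUCKET_ACL` findings on Cloud Storage buckets, and strips `allUsers` and `allAuthenticatedUsers` from the bucket's IAM policy. The sample notification is constructed; the policy read/write calls are injected so the decision logic runs offline, and the deployed entry point's use of the google-cloud-storage client (`get_iam_policy`, `set_iam_policy`, `Policy.to_api_repr`/`from_api_repr`) is an assumption about that library's API.

```python
import base64
import json
from typing import Callable, Optional, Tuple

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Only categories this function knows how to fix safely.
REMEDIATED_CATEGORIES = {"PUBLIC_BUCKET_ACL"}
STORAGE_PREFIX = "//storage.googleapis.com/"


def decode_notification(event: dict) -> dict:
    """The Pub/Sub trigger hands the SCC notification JSON to the
    function base64-encoded in event["data"]."""
    return json.loads(base64.b64decode(event["data"]).decode("utf-8"))


def bucket_to_remediate(notification: dict) -> Optional[str]:
    """Return the bucket name if this notification is an ACTIVE finding
    of a category we remediate on a Cloud Storage bucket, else None."""
    finding = notification.get("finding") or {}
    if finding.get("state") != "ACTIVE":
        return None  # INACTIVE means already fixed; nothing to do
    if finding.get("category") not in REMEDIATED_CATEGORIES:
        return None
    resource_name = finding.get("resourceName", "")
    if not resource_name.startswith(STORAGE_PREFIX):
        return None
    return resource_name[len(STORAGE_PREFIX):]


def strip_public_bindings(policy: dict) -> Tuple[dict, bool]:
    """Copy of a bucket IAM policy (API JSON shape) with allUsers and
    allAuthenticatedUsers removed from every binding. Bindings left
    with no members are dropped. Returns (new_policy, changed)."""
    changed = False
    bindings = []
    for binding in policy.get("bindings", []):
        members = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if len(members) != len(binding.get("members", [])):
            changed = True
        if members:
            bindings.append({**binding, "members": members})
    return {**policy, "bindings": bindings}, changed


def remediate(event: dict, get_policy: Callable[[str], dict],
              set_policy: Callable[[str, dict], None]) -> Optional[str]:
    """Core pipeline step: decode, decide, fix. get_policy/set_policy are
    injected so the logic can be exercised without network access.
    Returns the bucket name when a policy was rewritten, else None."""
    bucket = bucket_to_remediate(decode_notification(event))
    if bucket is None:
        return None
    new_policy, changed = strip_public_bindings(get_policy(bucket))
    if not changed:
        return None  # finding may be stale or already handled by a human
    set_policy(bucket, new_policy)
    return bucket


def on_scc_finding(event: dict, context) -> None:
    """Cloud Functions entry point (Pub/Sub trigger). Uses the
    google-cloud-storage client library, assumed installed."""
    from google.cloud import storage
    from google.api_core.iam import Policy

    client = storage.Client()

    def get_policy(name: str) -> dict:
        return client.bucket(name).get_iam_policy(requested_policy_version=3).to_api_repr()

    def set_policy(name: str, policy: dict) -> None:
        client.bucket(name).set_iam_policy(Policy.from_api_repr(policy))

    fixed = remediate(event, get_policy, set_policy)
    print(f"remediated {fixed}" if fixed else "no action")


# Constructed sample notification, shaped like an SCC Pub/Sub export.
SAMPLE_EVENT = {
    "data": base64.b64encode(json.dumps({
        "notificationConfigName": "organizations/1234567890/notificationConfigs/remediate",
        "finding": {
            "name": "organizations/1234567890/sources/123/findings/abc",
            "category": "PUBLIC_BUCKET_ACL",
            "state": "ACTIVE",
            "severity": "HIGH",
            "resourceName": "//storage.googleapis.com/pii-export-bucket",
        },
    }).encode()).decode()
}
```

Two design points worth noting. First, the function preserves the policy's `etag`, so a concurrent edit by an administrator makes the write fail rather than silently overwriting it. Second, the category allow-list keeps the function from touching findings it was never designed for; widen it deliberately, one category at a time, rather than keying remediation off severity alone. The notification config that feeds the topic should carry a matching filter (category and `state="ACTIVE"`) so the function is not woken for every finding in the organization.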

PSE Exam Scenarios

Scenario 1: Managing Noise in a Multi-Project Environment

"A security team is overwhelmed by thousands of 'Open Firewall' findings. Most of these are in Dev environments where wide access is allowed by policy. How should a PSE handle this in SCC?" Answer: Create a Mute Rule in SCC that targets the OPEN_FIREWALL category and filters for projects within the Development folder. This silences the noise in Dev while keeping production findings visible.

Scenario 2: Compliance Reporting for Auditors

"An auditor needs a report showing how many resources currently violate PCI DSS Requirement 1.3 (firewall configuration). How can SCC assist?" Answer: Use the Compliance dashboard in SCC. Filter by the PCI DSS framework and drill down into the specific requirement. You can then export the findings as a CSV or PDF for the auditor.

Summary Checklist

  • Understand the difference between SCC Standard and Premium.
  • Explain how Security Health Analytics identifies misconfigurations.
  • Define "Attack Exposure Score" and how it differs from Severity.
  • Describe the benefit of Attack Path visualization.
  • Know how to automate finding exports using Pub/Sub.
