Not possible to enable Security Command Center Enterprise

[markusl]

Describe the bug

It looks like enabling SCC-E requires special handling for allowed_policy_member_domains. Using the recommended settings in FAST where iam.allowedPolicyMemberDomains is properly enforced, it is not possible to enable SCC-E. The activate button shows an error:

To Reproduce

Try to Activate SCC-E when the framework is enforcing iam.allowedPolicyMemberDomains.

Expected behavior

The framework should enable activating SCC-E using recommended security best practices.

Ideally, there are step-by-step instructions for the setup, and the framework includes the required Terraform code to allow organizations to fully utilize SCC-E.

Result
See previous image.

[ludoo]

Just disable the policy, enable SCC Enterprise, then re-enable it. The policy is either on or off, and it should be on on a new install.

[markusl]

@ludoo thanks for the quick answer! Is this procedure documented somewhere? How can I be sure nothing breaks after re-enabling it?

Best regards,
Markus

[ludoo]

Organization policies are not retroactive, this is the usual (hacky) way of dealing with a temporary exception. Another way would be to add the SCC service account to one of your Cloud Identity groups (I personally have never tried this but it should work).

I don't think there's explicit documentation for SCC, but temporary disablement is mention elsewhere in our documentation for similar use cases, AFAIR.

[markusl]

okay, thank you! :)

[ludoo]

Thanks for flagging Markus, I'll leave this open so we can properly document it in our stage docs.