Security Command Center and Workload Identity

GCP has its own security platform — Security Command Center — and a mechanism for access without long-term secrets: Workload Identity. ZEUS uses both: it reads from SCC and authenticates through Workload Identity.

Security Command Center (SCC)

SCC is the central security console for an entire GCP organization. It combines three roles:

  • CSPM — detection of misconfigs (Security Health Analytics),
  • threat detection — Event Threat Detection, Container Threat Detection,
  • vulnerability and sensitive-data management.

SCC generates findings in a single format, with mappings to standards (CIS, PCI DSS, NIST). Available in Standard and Premium/Enterprise tiers.

# List the organization's findings
gcloud scc findings list <org-id> \
  --filter="state=\"ACTIVE\" AND severity=\"HIGH\""

# Finding sources (Security Health Analytics, ETD, etc.)
gcloud scc sources list --organization=<org-id>

SCC component                What it detects
Security Health Analytics    misconfigs (public bucket, open firewall)
Event Threat Detection       suspicious logins, exfiltration
Container Threat Detection   runtime threats in GKE
Web Security Scanner         web application vulnerabilities

Workload Identity — keyless access

Service account JSON keys are the biggest risk in GCP (see lesson 02). Workload Identity Federation eliminates them: an external identity (e.g. from AWS, Azure, GitHub Actions or your own IdP) exchanges its token for short-lived GCP credentials, without storing any secret whatsoever.

# Pool and provider for identity federation
gcloud iam workload-identity-pools create zeus-pool \
  --location=global --display-name="ZEUS WIF pool"

gcloud iam workload-identity-pools providers create-oidc zeus-provider \
  --location=global --workload-identity-pool=zeus-pool \
  --issuer-uri="https://token.zeus.professnet.pl" \
  --attribute-mapping="google.subject=assertion.sub"

Tip: Workload Identity is the gold standard for third-party access to GCP. No key = no secret to leak. If you see a service account with a JSON key used by an external integration — that is a candidate for migration to WIF.
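To make the "no key" point concrete, here is an added example (not code from the lesson or from ZEUS) that builds the external_account credential configuration a WIF consumer reads, the same shape gcloud's create-cred-config writes, and contrasts it with a service-account key file. The project number, the connector service account e-mail, the token file path and the sample key file are constructed placeholders; the pool and provider names are the ones from the gcloud commands above. The credential-file classifier at the end is the check the tip describes: it flags integrations that still authenticate with a long-lived key.

```python
import json

# Constructed placeholders (not from the lesson): a project number and a
# hypothetical connector service account. Pool/provider names match the
# gcloud commands in this lesson.
PROJECT_NUMBER = "123456789012"
POOL = "zeus-pool"
PROVIDER = "zeus-provider"
SERVICE_ACCOUNT = "zeus-connector@example-project.iam.gserviceaccount.com"
TOKEN_FILE = "/var/run/secrets/zeus/oidc-token"  # where the external IdP token is mounted


def wif_audience(project_number, pool, provider):
    """Full resource name of the provider; this is the audience the external
    token is exchanged against at the STS endpoint."""
    return (f"//iam.googleapis.com/projects/{project_number}/locations/global/"
            f"workloadIdentityPools/{pool}/providers/{provider}")


def build_external_account_config(project_number, pool, provider,
                                  service_account, token_file):
    """Build an external_account credential configuration, the file the Google
    auth libraries read for WIF. It only says where to read the external token
    and which pool/provider and service account to exchange it for; it holds
    no key material at all."""
    return {
        "type": "external_account",
        "audience": wif_audience(project_number, pool, provider),
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
        "token_url": "https://sts.googleapis.com/v1/token",
        "service_account_impersonation_url": (
            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
            f"{service_account}:generateAccessToken"),
        "credential_source": {"file": token_file},
    }


def classify_credential(config):
    """'long_lived_key' for a service-account JSON key (carries private_key),
    'keyless' for a WIF external_account config, 'unknown' otherwise."""
    if "private_key" in config:
        return "long_lived_key"
    if config.get("type") == "external_account":
        return "keyless"
    return "unknown"


def find_migration_candidates(named_configs):
    """Given {file name: parsed credential file}, return the names still using
    a long-lived key; these are the integrations to move to WIF."""
    return sorted(name for name, cfg in named_configs.items()
                  if classify_credential(cfg) == "long_lived_key")


# Constructed sample of a service-account key file with a placeholder key,
# included only to show the contrast with the keyless config.
SAMPLE_SA_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "legacy-integration@example-project.iam.gserviceaccount.com",
}

if __name__ == "__main__":
    wif_cfg = build_external_account_config(PROJECT_NUMBER, POOL, PROVIDER,
                                            SERVICE_ACCOUNT, TOKEN_FILE)
    print(json.dumps(wif_cfg, indent=2))
    print(find_migration_candidates({"zeus.json": wif_cfg,
                                     "legacy.json": SAMPLE_SA_KEY}))
```

Running the script prints the WIF configuration and then ["legacy.json"]: the only file that carries a secret is the service-account key, which is exactly the one the tip says should be migrated.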

How ZEUS sees it

ZEUS integrates with Security Command Center through the API: it pulls in findings (misconfigs and threats), so as not to duplicate scans Google has already performed, and feeds them into the shared SecOps queue alongside alerts from Azure Defender and AWS GuardDuty. For authentication itself, ZEUS uses Workload Identity Federation — that is, it connects to GCP without any JSON key, giving the customer a reference example of a secretless integration.
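The "pull findings and feed them into a shared queue" step looks roughly like the added example below; it is illustrative code, not the ZEUS connector. The source map and the four findings are constructed to mirror the shape of SCC v1 Finding objects and the output of gcloud scc sources list (org and source ids are placeholders, category names are illustrative). The selection function applies the same filter as the gcloud example earlier in the lesson (ACTIVE findings at or above a severity) and also deduplicates across pulls, which is the part a real connector has to get right so that repeated polling does not create duplicate tickets.

```python
from dataclasses import dataclass

# Constructed: sources as `gcloud scc sources list` would show them
# (resource name -> display name). Org and source ids are placeholders.
SOURCES = {
    "organizations/000000/sources/111": "Security Health Analytics",
    "organizations/000000/sources/222": "Event Threat Detection",
    "organizations/000000/sources/333": "Container Threat Detection",
}

# Constructed sample findings shaped like SCC v1 Finding objects (a subset
# of fields); the category names are illustrative only.
SAMPLE_FINDINGS = [
    {"name": "organizations/000000/sources/111/findings/f1",
     "parent": "organizations/000000/sources/111",
     "category": "PUBLIC_BUCKET_ACL", "state": "ACTIVE", "severity": "HIGH",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//storage.googleapis.com/example-bucket",
     "eventTime": "2024-05-01T10:00:00Z"},
    {"name": "organizations/000000/sources/222/findings/f2",
     "parent": "organizations/000000/sources/222",
     "category": "Persistence: IAM Anomalous Grant", "state": "ACTIVE",
     "severity": "CRITICAL", "findingClass": "THREAT",
     "resourceName": "//cloudresourcemanager.googleapis.com/projects/123456789012",
     "eventTime": "2024-05-01T11:30:00Z"},
    {"name": "organizations/000000/sources/111/findings/f3",
     "parent": "organizations/000000/sources/111",
     "category": "OPEN_FIREWALL", "state": "INACTIVE", "severity": "HIGH",
     "findingClass": "MISCONFIGURATION",
     "resourceName": "//compute.googleapis.com/projects/example/global/firewalls/allow-all",
     "eventTime": "2024-04-20T09:00:00Z"},
    {"name": "organizations/000000/sources/333/findings/f4",
     "parent": "organizations/000000/sources/333",
     "category": "Added Binary Executed", "state": "ACTIVE", "severity": "MEDIUM",
     "findingClass": "THREAT",
     "resourceName": "//container.googleapis.com/projects/example/zones/europe-west1-b/clusters/prod",
     "eventTime": "2024-05-01T12:00:00Z"},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
CLASS_TO_KIND = {"MISCONFIGURATION": "misconfig", "VULNERABILITY": "vulnerability",
                 "THREAT": "threat", "OBSERVATION": "observation"}


@dataclass(frozen=True)
class QueueItem:
    """Shared SecOps queue record; the same shape would carry Azure Defender
    or AWS GuardDuty alerts with a different provider/tool."""
    provider: str
    tool: str
    kind: str
    severity: str
    title: str
    asset: str
    observed_at: str
    source_ref: str


def normalize(finding, sources=SOURCES):
    """Map one SCC finding onto the shared record, resolving the source id to
    the detector name so analysts see 'Event Threat Detection', not a number."""
    return QueueItem(
        provider="gcp",
        tool=sources.get(finding["parent"], "unknown source"),
        kind=CLASS_TO_KIND.get(finding.get("findingClass", ""), "other"),
        severity=finding.get("severity", "LOW"),
        title=finding["category"],
        asset=finding.get("resourceName", ""),
        observed_at=finding.get("eventTime", ""),
        source_ref=finding["name"],
    )


def select_for_queue(findings, min_severity="HIGH", seen=None):
    """Keep ACTIVE findings at or above min_severity (the gcloud filter from
    this lesson, generalised to a threshold) and skip findings already queued,
    so a repeated pull does not create duplicate tickets. Pass the same `seen`
    set on every pull to keep that state."""
    seen = set() if seen is None else seen
    threshold = SEVERITY_RANK[min_severity]
    items = []
    for finding in findings:
        if finding.get("state") != "ACTIVE":
            continue
        if SEVERITY_RANK.get(finding.get("severity", "LOW"), 0) < threshold:
            continue
        if finding["name"] in seen:
            continue
        seen.add(finding["name"])
        items.append(normalize(finding))
    return items


if __name__ == "__main__":
    for item in select_for_queue(SAMPLE_FINDINGS):
        print(f"[{item.severity}] {item.tool}: {item.title} -> {item.asset}")
```

With the sample data, the default HIGH threshold queues the public bucket and the anomalous IAM grant, drops the already-resolved firewall finding and leaves the MEDIUM container finding out; lowering the threshold to MEDIUM brings the container finding in.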

In the final lesson of this track we will see the full anatomy of the ZEUS connector to GCP.