SCC Findings: Monitoring detection cross-project?

Hi folks,

We're currently setting up our GCP solution following the security foundations guide (https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf) as a baseline.

As part of this we have a logging project that all audit logs are routed to across the org. With SCC turned on in all our projects, a common finding across all of them is a number of MONITORING_SCANNER misconfigurations (e.g. firewall rule not monitored, custom role not monitored, etc.).

As we are routing all of our audit logs to a log bucket in the logging project (as recommended by the security guide), we can set up metrics and alerting policies on this log bucket that will cover all projects present and future. However, the SCC scanners don't appear to be able to detect that we're doing centralised monitoring on audit logs.

As far as I can see, the only way we can stop SCC from reporting these findings is either:
a) Set up metrics and alerts in every project
b) Set them up in the logging project and mute the findings

Option a) feels like a lot of overhead and repeated configuration (though we do IaC, so we can automate it), and option b) feels non-ideal because, if something does get misconfigured, it would be muted.

Is there a better way of handling this, or any guidance as to best practices?

Many thanks,
Sean

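To make the trade-off in the post concrete, here is an added example (not code from the thread or from Google's guide). It lists the log-based metric filters that the CIS GCP Benchmark / SCC remediation text prescribes for three of the MONITORING_SCANNER categories, runs them over constructed audit-log entries with a deliberately minimal evaluator (AND of comparisons plus OR groups; `:` treated as substring), and renders the `gcloud logging metrics create` commands for option a) (one project-level metric per project, which is what the scanner looks for) and option b) (one metric scoped to the central log bucket in the logging project). The filter texts are from memory and should be checked against the remediation tab of your own finding; the `--bucket-name` flag for bucket-scoped metrics is an assumption about your gcloud version; project and bucket names are placeholders.

```python
"""SCC MONITORING_SCANNER metric filters: what they match, and how they would be
created per project (option a) or on the central log bucket (option b).
Added example; filters are as recalled from CIS/SCC remediation text, verify them."""
import re
import shlex

# Finding category -> expected log-based metric filter (assumption: verify against SCC).
METRIC_FILTERS = {
    "FIREWALL_NOT_MONITORED": (
        'resource.type="gce_firewall_rule" AND '
        '(protoPayload.methodName:"compute.firewalls.insert" OR '
        'protoPayload.methodName:"compute.firewalls.patch" OR '
        'protoPayload.methodName:"compute.firewalls.delete")'
    ),
    "CUSTOM_ROLE_NOT_MONITORED": (
        'resource.type="iam_role" AND '
        '(protoPayload.methodName="google.iam.admin.v1.CreateRole" OR '
        'protoPayload.methodName="google.iam.admin.v1.DeleteRole" OR '
        'protoPayload.methodName="google.iam.admin.v1.UpdateRole")'
    ),
    "NETWORK_NOT_MONITORED": (
        'resource.type="gce_network" AND '
        '(protoPayload.methodName:"compute.networks.insert" OR '
        'protoPayload.methodName:"compute.networks.patch" OR '
        'protoPayload.methodName:"compute.networks.delete" OR '
        'protoPayload.methodName:"compute.networks.removePeering" OR '
        'protoPayload.methodName:"compute.networks.addPeering")'
    ),
}

# Minimal evaluator for the shape above: comparisons joined by AND, with
# parenthesised OR groups. '=' is exact; ':' is Logging's "has" operator,
# simplified here to a substring match.
COMPARISON = re.compile(r'([\w.]+)(=|:)"([^"]*)"')


def lookup(entry, dotted_path):
    """Walk a LogEntry dict by dotted path, e.g. 'protoPayload.methodName'."""
    current = entry
    for key in dotted_path.split("."):
        if not isinstance(current, dict) or key not in current:
            return None
        current = current[key]
    return current


def clause_matches(entry, clause):
    """One comparison, or an OR group of comparisons: any hit satisfies it."""
    for field, op, wanted in COMPARISON.findall(clause):
        actual = lookup(entry, field)
        if actual is None:
            continue
        if op == "=" and actual == wanted:
            return True
        if op == ":" and wanted in str(actual):
            return True
    return False


def filter_matches(entry, log_filter):
    return all(clause_matches(entry, c) for c in log_filter.split(" AND "))


def findings_covered_by(entry):
    """Finding categories whose metric would count this entry."""
    return sorted(n for n, f in METRIC_FILTERS.items() if filter_matches(entry, f))


# Constructed audit-log entries (not real logs), trimmed to the fields the filters read.
SAMPLE_ENTRIES = [
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.patch"}},      # counted
    {"resource": {"type": "gce_firewall_rule"},
     "protoPayload": {"methodName": "v1.compute.firewalls.list"}},       # read-only, ignored
    {"resource": {"type": "iam_role"},
     "protoPayload": {"methodName": "google.iam.admin.v1.UpdateRole"}},  # counted
    {"resource": {"type": "gce_network"},
     "protoPayload": {"methodName": "v1.compute.networks.addPeering"}},  # counted
]


def gcloud_metric_commands(projects=(), logging_project=None, bucket=None):
    """Render (not run) the create commands for both options in the post.
    projects -> one project-level metric each (option a, what SCC inspects).
    logging_project + bucket -> one bucket-scoped metric (option b; assumes
    your gcloud supports --bucket-name)."""
    commands = []
    for finding, log_filter in METRIC_FILTERS.items():
        metric = finding.lower().replace("_not_monitored", "-changes")
        common = f"--description={shlex.quote(finding)} --log-filter={shlex.quote(log_filter)}"
        for project in projects:
            commands.append(f"gcloud logging metrics create {metric} --project={project} {common}")
        if logging_project and bucket:
            commands.append(f"gcloud logging metrics create {metric} --project={logging_project} "
                            f"--bucket-name={bucket} {common}")
    return commands


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["protoPayload"]["methodName"], "->", findings_covered_by(entry))
    for cmd in gcloud_metric_commands(["prj-a", "prj-b"], "prj-logging", "org-audit-logs"):
        print(cmd)
```

The `list` entry in the samples is the point of running the filters rather than reading them: the metrics count only mutating calls, so a read-only burst does not page anyone. Because the scanner checks for a project-level metric in each scanned project, feeding the per-project command list to your IaC is the variant that clears the findings; the bucket-scoped variant is the one you would pair with a mute rule.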

Hello @sgsabbage,

Welcome to Google Cloud Community!

I understand your concern, but for a better understanding of it and for the best solution to be provided, I suggest contacting Google Cloud Support so they can look into the environment you are running and match the best solution.

Should you encounter any error message during your setup, don't hesitate to post back any questions here. We are delighted to try and help.

Thanks!