Google Professional Cloud Security Engineer Exam Prep notes - Part 2

  This blog covers review notes for logging, DNS security & Google Cloud web Security Scanner Service

1. Aggregated sinks

Sinks can be constructed with the "includeChildren" parameter set to "True" for cloud organisation / folders. The logs from these organizations , folders , projects or billing accounts can be routed to these sinks.

2. DNS security extension

DNS Security Extensions (DNSSEC) is the security protocol that enables authentication of DNS data. It is a DNS protocol extension that adds an additional degree of security by enabling users to digitally sign their DNS records, making it more challenging for attackers to tamper with DNS data. Customers can enable DNSSEC on Google Cloud's Cloud DNS service to safeguard their domains from unauthorized alterations.

3. Google Cloud web Security Scanner Service

To find common vulnerabilities in web applications, such as those listed in the OWASP Top 10, customers can use the Google cloud web security scanner service. It has the ability to scan App Engine-based applications as well as those hosted on other systems like Compute Engine or Kubernetes Engine. It can help identify vulnerabilities like cross-site scripting(XSS), SQL injection and missing security headers. Though not a replacement for security review or penetration testing, it can be used in conjunction with such measures to check for new vulnerabilities

Read More

Google Professional Cloud Security Engineer Exam Prep notes - Part 1

Key points to review before the exam about firewalls, container best practices and DDoS protection

1. Firewall default rules:

Following rules are created with lowest priority and will be applicable if not overridden by a higher priority rule

• All default outbound traffic is allowed(Refer the following document for exceptions: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic)
• All ingress traffic is blocked

2. Disable Public IP and Private Google Access if you want to ensure that compute Engine does not have access to Internet or Google APIs and services

3. Container best practices:

• Package single app or piece of software as a container. An application with unique parent process but different possible child processes qualifies for this
• Run a PID1 and register Signal handlers
• Enable process namespace sharing in Kubernetes
• Use a specialized init system
• Optimize for Docker build cache
• Remove unnecessary tools
• Build the smallest image possible using the smallest base image, creating images with common layers and reducing clutter
• Enable image scanning for vulnerability
• Tag images using options like semantic versioning and Git commit hash
• Avoid public images if you have stringent security requirements

4. SYN Flood protection

As part of its DDoS protection services, Google Cloud Armor provides protection against SYN floods. It enables you to design unique policies that specify how to manage incoming traffic depending on different factors like IP address or location. You can also set rate restrictions with Cloud Armor to guard against incoming traffic floods

5. Cloud Identity-Aware proxy usage

Google Cloud Identity-Aware Proxy (IAP) enables you to protect access to apps running on Google Cloud Platform (GCP) by using Identity and Access Management (IAM) to identify and authorize users. IAP functions by intercepting requests coming into your application and verifying the user's identity. IAP permits the request to proceed if the user has successfully authenticated and been granted access to the application. If the request is not approved, IAP returns a 403 (forbidden) response

Any application that is accessible via a public or private load balancer, such as Compute Engine instances, Kubernetes Engine clusters, and App Engine applications, can be secured using IAP. You can also protect applications hosted in other clouds or on-premises with the service. IAP also offers TCP forwarding which can protect SSH and RDP access for your VMs

IAP can intercept incoming request to your application and verify identity of the user by checking JWT in cases where JWT assertion is used to authenticate user and contains information and claims that the user wants to transmit

Read More

Blogs in Medium.com - 2022

Do checkout some of  my blogs that I published in Medium.com in 2022 in Google Cloud Community

Google Cloud DevOps Series : Google Cloud compute options for Kubernetes

This is a blog series on Google Cloud DevOps , and how Devops is done the Google way. I have authored Part 2 of the blog series that talks about Compute options for Kubernetes

Google Cloud Anthos Series : Anthos Multi-Cluster Ingress

This is a blog series on Google Cloud Anthos and how it can help scale your applications transcending geographic and cloud boundaries. I have authored Part 6 of this blog series that explains how Multi-Cluster Ingress can be enabled for Anthos

SAP on Google Cloud Series : The fundamentals

This is a blog series that focusses on the constructs of hosting SAP workloads on Google cloud. I have authored Part 1 of the  blog series that covers the fundamentals of SAP on Google cloud

Read More