Monday, January 30, 2023

Google Professional Cloud Security Engineer Exam Prep notes - Part 2

This post covers review notes for logging, DNS security and the Google Cloud Web Security Scanner service.


1. Aggregated sinks
Sinks can be created with the "includeChildren" parameter set to "True" for a Cloud organization or folder. The logs from that organization or folder and from the folders, projects or billing accounts beneath it can then be routed to the sink.
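As an added example (not from the original post), the gcloud steps to create an organization-level aggregated sink and grant its writer identity access to the destination bucket; the organization ID, sink name and bucket name are placeholders, and setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: organization-level aggregated sink for Cloud Audit Logs.
# ORG_ID, SINK_NAME and BUCKET are placeholders supplied by the caller.
set -eu
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo -> dry run, commands are printed only

# Route only Cloud Audit Logs; a narrow filter keeps the bucket from filling
# with every log line emitted by every child project.
sink_filter() {
  printf '%s' 'logName:"cloudaudit.googleapis.com"'
}

# --include-children is what makes the sink aggregated: without it only the
# organization's own logs are routed, not those of its folders and projects.
create_aggregated_sink() {
  org_id="$1"; sink="$2"; bucket="$3"
  "$GCLOUD" logging sinks create "$sink" "storage.googleapis.com/$bucket" \
    --organization="$org_id" \
    --include-children \
    --log-filter="$(sink_filter)"
}

# The sink writes as a Google-managed service account (its writerIdentity).
# Until that identity may create objects in the bucket, nothing is delivered.
grant_sink_writer() {
  org_id="$1"; sink="$2"; bucket="$3"
  writer="$("$GCLOUD" logging sinks describe "$sink" \
              --organization="$org_id" --format='value(writerIdentity)')"
  "$GCLOUD" storage buckets add-iam-policy-binding "gs://$bucket" \
    --member="$writer" --role="roles/storage.objectCreator"
}

# Run for real with: ORG_ID=... SINK_NAME=... BUCKET=... ./sink.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_aggregated_sink "$ORG_ID" "$SINK_NAME" "$BUCKET"
  grant_sink_writer "$ORG_ID" "$SINK_NAME" "$BUCKET"
fi
```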
2. DNS Security Extensions
DNS Security Extensions (DNSSEC) is the security protocol that enables authentication of DNS data. It is a DNS protocol extension that adds a further layer of security by letting zone owners digitally sign their DNS records, which makes it much harder for attackers to tamper with DNS data. Customers can enable DNSSEC on Google Cloud's Cloud DNS service to safeguard their domains from unauthorized alterations.
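As an added example (not from the original post), the gcloud steps to sign a Cloud DNS managed zone and obtain the DS record that still has to be published at the registrar before resolvers can validate the zone; ZONE and the domain name are placeholders, GCLOUD=echo prints the commands instead of running them, and the key-signing key is assumed to have id 0 as in the Cloud DNS documentation.

```shell
#!/bin/sh
# Added example: enable DNSSEC on a Cloud DNS zone and print its DS record.
# ZONE and DOMAIN are placeholders supplied by the caller.
set -eu
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo -> dry run, commands are printed only
DIG="${DIG:-dig}"

# Signing the zone by itself protects nobody: validating resolvers only trust
# the signatures once the parent zone carries this zone's DS record.
enable_dnssec() {
  zone="$1"
  "$GCLOUD" dns managed-zones update "$zone" --dnssec-state=on
}

# Cloud DNS generates the key-signing key (KSK); its DS record is the digest
# you hand to the registrar. Key id 0 is the KSK in the documented layout.
ds_record() {
  zone="$1"
  "$GCLOUD" dns dns-keys describe 0 --zone="$zone" --format='value(ds_record())'
}

# After the registrar publishes the DS, a validating resolver (8.8.8.8 here)
# sets the AD (authenticated data) flag in its answer. Returns 0 if it does.
check_validated() {
  domain="$1"
  "$DIG" @8.8.8.8 "$domain" A +dnssec | grep -q 'flags:[^;]* ad'
}

# Run for real with: ZONE=... DOMAIN=... ./dnssec.sh --apply
if [ "${1:-}" = "--apply" ]; then
  enable_dnssec "$ZONE"
  printf 'Publish this DS record at your registrar:\n%s\n' "$(ds_record "$ZONE")"
fi
```

Run check_validated only after the registrar has published the DS record; until then the absence of the AD flag is expected, not a failure.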

3. Google Cloud Web Security Scanner service
To find common vulnerabilities in web applications, such as those listed in the OWASP Top 10, customers can use the Google Cloud Web Security Scanner service. It can scan App Engine-based applications as well as those hosted on other platforms such as Compute Engine or Kubernetes Engine. It helps identify vulnerabilities like cross-site scripting (XSS), SQL injection and missing security headers. Though not a replacement for a security review or penetration testing, it can be used alongside such measures to check for new vulnerabilities.

Google Professional Cloud Security Engineer Exam Prep notes - Part 1

Key points to review before the exam about firewalls, container best practices and DDoS protection


1. Firewall default rules:
The following implied rules have the lowest priority and apply only when no higher-priority rule overrides them:

  • All outbound traffic is allowed (see the following document for the exceptions: https://cloud.google.com/vpc/docs/firewalls#blockedtraffic)
  • All ingress traffic is blocked
2. Disable the public IP and Private Google Access if you want to ensure that a Compute Engine instance has no access to the Internet or to Google APIs and services.
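As an added example covering points 1 and 2 above (not from the original post), a script that isolates a subnet and its VMs: an explicit deny-egress rule overrides the implied allow-egress rule, Private Google Access is left off, and the VM gets no external address. NETWORK, SUBNET, REGION, ZONE, the VM name and the IP range are placeholders, and GCLOUD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: isolate a subnet so VMs in it can reach neither the Internet
# nor Google APIs. All names and the IP range are placeholders.
set -eu
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo -> dry run, commands are printed only

# Implied rules sit at priority 65535, the lowest possible, so an explicit
# deny-egress at priority 1000 overrides the implied "allow all egress".
deny_all_egress() {
  network="$1"
  "$GCLOUD" compute firewall-rules create "deny-all-egress-$network" \
    --network="$network" --direction=EGRESS --action=DENY --rules=all \
    --destination-ranges=0.0.0.0/0 --priority=1000
}

# With Private Google Access off, a VM without an external IP has no path to
# Google APIs and services either.
create_isolated_subnet() {
  network="$1"; subnet="$2"; region="$3"; range="$4"
  "$GCLOUD" compute networks subnets create "$subnet" \
    --network="$network" --region="$region" --range="$range" \
    --no-enable-private-ip-google-access
}

# --no-address: no external IP, so nothing on the Internet can reach the VM
# directly and the VM cannot originate Internet traffic.
create_isolated_vm() {
  vm="$1"; zone="$2"; subnet="$3"
  "$GCLOUD" compute instances create "$vm" --zone="$zone" \
    --subnet="$subnet" --no-address
}

# Verification: list the network's explicit rules by priority. Implied rules
# are not listed; they apply at 65535 only after everything shown here.
list_rules_by_priority() {
  network="$1"
  "$GCLOUD" compute firewall-rules list --filter="network:$network" \
    --sort-by=priority --format='table(name,direction,priority,allowed[],denied[])'
}

# Run for real with: NETWORK=... SUBNET=... REGION=... ZONE=... VM=... ./isolate.sh --apply
if [ "${1:-}" = "--apply" ]; then
  deny_all_egress "$NETWORK"
  create_isolated_subnet "$NETWORK" "$SUBNET" "$REGION" "10.10.0.0/24"
  create_isolated_vm "$VM" "$ZONE" "$SUBNET"
  list_rules_by_priority "$NETWORK"
fi
```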
3. Container best practices:

  • Package a single app or piece of software per container. An application with a single parent process but several possible child processes still qualifies
  • Handle running as PID 1 and register signal handlers
  • Enable process namespace sharing in Kubernetes
  • Use a specialized init system
  • Optimize for Docker build cache
  • Remove unnecessary tools
  • Build the smallest image possible using the smallest base image, creating images with common layers and reducing clutter
  • Enable image scanning for vulnerabilities
  • Tag images using options like semantic versioning and Git commit hash
  • Avoid public images if you have stringent security requirements

4. SYN flood protection
As part of its DDoS protection services, Google Cloud Armor provides protection against SYN floods. It lets you define security policies that specify how incoming traffic is handled based on factors such as source IP address or geographic location. You can also configure rate limiting in Cloud Armor to guard against floods of incoming requests.
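As an added example (not from the original post), a Cloud Armor security policy that applies a per-client-IP rate limit and a location-based deny, then attaches the policy to a global backend service; the policy and backend names are placeholders and the region code is illustrative, and GCLOUD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Cloud Armor policy with geo deny + per-IP rate limiting.
# POLICY, BACKEND and the region code are placeholders.
set -eu
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo -> dry run, commands are printed only

create_policy() {
  "$GCLOUD" compute security-policies create "$1" \
    --description="edge rate limiting and geo controls"
}

# Location-based rule at priority 1000 (evaluated first): deny requests whose
# source geolocates to a region the application never serves.
add_geo_deny_rule() {
  policy="$1"; region_code="$2"
  "$GCLOUD" compute security-policies rules create 1000 \
    --security-policy="$policy" \
    --expression="origin.region_code == '$region_code'" \
    --action=deny-403
}

# Throttle at priority 2000: each source IP may make 100 requests per 60 s;
# excess requests get HTTP 429 at the edge instead of reaching the backend.
add_rate_limit_rule() {
  policy="$1"
  "$GCLOUD" compute security-policies rules create 2000 \
    --security-policy="$policy" --src-ip-ranges='*' \
    --action=throttle \
    --rate-limit-threshold-count=100 --rate-limit-threshold-interval-sec=60 \
    --conform-action=allow --exceed-action=deny-429 --enforce-on-key=IP
}

# The policy has no effect until it is attached to the load balancer backend.
attach_policy() {
  policy="$1"; backend="$2"
  "$GCLOUD" compute backend-services update "$backend" \
    --security-policy="$policy" --global
}

# Run for real with: POLICY=... BACKEND=... ./armor.sh --apply
if [ "${1:-}" = "--apply" ]; then
  create_policy "$POLICY"
  add_geo_deny_rule "$POLICY" "XX"   # XX: placeholder region code
  add_rate_limit_rule "$POLICY"
  attach_policy "$POLICY" "$BACKEND"
fi
```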
5. Cloud Identity-Aware Proxy usage
Google Cloud Identity-Aware Proxy (IAP) enables you to protect access to apps running on Google Cloud Platform (GCP) by using Identity and Access Management (IAM) to identify and authorize users. IAP works by intercepting requests coming into your application and verifying the user's identity. IAP lets the request proceed if the user has successfully authenticated and been granted access to the application; otherwise IAP returns a 403 (Forbidden) response.
Any application that is reachable through a public or private load balancer, such as Compute Engine instances, Kubernetes Engine clusters and App Engine applications, can be secured with IAP. The service can also protect applications hosted in other clouds or on-premises. IAP additionally offers TCP forwarding, which can protect SSH and RDP access to your VMs.
IAP intercepts each incoming request to your application and verifies the user's identity; where a JWT assertion is used to authenticate the user, IAP checks that JWT, which carries the identity information and claims the user wants to transmit.
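As an added example (not from the original post), the gcloud steps to put SSH and RDP access to VMs behind IAP TCP forwarding instead of exposing them on public addresses; the project, network, principal, VM name and zone are placeholders, and GCLOUD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: SSH/RDP access through IAP TCP forwarding only.
# PROJECT, NETWORK, MEMBER, VM and ZONE are placeholders.
set -eu
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo -> dry run, commands are printed only

# IAP's TCP forwarding proxies originate from 35.235.240.0/20, so that is the
# only source range that needs to reach 22 (SSH) and 3389 (RDP). VMs carrying
# the iap-tunnel tag then need neither an external IP nor a 0.0.0.0/0 rule.
allow_iap_ingress() {
  network="$1"
  "$GCLOUD" compute firewall-rules create "allow-iap-tunnel-$network" \
    --network="$network" --direction=INGRESS --action=ALLOW \
    --rules=tcp:22,tcp:3389 --source-ranges=35.235.240.0/20 \
    --target-tags=iap-tunnel
}

# Who may open a tunnel is an IAM decision: only principals holding
# roles/iap.tunnelResourceAccessor get through, and IAP logs each attempt.
grant_tunnel_access() {
  project="$1"; member="$2"
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="$member" --role="roles/iap.tunnelResourceAccessor"
}

# SSH straight through IAP; no public address is involved.
ssh_via_iap() {
  vm="$1"; zone="$2"
  "$GCLOUD" compute ssh "$vm" --zone="$zone" --tunnel-through-iap
}

# RDP: open a local tunnel, then point the RDP client at localhost:3389.
rdp_tunnel_via_iap() {
  vm="$1"; zone="$2"
  "$GCLOUD" compute start-iap-tunnel "$vm" 3389 \
    --zone="$zone" --local-host-port=localhost:3389
}

# Run for real with: PROJECT=... NETWORK=... MEMBER=user:... ./iap.sh --apply
if [ "${1:-}" = "--apply" ]; then
  allow_iap_ingress "$NETWORK"
  grant_tunnel_access "$PROJECT" "$MEMBER"
fi
```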

Blogs in Medium.com - 2022

Do check out some of my blogs that I published on Medium.com in 2022 in the Google Cloud Community.

This is a blog series on Google Cloud DevOps, and how DevOps is done the Google way. I have authored Part 2 of the blog series, which talks about compute options for Kubernetes.

This is a blog series on Google Cloud Anthos and how it can help scale your applications across geographic and cloud boundaries. I have authored Part 6 of this blog series, which explains how Multi-Cluster Ingress can be enabled for Anthos.

This is a blog series that focuses on the constructs of hosting SAP workloads on Google Cloud. I have authored Part 1 of the blog series, which covers the fundamentals of SAP on Google Cloud.


About Me

Cloud Solutions expert with 17+ years of experience in the IT industry, with expertise in multi-cloud technologies and a solid background in datacentre management and virtualization. Versatile technocrat with experience in cloud technical presales, advisory, innovation, evangelisation and project delivery. Currently working with Google as an Infra Modernization Specialist, enabling customers on their digital transformation journey. I enjoy sharing my experiences in my blog, but the opinions expressed in this blog are my own and do not represent those of people, institutions or organizations that I may be associated with in a professional or personal capacity, unless explicitly stated.
