Google API Private Access
Private Google Access is configured at the subnet level and allows subnetworks to access GCP services privately. The resources in the subnet can access Google services without an external IP, for eg: Cloud storage, Youtube, etc. It offers better security as the exposure to outside networks is reduced, thereby minimizing the possibilities of data interception and attacks.
Google cloud service accounts
These accounts are used for service-to-service authentication. For eg: an application in compute engine can use a service account to access a storage account
Two types of service accounts - Google-managed service accounts & user-managed service accounts
In Google-managed service accounts, the private and public keys are managed by Google. Each key can be used for a max of two weeks. Private keys of google managed keys are never directly accessible and the platform itself manages the key rotation process
With user-managed keys, only public keys are stored in Google. users should manage the private key , keeping them secure and also for key rotation. For key rotation, you can create up to 10 user-managed service account keys per service
IAM policies and conditions
IAM policy can be considered as a statement of access permissions attached to a resource. Components of policy are a set of roles and role members. Resources inherit policies from the parent resource. Policies specific to a resource are a combination of parent policy and policies assigned to that resource. It is important to note that a least restrictive parent policy will override a more restrictive resource-specific policy.
IAM policies have role bindings that bind an IAM principle to a specific role. IAM conditions can be used to specify attribute-based access, ie either allow or deny access based on specific attributes and if the configured conditions are met. These conditions can either be resource or request-specific. For eg: allow access only to cloud SQL service with a specific name prefix
Organization policies
Organizational policies provide centralized control over all projects in an organization. They can be set on organizations, folders, and projects. You can configure constraints to implement restrictions on Google services. These restrictions will be applied to the specific resource at which it is applied and all its descendants. There are two types of constraints - lists and booleans
Sample usage of list constraint is to create a list of VMs restricted from having external IPs. Enabling and disabling features such as nested virtualization, serial port access, service account creation, etc are boolean constraints. You can also configure at each resource hierarchy node whether you want to inherit the policies from the parent node.
Difference between organization policies and IAM policies
Organization policies are used to define the "what" ie what restrictions you want to implement on your resources
IAM policies are focussed on the "Who", ie who is authorized to take specific actions on resources based on assigned permissions
0 comments:
Post a Comment