Saturday, March 18, 2023

Google Professional Cloud Security Engineer Exam Prep notes - Part 4

 Google API Private Access

Private Google Access is configured at the subnet level and allows subnetworks to access GCP services privately. The resources in the subnet can access Google services without an external IP, for eg: Cloud storage, Youtube, etc. It offers better security as the exposure to outside networks is reduced, thereby minimizing the possibilities of data interception and attacks.

Google cloud service accounts

 These accounts are used for service-to-service authentication. For eg: an application in compute engine can use a service account to access a storage account 

Two types of service accounts - Google-managed service accounts & user-managed service accounts

In Google-managed service accounts, the private and public keys are managed by Google. Each key can be used for a max of two weeks. Private keys of google managed keys are never directly accessible and the platform itself manages the key rotation process

With user-managed keys, only public keys are stored in Google. users should manage the private key , keeping them secure and also for key rotation. For key rotation, you can create up to 10 user-managed service account keys per service

IAM policies and conditions

IAM policy can be considered as a statement of access permissions attached to a resource. Components of policy are a set of roles and role members. Resources inherit policies from the parent resource. Policies specific to a resource are a combination of parent policy and policies assigned to that resource. It is important to note that a least restrictive parent policy will override a more restrictive resource-specific policy. 

 IAM policies have role bindings that bind an IAM principle to a specific role. IAM conditions can be used to specify attribute-based access, ie either allow or deny access based on specific attributes and if the configured conditions are met. These conditions can either be resource or request-specific. For eg: allow access only to cloud SQL service with a specific name prefix

Organization policies 

Organizational policies provide centralized control over all projects in an organization. They can be set on organizations, folders, and projects. You can configure constraints to implement restrictions on Google services. These restrictions will be applied to the specific resource at which it is applied and all its descendants. There are two types of constraints - lists and booleans

Sample usage of list constraint is to create a list of VMs restricted from having external IPs. Enabling and disabling features such as nested virtualization, serial port access, service account creation, etc are boolean constraints. You can also configure at each resource hierarchy node whether you want to inherit the policies from the parent node. 

Difference between organization policies and IAM policies

Organization policies are used to define the "what" ie what restrictions you want to implement on your resources

IAM policies are focussed on the "Who", ie who is authorized to take specific actions on resources based on assigned permissions



Post a Comment

Total Pageviews

About Me

Cloud Solutions expert with 17+ years of experience in IT industry with expertise in Multi cloud technologies and solid background in Datacentre management & Virtualization. Versatile technocrat with experience in cloud technical presales, advisory, innovation , evangelisation and project delivery. Currently working with Google as Infra modernization specialist, enabling customers on their digital transformation journey . I enjoy sharing my experiences in my blog, but the opinions expressed in this blog are my own and does not represent those of people, institutions or organizations that I may be associated with in professional or personal capacity, unless explicitly stated.

Search This Blog

Powered by Blogger.