Topics c9c663610a6c40459464016ed8086051.md

• Compute Engine VM
  • Metadata
  • OS Login
  • Shielded VM vs. Confidential VM
• Storage Buckets
  • Storage Bucket Signed URLs:
  • Signed Policy Documents:
  • Retention Policy:
  • Locking Buckets:
• GCloud reserved IP’s
• Labels, Tags and network tags
• Hybrid Connectivity Options
• Service Account
• Load balancers
  • Comparison Table

• Security Related Services
  • Organization Policies
    • Important ones
  • (IAM) Identity & Access Management
    • Some IAM policy services
  • Identity-Aware Proxy (IAP)
  • Sensitive data protection / Data loss prevention
  • Secret Manager
  • Cloud KMS
    • Envelope Encryption
  • Security Command Center
  • DNSSEC
    • Implementation Steps
    • Limitations and Requirements
    • Resources for Enabling DNSSEC
    • Record Set Types Enhanced by DNSSEC
• VPC Network
  • Shared VPC
  • VPC Peering
  • VPC Service Controls
  • Access Context manager
• Logging & Monitoring
  • VPC Flow Logs and Packet Mirroring
  • Audit logs
    • Types of Audit Logs
  • Log Query Language
  • Log Analysis in Big Query
• Secure CI/CD Pipeline
• Security Foundation: Blueprint
• Best Practices
  • Authentication
  • Firewall rule
  • Compute Engine
  • Cloud Storage
  • BigQuery
• Some important documents to read
• Random Points to remember + Protecting projects with liens

Compute Engine VM

Metadata

• startup-script-url
• startup-script
• enable-oslogin
• ssh-keys

OS Login

Google Cloud's OS Login is a service that simplifies SSH access management for your virtual machines (VMs) on Compute Engine. It eliminates the need for traditional SSH keys and relies on your existing Google Cloud identity and IAM permissions for secure access.

Shielded VM vs. Confidential VM

Feature/Aspect	Shielded VM	Confidential VM
Purpose	Enhance security and integrity of VMs	Provide additional privacy by encrypting data in use
Protection Mechanism	Uses secure boot, vTPM, integrity monitoring	Uses hardware-based Trusted Execution Environment (TEE) for encryption during processing
Use Case	Protect against boot-level and kernel-level malware; ensure VM integrity	Protect sensitive data during computation, ideal for confidential data processing
Encryption	Ensures integrity, does not encrypt in-use data	Encrypts data in use, along with at-rest and in-transit encryption
Key Components	- Secure Boot - vTPM - Integrity Monitoring	- AMD SEV (Secure Encrypted Virtualization) - Intel SGX (Software Guard Extensions)
Suitable For	- General VM workloads requiring enhanced security - Workloads needing protection against rootkits and bootkits	- Highly sensitive data processing - Workloads requiring confidentiality in multi-tenant environments
Performance Impact	Minimal, mostly dependent on additional security checks	Some performance overhead due to encryption during computation
Configuration	- Enable Shielded VMs in VM configuration - Use Shielded VM images	- Use Confidential VM images - Configure Confidential VMs during setup
Compliance	Helps meet security compliance for data integrity and protection	Enhances compliance for data privacy regulations like GDPR, HIPAA by protecting data during use
Availability	Broad availability across many VM types and regions	Limited to specific VM types and regions, growing support
Cost	Standard VM pricing, possibly slight increase for security features	Higher cost due to additional encryption overhead and specialized hardware requirements

Storage Buckets

Storage Bucket Signed URLs:

• Signed URLs provide secure and temporary access to objects in Cloud Storage.
• They are generated using cryptographic signatures and can grant time-limited access to specific resources.
• Useful for sharing private resources securely with external users or applications.

Signed Policy Documents:

• Signed policy documents allow clients to upload objects directly to a bucket with predefined conditions and permissions.
• Clients sign a policy document containing upload conditions (e.g., object name, content type) using their private key.
• Helps in delegating upload permissions without sharing credentials.

Retention Policy:

• A retention policy specifies how long objects must be retained in a bucket before they can be deleted.
• Immutable objects can't be modified or deleted until the retention period expires, ensuring data integrity and compliance.
• Useful for regulatory compliance, data governance, and preventing accidental deletion.

Locking Buckets:

• Bucket locking allows you to set retention policies that prevent the deletion of objects, even by project owners and administrators.
• Once locked, a bucket's retention policy can't be reduced, ensuring data immutability and compliance with legal requirements.
• Provides an extra layer of data protection against accidental or malicious deletion.

GCloud reserved IP’s

• Google Cloud health checking systems (130.211.0.0/22 and 35.191.0.0/16)
• Gcloud IAP service IP range ( 35.235.240.0/20 )

Labels, Tags and network tags

Network Tags:

• Purpose: Used for assigning firewall rules to GCP resources.
• Scope: Network-specific (applied to VMs within a VPC network).
• Management: Defined and assigned independently of labels or tags.

Labels:

• Purpose: Organize and identify resources for easier management and billing.
• Scope: Flexible, can be applied to various GCP resources.
• Definition: User-defined key-value pairs with arbitrary values.
• Functionality: Primarily for search and categorization within GCP projects.
• Billing: Can be used to identify resources for cost allocation.

Tags (GCP Tags):

• Purpose: Advanced resource management and access control.
• Scope: Can be applied to various GCP resources.
• Definition: Admin-defined key-value pairs with predefined value sets.
• Management: Created and managed by project admins.
• Functionality:
  • Used for IAM conditions to define granular access control policies for resources.
  • Can be leveraged for cost analysis based on tag values.

Hybrid Connectivity Options

Connection	Provides	Capacity	Requirements	Access Type
VPN tunnel	Encrypted tunnel to VPC networks through the public internet	1.5–3 Gbps per tunnel	Remote VPN gateway	Internal IP addresses
Dedicated Interconnect	Dedicated, direct connection to VPC networks	10 Gbps or 100 Gbps per link	Connection in colocation facility	Internal IP addresses
Partner Interconnect	Dedicated bandwidth, connection to VPC network through a service provider	50 Mbps – 50 Gbps per connection	Service provider	Internal IP addresses
Cross-Cloud Interconnect	Dedicated physical connection between VPC network and network hosted by service provider	10 Gbps or 100 Gbps per connection	Primary and redundant ports (Google Cloud and remote cloud service provider)	Internal IP addresses

Service Account

Google Managed Examples:

• Format PROJECT_NUMBER@cloudservices.gserviceaccount.com
• Compute Engine Default: PROJECT_NUMBER-compute@developer.gserviceaccount.com
• App engine: PROJECT_ID@appspot.gserviceaccount.com

Load balancers

Comparison Table

Load Balancer Type	Use Case	Supported Traffic	Scope	Key Features
HTTP(S) Load Balancer	Global web applications	HTTP(S)	Global	Global load balancing, SSL termination, CDN integration
SSL Proxy Load Balancer	SSL offloading	SSL	Global	SSL termination, global distribution
TCP Proxy Load Balancer	Non-HTTPS TCP traffic	TCP	Global	TCP traffic, SSL termination, global distribution
Network Load Balancer	Low latency, high throughput applications	TCP/UDP	Regional	Layer 4 load balancing, regional scope
Internal HTTP(S) Load Balancer	Internal web applications, microservices	HTTP(S)	Regional	Internal traffic within VPC, regional scope
Internal TCP/UDP Load Balancer	Internal TCP/UDP traffic balancing	TCP/UDP	Regional	Internal traffic within VPC, regional scope

Security Related Services

Organization Policies

Important ones

Sure, here is the list in the requested format:

• Disable Default Network Creation (constraints/compute.skipDefaultNetworkCreation)
• Disable External IP for Compute VM (constraints/compute.vmExternalIpAccess)
• Disable Public Access to Storage Buckets (constraints/storage.publicAccessPrevention)
• Disable Service Account Key Creation (constraints/iam.disableServiceAccountKeyCreation)
• Disable Host Project Deletion (constraints/resourcemanager.preventDeletion)

(IAM) Identity & Access Management

In the Cloud IAM world, permissions are represented in the form:

<service>.<resource>.<verb>

Example: iam.roles.create , pubsub.topics.publish

IAM Roles format examples: roles/iam.organizationRoleAdmin , roles/iam.securityReviewer

Some IAM policy services

• IAM Policy simulator
• IAM polciy analyzer
• IAM polciy troubleshooter
• IAM recommendar

Identity-Aware Proxy (IAP)

Identity-Aware Proxy (IAP) is a Google Cloud service that intercepts web requests, authenticates users via Google Identity Service, and authorizes access only to specified users. It can add authenticated user information to request headers.

Usage:

• Restrict access to selected users without changing application code.

• Access user identity in the app using headers:

  pythonCopy code
  user_email = request.headers.get('X-Goog-Authenticated-User-Email')
  user_id = request.headers.get('X-Goog-Authenticated-User-ID')

Clearing Cookies:

• To clear IAP login cookies, append /_gcp_iap/clear_login_cookie to your home page URL, e.g., https://iap-example-999999.appspot.com/_gcp_iap/clear_login_cookie.

Sensitive data protection / Data loss prevention

Data Loss Prevention (DLP) API to inspect, redact, and de-identify sensitive data in Google Cloud.

Google Cloud Platform (GCP) offers various Data Loss Prevention (DLP) techniques to safeguard sensitive information.

De-identification transformations:

• Redaction: Deletes all or part of a detected sensitive value.
• Replacement: Replaces a detected sensitive value with a specified surrogate value.
• Masking: Replaces a number of characters of a sensitive value with a specified surrogate character, such as a hash (#) or asterisk (*).
• Crypto-based tokenization: Encrypts the original sensitive data value using a cryptographic key. Sensitive Data Protection supports several types of tokenization, including transformations that can be reversed, or "re-identified."
• Bucketing: "Generalizes" a sensitive value by replacing it with a range of values. (For example, replacing a specific age with an age range, or temperatures with ranges corresponding to "Hot," "Medium," and "Cold.")
• Date shifting: Shifts sensitive date values by a random amount of time.
• Time extraction: Extracts or preserves specified portions of date and time values.

The DLP API provides fast, scalable classification and optional redaction for sensitive data elements like credit card numbers, names, social security numbers, passport numbers, and phone numbers. The API supports text and images – just send data to the API or specify data stored on your Cloud Storage, BigQuery, and Cloud Datastore instances.

Secret Manager

Secret Manager is a Google Cloud service for securely storing and managing sensitive information such as API keys, passwords, and certificates.

Roles Needed:

• Secret Manager Admin: roles/secretmanager.admin – Full control over secrets.
• Secret Manager Secret Accessor: roles/secretmanager.secretAccessor – Access secret payloads.
• Secret Manager Viewer: roles/secretmanager.viewer – View secret metadata.

Cloud KMS

Cloud Key Management Service (Cloud KMS) is a Google Cloud service that allows you to manage cryptographic keys for your cloud services.

Roles Needed:

• Key Management Admin: roles/cloudkms.admin – Full control over key rings and keys.
• Key Encrypter/Decrypter: roles/cloudkms.cryptoKeyEncrypterDecrypter – Encrypt and decrypt data.
• Key Viewer: roles/cloudkms.viewer – View key metadata but not the key material.

Key Types:

• Google-managed keys: Automatically managed by Google Cloud.
• Customer-supplied encryption keys (CSEK): Keys provided and managed by the customer, not stored in Cloud KMS.
• Customer-managed encryption keys (CMEK): Keys created and managed in Cloud KMS, giving customers more control over key lifecycle.

Key Rotation:

• Symmetric Keys: Support automatic key rotation.
• Asymmetric Keys: Do not support automatic key rotation.

Envelope Encryption

https://cloud.google.com/kms/docs/envelope-encryption

Security Command Center

Security Command Center (SCC) is a comprehensive security management and data risk platform for Google Cloud, providing visibility into your assets and their security state.

Key Features:

• Asset Inventory: Centralized inventory of your Google Cloud assets.
• Vulnerability Management: Identifies vulnerabilities in your environment.
• Threat Detection: Detects active threats within your environment.
• Compliance Monitoring: Monitors compliance with security policies and standards.

Built-in Services:

1. Event Threat Detection:
   • Real-time detection of security threats such as malware, cryptomining, and suspicious activity.
   • Uses Google's threat intelligence to identify threats.
2. Security Health Analytics:
   • Identifies misconfigurations and vulnerabilities in your cloud resources.
   • Provides actionable security insights to improve your security posture.
3. Container Threat Detection:
   • Detects threats and vulnerabilities in Google Kubernetes Engine (GKE) clusters.
   • Analyzes container runtime behavior for anomalies.
4. Web Security Scanner:
   • Scans web applications for common vulnerabilities, such as cross-site scripting (XSS) and mixed content.
   • Provides detailed reports on security issues.
5. Access Approval:
   • Requires explicit approval for Google Cloud administrative actions.
   • Enhances security by ensuring critical actions are authorized.
6. Security Health Analytics:
   • Continuously scans for vulnerabilities and compliance issues.
   • Identifies security misconfigurations and compliance violations.

DNSSEC

• DNSSEC Authenticity: Authenticates responses to domain name lookups.
• Protection: Prevents spoofing and poisoning attacks, but does not provide privacy protections.

Implementation Steps

1. DNS Zone Configuration
   • Enable DNSSEC for the zone in Cloud DNS.
   • Cloud DNS manages DNSSEC keys (DNSKEY records) and the signing of zone data with resource record digital signatures (RRSIG records).
2. TLD Registry Configuration
   • Add a DS(Delegation Signer) record in your TLD registry to authenticate DNSKEY records.
   • Activate DNSSEC at your domain registrar.
3. DNS Resolver Configuration
   • Use a DNS resolver that validates DNSSEC-signed domains.
   • Enable validation for individual systems or local caching resolvers.

Limitations and Requirements

• Registrar and Registry Support: Both must support DNSSEC for your TLD.
  • Check registrar and TLD registry DNSSEC support.
  • Consider transferring domains to a registrar that supports DNSSEC if necessary.

Resources for Enabling DNSSEC

• DNSSEC Documentation: Refer to your domain registrar and TLD registry documentation.
• Community Tutorials: Follow domain registrar-specific instructions from the Google Cloud community.
• ICANN List: Confirm DNSSEC support using the ICANN list of domain registrars.

Record Set Types Enhanced by DNSSEC

• CAA Records: Control which public CAs(certificate authority) can generate certificates for your domain.
• IPSECKEY Records: Enable opportunistic encryption through IPsec tunnels.
• SSHFP Records: Enable SSH client applications to validate SSH servers.

VPC Network

Shared VPC

Shared VPC in Google Cloud allows multiple projects to share a common Virtual Private Cloud (VPC) network, enabling centralized network administration. This setup involves a host project that owns the VPC network and service projects that utilize the shared network resources. By leveraging Shared VPC, organizations can streamline network management, enforce consistent security policies, and optimize resource usage across different teams or departments, while maintaining separate billing and access controls for each project.

VPC Peering

VPC Peering establishes a direct, private networking connection between two VPC networks, allowing instances in each VPC to communicate as if they were part of the same network. This connection is set up by configuring peering connections on both VPC networks, facilitating low-latency, high-bandwidth communication without requiring external IP addresses or VPNs. Importantly, VPC Peering is not transitive; if VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A and VPC C cannot communicate through the peering connections. VPC Peering is particularly useful for enabling private, internal communication between different projects or environments within Google Cloud, offering a cost-effective and straightforward solution for inter-network connectivity.

VPC Service Controls

VPC Service Controls enhance security for Google Cloud services by defining security perimeters around resources and controlling access based on these boundaries. These controls are implemented through service perimeters and access levels, which govern who can access the services within the defined perimeters. By using VPC Service Controls, organizations can significantly reduce the risk of data breaches and exfiltration, ensuring that sensitive data remains protected. This setup is akin to a firewall around VM instances, providing a robust security layer that controls and monitors data access to maintain data security and compliance with regulatory requirements.

Access Context manager

The Access Context Manager in Google Cloud provides fine-grained access control based on attributes like resource labels, device status, and user identity for enforcing security policies.

e.g. accessing service restricted by vpc service control to access wihtin a project and we want to access from outside of that project like from our computer through google console then we can create access context and then add it to vpc service control

Logging & Monitoring

VPC Flow Logs and Packet Mirroring

VPC Flow Logs and Packet Mirroring are two distinct features in Google Cloud that provide insights into network traffic. VPC Flow Logs capture metadata about network traffic flowing to and from network interfaces in your VPC, such as source and destination IP addresses, protocol, and port information. This data is useful for network monitoring, troubleshooting, and security analysis. Packet Mirroring, on the other hand, provides a deeper level of inspection by capturing the actual packets of network traffic, allowing for full packet capture and analysis. This feature is ideal for use cases requiring detailed packet-level insights, such as intrusion detection and forensic analysis. The main difference between the two is that VPC Flow Logs offer summary-level metadata, while Packet Mirroring provides the full packet data, enabling comprehensive traffic analysis.

Audit logs

Types of Audit Logs

1. Admin Activity Logs: Records administrative actions that modify resources (e.g., create, update, delete).
2. Data Access Logs: Tracks accesses to data within resources (e.g., reading data, API calls).
3. System Event Logs: Captures system events within GCP (e.g., VM restarts, service disruptions).
4. Policy Denied Logs: Logs events where access was denied due to policy restrictions.

roles/logging.viewer : read-only access to Admin Activity, Policy Denied, and System Event audit logs

roles/logging.privateLogViewer : access to all logs in the _Required and _Default buckets, including Data Access logs

Data access audit logs are disabled by default except the big query.

Log Query Language

resource.type="gce_subnetwork"
log_name="projects/<INSERT_PROJECT_ID>/logs/compute.googleapis.com%2Fvpc_flows"
### some filters
jsonPayload.connection.src_ip="Internal_IP_Of_default_us_vm"
jsonPayload.connection.dest_port=22
jsonPayload.connection.dest_port=(80 OR 22)
jsonPayload.connection.protocol=17 # udp

Log Analysis in Big Query

#standardSQL
SELECT
   jsonPayload.connection.dest_ip,
   resource
FROM
   `flowlogs_dataset.compute_googleapis_com_vpc_flows*` WHERE
   jsonPayload.connection.dest_port = 22
LIMIT 1000

Secure CI/CD Pipeline

Security Foundation: Blueprint

Best Practices

Authentication

• avoid managing permissions on an individual user basis where possible
• you should have no more than 3 org admins

Firewall rule

• Model of least privilege
• Minimize direct exposure to/from the internet (try to avoid using 0.0.0.0/0)
• Prevent ports and protocols form being exposed unnecessarily
• Firewall naming convention: {direction}-{allow/deny}-{service}-{to/from-location}
• Consider service account firewall rules instead of tag-based rules.

Compute Engine

• Control access to resources with projects and IAM.
• Isolate machines using multiple networks.
• Securely connect to Google Cloud networks using VPNs or Cloud Interconnect.
• Monitor and audit logs regularly.
• Only allow VMS to be created from approved images.
• Use the Trusted Images Policy to enforce which images can be used in your organization.
• Harden custom OS images to help reduce the surface of vulnerability for the instance.
• Keep your deployed Compute Engine instances updated.
• Run VMS using custom service accounts with appropriate roles.
• Avoid using the default service account.

Cloud Storage

• Don't use personally identifiable information (PII) in bucket names.
• Don't use PII in object names, because object names appear in URLs.
• Set default object ACLs on buckets.
• Use signed URLs to provide access for users with no account.
• Don't allow buckets to be publicly writable.
• Use lifecycle rules to remove sensitive data that is no longer needed.

BigQuery

• Use IAM roles to separate who can create and manage Datasets versus who can process the data.
  • Be careful when giving all authenticated users access to data.
• Use authorized views to restrict access to sensitive data:
  • Principle of least privilege.
• Use the expiration settings to remove unneeded tables and partitions.

Some important documents to read

• Identity Management for Google Cloud
• Identity management products and features
• Connecting to Google Cloud: your networking options explained
• Cloud Security Basics (Playlist)
• https://cloud.google.com/compliance?hl=en
• https://cloud.google.com/apigee?hl=en
• Configure Private Google Access for on premise

Random Points to remember

• The VPC network to which your on-premises network is connected must have appropriate routes for either the private.googleapis.com or restricted.googleapis.com destination IP ranges. Check Configure Private Google Access for on premise for more details.

Protecting projects with liens

In Google Cloud Platform (GCP), a lien is a mechanism that prevents the deletion of critical resources like projects, billing accounts, or folders. It acts as a safeguard to ensure that important resources are not accidentally or maliciously removed.

 Note that removing a lien requires the resourcemanager.projects.updateLiens permission, which is part of the roles/owner and roles/resourcemanager.lienModifier roles.