GCP IAM Flashcards

1
Q

What is IAM?

A

Who can do what on which resources. It is GCP’s identity and access management service.

2
Q

In GCP IAM what is a member?

A

A member (now called a principal) is the ‘who’: a person, a group, or a service account.
Service account = application access
People =
- Google account
- Google group
- Google Workspace (formerly G Suite) domain
- Cloud Identity domain

3
Q

Can a GCP IAM member be a Google account?

A

Yes

4
Q

Can a GCP IAM service account be a Google account?

A

No. A service account is an identity for an application or workload, not for a person.

5
Q

What is a Google account?

A

It represents a person interacting with Google. It can be a Gmail account or a non-Gmail email address associated with a Google account.

6
Q

What is a Google group?

A

It is a named collection of Google accounts (and service accounts), addressed by its group email. Granting a role to the group grants it to every member.

7
Q

What is a G Suite (Google Workspace) domain?

A

It is a virtual group of all the users in the domain. It cannot be used as an individual identity, but you can grant roles to it (e.g. domain:example.com) and every user in the domain receives them.

8
Q

In GCP IAM, what is the hierarchy structure?

A

Organization
Folders
Projects
Resources

9
Q

In GCP IAM, what is the main structure of IAM objects?

A

Permissions -> Roles -> Policies

10
Q

What is a GCP IAM permission?

A

It determines which operation is allowed on a type of resource, e.g. compute.instances.delete. Permissions are never granted on their own; they are bundled into roles such as roles/compute.instanceAdmin.v1.

11
Q

What is a GCP IAM role?

A

A role is a collection of permissions. It is a completely different concept from an AWS IAM role, which is an assumable identity.

12
Q

What is a GCP IAM policy?

A

It is the set of role bindings (role -> members) attached to a resource. It is where members are granted roles on that resource.

13
Q

When using GCP IAM, how can we think of IAM applied to an organization or one of its children?

A

Who
What they can do
Resources they can do it on

14
Q

How can we think of GCP IAM?

A

Members (who) are granted roles (bundles of permissions) on GCP resources (what they can act on).

15
Q

In GCP IAM what is a service account?

A

It is the identity a software application or workload uses when calling GCP APIs; the application authenticates as the service account instead of as a person.

16
Q

In GCP IAM what is the permission format?

A

service.resource.verb
compute.instances.delete

17
Q

In GCP IAM can you give me an example of a permission?

A

compute.instances.delete

18
Q

Can you assign a permission directly to a member?

A

No. Permissions are bundled into roles, and roles are granted to members.

19
Q

What is a GCP IAM primitive role?

A

The Owner, Editor and Viewer roles (now called basic roles), which existed before Cloud IAM. They are coarse-grained and project-wide in scope; they can be granted at the organization, folder or project level, and are inherited downward like any other role.

20
Q

What is a GCP IAM predefined role?

A

A Google-maintained role that provides granular access to a specific service (e.g. roles/appEngine.appAdmin) rather than to everything in a project.

21
Q

What is a GCP IAM custom role?

A

You can build a custom role with your own set of permissions.

22
Q

What will the GCP primitive role ‘Viewer’ allow you to do?

A

Read-only access: view resources but not modify them.

23
Q

What will the GCP primitive role ‘Editor’ allow you to do?

A

Everything Viewer can, plus create, modify and delete resources.

24
Q

What will the GCP primitive role ‘Owner’ allow you to do?

A

All Editor permissions and, in addition:
- Manage roles and permissions for the project and its resources
- Set up billing for the project

25
Q

Can a member/user be granted multiple roles?

A

Yes

26
Q

In GCP IAM, give an example of a predefined role?

A

roles/appEngine.appAdmin

27
Q

In the following GCP IAM role ‘roles/appEngine.appAdmin’, what will the role enable you to do?

A

This role grants full administrative permissions on App Engine applications, and nothing outside App Engine.

28
Q

What is a GCP IAM Policy?

A

A GCP IAM policy is a collection of role bindings attached to a resource. It is not the same as an AWS IAM policy, which is a document of allow/deny statements.

29
Q

If you set a policy at the organization level of GCP, will projects and resources inherit this policy?

A

Yes. The organization is the highest level, so all child resources inherit its policy; every resource inherits from its parent.

30
Q

If I grant admin access at the organization level and then grant fewer rights at the project or resource level, will the user have fewer rights or admin rights?

A

Admin rights. Roles granted on a parent are inherited by its children and cannot be taken away lower down; the effective policy is the union of the policies up the hierarchy.

31
Q

What are the 3 roles used in GCP IAM?

A

Primitive (basic), predefined and custom.

32
Q

What is a member?

A

People
- Google account
- Google group
- Cloud Identity domain
- G Suite (Google Workspace) domain

33
Q

What is a Role?

A

It is a collection of permissions.

34
Q

What is a permission?

A

It determines which operation is allowed on a resource; permissions are granted to members through roles.

35
Q

What is a Cloud Identity domain?

A

It is the Cloud Identity (or Google Workspace) domain associated with the organization, the root of the resource hierarchy. As a member it refers to every user in that domain.

36
Q

What is the format of a permission?

A

- service.resource.verb
- compute.instances.delete

37
Q

I need to assign a permission directly to a user, can I do this?

A

No. Permissions are assigned to roles, and roles are granted to users.

38
Q

What are the 3 GCP IAM role types?

A

- Primitive (basic)
- Predefined
- Custom

39
Q

What is a predefined GCP IAM role?

A

It is a Google-curated role that is more granular than a primitive role: it gives access to a specific service rather than to everything in a project.

40
Q

What is a primitive GCP IAM role?

A

It is the Owner, Viewer or Editor role: coarse-grained, with no per-service granularity.

41
Q

What is a GCP IAM custom role?

A

It is a role you create with your own set of permissions.

42
Q

What is a GCP IAM service account?

A

It is an identity attached to an application or workload (such as a VM) rather than to a person.

43
Q

What is a GCP IAM policy?

A

A policy is a collection of role bindings attached to a resource; each binding grants a role to one or more members.

44
Q

Can a parent policy overrule a child policy?

A

Parent grants always take effect on the children: nothing in a child policy can remove a role granted by the parent. The reverse is not true, a parent cannot remove what a child grants either; grants only ever add up.

45
Q

I have parent and child GCP IAM policies, which policy has the final say?

A

Neither. The effective policy is the union of the two. IAM allow policies contain no deny rules, so a parent cannot revoke what a child grants and a child cannot revoke what a parent grants. (Separate IAM Deny policies exist and are evaluated before allow policies, but they are a different construct.)

46
Q

Do child policies inherit from the parent?

A

Yes, 100%

47
Q

Can a more restrictive parent policy override permissions in a child policy?

A

No. A parent policy only adds permissions; it never subtracts any from a child. To restrict access, grant the narrower role lower down instead of the broad one higher up.

48
Q

What is a custom GCP role?

A

It is a role whose collection of permissions you define yourself.

49
Q

I need to give a group of users a set of permissions, what do I need to create?

A

Put the users in a Google Group, pick (or create) a role with the permissions they need, and add a binding for the group to the IAM policy of the resource.

50
Q

What is a GCP IAM Object?

A

Users, groups, service accounts, roles, policies and the resources they apply to are all IAM objects.

51
Q

Do all members of a role binding at the organization level have access to the resources allowed by the role?

A

Yes. A role granted at the organization level applies to every member in that binding, on every resource under the organization.

52
Q

I need to give everyone in my organization access to a resource, how can I enable this?

A

Grant a role (a predefined one, or a custom one with just the permissions needed) at the organization level; it is inherited by every folder, project and resource below.

53
Q

I need to give everyone in my organization access to a resource, how can I enable this?

A

Create a custom role with the set of permissions you need and grant it to the domain member (domain:your-domain) that is created automatically and refers to everyone in the organization.

54
Q

By default everyone can create projects in an organization. How can we change this so that only an admin can create projects?

A

Remove the default binding that grants roles/resourcemanager.projectCreator to the domain member at the organization level, then grant Project Creator only to the admins (or an admin group) who should create projects.

55
Q

What are the two types of GCP service accounts available?

A

- Google-managed
  - Represent Google services; created and granted the roles they need automatically
  - Usually invisible to the user
- User-managed
  - Created by you, or created automatically when you enable certain APIs (e.g. the Compute Engine default service account)
  - You manage their roles and any keys

56
Q

How is a user-managed service account authenticated by Google?

A

With a key pair, not an API key. The service account holds an RSA key pair and signs a JWT with the private key to obtain an access token. When the service account is attached to a resource such as a VM, the metadata server hands out short-lived tokens instead and no key file is needed.

57
Q

What is a service account?

A

A service account is a special Google account that belongs to your application or instance (VM). The application or the VM assumes the identity, so no user is involved.
- Service accounts can have zero or more key pairs to authenticate with Google.

58
Q

I need to read and write a file in a Cloud Storage bucket from the bash CLI on a Compute instance. How can I enable this access?

A

When you create an instance (VM) it is attached to a service account, by default the Compute Engine default service account. The instance obtains tokens for that service account from the metadata server, so the CLI on the VM acts as that identity. Access to the bucket requires both: an access scope on the instance that covers read/write to Cloud Storage, and an IAM role on the bucket or project that grants the storage permissions. Prefer a dedicated service account with only the needed role over the default one.

59
Q

Should I use primitive or predefined roles?

A

Use predefined roles where possible; they are granular, so you grant only the least access needed.

60
Q

When I build a microservice with two services (app components), should I give each one the same service account?

A

No. For least privilege, give each service its own service account with only the access it needs.

61
Q

Can a child policy overrule a parent policy?

A

No, a child policy cannot overrule a parent policy.

62
Q

When assigning service account scope, what should I be doing for least privilege?

A

Allow only the scopes (APIs) needed to perform the job. Scopes are a coarse, legacy control: the effective access is the intersection of the instance scopes and the service account’s IAM roles, so the role grants should carry the least privilege.

63
Q

What IAM role is needed to create a service account?

A

Service Account Admin (roles/iam.serviceAccountAdmin). Service Account Creator (roles/iam.serviceAccountCreator) is enough to create one but not to modify or delete it.

64
Q

What do I need to do regularly to ensure service account security is maintained for user managed keys?

A

Rotate the user-managed keys regularly, and delete keys that are no longer used.

65
Q

Do I need to rotate GCP managed service account keys?

A

No, Google rotates Google-managed keys automatically.
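Cards 55 to 57, 64 and 65 describe the two kinds of service account key and the rotation duty that comes with user-managed ones. The script below is an added example (not Google’s tooling) that turns those rules into a check. It reads key metadata in the shape that `gcloud iam service-accounts keys list --iam-account=<sa> --format=json` prints (name, keyType, keyAlgorithm, validAfterTime, validBeforeTime, optional disabled). The project, account and key IDs in the sample are constructed, and the 90-day maximum age is an assumed policy, not a Google default.

```python
"""Audit of service account keys: which user-managed keys need rotation or deletion.

Added example, not Google's tooling. Google-managed (SYSTEM_MANAGED) keys are
skipped because Google rotates them; only USER_MANAGED keys are your job.
"""
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of `gcloud iam service-accounts keys list --format=json`.
# The project, service account and key IDs are made up for this example.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example-prod/serviceAccounts/app@example-prod.iam.gserviceaccount.com/keys/0a1b2c",
   "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "2024-06-05T00:00:00Z"},
  {"name": "projects/example-prod/serviceAccounts/app@example-prod.iam.gserviceaccount.com/keys/c0ffee",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2023-11-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-prod/serviceAccounts/app@example-prod.iam.gserviceaccount.com/keys/beef01",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-prod/serviceAccounts/app@example-prod.iam.gserviceaccount.com/keys/dead01",
   "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
   "validAfterTime": "2022-01-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z",
   "disabled": true}
]
"""

# Assumed organisational policy: user-managed keys older than this must be rotated.
MAX_KEY_AGE = timedelta(days=90)


def parse_rfc3339(value):
    """Parse the Zulu timestamps the IAM API uses into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def key_id(name):
    """Last path element of projects/.../serviceAccounts/.../keys/<id>."""
    return name.rsplit("/", 1)[-1]


def audit_keys(keys, now, max_age=MAX_KEY_AGE):
    """Return a finding per user-managed key that is disabled (delete it) or
    older than max_age (rotate it). Google-managed keys are skipped."""
    findings = []
    for key in keys:
        if key["keyType"] == "SYSTEM_MANAGED":
            continue  # rotated by Google, nothing for us to do
        age_days = (now - parse_rfc3339(key["validAfterTime"])).days
        kid = key_id(key["name"])
        if key.get("disabled"):
            # A disabled key is still a credential on disk somewhere; remove it.
            findings.append({"key": kid, "age_days": age_days, "action": "delete"})
        elif age_days > max_age.days:
            findings.append({"key": kid, "age_days": age_days, "action": "rotate"})
    return findings


def audit_sample(now_rfc3339="2024-06-01T00:00:00Z"):
    """Run the audit over the constructed sample at a fixed point in time."""
    return audit_keys(json.loads(SAMPLE_KEYS_JSON), parse_rfc3339(now_rfc3339))


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['key']}: {finding['action']} (age {finding['age_days']} days)")
```

Rotation means creating a new key, moving the workload to it and then deleting the old one; a service account that accumulates keys has not been rotated, it has been duplicated. Where the workload runs on GCP, attaching the service account to the resource removes the need for any user-managed key at all.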

66
Q

Can you assign a policy to a folder?

A

Yes

67
Q

Are IAM Policies inherited down or up?

A

Down Org -> Folders -> Project -> Resource

68
Q

At the organization level, which role can change policies?

A

It depends on which policies are meant.
- IAM policies on the organization node are changed by anyone holding resourcemanager.organizations.setIamPolicy, which the Organization Administrator role (roles/resourcemanager.organizationAdmin) grants.
- Organization policies (constraints on how resources may be used) are a different construct. The Organization Policy Administrator role (roles/orgpolicy.policyAdmin) is required to set, change or delete them; users must hold it to change or override organization policies.

69
Q

What is the role of Organization policy administrator?

A

Managing organization policies: the constraints that restrict how resources in the organization may be configured and used.

70
Q

What can an owner do?

A

Everything an Editor can (deploy applications, modify code, configure services), plus:
- Manage members (invite, remove, change roles)
- Manage projects
- Set up billing for the project (link a billing account)
Managing the billing account itself (payment methods, budgets, who else may use it) is not included; that needs a Billing Account Administrator role.

71
Q

What can a editor do?

A

Deploy applications
Modify code
Configure services

72
Q

Can I use custom roles at the folder level?

A

No. Custom roles can only be created at the organization or project level, not at the folder level. An organization-level custom role can, however, be granted in a folder’s IAM policy.

73
Q

Can I apply different roles to a service account?

A

Yes. Grant it only the roles it needs, on the narrowest resource that works, so the service account can access only what is required.

74
Q

Can I deny access to a project resource through IAM when I have granted the permission at the organization level?

A

No. IAM allow policies cannot deny a permission lower in the hierarchy once it has been granted higher up. Either grant the permission at the lower level instead, or use a separate IAM Deny policy.
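Cards 29, 30, 44 to 47, 61 and 74 all turn on one rule: an IAM allow policy on a child can only add to what the parent granted, never subtract from it. Card 54 adds the practical consequence of a broad grant at the top (the default Project Creator binding for the whole domain). The script below is an added example, not Google’s code, that models that evaluation over three policy documents in the shape returned by `gcloud organizations get-iam-policy`, `gcloud resource-manager folders get-iam-policy` and `gcloud projects get-iam-policy` with `--format=json`. The organization, folder and project IDs, the domain and every principal in it are constructed for the example; group membership is not expanded, since that requires a Cloud Identity lookup.

```python
"""Model of how GCP IAM allow policies combine down the resource hierarchy.

Added example, not Google's code. Effective access on a resource is the union of
the bindings on that resource and on every ancestor; nothing lower down removes
a grant made higher up. The IDs, domain and principals below are constructed.
"""

# Constructed hierarchy: each resource maps to its parent (None for the organization).
HIERARCHY = {
    "organizations/123456789012": None,
    "folders/111111111111": "organizations/123456789012",
    "projects/example-prod": "folders/111111111111",
}

# Constructed allow policies, one per node, in get-iam-policy JSON shape.
POLICIES = {
    "organizations/123456789012": {"bindings": [
        # Default grant that lets everyone in the domain create projects (card 54).
        {"role": "roles/resourcemanager.projectCreator", "members": ["domain:example.com"]},
        {"role": "roles/compute.admin", "members": ["user:alice@example.com"]},
    ]},
    "folders/111111111111": {"bindings": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ]},
    "projects/example-prod": {"bindings": [
        # An attempt to "downgrade" alice at the project level. It only adds viewer;
        # it cannot remove the compute.admin she inherited from the organization.
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:app@example-prod.iam.gserviceaccount.com"]},
    ]},
}

PROJECT_CREATOR = "roles/resourcemanager.projectCreator"


def ancestry(resource, hierarchy=HIERARCHY):
    """Yield the resource, then its parent, and so on up to the organization."""
    while resource is not None:
        yield resource
        resource = hierarchy[resource]


def member_matches(binding_member, principal):
    """True if a binding member covers the principal.

    Exact matches, allUsers, allAuthenticatedUsers and domain: members are handled.
    Groups are not expanded, so a group only matches when the principal is the group.
    """
    if binding_member == principal or binding_member == "allUsers":
        return True
    kind, _, ident = principal.partition(":")
    if binding_member == "allAuthenticatedUsers":
        return kind in ("user", "serviceAccount", "group")
    if binding_member.startswith("domain:"):
        return kind == "user" and ident.endswith("@" + binding_member[len("domain:"):])
    return False


def effective_roles(resource, principal, policies=POLICIES, hierarchy=HIERARCHY):
    """Roles the principal holds on `resource`: the union over the resource and
    all of its ancestors. Allow policies never subtract, so a narrower grant on
    the child cannot remove a broader one inherited from above."""
    roles = set()
    for node in ancestry(resource, hierarchy):
        for binding in policies.get(node, {}).get("bindings", []):
            if any(member_matches(m, principal) for m in binding["members"]):
                roles.add(binding["role"])
    return roles


def domain_project_creators(policies=POLICIES):
    """Find 'everyone in the domain may create projects' grants as (resource, member)
    pairs. Removing these bindings and granting Project Creator to an admin group
    is the fix described in card 54."""
    hits = []
    for resource, policy in policies.items():
        for binding in policy.get("bindings", []):
            if binding["role"] == PROJECT_CREATOR:
                hits.extend((resource, m) for m in binding["members"] if m.startswith("domain:"))
    return hits


if __name__ == "__main__":
    print(sorted(effective_roles("projects/example-prod", "user:alice@example.com")))
    print(domain_project_creators())
```

Running it shows alice keeping roles/compute.admin on the project despite the viewer binding there, and bob@example.com, who appears in no binding by name, still able to create projects through the domain grant. The only way to give alice less on the project is to move the compute.admin binding down to the resources where she needs it.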

75
Q

I have an Owner role applied at the organization level, will the owner role have any effect?

A

Yes. Owner, like the other primitive (basic) roles, can be granted at the organization level and is then inherited by every folder, project and resource below it, which is usually far more access than intended. Grant it, if at all, as low in the hierarchy as possible.

76
Q

Should I use primitive or predefined roles?

A

I should use predefined roles where possible, as they are more granular.

77
Q

What is an organization policy used for?

A

- Centralize control to configure restrictions on how your organization’s resources can be used.
- Define and establish guardrails for your development teams to stay within compliance boundaries.
- Help project owners and their teams move quickly without worry of breaking compliance.

78
Q

Do descendant policies inherit from their parents?

A

Yes