Introduction Flashcards

1
Q

What is a Canonical Data Model (CDM)? When should we practice or apply a CDM?

A

A type of data model that aims to present data entities and relationships in the simplest possible form in order to integrate processes and systems.

Why? Improves processes and practices.

2
Q

What is the following term (IaaS)?

A

Infrastructure as a Service.

3
Q

What is the following term (PaaS)?

A

Platform as a Service.

4
Q

What is the following term (SaaS)?

A

Software as a Service.

5
Q

Why activate (MFA)?

A

Security for users within your system leveraging open source software in the GCP, enhancing security.

MFA requires more than one mechanism to authenticate a user. This secures user logins from attackers exploiting stolen or weak credentials. Default: not set.

Multi-Factor Authentication, step 2 in Best Practices for admins utilizing Google Cloud Platform.

6
Q

Define (IDaaS).

A

Cloud Identity is a standalone Identity as a Service.

IDaaS gives Google Cloud users access to many of the identity management features that the workspace provides.

A suite of secure cloud-native collaboration and production apps that can be enabled or disabled by user within the org and/or on GCP.

7
Q

Cloud identity management layer for (GCP).

A

Creates an Organizational node for your domain helping map the corporate structure and controls to GCP resources through resource hierarchy.

8
Q

What is Cloud Custodian on GCP?

A

A Cloud Security Posture Management (CSPM) tool. CSPM tools evaluate your cloud configuration and identify configuration mistakes.

Enables monitoring of cloud logs to detect threats and configuration changes.

9
Q

Why use GCP Service: Identity and Access Management (IAM)?

A

Enforces least-privilege access control to your cloud resources. Use IAM to restrict who is authenticated and authorized to use those resources.

10
Q

What is KMS (GCP) and why utilize it?

A

Google Cloud Key Management Services engine (KMS) requires (ADP) for managing encryption keys for other Google Cloud services that enterprises can use to implement cryptographic functions.

Vault Key Management Secrets engine provides distribution and lifecycle management features for cloud provider keys. (GCP CloudKeyMangServ).

KMS is also used for REST APIs that use a key to encrypt, decrypt or sign data, such as secrets for storage access and retrieval.

To create a key ring in the Cloud Console: in the key ring name field, enter the desired name for your key ring, then select the region zone location and create.

Manage cryptographic keys in the cloud as one would locally or on-premises.

11
Q

What are Personas?

A

The end-to-end scenario described earlier involves one persona:
- admin: a user with privileged permissions to configure secrets engines.

Prerequisites: Vault Enterprise with Advanced Data Protection Module, with a version greater than v1.9.0.

  • jQuery processor (jq) is required to pretty print JSON output.
12
Q

Describe jq capabilities and use cases.

A

jq is like sed for JSON data: use it to slice, filter, map and transform structured data with the same ease that sed, awk and grep let you work with text.

jq is written in portable C, and has zero runtime dependencies.

Download a single binary, scp it to a far away machine of the same type.

jq can mangle the data format you have into the one you need or want, with a shorter and simpler program.

13
Q

What is (HSM) and why use it?

A

Hardware Security Module (HSM).

14
Q

What is the strongest form of two-factor authentication?

- Give example… (SMS)=? (OTP)=?

A

Security Key Enforcement ensures that admins use Security Keys to log in rather than second factors like SMS or OTP.

Use physical keys, as they send an encrypted signature rather than a code so logins cannot be phished.

Code:
"""
gcloud organizations get-iam-policy ORGANIZATION_ID
"""

Afterwards, enable SKE for configuring backup security keys.

15
Q

How would you prevent the use of user-managed service account keys?

A

GCP-managed keys are used by Cloud Platform services, such as App Engine and Compute Engine.

Google holds the key and rotates it automatically every week.

User-managed keys can be easily compromised by common dev practices, e.g. within source code or the downloads directory.

List all service accounts in the CLI/terminal:
"""gcloud iam service-accounts list"""

16
Q

Define the Client - Server Model

A

The paradigm by which modern systems are designed, consisting of clients requesting data or service from servers.

Servers then provide data or service to clients.