Security Flashcards
What service can be used to manage access to GCP resources?
Cloud Identity and Access Management (IAM)
What are the 4 components that make up the IAM model?
- Principals
- Roles
- Permissions
- Policies
A principal is normally a Google Account (user) or Service Account (application) identified by an email address. A role is a collection of permissions. A permission is an operation that can be performed on a resource. Permissions cannot be assigned to principals directly; they must be assigned to roles. A policy is a collection of one or more role bindings and is attached to a resource. Each role binding binds a role to one or more principals.
What are the 3 different IAM role types?
- Basic
- Predefined
- Custom
Basic roles are composed of: Viewer, Editor, and Owner. Viewer can only read, Editor can read and write, and Owner can read, write, and control billing and access management (not recommended in production).
Predefined roles: there are over 1000 distinct predefined roles that can be chosen from (recommended in production).
Custom roles allow you to customize the permissions that make up a role.
Can Custom roles be applied at the folder level?
No
What are the 6 types of Principals and what do they represent?
- Google Account
- Service Account
- Google Group
- Google Workspace
- Google Identity
- All Users
A Google Account represents a user. A Service Account represents an application. A Google Group represents a group of Google Accounts and Service Accounts. Google Workspace represents all of the users in an organization. Google Identity represents all of the users in an organization but without the productivity tools offered by Workspace. All Users represents anyone on the internet.
Keep in mind, only Google Accounts and Service Accounts have credentials that can be used for authentication when making a request to a resource. Google Group, Workspace, and Identity are just convenient ways to manage access controls at scale.
Are deny policies evaluated before or after allow policies? What are the implications?
Deny policies are evaluated before allow policies and are considered sticky. This means that a principal with a role containing a permission that was denied will not be able to perform that operation on a resource.
In the context of the roles that have been granted to a service account, describe the relationship between the service account and the application that it is attached to.
An application that has a service account attached to it, will assume the roles of that service account.
What are the 3 general ways for authenticating your application when making requests to GCP resources?
- ADC
- Workload Identity Federation
- User Managed RSA keys
Client libraries use ADC to locate credentials. ADC allows you to authenticate your application in different environments without having to change any code.
Workload Identity Federation allows external applications or applications in your GKE cluster to use IAM policies to access GCP resources. This allows them to use client libraries for authentication, thus eliminating the need for RSA keys.
RSA keys can be a security risk if not managed properly and should only be used as a last resort.
What are the 4 primary services offered by GCP to authenticate users?
- OAuth 2.0
- Firebase Authentication
- Identity Platform
- IAP
OAuth 2.0 is normally used if you need maximum control and are comfortable implementing your own logic.
Firebase Authentication is used whenever you need a managed authentication solution.
Identity Platform is more comprehensive than Firebase Authentication.
Identity-aware Proxy is an authentication and authorization service for internal users and eliminates the need of a VPN.
When developing locally, how does Google recommend you authenticate your application when it needs to make requests to GCP resources?
Google recommends using the gcloud auth application-default login command. This places credentials in a well known location that is automatically accessible when using client libraries (ADC).
Remember, GKE is not used locally.
When using GKE, how does Google recommend authenticating your applications?
Google recommends using Workload Identity Federation for GKE.
Workload Identity Federation allows applications in your GKE cluster to use IAM policies to access GCP resources. This allows them to use client libraries for authentication, thus eliminating the need for RSA keys.
What is ADC?
Application Default Credentials is a strategy for finding credentials and making them available to Client Libraries for authentication.
What are the 3 steps that ADC can take to locate credentials?
- Searches the GOOGLE_APPLICATION_CREDENTIALS environment variable to see if it points to a credential file
- Searches the well known location in your file system for a credential file in case the gcloud auth application-default login command was used
- Automatically obtains credentials from a metadata server that is associated with the service account
Step 3 is the recommended way to obtain credentials in a production environment. Steps 1 and 2 can be used for development.
What role are Default Service Accounts given?
Editor. This is important to remember since this type of role is not recommended in production.
How often does Google recommend rotating keys?
Every 90 days
What is Google Workspace?
Google Workspace is a suite of productivity tools for organizations. It’s the Google version of Office 365 for business.
What is IAP?
Identity-Aware Proxy is an authentication and authorization service for internal users that replaces the need to implement a VPN.