Security Flashcards

1
Q

What service can be used to manage access to GCP resources?

A

Cloud Identity and Access Management (IAM)

2
Q

What are the 4 components that make up the IAM model?

A
  1. Principals
  2. Roles
  3. Permissions
  4. Policies

A principal is normally a Google Account (user) or Service Account (application) identified by an email address. A role is a collection of permissions. A permission is an operation that can be performed on a resource. Permissions cannot be assigned to principals directly; they must be assigned to roles. A policy is a collection of one or more role bindings and is attached to a resource. Each role binding binds a role to one or more principals.

3
Q

What are the 3 different IAM role types?

A
  1. Basic
  2. Predefined
  3. Custom

Basic roles are composed of: Viewer, Editor, and Owner. Viewer can only read, Editor can read and write, and Owner can read, write, control billing and manage access (not recommended in production).

Predefined roles offer over 1000 distinct roles to choose from (recommended in production).

Custom roles allow you to customize the permissions that make up a role.

4
Q

Can Custom roles be applied at the folder level?

A

No

5
Q

What are the 6 types of Principals and what do they represent?

A
  1. Google Account
  2. Service Account
  3. Google Group
  4. Google Workspace
  5. Google Identity
  6. All Users

A Google Account represents a user. A Service Account represents an application. A Google Group represents a group of Google Accounts and Service Accounts. Google Workspace represents all of the users in an organization. Google Identity represents all of the users in an organization but without the productivity tools offered by Workspace. All Users represents anyone on the internet.

Keep in mind, only Google Accounts and Service Accounts have credentials that can be used for authentication when making a request to a resource. Google Group, Workspace, and Identity are just convenient ways to manage access controls at scale.

6
Q

Are deny policies evaluated before or after allow policies? What are the implications?

A

Deny policies are evaluated before allow policies and are considered sticky. This means that a principal with a role containing a permission that was denied will not be able to perform that operation on a resource.

7
Q

In the context of the roles that have been granted to a service account, describe the relationship between the service account and the application that it is attached to.

A

An application that has a service account attached to it will assume the roles of that service account.

8
Q

What are the 3 general ways of authenticating your application when making requests to GCP resources?

A
  1. ADC
  2. Workload Identity Federation
  3. User Managed RSA keys

Client libraries use ADC to locate credentials. ADC allows you to authenticate your application in different environments without having to change any code.

Workload Identity Federation allows external applications or applications in your GKE cluster to use IAM policies to access GCP resources. This allows them to use client libraries for authentication and thus eliminates the need for RSA keys.

RSA keys can be a security risk if not managed properly and should only be used as a last resort.

9
Q

What are the 4 primary services offered by GCP to authenticate users?

A
  1. OAuth 2.0
  2. Firebase Authentication
  3. Identity Platform
  4. IAP

OAuth 2.0 is normally used if you need maximum control and are comfortable implementing your own logic.

Firebase Authentication is used whenever you need a managed authentication solution.

Identity Platform is more comprehensive than Firebase Authentication.

Identity-aware Proxy is an authentication and authorization service for internal users and eliminates the need of a VPN.

10
Q

When developing locally, how does Google recommend you authenticate your application when it needs to make requests to GCP resources?

A

Google recommends using the gcloud auth application-default login command. This places credentials in a well-known location that is automatically accessible when using client libraries (ADC).

Remember, GKE is not used locally.

11
Q

When using GKE, how does Google recommend authenticating your applications?

A

Google recommends using Workload Identity Federation for GKE.

Workload Identity Federation allows applications in your GKE cluster to use IAM policies to access GCP resources. This allows them to use client libraries for authentication and thus eliminates the need for RSA keys.

12
Q

What is ADC?

A

Application Default Credentials is a strategy for finding credentials and making them available to Client Libraries for authentication.

13
Q

What are the 3 steps that ADC can take to locate credentials?

A
  1. Checks whether the GOOGLE_APPLICATION_CREDENTIALS environment variable points to a credential file
  2. Searches the well-known location in your file system for a credential file, in case the gcloud auth application-default login command was used
  3. Automatically obtains credentials from the metadata server associated with the attached service account

Step 3 is the recommended way to obtain credentials in a production environment. Steps 1 and 2 can be used for development.

14
Q

What role are Default Service Accounts given?

A

Editor. This is important to remember since this type of role is not recommended in production.

15
Q

How often does Google recommend rotating keys?

A

Every 90 days

16
Q

What is Google Workspace?

A

Google Workspace is a suite of productivity tools for organizations. It’s the Google version of Office 365 for business.

17
Q

What is IAP?

A

Identity-Aware Proxy is an authentication and authorization service for internal users that replaces the need to implement a VPN.

18
Q

How does IAP work?

A

IAP is normally used with a Cloud Load Balancer. When a request comes in, the load balancer checks if IAP is enabled for the requested service. If IAP is enabled, the request is routed to IAP and it checks for the user’s credentials in the browser. If no credentials exist, IAP will require the user to perform Google sign-in. If credentials are valid, IAP will check the user’s IAM roles to determine if the user is authorized to access the requested service. If authorized, the request goes through.

19
Q

Can IAP be used with identity providers other than Google?

A

Yes. However, this will require integrating with Cloud Identity Platform.

Please view: https://cloud.google.com/iap/docs/enable-external-identities

20
Q

What is Secret Manager?

A

Secret Manager is a service for securely storing passwords, keys, certificates, and other sensitive data.

21
Q

What is federated identity?

A

Federated identity is the process of linking a user’s identity across multiple identity providers. This allows users to move from system to system without logging in to each one. Federated identity is what makes SSO possible.

22
Q

What are the 4 components that make up the OAuth 2.0 model and how does it work?

A
  1. Resource Owner
  2. Client
  3. Authorization Server
  4. Resource Server

The Client requests a token from the Authorization Server. The Authorization Server asks the Resource Owner to grant the client permission to access the resource. Once permission is granted, the Authorization Server provides the Client an access token. The Client then makes a request to the Resource Server with that access token to gain access to the resource.

23
Q

As a best practice, what should you set the user to when writing a Dockerfile?

A

You should set the user to a non-root user. This prevents the process from having system administration permissions when the container is executed.

Dockerfile:

  FROM ...
  ...
  ...
  USER nonroot

24
Q

What is Cloud Artifact Analysis?

A

Cloud Artifact Analysis is a service that automatically scans artifacts in Artifact Registry for vulnerabilities. A report of the vulnerabilities found is made available through an API.

25
Q

What is the syntax used to represent permissions?

A

<service>.<resource>.<verb>

For example:
compute.instances.delete

26
Q

When using Cloud Secret Manager, are secrets created at the project level?

A

Yes.

27
Q

What are the 4 different ways to access secrets stored in Cloud Secret Manager?

A
  1. Cloud Console
  2. gcloud CLI
  3. Client libraries
  4. Cloud Code

28
Q

What is the difference between an “end user” and “internal user” in GCP?

A

An end user is a user that does not belong to your organization. An internal user is a user that belongs to your organization.

29
Q

What is Cloud Software Delivery Shield?

A

Software Delivery Shield is Google’s recommended solution for securing your entire CI/CD pipeline. Essentially, you use the components that Google suggests, and in aggregate, the solution is called Software Delivery Shield.

Development components:
1. Cloud Workstations
2. Cloud Code

CI/CD components:
1. Assured OSS
2. Artifact Registry
3. Artifact Analysis
4. Cloud Build
5. Cloud Deploy
6. Binary Authorization
7. Cloud Run
8. GKE

30
Q

How many IAM allow policies can be attached to a resource?

A

1

31
Q

For how long are Identity Platform sessions valid?

A

1 hour

32
Q

Are Kubernetes Service Accounts different than IAM Service Accounts?

A

Yes

33
Q

Are IAM policies set at higher level resources inherited by lower level resources?

A

Yes

34
Q

Do lower level resources with allow IAM policies override the allow IAM policies inherited from higher level resources?

A

No

35
Q

What are the 2 possible “targets” of a firewall rule?

A
  1. Tags
  2. Service accounts

36
Q

What are “Service Agents”?

A

Service Agents are another term for Google-managed service accounts.

37
Q

If you are not sure if a service account is being used and needs to be deleted, what does Google recommend doing first?

A

You should first disable the service account to see what impact it has on your project. If it turns out you still need the service account, you can easily re-enable it.

38
Q

Each instance has a unique JSON Web Token (JWT) that includes details about the instance as well as Google’s RS256 signature. Your applications can verify the signature against Google’s public OAuth2 certificates to confirm the identity of the instance with which they have established a connection.

A
39
Q

All VMs have basic process utilization data available when they are created. However, installing the Ops Agent provides deeper insights into VM behavior.

A
40
Q

When you define an autoscaling policy for your group, you specify one or more signals that the autoscaler uses to scale the group.

A
41
Q

If you enable predictive autoscaling to optimize your MIG for availability, the autoscaler forecasts future load based on historical data and scales out a MIG in advance of predicted load, so that new instances are ready to serve when the load arrives.

A
42
Q

For what 2 services can health checks be created?

A
  1. Compute Engine Instance Groups
  2. Load Balancers

43
Q

Google Cloud accounts for bandwidth per virtual machine (VM) instance, not per virtual network interface (vNIC) or IP address. Neither additional virtual network interfaces (vNICs) nor additional IP addresses per vNIC increase ingress or egress bandwidth for a VM. For example, a C3 VM with 22 vCPUs is limited to 23 Gbps total egress bandwidth. If you configure the C3 VM with two vNICs, the VM is still limited to 23 Gbps total egress bandwidth, not 23 Gbps bandwidth per vNIC.

A
44
Q

Outbound bandwidth includes packets emitted by all of the VM’s NICs and data transferred to all persistent disks connected to the VM.

A