Security Engineer Flashcards
What is a GKE network policy?
Firewall rules are a powerful security measure, and Kubernetes lets you define even finer-grained rules via Network Policies. Network Policies are used to limit intra-cluster communication. Network policies do not apply to pods attached to the host's network namespace.
How can you restrict traffic with a GKE network policy?
By pod label or namespace
How are IAM and Kubernetes RBAC different?
RBAC is used for restricting access within a GKE cluster. There are no deny rules, only allow rules. IAM operates at a higher level, at the node and project level. They are used in conjunction in GKE.
What can Binary Authorization do?
With Binary Authorization you can whitelist container registries, require images to be signed by trusted authorities, and centrally enforce those policies
What does the Titan security chip do?
Enables trusted server boot
Which logs allow you to see if Google has accessed your data?
Access Transparency Logs
What can be used for authentication for GCP resources?
Either Google Sign-in or SAML/OIDC
Which roles are added when creating an org?
Existing users are granted the project creator and billing account creator roles - remove these ASAP from people who don't need them
What is an org policy?
An org policy is a set of restrictions, defined by configuring a constraint, that is applied to the org node, a folder, or projects
What are audit logs?
They are logs that record project-level permission changes
What scope do firewall rules have?
Global within a VPC
What are the implied firewall rules?
Allow all outgoing traffic, block all incoming traffic
What additional rules does the default VPC allow?
The default VPC allows internal, SSH, RDP, and ICMP traffic
What VPC traffic is always blocked?
Email ports and non-standard protocols
What firewall rule can be set to prevent exposing ports and protocols unnecessarily?
Set a low-priority firewall rule that denies all ports/protocols
Does Private Google API access resolve to a public or private IP address?
It still resolves to a public IP address, but the traffic is all internal and private, and the subnet must still have a route to the default-internet-gateway set
What are the Forseti modules?
Inventory, Scanner, Enforcer, Explain, and Notifier
What does Forseti Inventory do?
Saves an inventory snapshot of your GCP resources to Cloud SQL
What does Forseti Scanner do?
Regularly compares role-based access policies for your GCP resources
What does Forseti Enforcer do?
Uses policies you create to compare the current state to the desired state
What does Forseti Explain do?
Provides visibility into your cloud IAM policies
What does Forseti Notifier do?
Provides the ability to send notifications of inventory summaries and violations
What controls what a Compute Engine VM can access?
The VM service account or scope (legacy). Scope is only used with the default service account.
What is the Compute Engine default service account?
It's a project editor, used by default when creating a VM unless you delete the service account or disable it with a policy
What does a GCE scope control?
It controls access to APIs when using the default service account.
How do you enable SSH to Linux VMs?
Add an SSH public key to project metadata to enable SSH access to all VMs, or to the VM's instance metadata directly. You can configure individual instances to NOT use project-wide keys.
How is data encrypted on GCP?
AES-256 with a key per storage block. The keys are then encrypted with AES-256 with a KEK.
What is the standard rotation schedule for KEKs?
90 days
What do customer managed keys allow you to do?
They allow you to manage the KEKs: generate keys, set rotation periods, and expire keys
Where are KEKs stored?
On Google KMS in a keyring. Each keyring can have multiple versions of a key.
What is a customer supplied key?
Google never stores your key; you must provide your own key when creating or using a storage resource
At what levels can you grant access to Cloud Storage with IAM?
Org, folder, project, or bucket level
What can ACLs be used for?
Granting access to objects and buckets
When should you use IAM vs ACLs for Cloud Storage access?
Usually use IAM rather than ACLs, unless you need really fine-grained access control on individual objects
What is a signed URL?
Allows access to Cloud Storage without adding a user to an ACL or IAM policy; the URL has a timeout
What is the other way to allow bucket upload without an ACL or IAM?
Signed policy documents specify what can be uploaded to a bucket with a form POST
At what level can you grant BQ access?
Org, folder, project, or dataset through IAM
How can you restrict access to only a subset of a dataset?
Create an authorized view and share that
How do you configure an authorized view?
Create a second dataset, add a restricted view to the second dataset with access permissions to the first dataset
What are the ways to reduce the likelihood or effects of a DDoS attack?
Load balancing, reduce the attack surface, restrict to internal traffic only, manage with APIs, offload to CDN, and use products that protect against DDoS
What is the Cloud Security Scanner?
It scans web applications in App Engine and Compute Engine for cross-site scripting, Flash injection, mixed content, clear-text passwords, and insecure JS libraries
What does it scan?
App Engine and Compute Engine - every link it finds except for specifically excluded ones. It can even log in with provided credentials.
Where should you run the scanner?
In a test environment because it can generate load and change state
What is Cloud Identity-Aware Proxy?
A proxy that controls access to App Engine, GCE, or GKE; it does both authn and authz
How does GCP protect against ransomware?
Automatically detects and blocks known attacks, scans files in Drive and G Suite tools
What is the DLP API?
Finds and redacts sensitive data in text and images
Which APIs can be used to detect inappropriate content?
DLP API, Vision API and Video Intelligence API
What does DNSSEC provide protection against?
Protects domains from spoofing and poisoning attacks
Which 3 places does DNSSEC need to be configured?
The DNS zone must serve special DNSSEC records to authenticate its content, the top-level domain registry must have a record to authenticate the DNSKEY records in your zone, and the client must use a DNS resolver that validates DNSSEC-signed domains