You're reading from Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781835468869
Edition: 1st Edition
Authors (2):

Ankush Chowdhary

With an unwavering focus on technology spanning over two decades, Ankush remains genuinely dedicated to the ever-evolving realm of cybersecurity. Throughout his career, he has consistently upheld a deep commitment to assisting businesses on their journey towards modernization and embracing the digital age. His guidance has empowered numerous enterprises to prioritize and implement essential cybersecurity measures. He has had the privilege of being invited as a speaker at various global cybersecurity events, where he had the opportunity to share his insights and exert influence on key decision-makers concerning cloud security and policy matters. Driven by an authentic passion for education and mentorship, he derives immense satisfaction from guiding, teaching, and mentoring others within the intricate domain of cybersecurity. The intent behind writing this book has been a modest endeavor to achieve the same purpose.

Prashant Kulkarni

In his career, Prashant has worked directly with customers, helping them overcome different security challenges in various product areas. These experiences have made him passionate about continuous learning, especially in the fast-changing security landscape. Joining Google 4 years back, he expanded his knowledge of Cloud Security. He is thankful for the support of customers, the infosec community, and his peers that have sharpened his technical skills and improved his ability to explain complex security concepts in a user-friendly way. This book aims to share his experiences and insights, empowering readers to navigate the ever-evolving security landscape with confidence. In his free time, Prashant indulges in his passion for astronomy, marveling at the vastness and beauty of the universe.

Chapter 6: Google Cloud Identity and Access Management

In this chapter, we will explore Google Cloud Identity and Access Management (IAM), an essential service to comprehend for the exam. With IAM, you can authorize cloud services, and assign appropriate access to users and applications. Acquiring a good understanding of IAM is crucial to ensure that your cloud implementation follows the principle of least privilege, restricting access to only what is necessary.

In this chapter, we will cover the following topics:

  • Overview of IAM
  • IAM roles and permissions
  • Service accounts
  • IAM policy bindings
  • IAM conditions
  • Cloud Storage, IAM, and ACLs
  • Logging and IAM APIs

Overview of IAM

In the previous chapter, we discussed Cloud Identity and its role in authentication, user management, and device management in Google Cloud and Google Workspace. Now, let us explore IAM, which focuses on authorization in Google Cloud. Authorization is a key principle of cloud computing, addressing various requirements and ensuring secure access to resources. Some of the problems it solves are the following:

  • How do I grant access to people and workloads?
  • How do I provide time-bound access?
  • How do I create service accounts with the least privilege?
  • How do I enable services in a particular project but not others?
  • How do I grant just the right access to users?
  • How do I operate in multi-cloud environments?
  • How do I find over-provisioned access?
  • How do I troubleshoot access issues?

Figure 6.1 – IAM overview

In Figure 6.1, you can see how IAM works on the principle of who (identity) has what access...

Service accounts

Google Cloud service accounts are a critical part of the platform. A service account is a special type of account used by a cloud resource or workload rather than by a person. An application deployed on Compute Engine, App Engine, or GKE, or a workload such as Dataproc or Dataflow, uses a service account to make API calls. Using the service account as its identity, the application can access cloud resources (in the same or a different project) according to the roles that service account has been granted.

There are some main differences between a service account and a user account:

  • Service accounts cannot log in to the Google Cloud console the way a human user does.
  • A public/private RSA key pair is used to authenticate the service account and sign its API requests.
  • A service account can be impersonated by a human or another service account.
  • Service accounts are not visible in Cloud Identity because they belong to the Google Cloud managed domain. While service accounts can be added to a Google...

IAM policy bindings

In Google Cloud, access is managed through IAM policy bindings. An IAM policy is attached to a particular resource (remember, a resource can itself be a service account). An IAM policy contains a collection of role bindings, each of which associates a role with one or more principals.

Recall that a principal could be one or more of the following:

  • A Google account (a Gmail account is a form of Google account)
  • A service account
  • A Google group
  • A Google Workspace account
  • A Cloud Identity domain
  • All authenticated users
  • All users

IAM policy bindings (sometimes simply called bindings) associate a role with the principals, both on the resource that the policy is attached to and on all of that resource’s descendants (for example, a policy attached to a folder applies to all the resources underneath that folder).
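The inheritance rule above is easy to state and easy to get wrong in a review: a binding anywhere up the hierarchy adds access to every descendant, and nothing lower down can subtract it. The following toy evaluator is an added example (not code from the book or from Google's client libraries) that models allow policies attached at organization, project and bucket level and answers "who can do X on this resource". The resource names, principals and the role-to-permission table are constructed sample data; real IAM also has deny policies and conditions, which this model leaves out.

```python
"""Toy evaluator for IAM policy bindings with resource-hierarchy inheritance.

Added illustration, not code from the book or the google-cloud libraries.
Resource names, roles and principals are constructed; ROLE_PERMISSIONS is a
hand-written subset standing in for the real predefined roles.
"""
from dataclasses import dataclass, field

# Constructed: a few predefined roles and a subset of the permissions they carry.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "storage.buckets.get", "compute.instances.get"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs"},
}


@dataclass
class Binding:
    role: str
    members: set


@dataclass
class Policy:
    bindings: list = field(default_factory=list)


# Constructed resource hierarchy: child -> parent (None for the organization).
PARENT = {
    "organizations/987654321": None,
    "folders/acme-folder": "organizations/987654321",
    "projects/acme-project-id": "folders/acme-folder",
    "projects/acme-project-id/buckets/payroll": "projects/acme-project-id",
    "projects/acme-project-id/serviceAccounts/app-sa@acme-project-id.iam.gserviceaccount.com":
        "projects/acme-project-id",
}

# Constructed allow policies attached at different levels of the hierarchy.
POLICIES = {
    "organizations/987654321": Policy([
        Binding("roles/viewer", {"group:auditors@acme.example"})]),
    "projects/acme-project-id": Policy([
        Binding("roles/storage.objectViewer",
                {"serviceAccount:app-sa@acme-project-id.iam.gserviceaccount.com"})]),
    "projects/acme-project-id/buckets/payroll": Policy([
        Binding("roles/storage.objectAdmin", {"user:hr-lead@acme.example"})]),
}


def ancestry(resource):
    """Yield the resource and every ancestor up to the organization, most specific first."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def effective_bindings(resource):
    """Bindings that apply to a resource: its own policy plus every ancestor's.

    Inheritance is a union: a parent grant is never removed by a child policy.
    """
    return [b for r in ancestry(resource) for b in POLICIES.get(r, Policy()).bindings]


def has_permission(principal, permission, resource):
    """True if any effective binding for `principal` carries `permission`."""
    return any(permission in ROLE_PERMISSIONS.get(b.role, set())
               for b in effective_bindings(resource) if principal in b.members)


def principals_with_permission(permission, resource):
    """Who can do `permission` on `resource`? The question an access review asks."""
    return sorted({m for b in effective_bindings(resource)
                   if permission in ROLE_PERMISSIONS.get(b.role, set()) for m in b.members})


if __name__ == "__main__":
    bucket = "projects/acme-project-id/buckets/payroll"
    print(principals_with_permission("storage.objects.get", bucket))
```

Note that the auditors group can read the payroll bucket although no policy on the bucket or project mentions it: the organization-level `roles/viewer` grant flows down. Conversely the bucket-level `objectAdmin` grant does not flow up to the project, which is why `has_permission` for the HR lead is true on the bucket and false on the project.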

Policy structure

IAM policies consist of role definitions and additional details. A role binding determines the resources that can...

Tag-based access control

Tags are key-value pairs that can be attached to organizations, folders, or projects. They are an IAM construct and differ from labels and network tags. Tags follow an inheritance model, where a tag applied at the organization level is inherited by child objects, but this inheritance can be overridden if needed. Conditional IAM roles can be granted based on specific tags assigned to a resource.

In the resource hierarchy, tags are automatically inherited, but you can attach an additional tag to a resource to prevent it from inheriting a specific tag value. Essentially, each tag on an organization or folder sets a default value, which can be overridden by tags on lower-level resources such as folders or projects. Once tags are attached to a resource, you can define conditions to grant access based on those tags.
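Tag inheritance works differently from policy inheritance: for a given tag key the nearest value wins, so a folder can override the organization's default, and a conditional binding then either applies or not depending on that effective value. The model below is an added example (not from the book or Google's libraries) showing both halves: resolving a resource's effective tags up the hierarchy and evaluating a binding conditioned on one of them. Resource names, the `environment` tag key and its values are constructed; in real IAM the condition is written in CEL (for example with `resource.matchTag`), whereas here a small dict and a Python function stand in for it.

```python
"""Toy model of tag inheritance with override, and a tag-conditioned IAM binding.

Added example, not code from the book or Google's libraries. Resource names,
the tag key and values, and the binding are constructed sample data.
"""

# Constructed resource hierarchy: child -> parent (None for the organization).
PARENT = {
    "organizations/987654321": None,
    "folders/acme-folder": "organizations/987654321",
    "folders/acme-folder/folders/sandbox": "folders/acme-folder",
    "projects/acme-project-id": "folders/acme-folder",
    "projects/acme-sandbox-id": "folders/acme-folder/folders/sandbox",
}

# Constructed tag bindings: resource -> {tag key: tag value}.
# The organization sets a default; the sandbox folder overrides it for its subtree.
TAG_BINDINGS = {
    "organizations/987654321": {"environment": "prod"},
    "folders/acme-folder/folders/sandbox": {"environment": "dev"},
}


def ancestry(resource):
    """Yield the resource and each ancestor, most specific first."""
    while resource is not None:
        yield resource
        resource = PARENT.get(resource)


def effective_tags(resource):
    """Walk towards the organization; the first (nearest) value seen for a key wins."""
    tags = {}
    for r in ancestry(resource):
        for key, value in TAG_BINDINGS.get(r, {}).items():
            tags.setdefault(key, value)
    return tags


# Constructed conditional binding: developers get objectAdmin only where environment == dev.
CONDITIONAL_BINDING = {
    "role": "roles/storage.objectAdmin",
    "members": {"group:developers@acme.example"},
    # Stand-in for a CEL tag condition; the real one would be written with resource.matchTag.
    "condition": {"tag_key": "environment", "tag_value": "dev"},
}


def binding_applies(binding, resource):
    """An unconditional binding always applies; a tag condition checks the effective tag."""
    cond = binding.get("condition")
    if cond is None:
        return True
    return effective_tags(resource).get(cond["tag_key"]) == cond["tag_value"]


def granted_roles(principal, resource, bindings):
    """Roles `principal` holds on `resource` once conditions are evaluated."""
    return sorted(b["role"] for b in bindings
                  if principal in b["members"] and binding_applies(b, resource))


if __name__ == "__main__":
    for project in ("projects/acme-project-id", "projects/acme-sandbox-id"):
        print(project, effective_tags(project),
              granted_roles("group:developers@acme.example", project, [CONDITIONAL_BINDING]))
```

The same binding, attached once at the folder level, yields `objectAdmin` in the sandbox project and nothing in the production project, which is the point of tag-based conditions: one grant, scoped by where the resource sits and how it is tagged rather than by copying bindings per project.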

Tag structure

Here is how tags are structured in IAM:

  • A tag is a key and value pair.
  • A permanent ID, which is globally unique and...

Cloud Storage ACLs

Cloud Storage provides its own access control in addition to IAM. There are in fact two mechanisms: uniform access control through IAM alone, and the legacy fine-grained approach that uses ACLs. Object ACLs do not appear in the hierarchy of IAM policies, so be aware of how each of your Cloud Storage buckets is controlled. When evaluating who has access to one of your objects, check the object’s ACL in addition to your project- and bucket-level IAM policies. This can get very convoluted, so the recommendation is to use uniform access control through IAM in most cases.

Access Control Lists (ACLs)

You can use an ACL to determine who has access to your buckets and objects, as well as what level of access they have. ACLs are applied to specific buckets and objects in Cloud Storage. There are one or more entries in each ACL. An entry enables a certain user (or group) to carry out specific tasks. Each entry is made up of two...
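The practical consequence of the two mechanisms is that an access review of a bucket has to know which one is in force: under uniform bucket-level access only IAM counts, while on a fine-grained bucket an object ACL can grant reads that no IAM policy shows. The script below is an added example (not code from the book or the google-cloud-storage library) that computes an object's effective readers from a constructed inventory and flags objects an ACL exposes to `allUsers` or `allAuthenticatedUsers`. Bucket names, principals and ACL entries are constructed; the uniform bucket-level access setting is modelled as a boolean.

```python
"""Who can read a Cloud Storage object when both IAM and legacy ACLs exist?

Added example, not from the book or the google-cloud-storage library. The
inventory below is constructed. Note the two identifier formats: IAM members
look like "user:bob@acme.example", ACL entities like "user-bob@acme.example",
which is one reason mixed setups are hard to review by eye.
"""

# Roles whose permissions include reading objects (a hand-picked subset).
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin",
              "roles/storage.admin", "roles/viewer"}
# ACL roles that permit reading an object.
ACL_READ = {"READER", "OWNER"}

# Constructed inventory: one uniform-access bucket, one legacy fine-grained bucket.
BUCKETS = {
    "acme-uniform": {
        "uniform_bucket_level_access": True,
        "iam": [{"role": "roles/storage.objectViewer",
                 "members": {"group:analysts@acme.example"}}],
        # A stale public ACL left over from before uniform access was enabled; ignored.
        "objects": {"report.csv": {"acl": [{"entity": "allUsers", "role": "READER"}]}},
    },
    "acme-legacy": {
        "uniform_bucket_level_access": False,
        "iam": [{"role": "roles/storage.objectViewer",
                 "members": {"group:analysts@acme.example"}}],
        "objects": {
            "export.json": {"acl": [{"entity": "allUsers", "role": "READER"}]},
            "notes.txt": {"acl": [{"entity": "user-bob@acme.example", "role": "OWNER"}]},
        },
    },
}


def iam_readers(bucket):
    """Principals granted a read-capable role in the bucket's IAM policy."""
    return {m for b in bucket["iam"] if b["role"] in READ_ROLES for m in b["members"]}


def acl_readers(obj):
    """Entities granted read via the object's ACL."""
    return {e["entity"] for e in obj["acl"] if e["role"] in ACL_READ}


def object_readers(bucket_name, object_name):
    """Effective readers: IAM only under uniform access; IAM or object ACL otherwise."""
    bucket = BUCKETS[bucket_name]
    readers = iam_readers(bucket)
    if not bucket["uniform_bucket_level_access"]:
        readers |= acl_readers(bucket["objects"][object_name])
    return readers


def publicly_readable_objects():
    """Objects readable by everyone or by any Google-authenticated identity; review these first."""
    public = {"allUsers", "allAuthenticatedUsers"}
    return sorted(f"gs://{b}/{o}" for b in BUCKETS for o in BUCKETS[b]["objects"]
                  if object_readers(b, o) & public)


if __name__ == "__main__":
    print(publicly_readable_objects())
```

The uniform bucket carries a stale `allUsers` ACL entry that does nothing, while the same entry on the legacy bucket makes `export.json` world-readable; a review that only inspects IAM policies would miss the second case entirely.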

IAM APIs

IAM uses the following API endpoints (regular OAuth access tokens either for a user or service account can be used to access these APIs):

  • Policies (v2)
  • Roles (query and get/list)
  • Organizations roles
  • Permissions
  • Projects
    • IAM policies (linting and querying)
    • Workload identity pools, operations, and providers
    • Permissions
    • Roles
    • Service accounts
    • Service account keys
  • Service account credentials
  • Security token services

Finally, let us look at various log files for IAM APIs. You will often start with these logs to troubleshoot an access issue.

IAM logging

Google Cloud IAM writes audit logs and admin logs to help with questions such as “Who did what, where, and when?” These logs are vitally important for audit and forensic capabilities.

For information on Admin Activity and Data Access read audit logs, please check the Google Cloud product documentation.

IAM audit logs use one of the following resource types:

  • api: A request to list information about multiple IAM roles or policies
  • audited_resource: A request to exchange credentials for a Google access token
  • iam_role: An IAM custom role
  • service_account: An IAM service account, or a service account key

Log name

Let us assume project_id = acme-project-id, folder_id = acme-folder, billing_account_id = 123456, and organization_id = 987654321:

 projects/acme-project-id/logs/cloudaudit.googleapis.com%2Factivity
 projects/acme-project-id/logs/cloudaudit.googleapis.com%2Fdata_access
 projects/acme-project-id/logs/cloudaudit.googleapis...
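Answering "who did what, where, and when" means pulling a handful of fields out of each audit log entry, and the two changes a security team most wants alerted on in these logs are a role granted to a public principal and a new service account key (the RSA key pair mentioned in the service accounts section). The script below is an added example, not code from the book, that parses constructed sample entries in the shape of Cloud Audit Log records (JSON, one per line) and raises those two findings. The entries are constructed, not real log data; the `bindingDeltas` shape is the one Resource Manager uses for `SetIamPolicy` entries, and the resource types and log names match those given above.

```python
"""Parse Cloud Audit Log entries for IAM and flag risky changes.

Added example, not from the book. SAMPLE_LOG is constructed to resemble
Cloud Audit Log JSON (one record per line); the method names are real IAM
and Resource Manager method names, the principals and timestamps are made up.
"""
import json

SAMPLE_LOG = r'''
{"logName":"projects/acme-project-id/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2023-08-01T10:15:00Z","resource":{"type":"project"},"protoPayload":{"methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@acme.example"},"resourceName":"projects/acme-project-id","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/viewer","member":"allUsers"}]}}}}
{"logName":"projects/acme-project-id/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2023-08-01T10:20:00Z","resource":{"type":"service_account"},"protoPayload":{"methodName":"google.iam.admin.v1.CreateServiceAccountKey","authenticationInfo":{"principalEmail":"bob@acme.example"},"resourceName":"projects/-/serviceAccounts/app-sa@acme-project-id.iam.gserviceaccount.com"}}
{"logName":"projects/acme-project-id/logs/cloudaudit.googleapis.com%2Fdata_access","timestamp":"2023-08-01T10:25:00Z","resource":{"type":"api"},"protoPayload":{"methodName":"google.iam.admin.v1.ListRoles","authenticationInfo":{"principalEmail":"carol@acme.example"},"resourceName":"projects/acme-project-id"}}
'''

PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def parse_entries(text):
    """One JSON object per non-empty line, as exported audit logs are laid out."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def summarize(entry):
    """Who did what, where and when, from fields every audit log entry carries."""
    p = entry["protoPayload"]
    return {
        "when": entry["timestamp"],
        "who": p["authenticationInfo"]["principalEmail"],
        "what": p["methodName"],
        "where": p["resourceName"],
        # Last path segment of logName: activity vs data_access.
        "log": entry["logName"].rsplit("/", 1)[-1],
    }


def findings(entries):
    """Flag public IAM grants and new service account keys.

    Returns tuples (kind, who, where, role, member); role/member are None
    for the key-creation finding.
    """
    out = []
    for e in entries:
        s = summarize(e)
        p = e["protoPayload"]
        if s["what"] == "SetIamPolicy":
            deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for d in deltas:
                if d.get("action") == "ADD" and d.get("member") in PUBLIC_MEMBERS:
                    out.append(("public_grant", s["who"], s["where"], d["role"], d["member"]))
        elif s["what"].endswith("CreateServiceAccountKey"):
            out.append(("sa_key_created", s["who"], s["where"], None, None))
    return out


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_LOG):
        print(summarize(entry))
    for f in findings(parse_entries(SAMPLE_LOG)):
        print("FINDING", f)
```

The `ListRoles` entry lands in the `data_access` log and produces no finding: it is the read-only kind of call the page's `api` resource type describes, useful for reconstructing what someone looked at but not a change to alert on.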

Summary

In this chapter, we explored various powerful features of Cloud IAM, including principals, roles, IAM policies, and service accounts. We gained insights into effective service account key management and learned how to detect potential issues when keys are checked into Git. Additionally, we discovered the versatility of IAM conditions and adopted best practices for creating robust IAM policies. We also delved into Cloud Storage ACLs and their ability to provide fine-grained access control. Armed with this knowledge, you are now equipped to confidently set up IAM policies for any workloads in Google Cloud, troubleshoot access problems, and implement the recommended best practices we discussed. We even delved into advanced features such as IAM Policy Intelligence and WIF.

As we conclude this chapter on Google Cloud’s IAM features, the upcoming chapters will focus on exploring the robust network security capabilities of Google Cloud.

Further reading
