VMs without service accounts cannot run APIs.

Service accounts are a type of identity.

Virtual machine (VM) instances use service accounts to run API requests on your behalf.

Custom service accounts use "scopes" to control API access.

Always run critical VMs with default, scope-based service accounts.

Utilize projects and IAM roles to control access to your VMs.

Hardened custom images, once added to your Organization's resources, are then maintained by Google with automatic security patches and other updates.

Cloud Interconnect or Cloud VPN can be used to securely extend your data center network into Google Cloud projects.

Descendants of a targeted resource do not inherit the parent's Organization Policy.

Organization Policy Services allow centralized control for how your organization’s resources can be used.

To define an Organization Policy, you will choose and then define a constraint against either a Google Cloud service or a group of Google Cloud services.

Access can be granted to Cloud Storage at the organization, folder, project, or bucket levels.

It is possible to remove a permission from a lower level that was granted at a higher level.

Using IAM permissions alone gives you control over your projects and buckets, but does not give control over individual objects.

A user needs permission from both IAM or an ACL in order to access a bucket or object.

In most cases, you should use Access Control Lists (ACLs) instead of IAM permissions.

BigQuery data can be adequately secured using the default basic roles available in Google Cloud.

Do not use any personally identifiable information as object names.

One option to serve content securely to outside users is to use signed URLs.

It is always better to assign BigQuery roles to individuals as this will help to lower operational overhead.

A BigQuery Authorized View allows administrators to restrict users to viewing only subsets of a dataset.

Using IAM, you can grant users granular permissions to BigQuery tables, rows and columns.

BigQuery has its own list of assignable IAM roles.