Security on GCP Day 1

Google Front End can detect when an attack is taking place and can drop or throttle traffic associated with that attack.

A single Google data center has many times the bandwidth of even a large DoS attack, enabling it to simply absorb the extra load.

Application-aware defense is not currently supported on Google Cloud, although support for this is planned in the very near future.

Cloud Identity can work with any domain name that is able to receive email.

Your organization must use Google Workspace services in order to use Cloud Identity.

You cannot use both Cloud Identity and Google Workspace services to manage your users across your domain.

A Google Workspace or Cloud Identity account can be associated with more than one Organization.

Help simplify provisioning and deprovisioning user accounts.

Completely replace an Active Directory or LDAP service.

Enable two-way data synchronization between Google Cloud and AD/LDAP accounts.

Enable SSO between Cloud Identity and GCP

Requiring 2-Step Verification (2SV) is only recommended for super-admin accounts.

You should have no more than three Organization admins.

Avoid managing permissions on an individual user basis where possible.

Organization Admins should never remove the default Organization-level permissions from users after account creation.

A policy is a collection of access statements attached to a resource.

An organization policy can only be applied to the organization node.

A less restrictive parent policy will not override a more restrictive child resource policy.

A Policy binding binds a list of members to a role.

You must use one of the 3 pre-configured “Google-managed profiles” to specify the level of compatibility appropriate for your application.

Google Cloud load balancers require, and will only accept, a Google-managed SSL Cert.

The Google-managed profile, COMPATIBLE, allows clients which support out-of-date SSL features.

If no SSL policy is set, the SSL policy is automatically set to the most constrained policy, which is RESTRICTED.

Org viewer, Project owner

Org viewer, Project viewer

Org admin, Project browser

Project owner, Network admin

Create a workload identity pool in your Google Cloud project and get short-lived Google Cloud access token

Create a service account key using the Google Cloud console to first establish the identity of the on premise server

Authenticate using the Google Cloud SDK from the on premise server to deliver keys to the application.

Assign a Google-managed service account to the HR app to have Google automatically deliver the credentials

A rule that allows all outbound connections

A rule that denies all inbound connections

A rule that blocks all inbound port 25 connections

A rule that blocks all outbound connections

A rule that allows all inbound port 80 connections

Create a Cloud Storage ACL that allows read-only access from the Compute Engine instance's IP address and allows the application to read from the bucket without credentials.

Use a service account with read-only access to the Cloud Storage bucket, and store the credentials to the service account in the config of the application on the Compute Engine instance.

Use a service account with read-only access to the Cloud Storage bucket to retrieve the credentials from the instance metadata.

Encrypt the data in the Cloud Storage bucket using Cloud KMS, and allow the application to decrypt the data with the KMS key.