Security on GCP Day 2

VMs without service accounts cannot run APIs.

Service accounts are a type of identity.

Virtual machine (VM) instances use service accounts to run API requests on your behalf.

Custom service accounts use "scopes" to control API access.

Always run critical VMs with default, scope-based service accounts.

Utilize projects and IAM roles to control access to your VMs.

Hardened custom images, once added to your Organization's resources, are then maintained by Google with automatic security patches and other updates.

Cloud Interconnect or Cloud VPN can be used to securely extend your data center network into Google Cloud projects.

Descendants of a targeted resource do not inherit the parent's Organization Policy.

Organization Policy Services allow centralized control for how your organization’s resources can be used.

To define an Organization Policy, you will choose and then define a constraint against either a Google Cloud service or a group of Google Cloud services.

Organization Policy Services are available at no cost to all Google Cloud Platform Customers

In most cases, you should use Access Control Lists (ACLs) instead of IAM permissions.

BigQuery data can be adequately secured using the default basic roles available in Google Cloud.

Do not use any personally identifiable information as object names.

One option to serve content securely to outside users is to use signed URLs.

It is always better to assign BigQuery roles to individuals as this will help to lower operational overhead.

A BigQuery Authorized View allows administrators to restrict users to viewing only subsets of a dataset.

Using IAM, you can grant users granular permissions to BigQuery tables, rows and columns.

BigQuery has its own list of assignable IAM roles.

Developers are commonly given a requirements document that clearly defines security requirements for the application.

Applications are the most common target of cyber attack.

"Injection Flaws" are the least frequently found application security issue.

Applications in general, including many web applications, do not need to properly protect sensitive user data.

Insecure logins.

Mixed HTTP and HTTPS content.

Outdated or insecure libraries.

Personalized data in object names.

User data in images.

In the form field

In the storage bucket

In the IAM console

In the endpoint configuration

True

False

Disable Workload Identity.

Restrict access between pods.

Upgrade your GKE infrastructure.

Use shielded GKE nodes.