Google Professional-Cloud-Security-Engineer - Google Cloud Certified - Professional Cloud Security Engineer

Customer-Managed Encryption Keys (CMEK):

CMEK allows you to manage encryption keys using Cloud Key Management Service (KMS). This gives you control over the lifecycle of the keys, including rotation, destruction, and auditing.

Set up a Cloud KMS key ring and create encryption keys that will be used to protect your data in BigQuery, Cloud SQL, and Cloud Storage.

Configure the services to use CMEK for encrypting data at rest, ensuring compliance with your organization's security policies.

Cloud External Key Manager (EKM):

Cloud EKM allows you to use keys managed by an external key management provider to encrypt data in Google Cloud services.

Integrate your external key management system with Google Cloud using supported protocols and APIs.

Configure your data warehouse services to use the external keys for encryption, ensuring that key management is handled outside of the Google Cloud environment.

Key Access Justifications:

Enable Key Access Justifications to provide visibility into why encryption keys are being accessed. This helps in monitoring and auditing key usage to ensure compliance and security.

Set up policies and logging to capture and review key access requests, providing insights into how and why keys are used.

Access Transparency and Approval:

Implement Access Transparency to gain visibility into Google’s access to your data and encryption keys.

Configure Access Approval to require explicit approval for Google support or engineering access to your data, adding an additional layer of security and control.

Objective: Prevent users from creating projects while allowing only the DevOps team to create projects.

Solution: Modify IAM roles and permissions.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the IAM & Admin page.

Step 3: At the organizational level, find and remove all users from the Project Creator role.

Step 4: Create or identify a group for the DevOps team.

Step 5: Assign the Project Creator role to the DevOps team group at the organizational level.

By removing all users from the Project Creator role and granting it only to the DevOps team, you ensure that only the designated team can create projects.

To ensure that the developers can view audit logs for the development environment and the security team can review all logs, you should grant IAM roles at the appropriate resource levels:

Grant logging.admin Role to the Security Team:

Assign the logging.admin role to the security team at the organization resource level.

This grants the security team full access to all logging data across the organization, including both production and development environments.

Grant logging.viewer Role to the Developer Team:

Assign the logging.viewer role to the developer team at the folder resource level that contains all the development projects.

This restricts the developers' access to only view logs in the development environment, ensuring they do not have access to production logs.

By using these roles and assigning them at the appropriate levels, you ensure that each team has the access they need while adhering to the principle of least privilege.

IAM Roles for Cloud Logging

Resource Hierarchy in Google Cloud

To prepare for migrating Google Cloud projects to a new organization node, it's crucial to ensure that the projects' current configurations and dependencies are appropriately managed. The two necessary preparation steps are:

Identify inherited Identity and Access Management (IAM) roles on projects to be migrated (C):

Projects inherit IAM roles from their parent resources. Identifying these roles is essential to understand the permissions and access levels that users have on the projects. This will help in ensuring that after migration, the appropriate roles and permissions are applied correctly.

Remove the specific migration projects from any VPC Service Controls perimeters and bridges (E):

VPC Service Controls provide security boundaries around your Google Cloud resources to mitigate data exfiltration risks. Before migrating the projects, they need to be removed from any existing VPC Service Controls perimeters and bridges to prevent any disruption in access or network communication. After migration, the projects can be added back to the necessary perimeters.

References

Google Cloud IAM documentation

VPC Service Controls documentation

The problem describes an application with two Cloud Run services (Service A - frontend, Service B - backend) and requires setting up IAM with the principle of least privilege. Service A calls Service B.

Principle of Least Privilege: This principle dictates that each entity (in this case, a Cloud Run service) should only have the minimum permissions necessary to perform its function.

Separate Service Accounts for Separate Services: To adhere to the principle of least privilege, it's best practice to assign a unique service account to each distinct service or component. This ensures that a compromise of one service account does not grant excessive permissions across other services. Service A needs permissions to run itself and to invoke Service B. Service B only needs permissions to run itself.Extract Reference: "Assign a service account to a Cloud Run service. The service account acts as the identity for your service and determines what permissions your revisions have when executing requests. It is a best practice to grant each service account only the permissions that are required to run the specific service (principle of least privilege)." (Google Cloud documentation: https://cloud.google.com/run/docs/configuring/service-accounts)

Authentication for Cloud Run Services: When one Cloud Run service (caller) needs to invoke another Cloud Run service (callee), the caller must be authorized to do so. This is typically achieved by assigning the roles/run.invoker role on the callee service to the caller's service account.Extract Reference: "To allow a service to invoke another service, grant the roles/run.invoker role on the called service to the caller's service account." (Google Cloud documentation: https://cloud.google.com/run/docs/securing/service-to-service)

Let's evaluate the options:

A. Create a new service account with the permissions to run service A and service B. Require authentication for service B. Permit only the new service account to call the backend. This violates the principle of least privilege by giving a single service account permissions for both services. If that service account were compromised, both services would be affected.

B. Create two separate service accounts. Grant one service account the permissions to execute service A, and grant the other service account the permissions to execute service B. Require authentication for service B. Permit only the service account for service A to call the back-end. This aligns perfectly with least privilege. Service A gets its own identity, Service B gets its own identity. Service A's service account is then granted run.invoker permissions on Service B, allowing it to call the backend while Service B requires authentication. This is the recommended approach.

C. Use the Compute Engine default service account to run service A and service B. Require authentication for service B. Permit only the default service account to call the backend. The Compute Engine default service account often has broad permissions (e.g., editor role in its project). Using it violates the principle of least privilege and is generally discouraged for production applications due to the potential for excessive permissions.

D. Create three separate service accounts. Grant one service account the permissions to execute service A. Grant the second service account the permissions to run service B. Grant the third service account the permissions to communicate between both services A and B. Require authentication for service B. Call the back-end by authenticating with a service account key for the third service account. This introduces unnecessary complexity with a third service account just for communication. More critically, using a service account key for authentication is generally discouraged in Cloud Run environments where ADC (Application Default Credentials) can be used, as managing keys securely becomes an operational overhead and security risk. Cloud Run services automatically use their attached service accounts for authentication when making calls to other Google Cloud services, including other Cloud Run services.

Therefore, option B is the best solution, adhering to the principle of least privilege and Google Cloud best practices for Cloud Run service-to-service authentication.

To grant an IAM user access to HTTPS resources protected by Identity-Aware Proxy (IAP), you should assign the IAP-Secured Web App User role.

IAP-Secured Web App User (C):

This role grants the necessary permissions for a user to access web applications secured by IAP. It includes permissions to access the IAP-secured resources, ensuring that users can authenticate and gain the appropriate access based on the policies defined in IAP.

Assigning this role ensures that users have the right level of access to protected web resources, aligned with the security controls enforced by IAP.

References

Identity-Aware Proxy Documentation

IAP Roles and Permissions

Comprehensive and Detailed Explanation From Exact Extract:

To ensure servers do not have any direct communication with the public internet, they must be configured without a public IP address.

VPC and Private Subnet: A Virtual Private Cloud (VPC) network provides the isolated, internal network structure. A subnet is the logical partition within the VPC.

Private IP Address: Assigning only a private IP address to the database servers ensures they can only communicate internally within the VPC (or connected on-premises networks) and cannot directly connect to or be connected from the public internet.

Extracts:

"Resources in a VPC network can be assigned two types of IP addresses: internal (private) and external (public). If a VM is not assigned an external IP address, it can only communicate internally with other resources in the VPC network..." (Source 6.1)

Option A and C involve assigning a public IP address, which violates the "no direct communication with the public internet" rule. Option D uses NAT to provide outbound internet connectivity, which also violates the requirement.

For a client concerned about the control of their encryption keys and not wanting to store these keys within the same cloud service provider (CSP) as the data, the following solutions are suitable:

Customer-supplied encryption keys (A):

With customer-supplied encryption keys, clients manage their own encryption keys outside of Google Cloud and supply them to encrypt and decrypt data. This ensures that the keys are not stored in Google Cloud, providing full control over the key management process.

Cloud External Key Manager (D):

Cloud External Key Manager (EKM) allows clients to integrate an external key management system (KMS) with Google Cloud services. This setup enables the client to keep their encryption keys outside Google Cloud while still allowing the data to be encrypted and decrypted within Google Cloud services. This method offers an additional layer of security and control over the encryption keys.

These options provide robust solutions for clients requiring external key management and enhanced control over their encryption processes.

References

Customer-Supplied Encryption Keys

Cloud External Key Manager

Objective: Understand the security characteristics of VPC peering.

Security Characteristics:

Non-transitive Peering: VPC peering connections are non-transitive. This means that peering is strictly between two VPC networks. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot communicate with VPC C unless a direct peering connection is established.

Inter-Organization Peering: VPC peering allows you to connect VPC networks across different Google Cloud Platform organizations, facilitating private communication between distinct organizational units.

These characteristics ensure controlled and secure connectivity between VPC networks while preventing unintended data exposure.

Firewall Rule Analysis: Analyze the existing VPC firewall rules to identify any rules that might allow traffic between VM instances based on the same service account.

Priority Check: Check the priority of these rules. A rule with a priority lower than 1000 (such as 999) will take precedence over your tag-based rules.

Service Account Configuration: Since your VM instances are deployed without any service account customization, they are likely using the default service account. A firewall rule allowing traffic between instances using this default service account will override the tag-based rules if it has a higher priority.

Testing and Validation: Disable or adjust the priority of the rule with priority 999 to test if the tag-based segmentation works correctly. Validate that the traffic is segmented according to your intended configuration. References:

Google Cloud - VPC Firewall Rules

Google Cloud - Service Accounts