Google Cloud Professional Cloud Security Engineer LATEST EDITION 2024/25 GUARANTEED GRADE A+
Resource Hierarchy
- Parent/Child Relationship structure
- Resembles a file system
- Top-down policy inheritance with policy controlled by IAM
- Each child object can only have one parent
- Org -> Folders (Optional) -> Projects -> Resources
Organization
- Root node
- Organization Admin Role created - Full power to edit any/all
resources
Notable Organization Roles
- Org. Policy Admin: Broad control over all cloud resources
- Project Creator: Fine-grained control of project creation
Folders (Optional)
- Grouping mechanism and isolation boundary; Grouping of other
folders and projects
- Used to model different legal entities, departments, and teams
within a company
Projects
- Core layer, required to do anything
- Basis for creating, enabling, and using all GCP services
Project Identifiers
- Project ID: Globally Unique; chosen by you; immutable
- Project Number: auto-created/read-only, doesn't have to be unique,
chosen by you, immutable
- Project Name: Globally unique, chosen by GCP, immutable
Resources
- Everything created on GCP
Policies
- Can be placed at all layers of the hierarchy
- Inheritance is transitive and permissive parents overrule
restrictive child policies
Constraints
- Type of restrictions against a GCP service or a list of GCP
services
- Applied at the organization level
- Inherited by all its children folders and projects
Cloud IAM
Lets you manage access controls by defining who can do what on which
resources
Google Account/Cloud Identity User (IAM)
Any email address that is associated with a Google account, including
gmail.com or other domains
Service Account (IAM)
- An account that belongs to your application instead of an
individual user
- Has no need for authentication
- Identified by its email address
Google Group (IAM)
A named collection of Google accounts/service accounts
GSuite Domain/Cloud Identity (IAM)
An organization domain name
allAuthenticatedUsers (IAM)
A special identifier that represents every authenticated GCP account
(except anonymous users)
allUsers (IAM)
A special identifier that represents everyone, including anonymous
users
Primitive Roles
Roles that existed prior to IAM (Owner, Editor, Viewer)
Predefined Roles
IAM roles that give finer-grained access control than primitive roles
Custom Roles
User-defined roles you create to tailor permissions to the specific
needs of your organization
Policies (IAM)
- Needed in order to grant roles
- A collection of statements that defines who has what type of access
- Attached to a resource to enforce access controls whenever the
resource is accessed
- Represented by an IAM policy object
Google-Managed Service Account
Represents different Google Services, automatically granted IAM roles
User-Managed Service Accounts
- Created for/by you; based on enabled APIs in project
Keys (IAM)
- Access managed by account keys
- Default SA account keys are managed by Google; Custom SAs can use
user-managed custom keys
- Google maintains copy of public key for verifications and the
public/private key pair is yours to manage
Scopes (IAM)
- Legacy method of granting permissions for default SAs on an
individual instance
- Grant per-instance permissions to other GCP resources via the
instance
Cloud Identity
Identity-as-a-Service; solutions for managing users, groups, and
security settings from a centralized location
Free Edition (Cloud Identity)
- Includes core identity and endpoint management services
- Provides free, managed Google accounts to users who don't need
Google Workspace management
Premium Edition (Cloud Identity)
- Enterprise security, application management, and device management
services
- Includes auto user provisioning, app allowlisting, and rules for
auto mobile device management
Single Sign-On (Cloud Identity)
SAML-based SSO via a third-party identity provider where Google acts
as the service provider (Google AD, LDAP using GCDS)
Multi-Factor Authentication (Cloud Identity)
Two-factor authentication; physical security key, Google prompt,
authenticator app, backup codes, text/call
Mobile Device Management (Cloud Identity)
- Enforce policies for personal/corporate devices
- Create whitelist of approved applications
- Require company-managed apps
Federate with On-Prem AD (Cloud Identity)
Cloud Identity maps (or federates) AD accounts to Cloud Identity
accounts
Google Cloud Directory Sync (Cloud Identity)
Syncs data in the Google domain with an AD or LDAP server; Google users,
groups, and shared contacts are synced to match
VPC Network
- Virtual version of a network (software-defined network) contained
in a project
- Provide connections between resources in GCP, segmented into
subnets
- Subnets are regional resources and can span multiple zones
VPC Routing
- Defines paths for packet ingress/egress
- Firewall rules control traffic in/out of a VPC
- Private Google access is an option for internal communication only
- Connect with on-prem through Interconnect or VPN
VPC Permissions
- Admin is secured through IAM
- VPC network administration is baked into Compute Engine IAM roles (CE Admin and CE
Network Admin)
VPC Limitations
- Network must have at least one subnet before you can use it
- VPC networks only support IPv4 unicast traffic
- No IPv6 traffic supported within the network
- IPv6 address supported for global load balancer
VPC Peering
Allows private connections across 2 VPC networks regardless of
whether or not they belong to the same project/organization
VPC Peering Restrictions
- A subnet CIDR range in one peered VPC cannot overlap with a static
route in another peered network
- Peering doesn't provide granular route controls to filter out which
subnet CIDR ranges are reachable
- Transitive peering is not supported
Shared VPC
Allows an organization to connect resources from multiple projects to
a common VPC network in order to communicate with the internal Google
network
Firewall Rules
- Allow/deny traffic to and from your VMs based on specific
configurations
- Always enforced
- Stateful
- Defined at the network (VPC) level but enforced at the instance
level
- 2 implied rules: allow egress (allow all outbound) and deny ingress
(deny all inbound)
Always Blocked Traffic
- GRE traffic
- Protocols other than TCP, UDP, ICMP, IPIP
- Egress on TCP 25 (SMTP)
Always Allowed Traffic
- DHCP
- DNS
- NTP
- Instance Metadata (169.254.169.254)
Network Tags
- Text attributes for CE instances
- Allow you to apply firewall rules/routes to specific instances/set
of instances