Security

Question 1

What service can be used to manage access to GCP resources?

Answer 1

Cloud Identity and Access Management (IAM)

Question 2

What are the 4 components that make up the IAM model?

Answer 2

1. Principals
2. Roles
3. Permissions
4. Policies

A principal is normally a Google Account (user) or Service Account (application) identified by an email address. A role is a collection of permissions. A permission is an operation that can be performmed on a resource. Permissions cannot be assigned to principals directly, they must be assigned to roles. A policy is a collection of one or more role bindings and is attached to a resource. Each role binding binds a role to one or more principals.

Question 3

What are the 3 different IAM role types?

Answer 3

1. Basic
2. Predefined
3. Custom

Basic roles are composed of: Viewer, Editor, and Owner. Viewer can only read, Editor can read and write, and Owner can read, write, control billing and access management (not recommended in production)

Predefined roles has over a 1000 distinct roles that can be chosen (recommended in production).

Custom roles allow you to customize the permissions that make up a role.

Question 4

Can Custom roles be applied at the folder level?

Answer 4

No

Question 5

What are the 6 types of Principals and what do they represent?

Answer 5

1. Google Account
2. Service Account
3. Google Group
4. Google Workspace
5. Google Identity
6. All Users

A Google Account represents a user . A Sevice Account represents an application. A Google Group represents a group of Google Accounts and Service Accounts. Google Workspace represents all of the users in an organization. Google Identity represents all of the users in an organization but without the productivity tools offered by Workspace. All Users represents anyone on the internet.

Keep in mind, only Google Accounts and Service Accounts have credentials that can be used for authentication when making a request to a resource. Google Group, Workspace, and Indentity are just convenient ways to manage access controls at scale.

Question 6

Are deny policies evaluated before or after allow policies? What are the implications?

Answer 6

Deny policies are evaluated before allow policies and are considered sticky. This means that a principal with a role containing a permission that was denied will not be able to perform that operation on a resource.

Question 7

In the context of the roles that have been granted to a service account, describe the relationship between the service account and the application that it is attached to.

Answer 7

An application that has a service account attached to it, will assume the roles of that service account.

Question 8

What are the 3 general ways for authenticating your application when makings requests to GCP resources?

Answer 8

1. ADC
2. Workload Identity Federation
3. User Managed RSA keys

Client libraries use ADC to locate credentials. ADC allows you to authenticate your application in different environments without having to change any code.

Workload Identity Federation allows external applications or applications in your GKE cluster to use IAM policies to access GCP resources. This allows them to use client libraries for authentication and thus, eliminating the need for RSA keys.

RSA keys can be a security risk if not managed properly and should only be used as a last resort.

Question 9

What are the 4 primary services offered by GCP to authenticate users?

Answer 9

1. OAuth 2.0
2. Firebase Authentication
3. Identity Platform
4. IAP

OAuth 2.0 is normally used if you need maximum control and are comfortable implementing your own logic.

Firebase Authentication is used whenever you need a managed authentication solution.

Identity Platform is more comprehensive than Firebase Authentication.

Identity-aware Proxy is an authentication and authorization service for internal users and eliminates the need of a VPN.

Question 10

When developing locally, how does Google recommend you authenticate your application when it needs to make requests to GCP resources?

Answer 10

Google recommends using the gcloud auth application-default login command. This places credentials in a well known location that is automatically accessible when using client libraries (ADC).

Remember, GKE is not used locally.

Question 11

When using GKE, how does Google recommend authenticating your applications?

Answer 11

Googler recommends using Workload Identity Federation for GKE.

Workload Identity Federation allows applications in your GKE cluster to use IAM policies to access GCP resources. This allows them to use client libraries for authentication and thus, eliminating the need for RSA keys.

Question 12

What is ADC?

Answer 12

Application Default Credentials is a strategy for finding credentials and making them available to Client Libraries for authentication.

Question 13

What are the 3 steps that ADC can take to locate credentials?

Answer 13

1. Searches the GOOGLE_APPLICATION_CREDENTIALS environment variable to see if it points to a credential file
2. Searches the well known location in your file system for a credential file in case the gcloud auth application-default login command was used
3. Automatically obtains credentials from a metadata server that is associated with the service account

Step 3 is the recommended way to obtain credentials in a production environment. step 1 and 2 can be used for development.

Question 14

What role are Default Service Accounts given?

Answer 14

Editor. This is important to remember since this type of role is not recommended in production.

Question 15

How often does Google recommend rotating keys?

Answer 15

Every 90 days

Question 16

What is Google Workspace?

Answer 16

Google Workspace is a suite of productivity tools for organizations. It’s the Google version of Office 365 for business.

Question 17

What is IAP?

Answer 17

Identity-Aware Proxy is an authentication and authorization service for internal users that replaces the need to implement a VPN.

Question 18

How does IAP work?

Answer 18

IAP is normally used with a Cloud Load Balancer. When a request comes in, the load balancer checks if IAP is enabled for the requested service. If IAP is enabled, the request is routed to IAP and it checks for the user’s credentials in the browser. If no credentials exist, IAP will require the user to perform Google sign-in. If credentials are valid, IAP will check the user’s IAM roles to determine if the user is authorized to access the requested service. If authorized, the request goes through.

Question 19

Can IAP be used with identity providers other than Google?

Answer 19

Yes. However, this will require integrating with Cloud Identity Platform.

Please view: https://cloud.google.com/iap/docs/enable-external-identities

Question 20

What is Secret Manager?

Answer 20

Secret Manager is a service for securly storing passwords, keys, certificates, and other sensitive data.

Question 21

What is federated identity?

Answer 21

Federated identity is the process of linking a user’s identity across multiple identityproviders. This allows users to move from system to system without logging in to each one. Federated identity is what makes SSO possible.

Question 22

What are the 4 components that makeup the OAuth 2.0 model and how does it work?

Answer 22

1. Resource Owner
2. Client
3. Authorization Server
4. Resource Server

The Client requests a token from the Authorization Server. The Authorization Server asks the Resource Owner to grant the client permission to access the resource. Once permission is granted, the Authorization Server provides the Client an access token. The Client then makes a request to the Resource Server with that access token to gain access to the resource.

Question 23

As a best practice, what should you set the user to when writing a Dockerfile?

Answer 23

You should set the user to a nonroot user. This will prevent the user from having system administration permissions when the container is executed.

Dockerfile:

FROM ...
...
...
USER nonroot

Question 24

What is Cloud Artifact Analysis?

Answer 24

Cloud Artifact Analysis is a service that automatically scans artifacts in Artifact registry for vulnerabilities. A report of vulnerabilities found are made available through an API.

Question 25

What is the syntax used to represent permissions?

Answer 25

<service>.<resource>.<verb>

For example:
compute.instances.delete

Question 26

When using Cloud Secret Manager, are secrets created at the project level?

Answer 26

Yes.

Question 27

What are the 4 different ways to access secrets stored in Cloud Secret Manager?

Answer 27

1. Cloud Console
2. glcoud CLI
3. Client libraries
4. Cloud Code

Question 28

What is the difference between an “end user” and “internal user” in GCP?

Answer 28

An end user is a user that does not belong to your organization. An internal user is a user that belongs to your organization.

Question 29

What is Cloud Software Delivery Shield?

Answer 29

Software Delivery Shield is Google’s recommended solution for securing your entire CI/CD pipeline. Essentially, you use the components that Google suggests, and in aggregate, the solution is called Software Delivery Shield.

Development components:
1. Cloud Workstations
2. Cloud Code

CI/CD components:
1. Assured OSS
2. Artifact Registry
3. Artifact Analysis
4. Cloud Build
5. Cloud Deploy
6. Binary Authorization
7. Cloud Run
8. GKE

Question 30

How many IAM allow policies can be attached to a resource?

Answer 30

1

Question 31

For how long are Identity Platform sessions valid?

Answer 31

1 hour

Question 32

Are Kubernetes Service Accounts different than IAM Service Accounts?

Answer 32

Yes

Question 33

Are IAM policies set at higher level resources inherited by lower level resources?

Answer 33

Yes

Question 34

Do lower level resources with allow IAM policies override the allow IAM policies inherited from higher level resources?

Answer 34

No

Question 35

What are the 2 possible “targets” of a firewall rule?

Answer 35

1. Tags
2. Service accounts

Question 36

What are “Service Agents”?

Answer 36

Service Agents are another term for Google-managed service accounts.

Question 37

If you are not sure if a service account is being used and needs to be deleted, what does Google recommend doing first?

Answer 37

You should first disable the service account to see what impact it has in your project. If it turns out you still need the service account, you can easily re-enabled the service account.

Question 38

Each instance has a unique JSON Web Token (JWT) that includes details about the instance as well as Google’s RS256 signature. Your applications can verify the signature against Google’s public Oauth2 certificates to confirm the identity of the instance with which they have established a connection.

Question 39

All VMs have basic process utilization data available when they are created. However, installing the Ops Agent provides deeper insights into VM behavior.

Question 40

When you define an autoscaling policy for your group, you specify one or more signals that the autoscaler uses to scale the group

Question 41

If you enable predictive autoscaling to optimize your MIG for availability, the autoscaler forecasts future load based on historical data and scales out a MIG in advance of predicted load, so that new instances are ready to serve when the load arrives.

Question 42

For what 2 services can Health Checks be created for?

Answer 42

1. Compute Engine Instance Groups
2. Load Balancers

Question 43

Google Cloud accounts for bandwidth per virtual machine (VM) instance, not per virtual network interface (vNIC) or IP address.Neither additional virtual network interfaces (vNICs) nor additional IP addresses per vNIC increase ingress or egress bandwidth for a VM. For example, a C3 VM with 22 vCPUs is limited to 23 Gbps total egress bandwidth. If you configure the C3 VM with two vNICs, the VM is still limited to 23 Gbps total egress bandwidth, not 23 Gbps bandwidth per vNIC.

Question 44

Outbound bandwidth includes packets emitted by all of the VM’s NICs and data transferred to all persistent disks connected to the VM.