Navigating Google Cloud Security: Key Components, Roles, and Best Practices
Is this article for me?
If you are looking for answers to these questions, continue reading.
- What are various components of GCP security architecture?
- What is the overall hierarchy of GCP Security Components?
- What are Principal, Permission, Roles and Policies in GCP and how are they interconnected?
- Can you give examples of Permissions in GCP Security architecture?
- What are different types of resources available on GCP?
- Can you help me visualize organizations, folders and projects in GCP?
Question: What are various components of GCP security architecture?
Google Cloud Platform (GCP) has a complex security architecture that consists of various components. Here’s a list of key components and their hierarchy in GCP’s security model:
1. Identity and Access Management (IAM)
- User: An individual or service account that accesses GCP resources.
- Service Account: A special type of account that belongs to your application or a virtual machine (VM), rather than to an individual user.
- Role: Defines a set of permissions. Roles can be:
  - Primitive Roles: Basic roles (Owner, Editor, Viewer) applied at the project level.
  - Predefined Roles: Roles created by Google with a specific set of permissions for a GCP service.
  - Custom Roles: User-defined roles that contain a specific set of permissions.
- Policy: A binding of roles to users or service accounts at different resource levels (e.g., project, folder, or organization).
2. Resource Hierarchy
- Organization: The root node for GCP resources, representing your company or organization.
- Folders: Optional containers that can group projects for better organization and access control.
- Projects: The primary organizing entity for GCP resources. Each project has its own IAM policies, billing, and resources.
3. Security Controls
- VPC (Virtual Private Cloud): Defines a virtual network in GCP, which helps isolate resources and manage network security.
- Firewall Rules: Controls incoming and outgoing traffic to VM instances.
- Cloud Armor: Provides DDoS (Distributed Denial of Service) protection and web application firewall capabilities.
- Cloud Identity: A service that helps manage user identities and access to GCP services.
4. Data Security
- Encryption: GCP encrypts data at rest and in transit. Users can also manage their own encryption keys with Cloud Key Management Service (KMS).
- Cloud Storage: Offers options for data storage, including bucket-level permissions and lifecycle management.
- BigQuery: Has built-in security features, including access control and data encryption.
5. Monitoring and Auditing
- Cloud Audit Logs: Provides logs for admin activities, data access, and system events across GCP services.
- Cloud Security Command Center: A security management and data risk platform for GCP that provides visibility into your security posture.
6. Compliance and Governance
- Access Context Manager: Provides context-aware access controls based on user attributes and environment.
- Organization Policies: Allows you to set restrictions on how resources can be used within your organization.
Question: What is the overall hierarchy of GCP Security Components?
- Organization
  - Can contain multiple Folders
  - Each Folder can contain multiple Projects
- Project
  - Contains GCP resources (like VM instances, databases, etc.)
  - Has IAM policies associated with it (Users/Service Accounts with Roles)
- Roles and Policies
  - Roles define what users can do within a project, and policies govern the bindings of roles to users or service accounts.
Question: What are Principal, Permission, Roles and Policies in GCP and how are they interconnected?
In Google Cloud’s security architecture, “principals,” “policies,” and “roles” play key roles in the Identity and Access Management (IAM) system. Here’s how they fit in:
- Principals are entities that request access to resources in Google Cloud. A principal can be a user, group, service account, or even an application.
  - Types of principals:
    - Google Accounts: End-users with a Google identity (like Gmail).
    - Service Accounts: Special accounts used by applications or virtual machines.
    - Google Groups: A collection of Google accounts that can be treated as one.
    - Cloud Identity or G Suite accounts: Managed user accounts within an organization.
    - Workload Identity: Identities that can be mapped to external identities (e.g., Kubernetes).
- Permissions are fine-grained controls that define what actions a principal can perform on resources. Permissions are the building blocks of roles. For example, the “bigquery.tables.create” permission allows creating tables in BigQuery.
- Roles define what actions a principal can perform on a resource.
  - Types of roles:
    - Basic Roles: These include primitive roles like Owner, Editor, and Viewer.
    - Predefined Roles: Predefined sets of permissions for specific services (e.g., bigquery.user, storage.objectViewer).
    - Custom Roles: You can define custom roles with specific permissions tailored to the needs of your organization.
- Policies
  - Policies in GCP define which principals have which roles for a particular resource. IAM policies consist of bindings that associate roles with principals for resources.
  - Policies apply at different levels of the resource hierarchy:
    - Organization Level: Policies affect all resources within the organization.
    - Folder Level: Policies apply to a group of projects.
    - Project Level: Policies govern access to resources within a specific project.
    - Resource Level: Policies can be set for individual resources like Cloud Storage buckets or BigQuery datasets.
Hierarchy of these Security Components:
- Resources (e.g., projects, buckets, datasets)
- Policies (attached to resources, defining role bindings)
- Roles (define a set of permissions)
- Principals (users or service accounts that are granted a role).
Policies specify which roles (permissions) principals are assigned for specific resources.
Question: Can you give examples of Permissions in GCP Security architecture?
Google Cloud permissions are extensive, as they cover a wide array of services like Compute Engine, BigQuery, Cloud Storage, and many more. Each service has its own set of permissions. When creating custom roles, you can select permissions from the Google Cloud permissions list to define specific access for principals.
Below is an example list of some commonly used permissions across a few key Google Cloud services:
- Compute Engine (GCE)
  - compute.instances.create: Permission to create VM instances.
  - compute.instances.start: Permission to start a stopped instance.
  - compute.instances.delete: Permission to delete an instance.
  - compute.networks.update: Permission to update a network.
  - compute.disks.attach: Permission to attach a persistent disk to an instance.
- Cloud Storage
  - storage.buckets.create: Permission to create storage buckets.
  - storage.buckets.delete: Permission to delete buckets.
  - storage.objects.create: Permission to upload an object to a bucket.
  - storage.objects.get: Permission to read an object’s metadata or contents.
  - storage.objects.delete: Permission to delete an object in a bucket.
- BigQuery
  - bigquery.tables.create: Permission to create a new table in a dataset.
  - bigquery.tables.get: Permission to read metadata about a table.
  - bigquery.tables.update: Permission to update the schema or data of a table.
  - bigquery.jobs.create: Permission to submit a new query job.
  - bigquery.datasets.create: Permission to create a new dataset.
- Identity and Access Management (IAM)
  - iam.serviceAccounts.create: Permission to create a new service account.
  - iam.serviceAccounts.delete: Permission to delete a service account.
  - iam.roles.create: Permission to create a new custom role.
  - iam.roles.update: Permission to update an existing role.
  - iam.roles.list: Permission to list all roles in a project.
- Cloud Pub/Sub
  - pubsub.topics.create: Permission to create a new topic.
  - pubsub.subscriptions.create: Permission to create a new subscription.
  - pubsub.subscriptions.consume: Permission to receive messages from a subscription.
  - pubsub.topics.publish: Permission to publish messages to a topic.
- Cloud Functions
  - cloudfunctions.functions.create: Permission to create a new function.
  - cloudfunctions.functions.update: Permission to update an existing function.
  - cloudfunctions.functions.delete: Permission to delete a function.
- Kubernetes Engine (GKE)
  - container.clusters.create: Permission to create a new Kubernetes cluster.
  - container.clusters.update: Permission to update an existing cluster.
  - container.clusters.delete: Permission to delete a Kubernetes cluster.
- Cloud SQL
  - cloudsql.instances.create: Permission to create a new Cloud SQL instance.
  - cloudsql.instances.delete: Permission to delete a Cloud SQL instance.
  - cloudsql.instances.update: Permission to update an existing instance.
- Cloud Run
  - run.services.create: Permission to create a new service in Cloud Run.
  - run.services.update: Permission to update an existing service.
  - run.services.delete: Permission to delete a Cloud Run service.
- Cloud Logging
  - logging.logEntries.create: Permission to write log entries.
  - logging.logEntries.list: Permission to list log entries in a project.
  - logging.sinks.create: Permission to create a new log sink.
For a comprehensive list of all permissions across Google Cloud services, you can refer to the official Google Cloud Permissions Reference. This document provides detailed permission sets for each Google Cloud service, making it easy to search and apply the required permissions based on your needs.
Question: What are different types of resources available on GCP?
In Google Cloud, principals are granted roles, and therefore permissions, on resources. These resources are the objects or entities within a project or the cloud infrastructure that a principal (user, service account, etc.) can interact with. Below is a list of key resource types on which principals can be granted access in Google Cloud:
Compute and Storage Resources
- Compute Engine
  - Virtual Machines (VMs)
  - Disks
  - Snapshots
  - Images
- Google Kubernetes Engine (GKE)
  - Clusters
  - Nodes
  - Pods
  - Namespaces
- Cloud Storage
  - Buckets
  - Objects (files within buckets)
- Persistent Disks
  - Block storage for Compute Engine instances
- Cloud SQL
  - Instances (e.g., MySQL, PostgreSQL databases)
  - Databases
  - Users
- BigQuery
  - Datasets
  - Tables
  - Views
  - Jobs (queries)
- Cloud Spanner
  - Instances
  - Databases
  - Tables
- Firestore
  - Databases
  - Collections
  - Documents
Networking Resources
- VPC (Virtual Private Cloud)
  - Networks
  - Subnets
  - Firewalls
  - Routes
- Cloud Load Balancing
  - Load balancers (HTTP(S), TCP/UDP)
  - Backends (backend services, instance groups)
- Cloud DNS
  - Managed Zones
  - DNS Records
- Cloud NAT
  - NAT gateways for external access
- Cloud VPN
  - VPN gateways
  - Tunnels
Identity and Access Management (IAM) Resources
- IAM Policies
  - Define role bindings between principals and resources
- Service Accounts
  - Special accounts used by applications or VMs
- OAuth2 Credentials
  - API keys, OAuth client IDs, service account keys
Data Analytics Resources
- Bigtable
  - Instances
  - Clusters
  - Tables
- Dataproc
  - Clusters (for Hadoop/Spark)
- Dataflow
  - Jobs (streaming and batch data processing)
- Pub/Sub
  - Topics
  - Subscriptions
Artificial Intelligence and Machine Learning Resources
- AI Platform
  - Models
  - Jobs (training, prediction)
  - Notebooks
- Vertex AI
  - Datasets
  - Models
  - Endpoints
  - Pipelines
Security Resources
- Secret Manager
  - Secrets
  - Versions of secrets
- Cloud Identity
  - Users
  - Groups
- Cloud Key Management Service (KMS)
  - Key Rings
  - Keys
  - Key Versions
- Certificate Manager
  - SSL Certificates
Logging and Monitoring Resources
- Cloud Monitoring
  - Metrics
  - Dashboards
  - Alerts
- Cloud Logging
  - Logs
  - Log Sinks
  - Log-Based Metrics
APIs and API Management
- APIs
  - API Services (Cloud APIs like Vision API, Speech-to-Text API)
- API Gateway
  - Gateways for managing APIs
- Cloud Endpoints
  - Endpoints for APIs
DevOps and Automation Resources
- Cloud Functions
  - Functions (serverless code)
- Cloud Run
  - Services (containerized applications)
- App Engine
  - Applications
  - Versions
  - Instances
- Cloud Build
  - Builds (for CI/CD)
- Cloud Scheduler
  - Jobs (scheduled tasks)
Billing and Management
- Billing Accounts
  - Accounts and budgets
- Projects
  - Projects (organizational units)
  - Folders
Other Resources
- Recommender API
  - Recommendations for resources like Compute Engine and Cloud IAM
- Cloud Tasks
  - Task queues
Question: Can you help me visualize organizations, folders and projects in GCP?
Assume you are a bank, “IFDC Bank”, and you want to move to GCP. In a cloud environment, particularly in Google Cloud, organizing your resources properly is crucial to maintaining security, governance, and scalability; otherwise they can be misused, and such misuse can harm your customers’ savings or your infrastructure cost. Here’s an example structure for IFDC Bank moving to the cloud:
1. Organization
- Name: ifdc-bank
- The Organization is at the top of the hierarchy and represents the entire bank as an entity within Google Cloud. This is typically mapped to the domain or enterprise identity of your organization. For example, it could be tied to the domain ifdc-bank.com.
2. Folders
Folders can represent large functional areas, departments, or business units within the bank. Folders help in organizing projects and applying consistent access control and policies.
Examples:
- Folder Name: Retail-Banking
  - Contains all the resources and projects related to retail banking operations, such as customer accounts, savings, loans, etc.
- Folder Name: Corporate-Banking
  - Includes resources for corporate accounts, large loans, and institutional banking services.
- Folder Name: IT-Operations
  - Holds all resources related to internal IT operations, infrastructure, and support.
- Folder Name: Risk-Compliance
  - Focuses on resources related to financial risk assessment, regulatory compliance, fraud detection, and auditing.
- Folder Name: Analytics
  - Dedicated to advanced analytics and data processing, handling big data, business intelligence, and AI/ML models.
3. Projects
Projects are individual units where specific workloads or applications live. Each project is isolated from the others, has its own billing, and is subject to specific permissions and policies.
Examples of Projects:
- Retail Banking Folder:
  - Project Name: customer-account-management
    - Resources for managing retail customer accounts, transactions, and records.
  - Project Name: loan-processing
    - Resources and applications for processing retail loan applications.
- Corporate Banking Folder:
  - Project Name: corporate-loans
    - For managing loans to corporate clients, including large transactions and custom loan terms.
  - Project Name: institutional-accounts
    - Dedicated to managing high-value institutional banking clients.
- IT Operations Folder:
  - Project Name: cloud-infrastructure
    - Managing cloud resources like VMs, networks, storage, etc.
  - Project Name: devops-tools
    - Resources dedicated to CI/CD pipelines, automation, and operations.
- Risk & Compliance Folder:
  - Project Name: fraud-detection
    - Resources and tools for detecting and preventing fraudulent transactions.
  - Project Name: regulatory-reporting
    - Handling automated compliance reporting and auditing tools for regulatory bodies.
- Analytics Folder:
  - Project Name: customer-data-analytics
    - Resources for analyzing customer behavior, transaction data, and trends.
  - Project Name: ai-credit-scoring
    - AI/ML resources to build credit-scoring models using customer data.
Hierarchy Visualization:
Organization: ifdc-bank
├── Folder: Retail-Banking
│ ├── Project: customer-account-management
│ ├── Project: loan-processing
├── Folder: Corporate-Banking
│ ├── Project: corporate-loans
│ ├── Project: institutional-accounts
├── Folder: IT-Operations
│ ├── Project: cloud-infrastructure
│ ├── Project: devops-tools
├── Folder: Risk-Compliance
│ ├── Project: fraud-detection
│ ├── Project: regulatory-reporting
├── Folder: Analytics
│ ├── Project: customer-data-analytics
│ ├── Project: ai-credit-scoring
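As an added example (not code from the article), the following Python model ties the Principal, Role and Policy question to the IFDC Bank hierarchy above: a principal's effective roles are collected from the resource's own policy and from every ancestor's policy (bindings are additive), and each role then expands into its permissions. It models allow policies only (no deny policies, IAM conditions or group expansion), and the role contents, bindings and member names are constructed for illustration.

```python
# Added example, not code from the article: a toy model of how Google Cloud IAM
# resolves a principal's permissions. Allow policies only (no deny policies,
# no IAM conditions, no group expansion). Bindings, role contents and member
# names are constructed around the IFDC Bank hierarchy from the article.

# Resource hierarchy as child -> parent (None marks the organization root).
PARENT = {
    "organizations/ifdc-bank": None,
    "folders/Retail-Banking": "organizations/ifdc-bank",
    "projects/loan-processing": "folders/Retail-Banking",
    "projects/customer-account-management": "folders/Retail-Banking",
}

# Role -> permissions. Predefined entries are a small subset of the real roles; the custom role is hypothetical.
ROLES = {
    "roles/viewer": {"bigquery.tables.get", "storage.objects.get"},
    "roles/bigquery.user": {"bigquery.jobs.create", "bigquery.datasets.create"},
    "projects/loan-processing/roles/tableBuilder": {"bigquery.tables.create"},
}

# IAM policy per resource: bindings in the shape `gcloud ... get-iam-policy` prints.
POLICIES = {
    "organizations/ifdc-bank": [
        {"role": "roles/viewer", "members": ["group:auditors@ifdc-bank.com"]}],
    "folders/Retail-Banking": [
        {"role": "roles/bigquery.user", "members": ["user:alice@ifdc-bank.com"]}],
    "projects/loan-processing": [
        {"role": "projects/loan-processing/roles/tableBuilder",
         "members": ["user:alice@ifdc-bank.com"]}],
}


def ancestors(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_roles(resource, principal):
    """Roles bound to the principal on the resource or any ancestor (bindings are additive)."""
    return {b["role"] for node in ancestors(resource)
            for b in POLICIES.get(node, []) if principal in b["members"]}


def effective_permissions(resource, principal):
    """Expand every effective role into the permissions it carries."""
    return set().union(*(ROLES[r] for r in effective_roles(resource, principal)))


def has_permission(resource, principal, permission):
    """True if any effective role on the resource grants the permission."""
    return permission in effective_permissions(resource, principal)
```

Because the folder-level binding is inherited, alice keeps bigquery.jobs.create in every project under Retail-Banking, while the custom role granted on loan-processing alone does not reach the sibling project.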