Google Cloud: Getting Started with Security (for Newbies)
Steps to get started with Security, and best practices:
Org and Projects:
- Create Organization
- Projects come under Organization
- Create a new Project
- A Project is an Isolated Environment
- Resources are created inside a Project (the equivalent of a Resource Group in Azure)
*****************************************************************
Identities:
- Create new Identities (Trust factor)
- Secure Identities
- Identities are used to access Resources and take Actions
- Google is your Identity Provider (IdP)
- You can also use your own IdP (Cloud or On-Prem)
- Policies are attached to Identities
*****************************************************************
Subjects (Identities):
- Create Users, Groups, Service Accounts
- Give Users access only to the Project(s) they need, and only to the Operations they need inside a Project
- Assign Roles (Permissions) -> to Users, Groups, Service Accounts
****************************************************************
IAM:
- Who can perform which Actions on which Resources?
- Role (permissions on Specific Resources)
- IAM Role = collection of Permissions
- Primitive Roles = OWNER, EDITOR, VIEWER
- Custom Roles can be built by combining roles (AdminRole = LogsRole + AppEngineRole)
- Custom Roles can also be built by removing permissions from a role (AdminRole = LogsRole - permissions)
- Policy = Binding between Role & (User or Groups or Service Accounts)
- Best practice: Grant Roles to Groups
*****************************************************************
Service Accounts:
- An SA belongs to a Project
- SA attributes: {Name, Member email ID, Role (permissions)}
- Any code running inside Google Cloud (VM, Containers, Pods, App Engine) can access Google APIs (actions) using SA keys
- We can assign an SA -> to a VM, a Pod, or any other Google Service/Resource
- Google Cloud also creates & manages some Service Accounts itself
- SA Types = Google-managed & User-managed Credentials
- With a User-managed SA, the User uses the SA Key to access GCP services
*****************************************************************
In Beta, coming soon: Resource-level IAM
- Set IAM Policies on individual GCP Resources
- Resources = VM, Images, PD, etc.
*****************************************************************
Private Beta, coming soon: Name Prefix condition & Conditional IAM
- Conditional IAM: who can do which Actions on what Resources, under what Condition
- Access is allowed only if the condition matches
- Location-based access to Resources (condition = location {CIDR IP range})
- Time-based access to Resources (condition = time (8 am to 11 am))
- Name Prefix condition: grant access based on a name prefix match
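The IAM model in these notes (Role = collection of Permissions, Policy = binding between Role and members, roles granted to Groups, Conditional IAM with location and time conditions) as a small added evaluator. This is example code written for these notes, not Google's; the role contents, group, policy, and the dict standing in for a CEL condition are all constructed.

```python
import ipaddress
# Constructed example: an IAM role is a collection of permissions. These are
# illustrative permission sets, not the real contents of the GCP roles.
ROLES = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list"},
    "roles/editor": {"compute.instances.get", "compute.instances.list",
                     "compute.instances.create"},
}
# Custom role derived by removing permissions (AdminRole = LogsRole - permissions).
ROLES["roles/custom.computeReader"] = ROLES["roles/editor"] - {"compute.instances.create"}

# Group membership (constructed). Best practice: bind roles to groups and
# manage membership, rather than editing the policy for each user.
GROUPS = {"group:ops@example.com": {"user:alice@example.com"}}

# Policy in the shape of a GCP IAM policy: bindings of a role to members,
# optionally with a condition. GCP writes conditions in CEL; a plain dict
# stands in for that here.
POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["group:ops@example.com"]},
    {"role": "roles/editor", "members": ["group:ops@example.com"],
     "condition": {"title": "office hours, from the office range",
                   "hours": (8, 11), "cidr": "203.0.113.0/24"}},
]}

def condition_holds(cond, request_hour, src_ip):
    """Time-based (hour window) and location-based (CIDR) conditions."""
    if cond is None:  # unconditional binding
        return True
    start, end = cond["hours"]
    if not start <= request_hour < end:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(cond["cidr"])

def principals_for(member):
    """A user acts as themselves and as every group they belong to."""
    return {member} | {g for g, users in GROUPS.items() if member in users}

def has_permission(policy, member, permission, request_hour, src_ip):
    """Who (member) may do which action (permission) under what condition."""
    identities = principals_for(member)
    for binding in policy["bindings"]:
        if not identities & set(binding["members"]):
            continue  # binding does not apply to this principal
        if permission not in ROLES.get(binding["role"], set()):
            continue  # role does not carry the requested permission
        if condition_holds(binding.get("condition"), request_hour, src_ip):
            return True
    return False  # deny by default
```

Alice gets `compute.instances.create` only during the 8-11 window and only from the 203.0.113.0/24 range, while the unconditional viewer binding grants her the list/get permissions from anywhere.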
*****************************************************************