Google Cloud Professional Cloud Security Engineer LATEST EDITION 2024/25 GUARANTEED GRADE A+

Preview: 4 of 39 pages

  • 2 September 2024
  • 39 pages
  • 2024/2025
  • Exam (worked answers)
  • Questions and answers
  • Google Cloud Professional Cloud Security Engineer
Resource Hierarchy
- Parent/Child Relationship structure
- Resembles a file system
- Top-down policy inheritance with policy controlled by IAM
- Each child object can only have one parent
- Org -> Folders (Optional) -> Projects -> Resources
Organization
- Root node
- Organization Admin role: full power to edit any/all
resources in the organization
Notable Organization Roles
- Org. Policy Admin: defines and manages organization policies
(constraints) across the whole hierarchy
- Project Creator: lets a principal create projects; grant it at the
organization or folder level to control who may create projects where
Folders (Optional)
- Grouping mechanism and isolation boundary; Grouping of other
folders and projects
- Used to model different legal entities, departments, and teams
within a company
Projects
- Core layer, required to do anything
- Basis for creating, enabling, and using all GCP services
Project Identifiers
- Project ID: globally unique; chosen by you at creation; immutable
- Project Number: globally unique; auto-assigned by Google; read-only,
immutable
- Project Name: human-readable label; chosen by you; need not be
unique; can be changed
Resources
- Everything created on GCP
Policies
- Can be placed at all layers of the hierarchy
- Inheritance is transitive: the effective IAM policy on a resource is
the union of the policy set on it and the policies of all its
ancestors, so a role granted at a parent cannot be taken away by a more
restrictive policy on a child (remove access where it was granted)
Constraints
- Types of restriction applied to a GCP service or list of services via
the Organization Policy Service (e.g.,
constraints/compute.vmExternalIpAccess)
- Set at the organization, folder, or project level
- Inherited by all descendant folders and projects unless a descendant
sets its own policy for that constraint
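
The two inheritance rules in the Policies and Constraints entries behave differently, and the difference matters when you try to "lock down" a project. The model below is an added example (not from the study notes and not Google's code): IAM bindings accumulate as a union up the chain, while a boolean organization-policy constraint is decided by the nearest explicit setting. The node names, bindings and the constraint values are constructed; the role and constraint identifiers follow Google Cloud's real naming scheme.

```python
"""Resource hierarchy with top-down inheritance, contrasting IAM allow
policies (union of ancestors, cannot be narrowed below) with organization
policy constraints (nearest explicit setting wins).

Added example, not part of the study notes. Node names, bindings and the
constraint value are constructed; role and constraint identifiers follow
Google Cloud's real naming scheme.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional, Set


@dataclass
class Node:
    """One node of Org -> Folder -> Project -> Resource; at most one parent each."""
    name: str
    parent: Optional["Node"] = None
    # IAM bindings set directly on this node: {role: {member, ...}}
    bindings: Dict[str, Set[str]] = field(default_factory=dict)
    # Boolean org-policy constraints set directly here: {constraint_id: enforced}
    org_policies: Dict[str, bool] = field(default_factory=dict)

    def ancestors(self) -> Iterator["Node"]:
        """Yield self, then parent, grandparent, ... up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_bindings(node: Node) -> Dict[str, Set[str]]:
    """IAM inheritance is a union: a role granted anywhere up the chain applies here.

    Because it is a union, a child cannot revoke what a parent grants; the only
    way to remove access is to delete the binding where it was set.
    """
    effective: Dict[str, Set[str]] = {}
    for n in node.ancestors():
        for role, members in n.bindings.items():
            effective.setdefault(role, set()).update(members)
    return effective


def effective_constraint(node: Node, constraint_id: str) -> bool:
    """Boolean org-policy constraint: the nearest explicit policy on the path
    to the root decides; with no policy anywhere it is not enforced."""
    for n in node.ancestors():
        if constraint_id in n.org_policies:
            return n.org_policies[constraint_id]
    return False


EXTERNAL_IP = "constraints/compute.vmExternalIpAccess"  # real constraint id


def build_example_hierarchy() -> Dict[str, Node]:
    """Constructed org -> folder -> two projects -> one bucket resource."""
    org = Node("organizations/123456789")
    org.bindings = {
        "roles/resourcemanager.organizationAdmin": {"user:ceo@example.com"},
        "roles/viewer": {"group:auditors@example.com"},
    }
    org.org_policies = {EXTERNAL_IP: True}  # no VM may get an external IP

    finance = Node("folders/finance", parent=org)
    prod = Node("projects/fin-prod", parent=finance)
    prod.bindings = {"roles/owner": {"user:alice@example.com"}}
    # Granting nothing to the auditors here does NOT remove their org-level view.

    sandbox = Node("projects/fin-sandbox", parent=finance)
    sandbox.org_policies = {EXTERNAL_IP: False}  # project-level override

    ledger = Node("buckets/fin-prod-ledger", parent=prod)
    return {"org": org, "finance": finance, "prod": prod,
            "sandbox": sandbox, "ledger": ledger}


if __name__ == "__main__":
    h = build_example_hierarchy()
    for role, members in sorted(effective_bindings(h["ledger"]).items()):
        print(role, sorted(members))
    print("external IPs blocked in prod:", effective_constraint(h["prod"], EXTERNAL_IP))
    print("external IPs blocked in sandbox:", effective_constraint(h["sandbox"], EXTERNAL_IP))
```

The practical consequence: an auditor group granted Viewer at the organization can read the ledger bucket no matter what the project's own policy says, whereas the sandbox project can switch the external-IP constraint off for itself. Review org-level grants and project-level constraint overrides as two separate audits.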

Cloud IAM
Lets you manage access controls by defining who can do what on which
resources
Google Account/Cloud Identity User (IAM)
Any email address that is associated with a Google account, including
gmail.com or other domains
Service Account (IAM)
- An account that belongs to your application instead of an
individual user
- Cannot sign in interactively (no password); authenticates with a
key pair, or implicitly when attached to a resource such as a VM
- Identified by its email address
Google Group (IAM)
A named collection of Google accounts/service accounts
Google Workspace (formerly G Suite) Domain/Cloud Identity (IAM)
An organization's domain name; as a member it stands for every account
in that domain
allAuthenticatedUsers (IAM)
A special identifier that represents any authenticated Google account
(excludes anonymous users); still effectively public, since anyone can
create a Google account
allUsers (IAM)
A special identifier that represents everyone, including anonymous
users
Primitive Roles (now called Basic Roles)
Roles that existed prior to IAM (Owner, Editor, Viewer); very broad,
so avoid them in production in favour of predefined or custom roles
Predefined Roles
IAM roles that give finer-grained access control than primitive roles
Custom Roles
User-defined roles you create to tailor permissions to the specific
needs of your organization
Policies (IAM)
- Needed in order to grant roles
- A collection of statements that defines who has what type of access
- Attached to a resource to enforce access control whenever the
resource is accessed
- Represented by an IAM policy object
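
The member types and role kinds above only become concrete when you evaluate a policy object for a given caller. The code below is an added example (not from the notes and not Google's IAM engine): it resolves "who can do what" for a user, service account, group member, domain member, anonymous caller and the two special identifiers, and includes the audit check a practitioner runs first, which is to look for allUsers/allAuthenticatedUsers bindings. The role-to-permission table is a trimmed illustration (real roles carry many more permissions); the policy, group directory and principals are constructed.

```python
"""Resolve 'who can do what on which resource' from an IAM allow-policy
object, covering every member type listed above (user, service account,
group, domain, allAuthenticatedUsers, allUsers) and the three role kinds.

Added example, not from the notes. The role -> permission table is a
trimmed illustration; the policy, group directory and principals are
constructed.
"""
from typing import Dict, List, Optional, Set

# Basic (formerly primitive), predefined and custom roles all reduce to a
# set of permissions. Only a few permissions are listed for illustration.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list"},               # basic
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"}, # predefined
    "roles/storage.objectCreator": {"storage.objects.create"},                    # predefined
    # custom role; the real name form is projects/<project-id>/roles/<role-id>
    "projects/fin-prod/roles/ledgerAuditor": {"storage.objects.get", "storage.buckets.get"},
}

# Constructed group directory (IAM expands groups at evaluation time).
GROUPS: Dict[str, Set[str]] = {
    "group:auditors@example.com": {"user:carol@example.com"},
}

# Constructed policy in the shape returned by getIamPolicy.
POLICY = {
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": ["group:auditors@example.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:ingest@fin-prod.iam.gserviceaccount.com"]},
        {"role": "projects/fin-prod/roles/ledgerAuditor", "members": ["domain:example.com"]},
        # The dangerous binding: allUsers exposes the objects to the whole internet.
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ]
}


def member_matches(binding_member: str, principal: Optional[str]) -> bool:
    """Does a binding member cover this principal? principal=None is an anonymous caller."""
    if binding_member == "allUsers":
        return True                                   # everyone, including anonymous
    if principal is None:
        return False                                  # nothing else covers anonymous
    if binding_member == "allAuthenticatedUsers":
        return True                                   # any authenticated Google account
    if binding_member == principal:
        return True
    if binding_member.startswith("group:"):
        return principal in GROUPS.get(binding_member, set())
    if binding_member.startswith("domain:"):
        domain = binding_member.split(":", 1)[1]
        return principal.startswith("user:") and principal.endswith("@" + domain)
    return False


def granted_permissions(policy: dict, principal: Optional[str]) -> Set[str]:
    """Union of the permissions of every role whose binding covers the principal."""
    perms: Set[str] = set()
    for binding in policy["bindings"]:
        if any(member_matches(m, principal) for m in binding["members"]):
            perms |= ROLE_PERMISSIONS.get(binding["role"], set())
    return perms


def has_permission(policy: dict, principal: Optional[str], permission: str) -> bool:
    return permission in granted_permissions(policy, principal)


def public_bindings(policy: dict) -> List[str]:
    """Audit check: roles handed to allUsers or allAuthenticatedUsers."""
    return [b["role"] for b in policy["bindings"]
            if set(b["members"]) & {"allUsers", "allAuthenticatedUsers"}]


if __name__ == "__main__":
    for who in ("user:carol@example.com", "user:dave@other.org", None):
        print(who, sorted(granted_permissions(POLICY, who)))
    print("public bindings:", public_bindings(POLICY))
```

Note that the anonymous caller and the outsider from other.org both end up with object read access purely through the allUsers binding; that single binding is what `public_bindings` is there to catch.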
Google-Managed Service Account
Represents different Google Services, automatically granted IAM roles
User-Managed Service Accounts
- Created by you, or created for you as a default service account when
certain APIs (e.g., Compute Engine, App Engine) are enabled in the project
Keys (IAM)
- Service accounts authenticate with RSA key pairs
- Google-managed keys: Google holds and rotates both halves; used
automatically when a SA is attached to a resource. User-managed keys:
you create and download the private key (e.g., as a JSON file) and are
responsible for its storage, rotation, and revocation
- For user-managed keys Google keeps only the public key for signature
verification; the private key is yours to protect, and a leaked one is
a usable credential until the key is deleted
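
Because user-managed keys are the ones you can lose, the first check on any project is to list them and flag the old, non-expiring, or externally generated ones. The script below is an added example (not from the notes and not a Google tool): it parses the JSON that `gcloud iam service-accounts keys list --iam-account=<sa> --format=json` prints and reports only USER_MANAGED keys. The sample JSON is constructed to mirror that command's output shape; the 90-day threshold and the reference date are assumptions, and no real project or key is referenced.

```python
"""Audit service-account keys from the JSON that
`gcloud iam service-accounts keys list --iam-account=<sa> --format=json` prints:
Google-managed (SYSTEM_MANAGED) keys are rotated by Google and never leave
Google, so the review focuses on USER_MANAGED keys, whose private half you hold.

Added example, not from the notes. SAMPLE_KEYS_JSON is constructed to mirror
that command's output shape; the 90-day threshold and the reference date are
assumptions, and no real project or key is referenced.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

SA = "projects/fin-prod/serviceAccounts/ingest@fin-prod.iam.gserviceaccount.com"

# Constructed sample output: one Google-managed key, two user-managed keys.
SAMPLE_KEYS_JSON = f"""
[
  {{"name": "{SA}/keys/0a1b", "keyType": "SYSTEM_MANAGED",
    "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
    "validAfterTime": "2024-08-20T00:00:00Z", "validBeforeTime": "2024-09-05T00:00:00Z"}},
  {{"name": "{SA}/keys/9f8e", "keyType": "USER_MANAGED",
    "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
    "validAfterTime": "2023-11-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}},
  {{"name": "{SA}/keys/77c2", "keyType": "USER_MANAGED",
    "keyOrigin": "USER_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
    "validAfterTime": "2024-08-15T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}}
]
"""

MAX_USER_KEY_AGE = timedelta(days=90)                      # assumed rotation policy
REFERENCE_NOW = datetime(2024, 9, 2, tzinfo=timezone.utc)  # assumed 'today'


def parse_rfc3339(ts: str) -> datetime:
    """gcloud prints timestamps as 2024-08-20T00:00:00Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys_json: str, now: datetime) -> List[Tuple[str, str]]:
    """Return (key id, finding) pairs for user-managed keys that need attention."""
    findings: List[Tuple[str, str]] = []
    for key in json.loads(keys_json):
        key_id = key["name"].rsplit("/", 1)[-1]
        if key["keyType"] != "USER_MANAGED":
            continue  # Google holds and rotates these; nothing for you to rotate
        age = now - parse_rfc3339(key["validAfterTime"])
        if age > MAX_USER_KEY_AGE:
            findings.append((key_id, f"user-managed key is {age.days} days old"))
        if key["validBeforeTime"].startswith("9999"):
            findings.append((key_id, "user-managed key never expires"))
        if key["keyOrigin"] == "USER_PROVIDED":
            # Key pair generated outside Google: Google only ever saw the public half.
            findings.append((key_id, "private key generated outside Google; confirm custody"))
    return findings


def run_audit() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample at the assumed reference date."""
    return audit_keys(SAMPLE_KEYS_JSON, REFERENCE_NOW)


if __name__ == "__main__":
    for key_id, finding in run_audit():
        print(f"{key_id}: {finding}")
```

Feed it real output by replacing the constant with the command's stdout; a finding on a key you do not recognise is the cue to disable it (`gcloud iam service-accounts keys disable`) before investigating.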

Scopes (IAM)
- Legacy method of limiting what the default SA attached to an
individual instance is allowed to call
- Grant per-instance access to other GCP resources via the instance;
effective access is the intersection of the instance's scopes and the
SA's IAM roles, so a scope alone never grants anything
Cloud Identity
Identity-as-a-Service; solutions for managing users, groups, and
security settings from a centralized location
Free Edition (Cloud Identity)
- Includes core identity and endpoint management services
- Provides free, managed Google accounts to users who don't need
Google Workspace management
Premium Edition (Cloud Identity)
- Enterprise security, application management, and device management
services
- Includes automatic user provisioning, app allowlisting, and rules for
automatic mobile device management
Single Sign-On (Cloud Identity)
SAML-based SSO via a third-party identity provider, where Google acts
as the service provider (e.g., on-prem Active Directory or LDAP as the
IdP, with accounts provisioned by GCDS)
Multi-Factor Authentication (Cloud Identity)
2-Step Verification: physical security key, Google prompt,
authenticator app, backup codes, text/call
Mobile Device Management (Cloud Identity)
- Enforce policies for personal/corporate devices
- Create an allowlist of approved applications
- Require company-managed apps
Federate with On-Prem AD (Cloud Identity)
Cloud Identity maps (or federates) AD accounts to Cloud Identity
accounts
Google Cloud Directory Sync (Cloud Identity)
Syncs data in Google domain with AD or LDAP server; Google users,
groups, and shared contacts are sync'd to match
VPC Network
- Virtual version of a network (software-defined network) contained
in a project; the VPC itself is a global resource
- Provides connections between resources in GCP, segmented into
subnets
- Subnets are regional resources and can span all zones in their region
VPC Routing
- Defines paths for packet ingress/egress
- Firewall rules control traffic in/out of a VPC
- Private Google Access lets VMs with only internal IPs reach Google
APIs and services without an external IP or NAT
- Connect with on-prem through Cloud Interconnect or Cloud VPN

VPC Permissions
- Administration is secured through IAM
- VPC network administration is baked into Compute Engine IAM roles
(Compute Admin and Compute Network Admin)
VPC Limitations
- Network must have at least one subnet before you can use it
- VPC networks carry unicast traffic only (no broadcast or multicast)
- Historically IPv4-only inside the network, with IPv6 supported only on
the global load balancer; dual-stack (IPv4/IPv6) subnets now exist, so
check current documentation rather than assuming IPv4-only
VPC Peering
Allows private connections across 2 VPC networks regardless of
whether or not they belong to the same project/organization
VPC Peering Restrictions
- Subnet IP ranges cannot overlap between peered networks, and a subnet
range in one network cannot overlap a static route in the other
- Peering doesn't provide granular route controls to filter out which
subnet CIDR ranges are reachable
- Transitive peering is not supported (A-B and B-C does not make A-C)
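
Both restrictions are things you can check before requesting the peering rather than discovering at activation time. The snippet below is an added example (not from the notes and not Google's validation logic): it looks for overlapping CIDRs between two networks' subnets and static routes using the standard library, and models reachability as direct peerings only, so a third network never becomes reachable through a middle one. The network names, ranges and peering list are constructed.

```python
"""Pre-flight checks before VPC Network Peering: no CIDR in one network may
overlap a subnet or static route in the other, and reachability never chains
through a third network.

Added example, not from the notes. Network names, subnet and route ranges
and the peering list are constructed.
"""
import ipaddress
from typing import List, Tuple

Ranges = List[Tuple[str, str]]  # (label, CIDR)

# Constructed: vpc-a's subnets, and vpc-b's subnets plus one static route.
VPC_A_RANGES: Ranges = [("subnet-a1", "10.0.0.0/16"), ("subnet-a2", "10.1.0.0/24")]
VPC_B_RANGES: Ranges = [("subnet-b1", "10.1.0.0/16"),
                        ("subnet-b2", "192.168.0.0/24"),
                        ("static-route-b", "10.0.5.0/24")]
PEERINGS = [("vpc-a", "vpc-b"), ("vpc-b", "vpc-c")]  # constructed topology


def find_overlaps(ranges_a: Ranges, ranges_b: Ranges) -> List[Tuple[str, str]]:
    """Pairs (label in A, label in B) whose CIDRs overlap; peering would be rejected."""
    hits: List[Tuple[str, str]] = []
    for label_a, cidr_a in ranges_a:
        net_a = ipaddress.ip_network(cidr_a)
        for label_b, cidr_b in ranges_b:
            if net_a.overlaps(ipaddress.ip_network(cidr_b)):
                hits.append((label_a, label_b))
    return hits


def peering_is_safe(ranges_a: Ranges, ranges_b: Ranges) -> bool:
    return not find_overlaps(ranges_a, ranges_b)


def reachable_via_peering(peerings, src: str, dst: str) -> bool:
    """Peering is not transitive: only a direct peering gives reachability."""
    direct = {frozenset(p) for p in peerings}
    return frozenset((src, dst)) in direct


if __name__ == "__main__":
    print("overlaps:", find_overlaps(VPC_A_RANGES, VPC_B_RANGES))
    print("vpc-a -> vpc-c:", reachable_via_peering(PEERINGS, "vpc-a", "vpc-c"))
```

If you do need A to reach C, the options are a direct A-C peering, a hub VPC that forwards through a VM or Cloud VPN, or Shared VPC; peering through B will never do it.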
Shared VPC
Allows an organization to connect resources from multiple service
projects to a common VPC network in a host project, so they can
communicate securely over internal IPs while project-level IAM and
billing stay separate
Firewall Rules
- Allow/deny traffic to and from your VMs based on specific
configurations
- Always enforced
- Stateful
- Defined at the network (VPC) level but enforced at the instance
level
- 2 implied rules at the lowest priority (65535): allow all egress and
deny all ingress; lower priority numbers are evaluated first
Always Blocked Traffic
- GRE traffic
- Protocols other than TCP, UDP, ICMP, IPIP (the supported list has
since grown to include AH, ESP, and SCTP)
- Egress on TCP 25 (SMTP)
Always Allowed Traffic
- DHCP
- DNS
- NTP
- Instance Metadata (169.254.169.254)
Network Tags
- Text attributes for CE instances
- Allow you to apply firewall rules/routes to specific instances/set
of instances
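
The firewall entries above describe an evaluation order (platform decisions first, then rules by priority, then the two implied rules) and a scoping mechanism (network tags). The model below is an added example (not from the notes and not Google's firewall engine) that evaluates a first packet against a constructed rule set exactly in that order: always-blocked and always-allowed traffic is decided before any rule, a rule only applies to instances carrying one of its target tags, ties at equal priority go to deny, and the implied rules catch everything else. The rules, tags and packets are constructed; statefulness (return traffic of an allowed flow) is deliberately not modelled.

```python
"""Evaluate packets against VPC firewall rules as the notes describe them:
rules live on the network but are enforced per instance (via target tags),
lower priority numbers win, two implied rules sit at the lowest priority
(65535), and some traffic is decided by the platform before any rule runs.

Added example, not from the notes. The rule set, tags and packets are
constructed; the always-blocked/always-allowed list follows the notes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

METADATA_SERVER = ipaddress.ip_address("169.254.169.254")
SUPPORTED_PROTOCOLS = {"tcp", "udp", "icmp", "ipip", "ah", "esp", "sctp"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                      # "INGRESS" or "EGRESS"
    action: str                         # "allow" or "deny"
    priority: int                       # 0..65535, lower wins; ties: deny beats allow
    protocol: str                       # "tcp", "udp", "icmp", ... or "all"
    ports: Tuple[int, ...] = ()         # empty = any port
    cidr: str = "0.0.0.0/0"             # source range (ingress) / destination (egress)
    target_tags: Tuple[str, ...] = ()   # empty = every instance in the network


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: int
    remote_ip: str                      # source for ingress, destination for egress
    instance_tags: Tuple[str, ...] = ()


IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, "all"),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, "all"),
]

# Constructed rule set for a small web tier behind a bastion.
RULES = [
    Rule("allow-ssh-from-bastion", "INGRESS", "allow", 1000, "tcp", (22,),
         cidr="10.0.0.0/24", target_tags=("ssh",)),
    Rule("allow-https-public", "INGRESS", "allow", 1000, "tcp", (443,),
         target_tags=("web",)),
    Rule("allow-egress-dns", "EGRESS", "allow", 1000, "udp", (53,)),
    Rule("deny-egress-locked", "EGRESS", "deny", 2000, "all",
         target_tags=("locked",)),
]


def platform_decision(pkt: Packet) -> Optional[str]:
    """Traffic decided by Google Cloud itself; no firewall rule can change it."""
    if pkt.direction == "EGRESS" and pkt.protocol == "tcp" and pkt.port == 25:
        return "deny"                                  # outbound SMTP always blocked
    if pkt.protocol not in SUPPORTED_PROTOCOLS:
        return "deny"                                  # e.g. GRE
    if ipaddress.ip_address(pkt.remote_ip) == METADATA_SERVER:
        return "allow"                                 # metadata, DHCP, DNS, NTP
    return None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(pkt.instance_tags):
        return False                                   # not enforced on this instance
    return ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (decision, deciding rule). First-packet evaluation only; the
    stateful return path of an allowed flow is not modelled."""
    fixed = platform_decision(pkt)
    if fixed is not None:
        return fixed, "platform"
    ordered = sorted(rules + IMPLIED_RULES,
                     key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    raise RuntimeError("unreachable: implied rules match every packet")


def decide(direction, protocol, port, remote_ip, tags=()) -> Tuple[str, str]:
    """Convenience wrapper over the constructed RULES."""
    return evaluate(RULES, Packet(direction, protocol, port, remote_ip, tuple(tags)))


if __name__ == "__main__":
    print(decide("INGRESS", "tcp", 22, "203.0.113.9", ("ssh",)))
    print(decide("EGRESS", "tcp", 443, "1.1.1.1", ("locked",)))
```

Two things worth noticing in the results: an SSH attempt from the internet is dropped by the implied deny-ingress rule even though an allow-SSH rule exists (its source range does not match), and a "locked" instance can still resolve DNS because the allow rule at priority 1000 beats the deny at 2000.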

Sold on Stuvia by seller Allan100.
