
Security best practices in GCP - Commands & Configuration

Introduction
Security best practices help protect your cloud resources from unauthorized access and data leaks. They guide you to set up safe access controls and keep your data private and secure.
When you want to control who can access your cloud storage buckets to keep data safe.
When you need to give temporary access to a developer without sharing permanent credentials.
When you want to encrypt sensitive data stored in your cloud databases.
When you want to monitor and log access to your cloud resources for auditing.
When you want to avoid exposing your cloud services to the public internet unnecessarily.
Commands
This command gives Alice read-only access to the project, following the principle of least privilege.
Terminal
gcloud projects add-iam-policy-binding example-project --member='user:alice@example.com' --role='roles/viewer'
Expected Output
Updated IAM policy for project [example-project].
--member - Specifies the user or service account to grant the role.
--role - Specifies the exact role to assign, limiting permissions.
Creates a Cloud KMS key to encrypt sensitive data, ensuring data is protected at rest.
Terminal
gcloud kms keys create my-key --location=us-east1 --keyring=my-keyring --purpose=encryption
Expected Output
Created key [my-key].
--location - Specifies the region for the key.
--purpose - Defines the key's use, here for encryption.
Creates a logging sink to export logs from Compute Engine instances to a storage bucket for auditing.
Terminal
gcloud logging sinks create my-sink storage.googleapis.com/my-logs-bucket --log-filter='resource.type=gce_instance'
Expected Output
Created sink [my-sink].
--log-filter - Filters logs to only include those from specific resources.
Creates a firewall rule that denies all incoming traffic from the internal IP range 10.128.0.0/9 on the default network, reducing the attack surface.
Terminal
gcloud compute firewall-rules create deny-internal --direction=INGRESS --priority=1000 --network=default --action=DENY --rules=all --source-ranges=10.128.0.0/9
Expected Output
Creating firewall rule...done.
--direction - Sets the traffic direction the rule applies to.
--action - Defines whether to allow or deny the traffic.
Key Concept

If you remember nothing else from this pattern, remember: always grant the minimum permissions needed and protect data with encryption and monitoring.

Common Mistakes
Granting broad roles like 'owner' to users who only need to view resources.
This gives users more access than necessary, increasing security risks.
Assign specific roles like 'viewer' or 'editor' based on actual needs.
Not enabling logging or exporting logs for auditing.
Without logs, you cannot track who accessed or changed resources, making it hard to detect breaches.
Set up logging sinks to export logs to secure storage for review.
Leaving firewall rules open to all IP addresses by default.
This exposes services to the internet, increasing chances of attacks.
Restrict firewall rules to only allow trusted IP ranges or internal networks.
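A quick audit for the first mistake above (basic roles such as owner or editor handed to individual users, plus anything granted to a public principal). This is an added example, not part of the original page; it reads bindings as "role,member" lines, the shape that gcloud's --flatten/--format csv output produces, and runs offline on a constructed sample policy.

```shell
#!/bin/sh
# Audit IAM bindings for least-privilege violations.
# Input: one "role,member" line per binding, as produced by
#   gcloud projects get-iam-policy PROJECT --flatten='bindings[].members' \
#     --format='csv[no-heading](bindings.role,bindings.members)'

# Constructed sample policy (not real gcloud output) so the script runs offline.
SAMPLE_POLICY='roles/owner,user:alice@example.com
roles/viewer,user:bob@example.com
roles/editor,serviceAccount:deploy@example-project.iam.gserviceaccount.com
roles/editor,user:carol@example.com
roles/storage.objectViewer,allUsers
roles/logging.viewer,group:auditors@example.com'

# Print every binding that violates least privilege:
#   BROAD  - a basic role (owner/editor) granted directly to a human user
#   PUBLIC - any role granted to allUsers or allAuthenticatedUsers
flag_risky_bindings() {
    while IFS=, read -r role member; do
        case "$member" in
            allUsers|allAuthenticatedUsers)
                printf 'PUBLIC %s -> %s\n' "$role" "$member" ;;
            user:*)
                case "$role" in
                    roles/owner|roles/editor)
                        printf 'BROAD  %s -> %s\n' "$role" "$member" ;;
                esac ;;
        esac
    done
}

# Number of findings in the sample; a non-zero count can fail a CI check.
count_findings() {
    printf '%s\n' "$SAMPLE_POLICY" | flag_risky_bindings | wc -l | tr -d ' '
}

# Replace the sample with the gcloud pipeline above for a live project.
printf '%s\n' "$SAMPLE_POLICY" | flag_risky_bindings
```

The sample yields three findings: owner and editor on individual users, and a public storage grant; the editor binding on the service account is deliberately not flagged because the check targets human principals.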
Summary
Use IAM roles to give users only the permissions they need.
Encrypt sensitive data using Cloud KMS keys.
Set up logging sinks to monitor access and changes.
Create firewall rules to limit network access.