GCP, cloud, ~30 mins

Security best practices in GCP - Mini Project: Build & Apply

Security Best Practices in Google Cloud Platform
📖 Scenario: You are setting up a new project in Google Cloud Platform (GCP) for a small company. The company wants to follow security best practices to protect its cloud resources. We will create a simple setup that includes a service account with limited permissions, enable audit logging, and configure firewall rules to restrict access.
🎯 Goal: Build a secure GCP environment by creating a service account with minimal permissions, enabling audit logs for monitoring, and setting up firewall rules to allow only specific traffic.
📋 What You'll Learn
Create a service account named secure-sa in the project
Assign the roles/viewer role to the service account
Enable audit logging for all admin read and write activities
Create a firewall rule named allow-ssh that allows TCP port 22 from a specific IP range 203.0.113.0/24
💡 Why This Matters
🌍 Real World
Companies use these security best practices to protect their cloud resources from unauthorized access and to monitor changes for compliance.
💼 Career
Cloud engineers and security specialists must know how to configure service accounts, audit logs, and firewall rules to maintain secure cloud environments.
1. Create a service account
Create a service account named secure-sa in the project using the gcloud command.
Hint:
Use the gcloud iam service-accounts create command with the name secure-sa.

2. Assign the Viewer role to the service account
Assign the roles/viewer role to the service account secure-sa@${PROJECT_ID}.iam.gserviceaccount.com using the gcloud command.
Hint:
Use gcloud projects add-iam-policy-binding with the service account email and role roles/viewer.

3. Enable audit logging for admin read and write activities
Enable audit logging for admin read and write activities on all services in the project by updating the audit config using the gcloud command.
Hint:
Use gcloud logging sinks create with a filter for admin activity methods.

4. Create a firewall rule to allow SSH from a specific IP range
Create a firewall rule named allow-ssh that allows TCP port 22 from the IP range 203.0.113.0/24 using the gcloud command.
Hint:
Use gcloud compute firewall-rules create with the name allow-ssh, allow TCP port 22, and source range 203.0.113.0/24.
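
Added example, not part of the original lab: a Python check that the finished setup still matches the four steps, run over JSON in the shape that gcloud projects get-iam-policy --format=json and gcloud compute firewall-rules describe allow-ssh --format=json return. The project ID example-project, the function names and the sample data are assumptions made for this example.

```python
import ipaddress

PROJECT_ID = "example-project"  # assumption: placeholder project ID
SA_MEMBER = f"serviceAccount:secure-sa@{PROJECT_ID}.iam.gserviceaccount.com"
SSH_RANGE = ipaddress.ip_network("203.0.113.0/24")

def check_policy(policy):
    """Findings for the project IAM policy (bindings and auditConfigs)."""
    findings = []
    roles = {b["role"] for b in policy.get("bindings", [])
             if SA_MEMBER in b.get("members", [])}
    if "roles/viewer" not in roles:
        findings.append("secure-sa is missing roles/viewer")
    findings += [f"secure-sa has extra role {r}" for r in sorted(roles - {"roles/viewer"})]
    # Admin Activity (admin write) logs are always on and never appear in
    # auditConfigs; ADMIN_READ has to be listed there explicitly.
    enabled = any(
        cfg.get("service") == "allServices"
        and any(c.get("logType") == "ADMIN_READ" for c in cfg.get("auditLogConfigs", []))
        for cfg in policy.get("auditConfigs", []))
    if not enabled:
        findings.append("ADMIN_READ audit logs are not enabled for allServices")
    return findings

def check_firewall(rule):
    """Findings for the allow-ssh rule: only tcp:22, only from 203.0.113.0/24."""
    findings = []
    sources = rule.get("sourceRanges", [])
    if not sources:
        findings.append("rule has no sourceRanges")
    for src in sources:
        net = ipaddress.ip_network(src)
        if net.version != SSH_RANGE.version or not net.subnet_of(SSH_RANGE):
            findings.append(f"source range {src} is outside {SSH_RANGE}")
    for allow in rule.get("allowed", []):
        if allow.get("IPProtocol") != "tcp" or allow.get("ports") != ["22"]:
            findings.append(f"rule allows more than tcp:22: {allow}")
    return findings

# Constructed sample exports, not output from a real project.
AUDIT = [{"service": "allServices", "auditLogConfigs": [{"logType": "ADMIN_READ"}]}]
GOOD_POLICY = {"bindings": [{"role": "roles/viewer", "members": [SA_MEMBER]}],
               "auditConfigs": AUDIT}
DRIFTED_POLICY = {"bindings": [{"role": "roles/viewer", "members": [SA_MEMBER]},
                               {"role": "roles/editor", "members": [SA_MEMBER]}]}
GOOD_RULE = {"name": "allow-ssh", "sourceRanges": ["203.0.113.0/24"],
             "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
OPEN_RULE = {"name": "allow-ssh", "sourceRanges": ["0.0.0.0/0"],
             "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]}
```

An empty list from both functions means the exported configuration matches the lab; each string in a non-empty list names one deviation to correct.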