Google Cloud Security Essentials

Course

Matthew Ulasien

Team Lead Google Cloud in Content

Length

10:05:14

Difficulty

Intermediate

Videos

52

Quizzes/Exams

6

Course Details

This course will teach the core fundamentals necessary to properly secure your Google Cloud environment, and manage who has access to what resources. The concepts introduced in this course are necessary for any security considerations on Google Cloud.

Syllabus

Course Introduction

Getting Started

Course Introduction

00:02:47

Lesson Description:

Welcome to the Google Cloud Platform Security Essentials course. In this lesson, we will cover the importance of security on Google Cloud, what we will cover in this course, and prerequisites for taking this course.

About the Training Architect

00:00:41

Lesson Description:

Learn more about your course author, Matthew Ulasien.

Getting Started

Introducing our Demonstration Organization

00:02:13

Lesson Description:

Introducing our true-to-life organization that we'll be using, in which we will need to secure our GCP infrastructure for a new startup company.

Protecting Your Google Cloud Account

00:08:13

Lesson Description:

The most important lesson for this entire course is to know how to protect your Google Cloud account. Your account is the key to your entire organization, and protecting it is a top priority. We will cover best practices for protecting your account in this lesson.

Understanding Identity in the Cloud

Identity and Access Management (IAM)

GCP Resource Hierarchy

00:05:55

Lesson Description:

This lesson is a 'big-picture' overview of how resources on Google Cloud Platform are organized, which will be vital in understanding how Identity and Access Management (IAM) works.

Identity and Access Management (IAM)

00:16:31

Lesson Description:

This lesson will go over all of the concepts and terminology of how Cloud IAM works on Google Cloud Platform, which we'll use as a point of reference for demonstrations.

Navigating IAM

00:06:42

Lesson Description:

In this lesson, we are going to demonstrate how to navigate the IAM console and view roles that are available. We will be using a similar navigation method when talking about IAM roles throughout the rest of the course.

Adding IAM Roles

00:15:22

Lesson Description:

Now that we've gone over how to navigate the IAM menu in GCP, let's build upon that and assign some roles, and see the end result.

Folders

00:11:31

Lesson Description:

Folders are a newer addition to IAM policies on GCP. Folders allow you to group projects (and other folders) together, which in turn allows you to apply a single IAM policy to a folder. This single IAM policy will then apply the same policy to all the other projects and folders inside.

Service Accounts

00:17:11

Lesson Description:

Service accounts are a special member type that can be assigned to a program or application, not a human user. We are going to go over how they are used and how they can be both a member and a resource at the same time.

Custom Roles

00:11:23

Lesson Description:

Custom roles are another new feature that allows you to customize roles to have the exact mix of permissions that you need, which can be more fine-tuned than the existing predefined roles. In this lesson we will demonstrate:

1. How to view permissions for existing roles
2. How to use an existing role as a template for customized roles

Edit IAM Policy

00:07:13

Lesson Description:

In this lesson, we are going to demonstrate how to edit a project's IAM policy using the command line interface (gcloud commands). This lesson is a bit more advanced since we are working with editing JSON files, but it is good to understand the 'behind the scenes' working of how IAM policies are set. For your reference, we are using the below commands for viewing and editing our IAM policies:

Retrieve IAM policy and download in JSON format:

gcloud projects get-iam-policy (PROJECT_ID) --format json > (filename).json

Update IAM policy from updated JSON file:

gcloud projects set-iam-policy PROJECT_ID iam.json

Add single binding without downloading JSON file:

gcloud projects add-iam-policy-binding PROJECT_ID --member user:(user's email) --role roles/editor

IAM Best Practices

00:08:14

Lesson Description:

In this lesson, we will cover general best practices for properly setting up your IAM policy environment to minimize exposure and risk.

Putting it all Together

00:09:45

Lesson Description:

We are now going to take everything we've learned in this section and put it together for a true-to-life business set up for securing our GCP environment.

QUIZ: Google Cloud IAM and Security

00:30:00

Infrastructure Security

Securing GCP Network Infrastructure

Virtual Private Cloud (VPC)

00:07:53

Lesson Description:

What is a VPC on Google Cloud Platform, and what does it mean from a security perspective? We are going to start this section with a high-level overview of how VPC's are organized on GCP.

Firewalls Basics

00:06:53

Lesson Description:

Firewall policies are the core security component for managing what network traffic is and is not allowed in your VPC. We will be focusing on firewalls throughout this section, which will also carry over into many other security discussions as well.

Viewing Firewall Rules

00:09:20

Lesson Description:

We are going to start our journey into firewalls by viewing default firewall rules in a default VPC.

Create Targeted Firewall Rule

00:06:54

Lesson Description:

Now that we've viewed default firewall rules, let's build upon that by creating a firewall rule ourselves. We will create a targeted firewall rule that only affects a single instance (or group of instances) via network tags. Note: GCP firewall rules have specific components and characteristics that differ from a local firewall; see the Firewall Rules Overview.

Automate Firewall Rules for Webserver

00:04:49

Lesson Description:

While we can create targeted firewall rules for tagged instances to allow HTTP/S access via ports 80/443, Compute Engine makes this an easily automated process via a simple checkbox. We will demonstrate this 'easier' method in this lesson.

Limiting Exposure

00:04:06

Lesson Description:

By default, a Compute Engine instance has an external (or public) IP address that is accessible to the whole world. This also exposes it to unnecessary risk if it does not need to be public. We are going to discuss how to limit that exposure in this lesson.

Google Cloud VPN

00:09:50

Lesson Description:

We are going to demonstrate how to connect two VPC networks using Google Cloud VPN to allow us to connect to an internal-only instance via the connected network.

Bastion Host

00:15:19

Lesson Description:

A bastion host acts as a 'bridge' or a 'jump server', allowing an outside location to access an internal-only instance. We are going to demonstrate the process of using a bastion host to connect to an internal-only instance while still minimizing exposure.

Interactive Serial Console

00:05:38

Lesson Description:

This will be our third method of connecting to internal-only instances. The serial console acts as a 'virtual serial port' for troubleshooting instances, which also serves as a way of connecting to an instance that has only an internal IP address.

Routes

00:09:38

Lesson Description:

Overview of how network routing works in a VPC, and when you'd want to create a custom route for advanced security scenarios.

Private Google Access

00:09:26

Lesson Description:

How to enable private Google access to let an instance with no external IP address communicate with Google Cloud services. By default, managed GCP services such as Cloud Storage require connecting over an external IP address. Private Google Access allows you to use the same services without an external IP address.

Network IAM Roles

00:09:48

Lesson Description:

A discussion on the IAM roles needed to manage various VPC and firewall functions.

QUIZ: Google Cloud VPC Security Essentials

00:30:00

Securing your Operating System

OS Security Overview

00:02:55

Lesson Description:

We are going to start a new section by going over the high-level view of what OS Security on Compute Engine looks like, which will bridge into more detailed lessons.

Limit OS Access by Location

00:06:27

Lesson Description:

We will again be discussing firewalls, which are your first line of defense for limiting access to GCE instances. Locking down OS access via SSH/RDP is of critical importance, and firewall rules are a key method of doing so.

OS Updates

00:09:50

Lesson Description:

Keeping your OS up to date is your responsibility. Here's how to do it, and what tools you can use to make the process easier. If you want to read about extra items added to public images, you can read the full listing here: https://cloud.google.com/compute/docs/images#os-details

Securing Scaling Instance Groups

00:12:54

Lesson Description:

Updating managed instance groups requires a much different process compared to updating individual instances. We will cover how to update them using managed instance templates combined with updated custom images.

SSH Keys and Metadata

00:08:19

Lesson Description:

Connecting to a GCE instance using custom SSH keys (vs. built in GCP SDK method) requires creating a custom SSH key, and then adding the public key to instance metadata. This lesson will go over the entire process.

Securing SSH Access to Linux Instances

00:13:32

Lesson Description:

We are going to apply the concepts from the previous lessons, and go through the process of creating a custom SSH key and adding the public key to metadata for custom SSH access.

Linux Access and IAM Roles

00:07:16

Lesson Description:

IAM roles are important for securing access to GCP resources. We will be discussing the unique OS Login role to allow a member to log into a Compute Engine instance without giving them too much admin access to the rest of Compute Engine.

Windows Instance Access Management

00:09:46

Lesson Description:

Windows access has a completely different approach compared to Linux. We will discuss the differences in this lesson.

OS Security Best Practices and Acceptable Use

00:08:17

Lesson Description:

These are the best practices for hardening your OS against malicious attackers and how to resolve acceptable use disputes.

QUIZ: Securing the Operating System

00:30:00

Data Security

Securing Your Data

Securing Cloud Storage

00:01:56

Lesson Description:

Overview of the importance of properly securing your cloud storage resources, and the consequences of not doing so.

Cloud Storage IAM Roles

00:07:09

Lesson Description:

Demonstration of IAM Roles for cloud storage both project-wide and at the per-bucket level.

Demonstrating Storage IAM Scopes

00:11:01

Lesson Description:

Demonstration of working with storage buckets with different levels of IAM scopes.

Access Control Lists (ACLs)

00:10:40

Lesson Description:

Access Control Lists are another method of data access management that work in conjunction with IAM roles. We will explore the differences and the relationship between both.

Demonstrating ACLs

00:11:24

Lesson Description:

Hands-on demonstration of ACLs in action.

Signed URLs

00:07:49

Lesson Description:

Overview and demonstration of signed URLs.

Database Security

00:05:25

Lesson Description:

Overview of securing managed databases on GCP.

QUIZ: Securing Your Data with Google Cloud

00:30:00

Monitoring, Alerting, and Auditing

Monitoring GCP

Logging and Monitoring with Stackdriver

00:07:58

Lesson Description:

It is vitally important to have a record of every action taken in our GCP environment. Stackdriver is the service we use to log, monitor, and alert on those actions. This lesson will be an overview of the history of Stackdriver and how it is used from a security perspective, which we will build upon in the upcoming lessons.

Viewing Stackdriver Logs

00:11:00

Lesson Description:

In this lesson, we are going to look at Stackdriver's advanced Logs Viewer, which is the source location of all logged events in GCP. We are also going to look at the Activity Viewer, which is a more user-friendly view of all events.

Exporting Logs

00:04:49

Lesson Description:

We will discuss the importance of exporting logs and go through a sample demonstration of exporting IAM policy logs to Cloud Storage.

Monitoring and Alerts

00:07:49

Lesson Description:

It is important to be able to receive real-time alerts when specific administrative actions are taking place. We will go over creating custom event metrics and use those metrics to create an alert to let us know when an IAM policy has been changed.

Google Cloud Platform and Auditing

Compliance on Google Cloud Platform

00:07:38

Lesson Description:

This will be a high-level overview regarding meeting different compliance requirements on GCP. For the full details of meeting the compliance requirements, visit GCP's documentation with the link below: https://cloud.google.com/security/compliance

QUIZ: Monitoring, Alerting, and Auditing within the Google Cloud

00:30:00

Encryption Essentials

GCP Encryption Options

Notes

https://cloud.google.com/security/encryption-at-rest/

Encryption on Google Cloud Platform

00:09:40

Lesson Description:

In this lesson, we are going to cover the basics of:

1. What encryption is and how it protects your data.
2. Encryption in transit and at rest.
3. How Google encrypts your data by default.
4. Customer-provided options for encryption.

Key Management Service

00:05:03

Lesson Description:

Let's learn more about the Cloud Key Management Service and how it acts as a 'middle ground' between hosting your own encryption keys and letting Google handle automatically managing and rotating them. We will follow this lesson with a hands-on demonstration of this lesson's topics in action.

Encryption Demonstration with KMS

00:10:21

Lesson Description:

We are now going to demonstrate using the Cloud Key Management Service to create a new keyring+key. We will then encrypt a text file before decrypting it into a new file. The below link is a PDF version of Google's quick start to follow along at your own pace: https://linuxacademy.com/cp/guides/download/refsheets/guides/refsheets/quickstart---cloud-kms-documentation---google-cloud_1521842513.pdf

Below are the encoding and encrypt/decrypt commands I used in this lesson:

Encode top-secret.txt into base64 format:

cat top-secret.txt | base64

Encrypt our base64 string into a new encrypted file called top-secret.encrypted. You would need to update the project, keyring, key, and base64 string if you're following along on your end:

curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/pwnet-nms/locations/global/keyRings/pwnet-keyring/cryptoKeys/key1:encrypt" -d '{"plaintext":"VE9QIFNFQ1JFVApUaGUgcGFzc3dvcmQgaXMgImJhbmFuYXMiLgo="}' -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" | jq .ciphertext -r > top-secret.encrypted

This is the command used to decrypt the above file, and then output it into a new unencrypted file:

curl -v "https://cloudkms.googleapis.com/v1/projects/pwnet-nms/locations/global/keyRings/pwnet-keyring/cryptoKeys/key1:decrypt" -d "{\"ciphertext\":\"$(cat top-secret.encrypted)\"}" -H "Authorization: Bearer $(gcloud auth application-default print-access-token)" -H "Content-Type: application/json" | jq .plaintext -r | base64 -d > newfile.txt

QUIZ: Google Cloud Encryption Options

00:30:00

Conclusion

Final Steps

Next Steps

00:01:35

Lesson Description:

Thank you for joining us on this journey to learn about Google Cloud Platform Security Essentials. Here's what to do next now that you've completed this course.

Get Recognized!

00:01:01

Lesson Description:

How to get recognized for your certification.