
Google Cloud Security Essentials


Matthew Ulasien

Team Lead Google Cloud in Content

Course Details

This course will teach the core fundamentals necessary to properly secure your Google Cloud environment, and manage who has access to what resources. The concepts introduced in this course are necessary for any security considerations on Google Cloud.


Course Introduction

Getting Started

Course Introduction


Lesson Description:

Welcome to the Google Cloud Platform Security Essentials course. In this lesson, we will cover the importance of security on Google Cloud, what we will cover in this course, and prerequisites for taking this course.

About the Training Architect


Lesson Description:

Learn more about your course author, Matthew Ulasien.

Getting Started

Introducing our Demonstration Organization


Lesson Description:

Introducing the true-to-life organization we'll be using throughout the course: a new startup company whose GCP infrastructure we will need to secure.

Protecting Your Google Cloud Account


Lesson Description:

The most important lesson for this entire course is to know how to protect your Google Cloud account. Your account is the key to your entire organization, and protecting it is a top priority. We will cover best practices for protecting your account in this lesson.

Understanding Identity in the Cloud

Identity and Access Management (IAM)

GCP Resource Hierarchy


Lesson Description:

This lesson is a big-picture overview of how resources on Google Cloud Platform are organized, which is vital for understanding how Identity and Access Management (IAM) works.

Identity and Access Management (IAM)


Lesson Description:

This lesson will go over all of the concepts and terminology of how Cloud IAM works on Google Cloud Platform, which we'll use as a point of reference for demonstrations.

Navigating IAM


Lesson Description:

In this lesson, we are going to demonstrate how to navigate the IAM console and view roles that are available. We will be using a similar navigation method when talking about IAM roles throughout the rest of the course.

Adding IAM Roles


Lesson Description:

Now that we've gone over how to navigate the IAM menu in GCP, let's build upon that and assign some roles, and see the end result.



Lesson Description:

Folders are a newer addition to IAM policies on GCP. Folders allow you to group projects (and other folders) together, which in turn allows you to apply a single IAM policy to a folder. This single IAM policy will then apply the same policy to all the other projects and folders inside.

Service Accounts


Lesson Description:

Service accounts are a special member type that can be assigned to a program or application, not a human user. We are going to go over how they are used and how they can be both a member and a resource at the same time.

Custom Roles


Lesson Description:

Custom roles are another new feature that allows you to customize roles to have the exact mix of permissions that you need, which can be more fine-tuned than the existing predefined roles. In this lesson we will demonstrate how to view the permissions of existing roles, and how to use an existing role as a template for a customized role.

Edit IAM Policy


Lesson Description:

In this lesson, we are going to demonstrate how to edit a project's IAM policy using the command line interface (gcloud commands). This lesson is a bit more advanced since we are working with editing JSON files, but it is good to understand the 'behind the scenes' working of how IAM policies are set. For your reference, we are using the commands below for viewing and editing our IAM policies.

Retrieve the IAM policy and download it in JSON format (replace PROJECT_ID with your project ID; the output file name is your choice):

    gcloud projects get-iam-policy PROJECT_ID --format json > iam.json

Update the IAM policy from the edited JSON file:

    gcloud projects set-iam-policy PROJECT_ID iam.json

Add a single binding without downloading the JSON file (replace USER_EMAIL with the member's email address):

    gcloud projects add-iam-policy-binding PROJECT_ID --member user:USER_EMAIL --role roles/editor
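The editing step between get-iam-policy and set-iam-policy, as an added example that is not part of the course material: it works on a constructed policy document in the shape gcloud writes to iam.json, merges a new binding the way add-iam-policy-binding does (append to an existing role binding, never duplicate a member, keep the etag), and drops a binding that loses its last member, which set-iam-policy would otherwise reject. The project, e-mail addresses and etag value are all made up.

```python
import json

# Constructed stand-in for the parsed contents of the file written by
#   gcloud projects get-iam-policy PROJECT_ID --format json > iam.json
# (not taken from any real project).
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@example.com"]},
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ],
    "etag": "BwWConstructedEtag=",
    "version": 1,
}

# Every IAM member carries a type prefix; a bare e-mail address is not a valid member.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")

def add_member(policy: dict, member: str, role: str) -> dict:
    """Copy of policy with member granted role, merged the way
    `gcloud projects add-iam-policy-binding` does: append to the existing
    binding for that role (no duplicates) or create a new one. The etag is
    kept so set-iam-policy can detect a concurrent change to the policy."""
    if not member.startswith(MEMBER_PREFIXES):
        raise ValueError(f"member needs a type prefix such as user: or group:, got {member!r}")
    if not role.startswith("roles/"):
        raise ValueError(f"role must be of the form roles/NAME, got {role!r}")
    updated = json.loads(json.dumps(policy))  # deep copy; the caller's dict is untouched
    for binding in updated.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    updated["bindings"].append({"role": role, "members": [member]})
    return updated

def remove_member(policy: dict, member: str, role: str) -> dict:
    """Copy of policy with member removed from role; a binding left with no
    members is dropped, since set-iam-policy rejects empty bindings."""
    updated = json.loads(json.dumps(policy))
    for binding in updated.get("bindings", []):
        if binding["role"] == role and member in binding["members"]:
            binding["members"].remove(member)
    updated["bindings"] = [b for b in updated.get("bindings", []) if b["members"]]
    return updated

def members_of(policy: dict, role: str) -> list:
    """All members bound to role (empty list if the role is not bound at all)."""
    return [m for b in policy.get("bindings", []) if b["role"] == role for m in b["members"]]
```

Write the result with `json.dump(..., indent=2)` to iam.json and it is ready for `gcloud projects set-iam-policy PROJECT_ID iam.json`.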

IAM Best Practices


Lesson Description:

In this lesson, we will cover general best practices for properly setting up your IAM policy environment to minimize exposure and risk.

Putting it all Together


Lesson Description:

We are now going to take everything we've learned in this section and put it together in a true-to-life business setup for securing our GCP environment.

QUIZ: Google Cloud IAM and Security


Infrastructure Security

Securing GCP Network Infrastructure

Virtual Private Cloud (VPC)


Lesson Description:

What is a VPC on Google Cloud Platform, and what does it mean from a security perspective? We are going to start this section with a high-level overview of how VPCs are organized on GCP.

Firewalls Basics


Lesson Description:

Firewall policies are the core security component for managing what network traffic is and is not allowed in your VPC. We will be focusing on firewalls throughout this section, which will also carry over into many other security discussions as well.

Viewing Firewall Rules


Lesson Description:

We are going to start our journey into firewalls by viewing default firewall rules in a default VPC.

Create Targeted Firewall Rule


Lesson Description:

Now that we've viewed default firewall rules, let's build upon that by creating a firewall rule ourselves. We will create a targeted firewall rule that only affects a single instance (or group of instances) via network tags. Note: GCP firewall rules have specific components and characteristics that differ from a local firewall; see Google's Firewall Rules Overview documentation.

Automate Firewall Rules for Webserver


Lesson Description:

While we can create targeted firewall rules for tagged instances to allow HTTP/S access via ports 80/443, Compute Engine makes this an easily automated process via a simple checkbox. We will demonstrate this 'easier' method in this lesson.

Limiting Exposure


Lesson Description:

By default, a Compute Engine instance has an external (or public) IP address that is accessible to the whole world. This also exposes it to unnecessary risk if it does not need to be public. We are going to discuss how to limit that exposure in this lesson.

Google Cloud VPN


Lesson Description:

We are going to demonstrate how to connect two VPC networks using Google Cloud VPN to allow us to connect to an internal-only instance via the connected network.

Bastion Host


Lesson Description:

A bastion host acts as a 'bridge' or a 'jump server', allowing an outside location to access an internal-only instance. We are going to demonstrate the process of using a bastion host to connect to an internal-only instance while still minimizing exposure.

Interactive Serial Console


Lesson Description:

This will be our third method of connecting to internal-only instances. The serial console acts as a 'virtual serial port' for troubleshooting instances, which also serves as a way to reach an instance that has only an internal IP address.



Lesson Description:

Overview of how network routing works in a VPC, and when you'd want to create a custom route for advanced security scenarios.

Private Google Access


Lesson Description:

How to enable Private Google Access to let an instance with no external IP address communicate with Google Cloud services. By default, managed GCP services such as Cloud Storage require connecting over an external IP address; Private Google Access allows you to use the same services without an external IP address.

Network IAM Roles


Lesson Description:

A discussion on the IAM roles needed to manage various VPC and firewall functions.

QUIZ: Google Cloud VPC Security Essentials


Securing your Operating System

OS Security Overview


Lesson Description:

We are going to start a new section by going over the high-level view of what OS Security on Compute Engine looks like, which will bridge into more detailed lessons.

Limit OS Access by Location


Lesson Description:

We will again be discussing firewalls, which are your first line of defense for limiting access to GCE instances. Locking down OS access via SSH/RDP is of critical importance, and firewall rules are a key method of doing so.

OS Updates


Lesson Description:

Keeping your OS up to date is your responsibility. Here's how to do it, and what tools you can use to make the process easier. If you want to read about extra items added to public images, you can read the full listing here:

Securing Scaling Instance Groups


Lesson Description:

Updating managed instance groups requires a very different process than updating individual instances. We will cover how to update them using managed instance templates combined with updated custom images.

SSH Keys and Metadata


Lesson Description:

Connecting to a GCE instance using custom SSH keys (vs. the built-in GCP SDK method) requires creating a custom SSH key and then adding the public key to instance metadata. This lesson will go over the entire process.

Securing SSH Access to Linux Instances


Lesson Description:

We are going to apply the concepts from the previous lessons by going through the process of creating a custom SSH key and adding the public key to metadata for custom SSH access.

Linux Access and IAM Roles


Lesson Description:

IAM roles are important for securing access to GCP resources. We will be discussing the unique OS Login role to allow a member to log into a Compute Engine instance without giving them too much admin access to the rest of Compute Engine.

Windows Instance Access Management


Lesson Description:

Windows access has a completely different approach compared to Linux. We will discuss the differences in this lesson.

OS Security Best Practices and Acceptable Use


Lesson Description:

These are the best practices for hardening your OS against malicious attackers and how to resolve acceptable use disputes.

QUIZ: Securing the Operating System


Data Security

Securing Your Data

Securing Cloud Storage


Lesson Description:

Overview of the importance of properly securing your cloud storage resources, and the consequences of not doing so.

Cloud Storage IAM Roles


Lesson Description:

Demonstration of IAM Roles for cloud storage both project-wide and at the per-bucket level.

Demonstrating Storage IAM Scopes


Lesson Description:

Demonstration of working with storage buckets with different levels of IAM scopes.

Access Control Lists (ACLs)


Lesson Description:

Access Control Lists are another method of data access management that work in conjunction with IAM roles. We will explore the differences and the relationship between both.

Demonstrating ACLs


Lesson Description:

Hands-on demonstration of ACLs in action.

Signed URLs


Lesson Description:

Overview and demonstration of signed URLs.

Database Security


Lesson Description:

Overview of securing managed databases on GCP.

QUIZ: Securing Your Data with Google Cloud


Monitoring, Alerting, and Auditing

Monitoring GCP

Logging and Monitoring with Stackdriver


Lesson Description:

It is vitally important to have a record of every action taken in our GCP environment. Stackdriver is the method to log, monitor, and alert us to actions taken. This lesson will be an overview on the history of Stackdriver and how it is used from a security perspective, which we will build upon in the upcoming lessons.

Viewing Stackdriver Logs


Lesson Description:

In this lesson, we are going to look at Stackdriver's advanced Logs Viewer, which is the source location of all logged events in GCP. We are also going to look at the Activity Viewer, which is a more user-friendly view of all events.

Exporting Logs


Lesson Description:

We will discuss the importance of exporting logs and go through a sample demonstration of exporting IAM policy logs to Cloud Storage.

Monitoring and Alerts


Lesson Description:

It is important to be able to receive real-time alerts when specific administrative actions are taking place. We will go over creating custom event metrics and use those metrics to create an alert to let us know when an IAM policy has been changed.

Google Cloud Platform and Auditing

Compliance on Google Cloud Platform


Lesson Description:

This will be a high-level overview regarding meeting different compliance requirements on GCP. For the full details of meeting the compliance requirements, visit GCP's documentation with the link below:

QUIZ: Monitoring, Alerting, and Auditing within the Google Cloud


Encryption Essentials

GCP Encryption Options


Encryption on Google Cloud Platform


Lesson Description:

In this lesson, we are going to cover the basics of:
1. What encryption is and how it protects your data.
2. Encryption in transit and at rest.
3. How Google encrypts your data by default.
4. Customer-provided options for encryption.

Key Management Service


Lesson Description:

Let's learn more about the Cloud Key Management Service and how it acts as a 'middle ground' between hosting your own encryption keys and letting Google handle managing and rotating them automatically. We will follow this lesson with a hands-on demonstration of this lesson's topics in action.

Encryption Demonstration with KMS


Lesson Description:

We are now going to demonstrate using the Cloud Key Management Service to create a new key ring and key. We will then encrypt a text file before decrypting it into a new file. The below link is a PDF version of Google's quick start to follow along at your own pace:

Below are the encoding and encrypt/decrypt commands I used in this lesson.

Encode top-secret.txt into base64 format:

    cat top-secret.txt | base64

Encrypt our base64 string into a new encrypted file called top-secret.encrypted. You would need to update the project, keyring, key, and base64 string if you're following along on your end (PROJECT_ID, LOCATION, KEYRING, and KEY in the endpoint URL below are placeholders for your own values):

    curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY:encrypt" \
      -d '{"plaintext":"VE9QIFNFQ1JFVApUaGUgcGFzc3dvcmQgaXMgImJhbmFuYXMiLgo="}' \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
    | jq -r .ciphertext > top-secret.encrypted

This is the command used to decrypt the above file, and then output it into a new unencrypted file (the ciphertext read from the file is sent to the key's :decrypt endpoint, and the returned base64 plaintext is decoded back into the original text):

    curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY:decrypt" \
      -d "{\"ciphertext\":\"$(cat top-secret.encrypted)\"}" \
      -H "Authorization: Bearer $(gcloud auth print-access-token)" \
      -H "Content-Type: application/json" \
    | jq -r .plaintext | base64 -d > newfile.txt

QUIZ: Google Cloud Encryption Options



Final Steps

Next Steps


Lesson Description:

Thank you for joining us on this journey to learn about Google Cloud Platform Security Essentials. Here's what to do next now that you've completed this course.
