Redacting Sensitive Text with Google Cloud DLP

Hands-On Lab


Joseph Lowery

Google Cloud Training Architect II in Content

Length

00:30:00

Difficulty

Beginner

The internet makes a world of data accessible, and when that data is sensitive—like social security, credit card, and phone numbers—that’s a problem. Cloud Data Loss Prevention (Cloud DLP) is Google’s solution. This service makes it possible to detect a wide range of sensitive data and, if necessary, hide it from prying eyes. In this hands-on lab, we’ll enable the Cloud DLP API, create a service account and the necessary JSON key and token to access that API, and then use Cloud DLP to automatically detect and redact a series of sensitive data strings in a text file.

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.


Logging In to the Environment

  1. On the lab instructions page, right-click the Open GCP Console button.
  2. From the dropdown, select the option to open the link in a private browser window. (Note: Different browsers name this differently. In Chrome, choose Open Link in Incognito Window; in Firefox, choose Open Link in New Private Window.)
  3. On the Google sign-in page, enter the unique username you were provided on the lab instructions page. Click Next.
  4. Enter the unique password you were provided on the lab instructions page. Click Next.
  5. On the Welcome to your new account page, click Accept.
  6. In the Welcome L.A.! menu, check the box under Terms of service.
  7. Choose your country of residence, then click AGREE AND CONTINUE.

Enable Cloud DLP

  1. From the Google Cloud Platform dashboard, click the navigation menu at the top left of the page.
  2. In the dropdown, select APIs & Services > Library.
  3. On the API Library page, enter "DLP" in the search bar.
  4. Select the Cloud Data Loss Prevention (DLP) API.
  5. Click Enable.

Create a Service Account and Key

  1. Click the Cloud Shell icon at the top right of the page.
  2. Click START CLOUD SHELL.
  3. When it spins up, run the following command to store your project ID in a variable (the project ID is shown on the lab instructions page and in the Cloud Shell prompt):
    export PROJECT_ID=[YOUR_PROJECT_ID]
  4. Create a service account.
    gcloud iam service-accounts create la-service-account --display-name "LA Service Account"
  5. Assign the appropriate permissions. The lab grants the project Owner role to keep the steps short; for a workload that only calls Cloud DLP, the least-privilege choice is roles/dlp.user, which covers the inspect, redact, and de-identify content calls and nothing else.
    gcloud projects add-iam-policy-binding ${PROJECT_ID} --member serviceAccount:la-service-account@${PROJECT_ID}.iam.gserviceaccount.com --role roles/owner
  6. Create a JSON key for authentication. This file is a long-lived credential for the service account (here, an Owner), so treat it as a secret: do not commit it or copy it out of Cloud Shell, and delete the key from the service account when the lab is finished.
    gcloud iam service-accounts keys create ~/key.json --iam-account la-service-account@${PROJECT_ID}.iam.gserviceaccount.com

Authenticate the Service Account and Generate a Token

  1. In the Cloud Shell, run the following commands to activate the service account from the key you just created and print a short-lived OAuth access token:
    gcloud auth activate-service-account --key-file=~/key.json
    gcloud auth print-access-token
  2. Store the token in a variable. You can copy the printed string into the command below, or let the shell capture it directly with command substitution. The token expires after about an hour; if a later request returns 401, rerun this step.
    export ACCESS_TOKEN=[RETURNED_TOKEN]
    export ACCESS_TOKEN=$(gcloud auth print-access-token)

Redact the Sensitive Text

  1. Clone the GitHub repository (the cloned directory name must match the path used in the next step):
    git clone https://github.com/linuxacademy/content-gcpro-security-engineer
  2. Change to the content-gcpro-security-engineer/dlp-redact-lab directory:
    cd content-gcpro-security-engineer/dlp-redact-lab
  3. Click the pencil icon at the top right of the Cloud Shell window to open the Cloud Shell code editor.
  4. In the left navigation panel, select content-gcpro-security-engineer > dlp-redact-lab > redact-input.json.
  5. In the Cloud Shell, run the following command to send the request body in redact-input.json (the text to inspect plus the inspect and de-identify configuration) to the content:deidentify method. Both $PROJECT_ID and $ACCESS_TOKEN must be set in the current shell for the URL and the Authorization header to be filled in:
    curl -s -H "Authorization: Bearer $ACCESS_TOKEN" -H "Content-Type: application/json" https://dlp.googleapis.com/v2/projects/$PROJECT_ID/content:deidentify -d @redact-input.json
  6. Review the JSON response. The item.value field holds the text with each detected value replaced, and overview.transformationSummaries lists which infoTypes were found and how many times each was transformed. If the response is an error object instead, check that the API is enabled and that the token has not expired.
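The contents of redact-input.json are not reproduced on this page. The following Python script is an added example, not part of the lab repository: it builds a content:deidentify request body of the kind the curl step posts, sends it with the same bearer token, and then runs a local sanity check over the returned text so that a response is not trusted just because the call returned 200. The infoTypes used (US_SOCIAL_SECURITY_NUMBER, CREDIT_CARD_NUMBER, PHONE_NUMBER) are an assumption based on the data types named in the introduction, and the sample text, sample response, and residual-pattern regexes are constructed for illustration.

```python
"""Build, send, and sanity-check a Cloud DLP content:deidentify request.

Added example for the lab above; not the lab's redact-input.json.
"""
import json
import os
import re
import urllib.request

# Built-in DLP infoType detectors. Assumed to match the lab's sample data.
DEFAULT_INFO_TYPES = ("US_SOCIAL_SECURITY_NUMBER", "CREDIT_CARD_NUMBER", "PHONE_NUMBER")


def build_deidentify_request(text, info_types=DEFAULT_INFO_TYPES):
    """Return the JSON body for projects/{id}/content:deidentify.

    replaceWithInfoTypeConfig replaces each finding with the name of the
    infoType that matched, e.g. "SSN [US_SOCIAL_SECURITY_NUMBER]".
    """
    return {
        "item": {"value": text},
        "inspectConfig": {
            "infoTypes": [{"name": name} for name in info_types],
            "minLikelihood": "POSSIBLE",
        },
        "deidentifyConfig": {
            "infoTypeTransformations": {
                "transformations": [
                    {"primitiveTransformation": {"replaceWithInfoTypeConfig": {}}}
                ]
            }
        },
    }


def deidentify(project_id, access_token, text, info_types=DEFAULT_INFO_TYPES):
    """POST the request with a bearer token. Needs network and a live token."""
    url = f"https://dlp.googleapis.com/v2/projects/{project_id}/content:deidentify"
    body = json.dumps(build_deidentify_request(text, info_types)).encode()
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def redacted_value(response):
    """Extract the de-identified text from a content:deidentify response."""
    return response["item"]["value"]


# Deliberately loose patterns for the three infoTypes above. A match in the
# OUTPUT means something slipped past the detector (or minLikelihood was set
# too high), so the text must not be handed on as safe. Constructed for this
# example; they are not the detectors DLP itself uses.
LEAK_PATTERNS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_like": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
    "phone_like": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}


def residual_findings(text):
    """Names of LEAK_PATTERNS that still match the supposedly redacted text."""
    return sorted(name for name, pat in LEAK_PATTERNS.items() if pat.search(text))


if __name__ == "__main__":
    # Run from Cloud Shell after the lab's PROJECT_ID and ACCESS_TOKEN exports.
    sample = "SSN 123-45-6789, card 4111 1111 1111 1111, phone (555) 123-4567"  # constructed
    result = deidentify(os.environ["PROJECT_ID"], os.environ["ACCESS_TOKEN"], sample)
    clean = redacted_value(result)
    print(clean)
    leaks = residual_findings(clean)
    if leaks:
        raise SystemExit(f"redaction incomplete, residual patterns: {leaks}")
```

The request body is the same shape as the one the curl step posts, so the script can be used to check that a hand-edited redact-input.json is well formed before sending it. The residual check is a cheap second opinion, not a replacement for DLP: it only catches the obvious formats, but a hit there is a reliable signal that the output is not yet safe to share.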

Conclusion

Congratulations, you've successfully completed this hands-on lab!