  1. Access
    1. Google IDaaS (IDentity as a Service)
      1. Using Existing IdP
        1. Active Directory / Google Cloud Directory Sync (GCDS)
        2. Hybrid Environment
        3. Federating Google Cloud
      2. Automated Provisioning
      3. Configuration Manager
      4. Group
        1. Dynamic Group
          1. Creating and Updating
          2. Automated membership
        2. Manage Group Using API
        3. Security Group
      5. Transfer Consumer Accounts (Unmanaged Users)
      6. Federating Identity
    2. Service Account
      1. Short-lived Credentials
      2. Restricting service account
      3. Manage Service Account Keys
      4. Using Service Account with GCE
      5. Put credentials in the config
      6. Delegation & Impersonation
      7. Undelete Service Account
      8. API security
      9. Cloud Functions security
    3. IAM (Authentication & Authorization)
      1. SSO
        1. Setup SSO
        2. Setup SSO via 3rd Party IdP
        3. SAML with Apigee
      2. Roles
        1. Basic Roles
        2. Predefined Roles
          1. Billing
          2. App Engine
          3. Organization Role Administrator
        3. Custom Role
      3. Access Control
        1. Organization
        2. Folder
        3. Project
        4. Resource
          1. GCS (Google Cloud Storage)
          2. GAE (Google App Engine)
          3. GCE (Google Compute Engine)
    4. Resource Manager
      1. Resource hierarchy
      2. Create and Manage Organization
      3. Cloud Asset Inventory
    5. Shared Responsibility Matrix
  2. Network Security
    1. Network design
      1. Load Balancer
        1. HTTP(S) Load Balancing
        2. External TCP Proxy Load Balancing
        3. SSL Load Balancing
      2. Cloud Armor (WAF)
      3. DDoS Protection
      4. Internal / External IP Address
      5. Firewall / GCE Security Policy
        1. Rule with Service Account
        2. Rule with Tag
      6. Zero Trust
        1. IAP (Identity-Aware Proxy)
      7. Cloud DNS
        1. DNSSEC (Domain Name System Security Extensions)
      8. Cloud Migration
        1. Lift and Shift
        2. Improve and Move
        3. Remove and Replace (Rip and Replace)
      9. Cloud Adoption Framework
    2. Network segmentation
      1. VPC Design
        1. Isolate Data
        2. Isolate with Service Account
      2. DNS Zone
        1. DNS Peering
        2. Forwarding Zone
        3. Peering Zone
    3. Private connection
      1. External
        1. From/To on-premises
          1. Cloud Interconnect
          2. Dedicated Interconnect
          3. Partner Interconnect
          4. Cloud VPN / IPsec
        2. Cloud NAT
        3. Internet Access from VPC
      2. Internal
        1. VPC Peering
        2. Shared VPC
        3. Google API (Private Google Access)
        4. DNS Private Zone
        5. Restrict External IP address to VM
  3. Data Protection
    1. IAM Condition
    2. Cloud DLP
      1. InfoTypes
        1. Built-in
        2. Custom
      2. Redaction (e.g., PII)
      3. De-identification
        1. Pseudonymization
        2. Generalization
        3. Date Shifting
      4. Google Vision API
      5. Video Intelligence API
      6. Google Cloud Natural Language API
      7. Inspecting Storage
        1. Sampling
      8. Data Exfiltration Prevention
    3. BigQuery Datasets
      1. Authorized Views
      2. Authorized Datasets
      3. Exporting Data
    4. VPC Service Controls
      1. Perimeter Bridge
        1. Example
      2. Context Aware
        1. Example
      3. Service Perimeter
        1. Example
    5. Secrets and Key Management
      1. Cloud KMS
        1. Key Rotation
        2. Key Version State
        3. Encryption
        4. IAM (Segregation of Duties)
      2. Secret Manager
        1. Access Control
      3. Third Party Secret Management
      4. Detecting Security Keys in Source Repositories
    6. VM
      1. VM Metadata Protection
      2. VM Instance Groups
    7. Encryption
      1. Encryption at Rest
        1. Google default encryption
        2. Customer-Managed Encryption Keys (CMEK)
        3. Customer-Supplied Encryption Keys (CSEK)
        4. External Key Manager (EKM)
        5. Cloud HSM
        6. Storage Classes
          1. Object Lifecycle Management
        7. Confidential VM
        8. Envelope Encryption
      2. Encryption in Transit
    8. Data deletion
  4. Security Operations
    1. SecDevOps - Build and deploy infra and apps
      1. Web Security Scanner
      2. Shielded VM
        1. Image Management
          1. Image Management Best Practices
        2. Secure Boot
        3. Virtual Trusted Platform Module (vTPM)
          1. Measured Boot & Integrity Monitoring
      3. Container Security (Build and Deploy)
        1. Binary Authorization
        2. Container Registry (Container Analysis and Vulnerability Scanning)
        3. Base Images
          1. Google-managed base images
          2. Custom base images (secure image pipeline)
          3. Build small container images
          4. Trusted Images
        4. Cluster Hardening
        5. Best Practices for Building Containers
        6. GKE Security
      4. Secure Data Workloads
        1. Overview
        2. GCP Products
        3. Use Case
        4. Isolate Workloads
      5. Threat Modelling
    2. Logging
      1. Cloud Audit Log
        1. Admin Activity Logs
        2. System Event Logs
        3. Data Access Logs
          1. Data Access Audit Logs
          2. BigQuery Data Access Audit Logs
        4. Policy Denied Logs
      2. GKE Logs
        1. Cloud Logging
        2. Docker-explorer
        3. Kubectl Sysdig
      3. Access Transparency Logs
      4. Agent Logs
      5. VPC Flow Logs
      6. Log Retention Compliance
      7. Exporting Logging
        1. To External SIEM
      8. Configure Logging Agent
    3. Monitoring and Detection
      1. Security Command Center
      2. Event Threat Detection
      3. Notification
      4. Alert
      5. Connecting to AWS Account
      6. Cloud Trace
      7. Cloud Debugger
      8. Cloud Profiler
    4. Forseti Security
      1. Architecture
      2. Best Practice
    5. Backup and DRP
      1. Cloud Bigtable Replication
      2. Cloud Storage
    6. Log Analysis
  5. Compliance
    1. Data Classification
    2. Data Retention
      1. Google Cloud Storage
    3. Data Inspection
    4. Standards
      1. HIPAA
        1. Healthcare API
        2. Google Cloud Healthcare Data Protection Toolkit
      2. FedRAMP High
      3. SOX
      4. PCI DSS
      5. ISO 27018
      6. FIPS 140-2 Validated
      7. GDPR
        8. COPPA (Children's Online Privacy Protection Act) - 1998
  6. Google Cloud Security Videos
  7. Courses (Need Subscription)
  8. Checklists and Cheatsheets
  9. Exam Recap & Practice