Manage IAM policies, service accounts, and implement security best practices (~20% of exam).
Covers viewing and creating IAM policies, managing role types (basic, predefined, custom), creating and managing service accounts, implementing least privilege, service account impersonation, and short-lived credentials.
5 minutes
5 Questions
Configuring Access and Security in Google Cloud Platform (GCP) is a critical responsibility for Cloud Engineers, encompassing identity management, resource protection, and compliance enforcement.
**Identity and Access Management (IAM)** forms the foundation of GCP security. IAM allows you to define who (identity) has what access (role) to which resources. Principals can be Google accounts, service accounts, Google groups, or Cloud Identity domains. Roles are collections of permissions; you can use basic or predefined roles, or create custom roles for granular control.
**Service Accounts** are special accounts used by applications and virtual machines to authenticate and authorize API calls. Engineers must manage service account keys carefully, rotate them regularly, prefer short-lived credentials and service account impersonation over long-lived keys where possible, and follow the principle of least privilege when assigning permissions.
**Resource Hierarchy** affects access control significantly. Policies can be set at organization, folder, project, or resource levels. Permissions are inherited downward, so a role granted at the folder level applies to all projects within that folder.
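The two points above (least privilege when assigning roles, and downward inheritance through organization, folder and project) can be checked together from the JSON that `get-iam-policy` returns. The script below is an added example, not code from the original page or from Google: it merges constructed policy documents from each level of a made-up hierarchy into the effective bindings at the project, then flags basic roles, public principals, and service accounts holding basic roles. The organization id, folder id, project name and principals are all constructed.

```python
"""Effective IAM bindings across the resource hierarchy, with a least-privilege check.

Added example, not from the original page or from Google. The three policy
documents below are constructed to look like the JSON that
`gcloud <organizations|resource-manager folders|projects> get-iam-policy --format=json`
returns; the ids, project name and principals are made up.
"""
from collections import defaultdict

# The "basic" roles grant broad, non-granular access to a whole resource.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Principals that open a resource to everyone on the internet / every Google account.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed policies, listed top-down: organization -> folder -> project.
HIERARCHY = [
    ("organizations/123456789012", {"bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["group:gcp-org-admins@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]}),
    ("folders/111111111111", {"bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:ci-deployer@example-prod.iam.gserviceaccount.com"]},
    ]}),
    ("projects/example-prod", {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/compute.instanceAdmin.v1", "members": ["user:dev@example.com"]},
        {"role": "roles/viewer", "members": ["user:auditor@example.com"]},
    ]}),
]


def effective_bindings(hierarchy):
    """Return {principal: {role: set(resources where it was granted)}}.

    Roles are inherited downward, so every binding on an ancestor also applies
    to the project at the bottom of the list; the union of all levels is the
    project's effective policy.
    """
    eff = defaultdict(lambda: defaultdict(set))
    for resource, policy in hierarchy:
        for binding in policy.get("bindings", []):
            for member in binding.get("members", []):
                eff[member][binding["role"]].add(resource)
    return eff


def least_privilege_findings(hierarchy):
    """Flag bindings a reviewer would question, noting at which level each was granted."""
    findings = []
    for member, roles in effective_bindings(hierarchy).items():
        for role, resources in roles.items():
            where = ", ".join(sorted(resources))
            if member in PUBLIC_PRINCIPALS:
                findings.append(f"PUBLIC: {member} has {role} via {where}")
            if role in BASIC_ROLES:
                kind = ("SERVICE_ACCOUNT_BASIC_ROLE" if member.startswith("serviceAccount:")
                        else "BASIC_ROLE")
                findings.append(f"{kind}: {member} has {role} via {where}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in least_privilege_findings(HIERARCHY):
        print(finding)
```

The `via` part of each finding matters in practice: a basic role inherited from a folder cannot be removed by editing the project policy, so the fix has to be made at the level that granted it.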
**Cloud Identity** provides centralized user and group management. It integrates with existing identity providers through SAML or can sync with Active Directory using Google Cloud Directory Sync.
**VPC Security** includes firewall rules that control ingress and egress traffic. Cloud Armor provides DDoS protection and web application firewall capabilities. Private Google Access allows VMs to reach Google APIs using internal IP addresses.
**Encryption** is handled automatically for data at rest and in transit. Customer-managed encryption keys (CMEK) and customer-supplied encryption keys (CSEK) offer additional control over encryption key management.
**Audit Logging** through Cloud Audit Logs tracks administrative activities, data access, and system events. These logs are essential for compliance, troubleshooting, and security monitoring.
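Admin Activity audit logs are where IAM changes show up, so a simple detection over them answers the "who granted what to whom" question. The script below is an added example, not code from the original page or from Google: it scans constructed log entries modelled on the shape of a `SetIamPolicy` Admin Activity entry (`protoPayload.serviceData.policyDelta.bindingDeltas`) and reports every grant of a basic role, ignoring removals, narrow predefined roles and unrelated events. The principals, project and timestamps are made up, and the exact field layout is an assumption to check against your own exported entries.

```python
"""Detect grants of basic roles in Cloud Audit Log entries (SetIamPolicy).

Added example, not from the original page or from Google. The entries below are
constructed to follow the shape of an Admin Activity log entry for SetIamPolicy
(protoPayload.serviceData.policyDelta.bindingDeltas); principals, project and
timestamps are made up.
"""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed entries, one JSON object per line, as a log sink export delivers them.
SAMPLE_LOG = "\n".join(json.dumps(entry) for entry in [
    {   # An admin adds a contractor as Owner and removes a stale Viewer binding.
        "timestamp": "2024-05-01T10:00:00Z",
        "logName": "projects/example-prod/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "resourceName": "projects/example-prod",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner", "member": "user:contractor@example.com"},
                {"action": "REMOVE", "role": "roles/viewer", "member": "user:former@example.com"},
            ]}},
        },
    },
    {   # A CI service account grants a narrow predefined role: not flagged.
        "timestamp": "2024-05-01T10:05:00Z",
        "logName": "projects/example-prod/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "ci@example-prod.iam.gserviceaccount.com"},
            "resourceName": "projects/example-prod",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/storage.objectViewer",
                 "member": "serviceAccount:app@example-prod.iam.gserviceaccount.com"},
            ]}},
        },
    },
    {   # Unrelated admin activity (a VM creation): ignored by the detector.
        "timestamp": "2024-05-01T10:07:00Z",
        "logName": "projects/example-prod/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "authenticationInfo": {"principalEmail": "dev@example.com"},
            "resourceName": "projects/example-prod/zones/us-central1-a/instances/web-1",
        },
    },
])


def find_basic_role_grants(log_text):
    """Return one finding per ADD of a basic role inside a SetIamPolicy entry."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = (payload.get("serviceData", {})
                         .get("policyDelta", {})
                         .get("bindingDeltas", []))
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("role") in BASIC_ROLES:
                findings.append({
                    "timestamp": entry.get("timestamp"),
                    "actor": payload.get("authenticationInfo", {}).get("principalEmail"),
                    "resource": payload.get("resourceName"),
                    "role": delta["role"],
                    "member": delta["member"],
                })
    return findings


if __name__ == "__main__":
    for f in find_basic_role_grants(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['actor']} granted {f['role']} "
              f"to {f['member']} on {f['resource']}")
```

The same shape of check, with the role set widened to whatever your organization treats as privileged (for example `roles/iam.serviceAccountTokenCreator`, which enables impersonation), is a reasonable starting point for an alerting rule in a log-based metric or a SIEM.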
**Security Best Practices** include enabling multi-factor authentication, using organization policies to enforce constraints, regularly reviewing IAM permissions, and implementing VPC Service Controls for sensitive data protection.