Cloud IAM Overview

Questions and Answers

What does IAM primarily help manage?

• User privileges and resource access (correct)
• Code deployment
• Network security
• Data storage

The organization resource represents an individual user.

False (B)

What is one example of a role that can be assigned in IAM?

Compute Viewer

IAM includes members, roles, and ________ accounts.

service

Match the following IAM components with their descriptions:

Organization = Root node of the hierarchy Folders = Groups projects for better management Projects = Contain resources Resources = Specific services like Storage or Compute Engine

Which statement best describes the IAM resource hierarchy?

Each resource has exactly one parent. (C)

IAM policies define the privileges and actions associated with resources.

True (A)

What is the purpose of policy inheritance in IAM?

To allow child resources to inherit permissions from parent resources.

What role allows a user to create new projects and automatically make them the owner?

Creator (A)

The Admin role has limited control in the organization node.

False (B)

List the three types of IAM roles in Cloud IAM.

Basic, Predefined, Custom

In Cloud IAM, the ______ role provides read-only access to resources.

Viewer

Match each IAM role with its corresponding capability:

Owner = Full administrative access Editor = Modify code and deploy applications Viewer = Read-only access Billing Administrator = Manage billing and add administrators

Which role can delete projects in a Cloud IAM setup?

Deleter (A)

In the folder node, the Creator role can only view the structure of folders.

False (B)

What are the fixed, coarse-grained roles in IAM known as?

Basic roles

What is the role of an Organization Admin in Google Cloud?

Control over all cloud resources and useful for auditing (D)

IAM roles granted at the organization level are not inherited by resources in folders under the organization.

False (B)

What type of user is responsible for assigning the Organization Admin role?

Workspace or Cloud Identity super administrator

The ______ can create projects within the organization if they have the proper role.

Project Creator

Which of the following is NOT a responsibility of the Organization Admin?

Create projects directly (C)

An organization node is the root node for Google Cloud resources.

True (A)

What acts as a trust boundary within a company?

Projects

Match the following roles with their corresponding responsibilities:

Organization Admin = Define IAM policies and audit resources Project Creator = Control creation of projects Super Administrator = Assign roles and manage accounts Organization User = Access resources based on roles

What role would allow a user to start and stop Compute Engine virtual machines?

compute.instanceAdmin (B)

A service account belongs to an individual end user.

False (B)

What is the purpose of a Google Group in Identity and Access Management?

To apply an access policy to a collection of users.

A Google ______ represents a developer, an administrator, or any other person who interacts with Google Cloud.

account

Match the following member types with their descriptions:

Google Account = Represents an individual user Service Account = Represents an application Google Group = A collection of users Google Workspace domain = A domain for Google Workspace users

Which statement is NOT true regarding IAM member identities?

You can use IAM to create or manage your users or groups. (C)

You can create as many service accounts as needed for your application.

True (A)

Name one type of member that can be defined in Identity and Access Management.

Google Account, Service Account, Google Group, Google Workspace domain, or Cloud Identity domain.

What role is automatically granted to the default Compute Engine service account?

Editor (A)

The default Compute Engine service account can only be enabled when a new instance is created using the Google Cloud console.

False (B)

What is the email format for the default Compute Engine service account?

[email protected]

The process of determining permissions for an authenticated identity is known as _____ .

authorization

What does an access token with a read-only scope allow an application to do?

Read data from a Cloud Storage bucket (B)

Match the following applications with their access privileges:

Application A = Read-only access Application B = Read-write access

Scopes can be customized after a VM instance has been created.

True (A)

User-created service accounts should use _____ roles instead of scopes.

IAM

What is the primary purpose of Organization Restrictions in Google Cloud?

To restrict access to resources within a specific Google Cloud organization (B)

The principle of least privilege should be followed when granting roles in Google Cloud.

True (A)

Why is it beneficial to grant roles to Google groups instead of individual users?

It allows for easier management of group membership without changing IAM policies.

The _______ hierarchy helps to group resources that share the same trust boundary.

resource

Match the following roles with their respective needs:

Network Admin Group = Group needing read_write role View Only Group = Group needing view_only role Storage Admin Group = Group needing read_write role Viewer Group = Group needing view_only role

Which practice is recommended for auditing IAM policies?

Using Cloud Audit Logs to keep track of policy changes (A)

Groups can be used to enhance control over IAM policies.

True (A)

What should you check on each resource to understand permissions better?

The policy granted and the inheritance of that policy.

Flashcards

What is IAM?

Identity and Access Management (IAM) is a system for controlling who can access what in Google Cloud. It defines permissions for users, groups, and service accounts to interact with resources like Compute Engine, Cloud Storage, and BigQuery.

What is the Organization Node?

The organization node represents your company in the Google Cloud resource hierarchy. It's the top-level entity, and everything else is organized underneath it.

What are Folders?

Folders are a way to group projects within an organization. They can be used to organize resources by department, team, or purpose.

What are Projects?

Projects are containers for your Google Cloud services and resources, like Compute Engine instances, Cloud Storage buckets, and BigQuery datasets.

What are Resources?

Resources are the individual components within a project, such as a virtual machine, a storage bucket, or a database table.

What are IAM Policies?

Policies determine what permissions are granted to users, groups, and service accounts. They control who can do what on specific resources.

What is the IAM resource hierarchy?

The resource hierarchy helps organize Google Cloud resources in a tree-like structure. It starts with the Organization, then goes to Folders, Projects, and finally Resources.

What is Policy Inheritance?

IAM policies can be inherited down the resource hierarchy. This means that permissions granted at a higher level apply to all resources below it.

Organization Admin

The highest level in the resource hierarchy. Grants control over all resources within the organization.

Organization Viewer

Allows viewing access to all resources within an organization.

Folder Admin

Allows full control over folders, including creating and managing sub-folders.

Folder Creator

Allows browsing the folder hierarchy and creating new folders. Can't manage existing folders.

Folder Viewer

Allows viewing access to folders and projects within a specific folder.

Project Creator

Allows creating new projects and automatically becomes the owner of those projects.

Project Deleter

Grants the ability to delete projects.

Basic IAM Role

A type of IAM role that grants predefined, coarse-grained access to resources, offering limited flexibility.

Organization Node

A root node in the Google Cloud resource hierarchy encompassing all Google Cloud resources. Example, "yourcompany.cloud.google.com".

Organization Inheritance

The ability to create and manage projects is inherited by all resources within the organization.

Project as Trust Boundary

Projects define boundaries within an organization, creating a trusted environment for services within them.

Organization and Google Workspace/Cloud Identity

A Google Workspace or Cloud Identity account is directly associated with the Organization resource in Google Cloud.

Workspace/Cloud Identity Super Admin

The super administrator of Google Workspace or Cloud Identity can assign the Organization Admin role to users and act as the point of contact for recovery issues.

Organization Admin Responsibilities

The Organization Admin can create and manage IAM policies, defining the structure of the resource hierarchy and delegating responsibilities for Networking, Billing, and Resource Hierarchy using IAM roles.

Google Account

A Google account represents a developer, administrator, or any person interacting with Google Cloud. It can be any email address associated with a Google account, including gmail.com or other domains.

Service Account

An account belonging to your application, not an individual user. When running code on Google Cloud, you specify this account for the code to run as.

Google Group

A collection of Google accounts and service accounts. They have a unique email address and allow applying access policies to a group of users at once.

IAM Members

Different types of members in Identity and Access Management (IAM). These members determine who can access Google Cloud resources.

Instance Operator Role

The ability to start and stop virtual machines (VMs) in Google Compute Engine but not change their configuration.

Identity and Access Management (IAM)

A system for managing user access to Google Cloud resources. It allows defining roles with specific permissions.

Roles

A collection of permissions for users to manage specific Google Cloud services. Examples include compute.instanceAdmin, storage.objectAdmin, and appengine.appAdmin.

Custom Roles

Customizable user roles that allow specific actions on Google Cloud resources, such as starting and stopping VMs without reconfiguration.

What is the default Compute Engine service account?

A service account automatically created for each Google Cloud project. It is named after the project number, given the Editor role, and enabled on instances created with gcloud or the Google Cloud console.

Can the default service account be changed for instance creation?

The default Compute Engine service account can be overridden in an instance creation process. This includes specifying a custom service account or disabling the default service account altogether.

What are Scopes?

Scopes refer to the permissions granted to an authenticated identity. They determine what operations an application can perform on Google Cloud resources.

How do scopes affect an application's access token?

An access token, generated by the Google Authorization Server, carries specific scopes that define the level of access for an application to Google Cloud resources. The scopes determine actions like reading or modifying data in Cloud Storage.

How are scopes used in an application?

Scopes define the permissions for an application to access a specific Google Cloud service. Each application can have a unique set of scopes, limiting access to specific actions like only reading data.

Can you modify scopes for a Compute Engine instance after creation?

You can change the default scopes assigned to a Compute Engine instance after creation. This allows you to fine-tune the instance's access rights.

How should permissions be managed for user-created service accounts?

Instead of customizing scopes for user-created service accounts, use IAM roles for finer-grained access control. IAM roles offer a more flexible and structured way to manage permissions.

What is authorization, and how does it relate to scopes?

Authorization is the process of determining which authenticated identities have access to which specific resources. Scopes are used to define and verify these permissions based on access tokens granted to applications.

What is the purpose of using projects in IAM?

Grouping resources based on shared trust boundaries. This makes access control more logical and efficient.

Explain the concept of "inheritance" in IAM.

Policies can be applied to a parent resource and automatically inherited by its child resources. For example, a policy applied to a folder will affect all projects within it.

Why is the principle of least privilege important in IAM?

The principle of least privilege encourages granting only the necessary permissions to users and groups. This minimizes the risk of unauthorized access and helps maintain security.

What's the advantage of using Google groups for IAM?

Using groups allows you to easily manage user permissions. Instead of granting roles to each individual, you can add or remove users from a group, which automatically updates their access rights.

Why is auditing important in IAM?

Auditing ensures that you're aware of any changes made to your IAM policies and the membership of groups. This helps prevent unauthorized modifications and ensures that access is controlled.

Why is controlling group ownership important in IAM?

By controlling who owns the Google group, you can ensure that only authorized personnel have the ability to add or remove members. This helps maintain control of the permissions associated with the group.

What's the benefit of using multiple groups in IAM?

Creating multiple groups allows you to provide different levels of access based on specific roles. This can help ensure that only the necessary permissions are granted to each user or group.

Study Notes

Identity and Access Management (IAM) Overview

• IAM is a way to identify who can do what on a resource (e.g., person, group, application).
• Resources can be any Google Cloud service.
• IAM has components like organizations, roles, members, and service accounts.
• Organization Restrictions feature helps control access.
• Best practices are to apply concepts to daily work.

IAM Resource Hierarchy

• Google Cloud resources are hierarchical.
• The Organization node is the root.
• Folders are children of the organization.
• Projects are children of folders.
• Resources are children of projects.

Organization Node

• Root node for Google Cloud resources.
• Organization Admin role controls all cloud resources (useful for auditing).
• Project Creator role controls project creation.

Creating and Managing Organizations

• Created when a Google Workspace or Cloud Identity account creates a Google Cloud Project.
• Workspace or Cloud Identity super administrators assign Organization admins and manage account lifecycles.
• Organization admins define IAM policies and resource hierarchy, delegating responsibility.

Folders

• Additional grouping and isolation boundary between projects.
• Can represent departments, legal entities, or teams.
• Allow delegation of administrative rights.

Resource Manager Roles

• Organization Admin: full control over all resources.
• Organization Viewer: views all resources.
• Folder Admin: full control over folders.
• Folder Creator: manages folder creation.
• Folder Viewer: views folders and resources below a resource.
• Project Creator: creates new projects (automatic owner).
• Project Deleter: deletes projects.

IAM Roles (Types)

• Basic roles (Owner, Editor, Viewer).
• Predefined roles (specific Google Cloud services).
• Custom roles (define precise permissions).

IAM Basic Roles

• Owner: full administrative access (adding, removing members, deleting projects).
• Editor: modify and delete access (deploying applications, configuring resources).
• Viewer: read-only access.

IAM Predefined Roles

• GCP services provide sets of predefined roles for granular access to specific resources.
• These roles are collections of permissions.

IAM Predefined Roles (Example)

• InstanceAdmin role: permissions for managing compute instances.

Compute Engine IAM Roles

• Compute Admin: full control of Compute Engine resources.
• Network Admin: manages networking resources (excluding firewall rules and SSL certificates).
• Storage Admin: manages disks, images, and snapshots.

IAM Custom Roles

• Roles define specific permission sets.
• Example: "Instance Operator" role for starting and stopping virtual machines.

IAM Members (Types)

• Google Accounts (developers, admins).
• Service Accounts (accounts for applications).
• Google Groups (collections of accounts).
• Google Workspace domains.
• Cloud Identity domains.

IAM Allow Policies

• Grants access to Google Cloud resources.
• Controls access to the resources and their descendants.
• Binds, or associates, principals (or identities) to a single IAM role.

IAM Deny Policies

• Prevent principals from using specific permissions, regardless of their roles.
• Specifies principals, permissions, and (optional) conditions for denial.

IAM Conditions

• Allow defining attribute-based access control using conditions in role bindings.
• Conditions are expressed as logic statements.

Organization Policies

• Configurations of restrictions defined by constraints.
• Applied to organizations, folders, or projects.
• Inherited by children resources.

Single Sign-On (SSO)

• Configured using Cloud Identity.
• Third-party solutions if SAML2 isn't supported (ADFS, Ping, Okta).

Service Accounts

• Provide identity for service-to-service interactions.
• Used for applications or programs running within Compute Engine instances.
• Service accounts have unique email addresses.
• Types include user-created, built-in, and Google APIs service accounts.

Service Account Keys

• Google-managed vs User-managed keys
• Google manages keys for default service accounts.
• User manages keys, responsible for security and rotation.

Identity-Aware Proxy (IAP)

• Central authorization layer for HTTPS-accessed applications.
• Enforces policies based on identity.
• Provides access controls for applications without VPNs.