Cloud IAM Overview

Questions and Answers

What does IAM primarily help manage?

  • User privileges and resource access (correct)
  • Code deployment
  • Network security
  • Data storage

The organization resource represents an individual user.

False (B)

What is one example of a role that can be assigned in IAM?

Compute Viewer

IAM includes members, roles, and ________ accounts.

service

Match the following IAM components with their descriptions:

  • Organization = Root node of the hierarchy
  • Folders = Groups projects for better management
  • Projects = Contain resources
  • Resources = Specific services like Storage or Compute Engine

Which statement best describes the IAM resource hierarchy?

Each resource has exactly one parent. (C)

IAM policies define the privileges and actions associated with resources.

True (A)

What is the purpose of policy inheritance in IAM?

To allow child resources to inherit permissions from parent resources.

What role allows a user to create new projects and automatically make them the owner?

Creator (A)

The Admin role has limited control in the organization node.

False (B)

List the three types of IAM roles in Cloud IAM.

Basic, Predefined, Custom

In Cloud IAM, the ______ role provides read-only access to resources.

Viewer

Match each IAM role with its corresponding capability:

  • Owner = Full administrative access
  • Editor = Modify code and deploy applications
  • Viewer = Read-only access
  • Billing Administrator = Manage billing and add administrators

Which role can delete projects in a Cloud IAM setup?

Deleter (A)

In the folder node, the Creator role can only view the structure of folders.

False (B)

What are the fixed, coarse-grained roles in IAM known as?

Basic roles

What is the role of an Organization Admin in Google Cloud?

Control over all cloud resources and useful for auditing (D)

IAM roles granted at the organization level are not inherited by resources in folders under the organization.

False (B)

What type of user is responsible for assigning the Organization Admin role?

Workspace or Cloud Identity super administrator

The ______ can create projects within the organization if they have the proper role.

Project Creator

Which of the following is NOT a responsibility of the Organization Admin?

Create projects directly (C)

An organization node is the root node for Google Cloud resources.

True (A)

What acts as a trust boundary within a company?

Projects

Match the following roles with their corresponding responsibilities:

  • Organization Admin = Define IAM policies and audit resources
  • Project Creator = Control creation of projects
  • Super Administrator = Assign roles and manage accounts
  • Organization User = Access resources based on roles

What role would allow a user to start and stop Compute Engine virtual machines?

compute.instanceAdmin (B)

A service account belongs to an individual end user.

False (B)

What is the purpose of a Google Group in Identity and Access Management?

To apply an access policy to a collection of users.

A Google ______ represents a developer, an administrator, or any other person who interacts with Google Cloud.

account

Match the following member types with their descriptions:

  • Google Account = Represents an individual user
  • Service Account = Represents an application
  • Google Group = A collection of users
  • Google Workspace domain = A domain for Google Workspace users

Which statement is NOT true regarding IAM member identities?

You can use IAM to create or manage your users or groups. (C)

You can create as many service accounts as needed for your application.

True (A)

Name one type of member that can be defined in Identity and Access Management.

Google Account, Service Account, Google Group, Google Workspace domain, or Cloud Identity domain.

What role is automatically granted to the default Compute Engine service account?

Editor (A)

The default Compute Engine service account can only be enabled when a new instance is created using the Google Cloud console.

False (B)

What is the email format for the default Compute Engine service account?

[email protected]

The process of determining permissions for an authenticated identity is known as _____.

authorization

What does an access token with a read-only scope allow an application to do?

Read data from a Cloud Storage bucket (B)

Match the following applications with their access privileges:

  • Application A = Read-only access
  • Application B = Read-write access

Scopes can be customized after a VM instance has been created.

True (A)

User-created service accounts should use _____ roles instead of scopes.

IAM

What is the primary purpose of Organization Restrictions in Google Cloud?

To restrict access to resources within a specific Google Cloud organization (B)

The principle of least privilege should be followed when granting roles in Google Cloud.

True (A)

Why is it beneficial to grant roles to Google groups instead of individual users?

It allows for easier management of group membership without changing IAM policies.

The _______ hierarchy helps to group resources that share the same trust boundary.

resource

Match the following roles with their respective needs:

  • Network Admin Group = Group needing read_write role
  • View Only Group = Group needing view_only role
  • Storage Admin Group = Group needing read_write role
  • Viewer Group = Group needing view_only role

Which practice is recommended for auditing IAM policies?

Using Cloud Audit Logs to keep track of policy changes (A)

Groups can be used to enhance control over IAM policies.

True (A)

What should you check on each resource to understand permissions better?

The policy granted and the inheritance of that policy.

Flashcards

What is IAM?

Identity and Access Management (IAM) is a system for controlling who can access what in Google Cloud. It defines permissions for users, groups, and service accounts to interact with resources like Compute Engine, Cloud Storage, and BigQuery.

What is the Organization Node?

The organization node represents your company in the Google Cloud resource hierarchy. It's the top-level entity, and everything else is organized underneath it.

What are Folders?

Folders are a way to group projects within an organization. They can be used to organize resources by department, team, or purpose.

What are Projects?

Projects are containers for your Google Cloud services and resources, like Compute Engine instances, Cloud Storage buckets, and BigQuery datasets.

What are Resources?

Resources are the individual components within a project, such as a virtual machine, a storage bucket, or a database table.

What are IAM Policies?

Policies determine what permissions are granted to users, groups, and service accounts. They control who can do what on specific resources.

What is the IAM resource hierarchy?

The resource hierarchy helps organize Google Cloud resources in a tree-like structure. It starts with the Organization, then goes to Folders, Projects, and finally Resources.

What is Policy Inheritance?

IAM policies can be inherited down the resource hierarchy. This means that permissions granted at a higher level apply to all resources below it.

Organization Admin

The highest level in the resource hierarchy. Grants control over all resources within the organization.

Organization Viewer

Allows viewing access to all resources within an organization.

Folder Admin

Allows full control over folders, including creating and managing sub-folders.

Folder Creator

Allows browsing the folder hierarchy and creating new folders. Can't manage existing folders.

Folder Viewer

Allows viewing access to folders and projects within a specific folder.

Project Creator

Allows creating new projects and automatically becomes the owner of those projects.

Project Deleter

Grants the ability to delete projects.

Basic IAM Role

A type of IAM role that grants predefined, coarse-grained access to resources, offering limited flexibility.

Organization Node

A root node in the Google Cloud resource hierarchy encompassing all Google Cloud resources. For example, "yourcompany.cloud.google.com".

Organization Inheritance

The ability to create and manage projects is inherited by all resources within the organization.

Project as Trust Boundary

Projects define boundaries within an organization, creating a trusted environment for services within them.

Organization and Google Workspace/Cloud Identity

A Google Workspace or Cloud Identity account is directly associated with the Organization resource in Google Cloud.

Workspace/Cloud Identity Super Admin

The super administrator of Google Workspace or Cloud Identity can assign the Organization Admin role to users and act as the point of contact for recovery issues.

Organization Admin Responsibilities

The Organization Admin can create and manage IAM policies, defining the structure of the resource hierarchy and delegating responsibilities for Networking, Billing, and Resource Hierarchy using IAM roles.

Google Account

A Google account represents a developer, administrator, or any person interacting with Google Cloud. It can be any email address associated with a Google account, including gmail.com or other domains.

Service Account

An account belonging to your application, not an individual user. When running code on Google Cloud, you specify this account for the code to run as.

Google Group

A collection of Google accounts and service accounts. They have a unique email address and allow applying access policies to a group of users at once.

IAM Members

Different types of members in Identity and Access Management (IAM). These members determine who can access Google Cloud resources.

Instance Operator Role

The ability to start and stop virtual machines (VMs) in Google Compute Engine but not change their configuration.

Identity and Access Management (IAM)

A system for managing user access to Google Cloud resources. It allows defining roles with specific permissions.

Roles

A collection of permissions for users to manage specific Google Cloud services. Examples include compute.instanceAdmin, storage.objectAdmin, and appengine.appAdmin.

Custom Roles

Customizable user roles that allow specific actions on Google Cloud resources, such as starting and stopping VMs without reconfiguration.

What is the default Compute Engine service account?

A service account automatically created for each Google Cloud project. It is named after the project number, given the Editor role, and enabled on instances created with gcloud or the Google Cloud console.

Can the default service account be changed for instance creation?

The default Compute Engine service account can be overridden in an instance creation process. This includes specifying a custom service account or disabling the default service account altogether.

What are Scopes?

Scopes refer to the permissions granted to an authenticated identity. They determine what operations an application can perform on Google Cloud resources.

How do scopes affect an application's access token?

An access token, generated by the Google Authorization Server, carries specific scopes that define the level of access for an application to Google Cloud resources. The scopes determine actions like reading or modifying data in Cloud Storage.

How are scopes used in an application?

Scopes define the permissions for an application to access a specific Google Cloud service. Each application can have a unique set of scopes, limiting access to specific actions like only reading data.

Can you modify scopes for a Compute Engine instance after creation?

You can change the default scopes assigned to a Compute Engine instance after creation. This allows you to fine-tune the instance's access rights.

How should permissions be managed for user-created service accounts?

Instead of customizing scopes for user-created service accounts, use IAM roles for finer-grained access control. IAM roles offer a more flexible and structured way to manage permissions.

What is authorization, and how does it relate to scopes?

Authorization is the process of determining which authenticated identities have access to which specific resources. Scopes are used to define and verify these permissions based on access tokens granted to applications.

What is the purpose of using projects in IAM?

Grouping resources based on shared trust boundaries. This makes access control more logical and efficient.

Explain the concept of "inheritance" in IAM.

Policies can be applied to a parent resource and automatically inherited by its child resources. For example, a policy applied to a folder will affect all projects within it.

Why is the principle of least privilege important in IAM?

The principle of least privilege encourages granting only the necessary permissions to users and groups. This minimizes the risk of unauthorized access and helps maintain security.

What's the advantage of using Google groups for IAM?

Using groups allows you to easily manage user permissions. Instead of granting roles to each individual, you can add or remove users from a group, which automatically updates their access rights.

Why is auditing important in IAM?

Auditing ensures that you're aware of any changes made to your IAM policies and the membership of groups. This helps prevent unauthorized modifications and ensures that access is controlled.

Why is controlling group ownership important in IAM?

By controlling who owns the Google group, you can ensure that only authorized personnel have the ability to add or remove members. This helps maintain control of the permissions associated with the group.

What's the benefit of using multiple groups in IAM?

Creating multiple groups allows you to provide different levels of access based on specific roles. This can help ensure that only the necessary permissions are granted to each user or group.

Study Notes

Identity and Access Management (IAM) Overview

  • IAM is a way to identify who (a person, group, or application) can do what on a resource.
  • Resources can be any Google Cloud service.
  • IAM has components like organizations, roles, members, and service accounts.
  • Organization Restrictions feature helps control access.
  • Best practices show how to apply these concepts to daily work.

IAM Resource Hierarchy

  • Google Cloud resources are hierarchical.
  • The Organization node is the root.
  • Folders are children of the organization.
  • Projects are children of folders.
  • Resources are children of projects.

Organization Node

  • Root node for Google Cloud resources.
  • Organization Admin role controls all cloud resources (useful for auditing).
  • Project Creator role controls project creation.

Creating and Managing Organizations

  • Created when a Google Workspace or Cloud Identity account creates a Google Cloud Project.
  • Workspace or Cloud Identity super administrators assign Organization admins and manage account lifecycles.
  • Organization admins define IAM policies and resource hierarchy, delegating responsibility.

Folders

  • Additional grouping and isolation boundary between projects.
  • Can represent departments, legal entities, or teams.
  • Allow delegation of administrative rights.

Resource Manager Roles

  • Organization Admin: full control over all resources.
  • Organization Viewer: views all resources.
  • Folder Admin: full control over folders.
  • Folder Creator: manages folder creation.
  • Folder Viewer: views folders and resources below a given resource.
  • Project Creator: creates new projects (automatic owner).
  • Project Deleter: deletes projects.

IAM Roles (Types)

  • Basic roles (Owner, Editor, Viewer).
  • Predefined roles (specific Google Cloud services).
  • Custom roles (define precise permissions).

IAM Basic Roles

  • Owner: full administrative access (adding, removing members, deleting projects).
  • Editor: modify and delete access (deploying applications, configuring resources).
  • Viewer: read-only access.

IAM Predefined Roles

  • GCP services provide sets of predefined roles for granular access to specific resources.
  • These roles are collections of permissions.

IAM Predefined Roles (Example)

  • InstanceAdmin role: permissions for managing compute instances.

Compute Engine IAM Roles

  • Compute Admin: full control of Compute Engine resources.
  • Network Admin: manages networking resources (excluding firewall rules and SSL certificates).
  • Storage Admin: manages disks, images, and snapshots.

IAM Custom Roles

  • Roles define specific permission sets.
  • Example: "Instance Operator" role for starting and stopping virtual machines.

IAM Members (Types)

  • Google Accounts (developers, admins).
  • Service Accounts (accounts for applications).
  • Google Groups (collections of accounts).
  • Google Workspace domains.
  • Cloud Identity domains.

IAM Allow Policies

  • Grants access to Google Cloud resources.
  • Controls access to the resources and their descendants.
  • Binds, or associates, principals (or identities) to a single IAM role.

IAM Deny Policies

  • Prevent principals from using specific permissions, regardless of their roles.
  • Specifies principals, permissions, and (optional) conditions for denial.

IAM Conditions

  • Allow defining attribute-based access control using conditions in role bindings.
  • Conditions are expressed as logic statements.

Organization Policies

  • Configurations of restrictions defined by constraints.
  • Applied to organizations, folders, or projects.
  • Inherited by child resources.

Single Sign-On (SSO)

  • Configured using Cloud Identity.
  • Third-party solutions if SAML2 isn't supported (ADFS, Ping, Okta).

Service Accounts

  • Provide identity for service-to-service interactions.
  • Used for applications or programs running within Compute Engine instances.
  • Service accounts have unique email addresses.
  • Types include user-created, built-in, and Google APIs service accounts.

Service Account Keys

  • Google-managed vs. user-managed keys.
  • Google manages the keys for default service accounts.
  • With user-managed keys, the user is responsible for their security and rotation.

Identity-Aware Proxy (IAP)

  • Central authorization layer for HTTPS-accessed applications.
  • Enforces policies based on identity.
  • Provides access controls for applications without VPNs.
