Managing GCP IAM Permissions with On-premises Active Directory

Questions and Answers

What should be done to centrally manage GCP IAM permissions from on-premises Active Directory by group membership?

Use the Admin SDK to create groups and assign IAM permissions from Active Directory.

Set up SAML 2.0 Single Sign-On (SSO) and assign IAM permissions to the groups. (correct)

Set up Cloud Directory Sync to sync users and set IAM permissions on the users.

Use the Cloud Identity and Access Management API to create users and IAM permissions from Active Directory.

What is a best practice when creating a secure container image?

Use public container images as a base image for the app.

Ensure that the app runs as PID 1.

Use many container image layers to hide sensitive information. (correct)

Package multiple apps in a container.

To scan secrets and store them in Cloud SQL, what should be used?

Run the Cloud Data Loss Prevention API. (correct)

Use the Cloud Identity and Access Management API.

Set up SAML 2.0 Single Sign-On (SSO).

Deploy SCM to a Compute Engine VM with local SSDs.

What is NOT recommended as part of creating a secure container image?

Packaging multiple apps as one container.

How can GCP IAM permissions be managed in relation to an on-premises Active Directory Service?

Sync users using Cloud Directory Sync and set IAM permissions on users.

Which approach should be taken when deploying SCM for managing secrets?

Deploy SCM to a Compute Engine VM with local SSDs.

What is the recommended technique for a financial institution to have maximum control over the encryption process of data stored at rest in BigQuery?

Customer-managed encryption keys (CMEK)

Which storage solution is allowed for a company deploying their application on Google Cloud Platform to automatically replicate data over at least two geographic places?

Cloud BigQuery

In the context of Google Cloud Platform, what does configuring Cloud VPN between a private network and GCP help achieve?

Secure communication between the private network and GCP

For an e-retailer moving to Google Cloud Platform with an ecommerce website, what is a crucial security measure they should consider?

Enforcing strong encryption for data stored at rest

What is the purpose of provisioning user passwords using GSuite Password Sync in Google Cloud Platform?

Synchronize user passwords between GSuite and GCP

If a company policy requires long-term data to be stored in multiple geographic locations, which storage solution should they consider on Google Cloud Platform?

Cloud BigQuery

What should the Infrastructure Operations Systems Engineer do to minimize disruption when a domain is already being used by G Suite for setting up Cloud Identity?

Provision the data science manager's account as a Super Administrator in the existing domain

What access should a team grant to manage permissions and auditing in a Cloud Identity domain with an organizational resource having hundreds of projects?

Organization Role Administrator

In the scenario where a business unit at a multinational corporation starts moving workloads into GCP, what type of access should be granted to take over managing permissions and auditing?

Organization Role Administrator

When an application on a Compute Engine instance needs to read data from a Cloud Storage bucket, what is the most suitable course of action?

Set up a service account with the required read permissions for the Compute Engine instance

In the context of managing permissions and auditing in GCP, what role should be assigned to effectively handle organization resources?

Organization Role Administrator

If faced with a situation where a domain is already being used by G Suite for a Cloud Identity setup, what action should be recommended to avoid disruption?

Register a new domain exclusively for Cloud Identity purposes

What should be done to ensure Compute Engine instances in the production project do not have public IP addresses?

Enable Private Access on the VPC network in the production project

Which action should be taken to enforce the requirement of ensuring Compute Engine instances have public IPs for the frontend application?

Set up an organization policy to only permit public IPs for the front-end Compute Engine instances

What security characteristics are associated with VPC peering for connecting two VPC networks?

Central management of routes, firewalls, and VPNs for peered networks

In VPC peering, what does it mean if the peered networks are non-transitive?

Non-transitive peered networks; where only directly peered networks can communicate

How can firewall rules be applied in VPC peering between two networks?

Firewall rules that can be created with a tag from one peered network to another peered network

If two VPC networks belong to different Google Cloud Platform organizations, what still remains possible in terms of VPC peering?

Ability to peer networks that belong to different Google Cloud Platform organizations

What is the primary responsibility of an organization's security and risk management teams when using Google Cloud's App Engine?

Encrypting all stored data

To limit users with administrative privileges at the organization level, which roles should be restricted according to the provided information?

Organization Administrator

For which technology stack area would an organization's security and risk management teams need to focus primarily when using App Engine?

Encrypting all stored data

What is the only account that has a role that can write to BigQuery according to the provided information?

App Engine Default Service Account

Which role should an engineering team restrict to limit users with administrative privileges at the organization level?

Super Admin

What is the main concern of an organization's security and risk management teams regarding their responsibility for production workloads running in Google Cloud Platform?

Encrypting all stored data

Study Notes

Cloud Data Loss Prevention API

• Scan secrets and store them in Cloud SQL.

IAM Permissions Management

• Centrally manage GCP IAM permissions from on-premises Active Directory Service using SAML 2.0 Single Sign-On (SSO).
• Assign IAM permissions to groups.

Secure Container Image Creation

• Incorporate the following into the build if possible:
  • Ensure the app does not run as PID 1.
  • Remove any unnecessary tools not needed by the app.

Cloud Identity-Aware Proxy

• Configure Cloud Identity-Aware Proxy for the App Engine Application.

Encryption Techniques

• Use Customer-managed encryption keys (CMEK) for maximum control over encryption process in BigQuery.
• Use Cloud Storage as a federated Data Source for storing long-term data.

Cloud Identity

• Use Cloud Identity to manage permissions and auditing domain resources.
• Grant Organization Role Administrator access to manage permissions and auditing domain resources.

VPC and IAM

• Use Organization Policy Administrator to set up an organization policy to only permit public IPs for front-end Compute Engine instances.
• Use VPC peering to connect two VPC networks with non-transitive peered networks.
• Restrict the Organization Administrator and Super Admin roles to limit users with administrative privileges at the organization level.

Security and Risk Management

• Focus on encrypting all stored data as primary responsibility when using App Engine.
• Ensure the security and risk management teams are responsible for defending against XSS and SQLi attacks in App Engine.

Description

Learn how to centrally manage Google Cloud Platform IAM permissions from an on-premises Active Directory Service by syncing groups and setting IAM permissions based on group membership. This quiz covers best practices for integrating GCP IAM with Active Directory.