To handle significant traffic spikes and potentially malicious IPs, you can use Google Cloud Armor to

configure rate-based bans. This approach allows you to automatically ban clients that exceed a

predefined request rate, protecting your application from potential denial-of-service attacks.

Access Google Cloud Console: Log in to your Google Cloud Console.

Navigate to Google Cloud Armor: Go to the "Security" section and select "Google Cloud Armor".

Create Security Policy: Create a new security policy or edit an existing one. Add a new rule to the

policy.

Configure Rate-Based Ban: Set the action to rate_based_ban. Define the rate limit (e.g., requests per

second) and set the ban_duration_sec parameter to the desired time interval.

Apply the Policy: Apply the security policy to your backend service or load balancer.

Monitor and Adjust: Monitor the traffic patterns and adjust the rate limits and ban durations as

necessary to balance security and availability.

Reference::

Google Cloud Armor Documentation

Rate Limiting with Cloud Armor

Objective: Store and retrieve sensitive configuration data for an application running on Compute

Engine.

Solution: Use Secret Manager to securely store and manage access to sensitive configuration data.

Steps:

Step 1: Open the Google Cloud Console.

Step 2: Navigate to the Secret Manager section.

Step 3: Create a new secret and add the sensitive configuration data.

Step 4: Set appropriate IAM policies to control access to the secret.

Step 5: Update the application to retrieve the secret from Secret Manager using the appropriate

client libraries or APIs.

Secret Manager provides a secure and centralized way to manage sensitive information, with fine-

grained access control and audit logging capabilities.

Reference::

Secret Manager Documentation

Storing and Accessing Secrets

The minimum length for passwords in Cloud Identity can be set to 8 characters. This aligns with

common security best practices for password policies, ensuring a basic level of complexity and

security.

Step-by-Step:

Access Admin Console: Log in to the Google Admin console.

Navigate to Security Settings: Go to Security > Password Management.

Set Minimum Length: Set the minimum length for passwords to 8 characters.

Save Changes: Save the settings and ensure that all user accounts adhere to the new policy.

Reference::

Google Cloud Identity Security Settings

Password Policy Best Practices

To enhance the security of your microservices architecture on Google Kubernetes Engine (GKE) and

ensure that only approved container images are deployed, implementing Binary Authorization is a

robust solution.

Option A: Enforcing Binary Authorization in your GKE clusters ensures that only container images that

meet your organization's security policies are deployed. By integrating container image vulnerability

scanning into your Continuous Integration/Continuous Deployment (CI/CD) pipeline, you can assess

images for known vulnerabilities before they are deployed. Binary Authorization can be configured to

use these vulnerability scan results to make policy decisions, effectively preventing the deployment

of insecure images. This approach leverages managed services provided by Google Cloud, ensuring

scalability and compliance with security standards.

Option B: Developing custom organization policies to restrict deployments to images within a specific

Artifact Registry project helps in controlling the source of images but does not inherently assess the

security posture of those images. Without integrated vulnerability scanning and enforcement

mechanisms, this approach may not fully mitigate the risk of deploying vulnerable images.

Option C: Building a system using third-party vulnerability databases and custom scripts requires

significant maintenance and may not integrate seamlessly with GKE. This approach can be error-

prone and lacks the efficiency of managed services designed for this purpose.

Option D: Automatically deploying new images upon successful CI/CD builds ensures rapid

deployment but does not address the need for security assessments of the images. While setting up

firewall rules is good practice, it does not prevent the deployment of potentially vulnerable images.

Therefore, Option A is the most effective approach, as it utilizes Google Cloud's managed services to

enforce security policies and integrate vulnerability assessments directly into the deployment

process, ensuring that only approved and secure container images are deployed to your GKE clusters.

Reference::

Binary Authorization Documentation

Container Analysis Documentation

To keep track of "who did what, where, and when?" within GCP projects, the administrator should

focus on Admin Activity logs and Data Access logs. Here’s a detailed explanation of why these two

log streams are essential:

Admin Activity Logs:

These logs capture administrative actions performed in your Google Cloud resources. This includes

actions like creating, modifying, or deleting resources.

Admin Activity logs provide detailed information about the user who performed the action, the

resource that was affected, the action performed, and the timestamp.

Data Access Logs:

These logs capture read and write operations on data within your Google Cloud services. This

includes actions like accessing or modifying data stored in databases, storage buckets, etc.

Data Access logs help track the access patterns of users and services to sensitive data, providing

insights into who accessed which data and when.

Steps to Enable and Access Logs:

Navigate to the Google Cloud Console.

Go to Logging in the left-hand menu.

Enable Admin Activity and Data Access logs if not already enabled.

Use Logs Explorer to filter and view specific logs based on your requirements.

By monitoring both Admin Activity and Data Access logs, administrators can gain comprehensive

visibility into the actions performed on their GCP resources and data, ensuring robust security and

compliance tracking.

Reference::

Google Cloud Logging Documentation

Audit Logs Overview

To migrate a legacy application to GCP without knowing what ports it uses and ensuring the

environment is secure, the best approach is to use a "Lift & Shift" method in an isolated project and

analyze the traffic using VPC Flow logs. Here’s a step-by-step explanation:

Isolated Project:

Create a new, isolated project within your GCP environment to host the legacy application. This

isolation ensures that any potential misconfigurations do not affect other projects.

Lift & Shift:

Migrate the application as-is (lift and shift) to the new isolated project. This involves moving the

application without altering its architecture.

Enable Internal TCP Traffic:

Configure VPC Firewall rules to allow all internal TCP traffic within the VPC network. This step

ensures that the application components can communicate internally without interruption.

Use VPC Flow Logs:

Enable VPC Flow logs to capture information about the traffic to and from your application. VPC Flow

logs provide details about the source, destination, port, and protocol of the traffic.

Analyze Traffic:

Analyze the VPC Flow logs to identify the necessary ports and protocols used by the application.

Based on this analysis, create specific firewall rules to allow only the required traffic, thereby

tightening security.

Implementation Steps:

Navigate to the VPC network section in the GCP Console.

Create a new VPC or use an existing one, and configure firewall rules to allow internal TCP traffic.

Enable VPC Flow logs from the VPC network settings.

Migrate your application to the new project.

Monitor and analyze the VPC Flow logs to refine your firewall rules.

By following these steps, you can safely migrate the application, understand its network

requirements, and secure it appropriately in the new GCP environment.

Reference::

Google Cloud VPC Documentation

VPC Flow Logs Documentation

Google Cloud Storage provides an Object Lifecycle Management feature that can help automate data

retention and deletion processes, ensuring compliance with data privacy regulations while

minimizing storage costs.

Lifecycle Management: Object Lifecycle Management allows you to define rules that automatically

delete objects after a specific period. This ensures that data is only retained for the required amount

of time and is deleted once it expires.

Configuration: You can configure lifecycle rules to delete objects based on conditions such as the age

of the object, the creation date, or custom metadata. This allows for precise control over the

retention period of your data.

Cost Efficiency: By using lifecycle policies to delete data automatically, you can reduce storage costs,

as you only pay for the storage you actively use.

Reference:

Cloud Storage Object Lifecycle Management

https://gsuite.google.com/learn-more/security/security-whitepaper/page-1.html

Shared responsibility “Security of the Cloud” - GCP is responsible for protecting the infrastructure

that runs all of the services offered in the GCP Cloud. This infrastructure is composed of the

hardware, software, networking, and facilities that run GCP Cloud services.

Reference:: https://cloud.google.com/kms/docs/envelope-encryption

Envelope Encryption: https://cloud.google.com/kms/docs/envelope-encryption

Here are best practices for managing DEKs:

-Generate DEKs locally.

-When stored, always ensure DEKs are encrypted at rest.

- For easy access, store the DEK near the data that it encrypts.

The DEK is encrypted (also known as wrapped) by a key encryption key (KEK). The process of

encrypting a key with another key is known as envelope encryption.

Here are best practices for managing KEKs:

-Store KEKs centrally. (KMS )

-Set the granularity of the DEKs they encrypt based on their use case. For example, consider a

workload that requires multiple DEKs to encrypt the workload's data chunks. You could use a single

KEK to wrap all DEKs that are responsible for that workload's encryption.

-Rotate keys regularly, and also after a suspected incident.

To provide temporary write access to a Cloud Storage bucket with the minimum permissions

necessary, you should:

Identify the Compute Engine instance’s default service account: Each Compute Engine instance has a

default service account that is used to interact with other Google Cloud services.

Assign the storage.objectCreator role: This predefined IAM role grants permissions to create objects

in a Cloud Storage bucket, which is sufficient for temporary write access. It does not grant

permissions to read or delete objects, thus adhering to the principle of least privilege.

Avoid using full permissions or long-lived keys: Options A and C suggest using broader permissions

than necessary or embedding long-lived keys, which could pose a security risk if compromised.

Service account impersonation (Option D) is not necessary for this task and would be more

appropriate for scenarios where you need to assume a different identity with different permissions.

Reference::

Google Cloud documentation on IAM roles for Cloud Storage, which lists the storage.objectCreator

role as providing permissions to create objects without granting full administrative access to the

bucket1.

Best practices for access control in Cloud Storage recommend using the least privilege necessary and

avoiding the use of long-lived service account keys2.