Using Identity-Aware Proxy (IAP) for managing SSH access to private VMs ensures secure access

control and avoids the need for public IPs. IAP allows you to enforce identity-based access control

policies.

Enable IAP: Ensure that IAP is enabled for your project. This can be done via the Google Cloud

Console under "Security" -> "Identity-Aware Proxy".

Set Up Firewall Rule: Create a firewall rule to allow SSH traffic from the IAP IP ranges.

Navigate to "VPC network" -> "Firewall".

Create a new rule allowing ingress traffic on port 22 (SSH) from the IAP IP ranges.

Assign IAP-Secured Tunnel User Role: Grant the roles/iap.tunnelResourceAccessor role to the

administrators who need SSH access.

Go to "IAM & Admin" -> "IAM".

Assign the IAP-Secured Tunnel User role to the relevant users or groups.

SSH Using IAP: Administrators can now use IAP to SSH into the instances. This can be done using the

gcloud command:

gcloud compute ssh [INSTANCE_NAME] --tunnel-through-iap

Reference::

Using Identity-Aware Proxy for TCP forwarding

Google Cloud Firewall Rules

Rotating a user-managed Service Account key involves creating a new key, updating your application

to use the new key, and then deleting the old key to maintain security. Here’s the step-by-step

process:

Create a New Key: Use the Google Cloud Console or gcloud command-line tool to create a new key

for the service account. This generates a new key pair and provides you with the private key.

gcloud iam service-accounts keys create new-key-file.json --iam-

account=YOUR_SERVICE_ACCOUNT_EMAIL

Update Application: Update your application configuration to use the new key. This might involve

replacing the old key file with the new one or updating the environment variables or configurations

that point to the key file.

Delete the Old Key: Once you have confirmed that the application is working correctly with the new

key, delete the old key from the service account to ensure it cannot be used for unauthorized access.

gcloud iam service-accounts keys delete OLD_KEY_ID --iam-

account=YOUR_SERVICE_ACCOUNT_EMAIL

This process ensures that your service account keys are regularly rotated, reducing the risk of key

compromise.

Reference:

Managing Service Account Keys

Service Account Key Rotation

Use Cryptographic Verification If there is a risk of IAP being turned off or bypassed, your app can

check to make sure the identity information it receives is valid. This uses a third web request header

added by IAP, called X-Goog-IAP-JWT-Assertion. The value of the header is a cryptographically signed

object that also contains the user identity data. Your application can verify the digital signature and

use the data provided in this object to be certain that it was provided by IAP without alteration.

To allow Compute Engine instances to access public repositories for security updates while an egress

firewall rule is in place to deny all internet traffic, you need to create a more specific egress rule that

permits traffic to the CIDR range of the repository. The priority of this rule should be lower (i.e., a

higher priority number) than the deny rule.

Steps:

Identify the CIDR Range: Determine the CIDR range of the public repository from which the security

updates will be fetched.

Create Egress Firewall Rule: Create a new egress firewall rule allowing traffic to the identified CIDR

range with a priority less than 1000.

Apply Firewall Rule: Use the Google Cloud Console or gcloud command-line tool to apply the new

firewall rule.

Reference::

Google Cloud: Firewall rules

Creating firewall rules

https://cloud.google.com/blog/products/g-suite/7-ways-admins-can-help-secure-accounts-againstphishing-g-suite

https://www.duocircle.com/content/email-security-services/email-security-incryptography#:~:text=Customer%20Login-

,Email%20Security%20In%20Cryptography%20Is%20One%20Of%20The%20Most,Measures%20To%2

0Prevent%20Phishing%20Attempts&text=Cybercriminals%20love%20emails%20the%20most,networ

ks%20all%20over%20the%20world.

To organize GCP projects based on different business units and manage IAM permissions, you should

create an organization node and assign folders for each business unit. This approach allows you to

logically separate projects under folders and apply IAM policies at the folder level.

Step-by-Step:

Create Organization Node: Ensure that your GCP account is linked to an organization.

Create Folders for Business Units:

Navigate to the GCP Console > IAM & Admin > Resource Manager.

Create a folder for each business unit under the organization node.

Move Projects to Folders:

Move existing projects into the respective folders according to the business unit.

Set IAM Policies:

Assign IAM roles and permissions at the folder level to manage access for each business unit

independently.

Monitor and Manage: Use Cloud Audit Logs and other GCP tools to monitor the activities and ensure

compliance with the organization’s policies.

Reference::

Creating and Managing Folders

Managing IAM Policies

To connect Compute Engine instances within a Google Cloud Platform project to workloads running

in a dedicated server room that can only be accessed from within the private company network, you

can use the following approaches:

Cloud VPN: Cloud VPN securely connects your on-premises network to your Google Cloud Virtual

Private Cloud (VPC) network through an IPsec VPN connection. This enables secure communication

between your GCP instances and your on-premises workloads over the internet.

Cloud Interconnect: Cloud Interconnect provides direct physical connections between your on-

premises network and Google's network. It offers higher bandwidth and lower latency compared to

Cloud VPN, making it suitable for workloads that require fast and reliable connectivity.

Both Cloud VPN and Cloud Interconnect allow you to securely connect your on-premises

environments to Google Cloud, ensuring that the workloads remain within the private company

network.

Reference:

Cloud VPN Overview

Cloud Interconnect Overview

This approach allows you to control network traffic at the folder level. By attaching external IP

addresses to the VMs in scope, you can ensure that the VMs have a unique, routable IP address for

outbound connections. Then, by defining and applying a hierarchical firewall policy at the folder

level, you can enforce that egress connections are limited to the specified IP range and only from the

specified VPC network.

To access a user's Google Drive on their behalf without relying on the user's credentials and following

Google-recommended practices, you should use a service account with domain-wide delegation.

Create a Service Account:

Go to the Cloud Console, navigate to IAM & Admin > Service Accounts.

Click "Create Service Account" and provide necessary details.

Grant Domain-Wide Delegation:

Edit the service account to enable "G Suite Domain-wide Delegation".

Download the JSON key file.

Configure API Access in G Suite:

Go to the Google Admin Console.

Navigate to Security > API Controls > Domain-wide Delegation.

Add a new API client and use the client ID from the service account.

Authorize the necessary API scopes (e.g., https://www.googleapis.com/auth/drive).

Implement in Application:

Use the Google API Client Library for the desired language.

Load the service account credentials and perform user impersonation to access Google Drive.

Reference::

Domain-wide Delegation of Authority

Using OAuth 2.0 for Server to Server Applications

To meet data residency requirements on Google Cloud, the recommended option is to use

Organization Policy Service constraints. This service allows you to define and enforce specific

constraints across your organization, including constraints related to the geographical location where

data is stored.

Organization Policy Service constraints allow administrators to enforce policies that restrict resources

to specific locations. For instance, you can set policies to ensure that all storage buckets, databases,

and other data resources reside within specific geographic boundaries. This helps in complying with

data residency requirements.

Reference:

Organization Policy Service documentation

Google Cloud Data Residency