Google Cloud Certified Professional Cloud Security Engineer Intermediate — Quiz 2 — Study Guide

Google Cloud Professional Security Engineer: IAM, Compliance & Security Monitoring

Securing a Google Cloud environment isn't just about firewalls — it's about *who* can do *what*, *where*, and *when*. Understanding IAM (Identity and Access Management), audit logging, compliance tools, and dynamic access controls is the foundation of cloud security. Whether you're protecting customer data under GDPR or responding to an emergency access scenario, these concepts determine how safe your organization truly is.


Resource Hierarchy & IAM Inheritance

Google Cloud organizes resources in a tree structure:

Organization
  └── Folders
        └── Projects
              └── Resources (VMs, Buckets, Databases, etc.)

IAM policies are inherited downward. A policy set at the Organization level flows to all Folders, Projects, and Resources beneath it. This means:

  • Granting a role at the Organization level gives access to *everything* below it.
  • Granting a role at the Project level limits access to that project's resources only.
  • You cannot restrict an inherited permission at a lower level using standard IAM — but Deny Policies (discussed below) can block inherited grants.
  • Analogy: Think of it like a company org chart. A policy set at the CEO level applies to every department, but a department-level policy only affects that team.


Roles & Permissions

IAM uses roles (collections of permissions) assigned to members (users, groups, service accounts).

Role Type          Description                      Example
Basic Roles        Broad legacy roles               roles/viewer, roles/editor, roles/owner
Predefined Roles   Fine-grained, service-specific   roles/storage.objectViewer
Custom Roles       You define the permissions       Only the exact permissions needed

Key Roles to Know

  • roles/viewer — View all resources, no modifications (read-only across the project)
  • roles/securityAdmin — Can manage IAM policies and security settings
  • roles/iam.securityReviewer — Can view IAM policies without modifying them

Least Privilege Principle

Always grant the minimum permissions required to perform a task. Avoid using roles/owner or roles/editor for automated workloads or third-party access.


Service Accounts & Authentication

Service accounts are special Google-managed identities used by applications and VMs — not humans. They authenticate using cryptographic keys or short-lived tokens.

# Create a service account
gcloud iam service-accounts create my-app-sa \
  --display-name="My App Service Account"

# Bind a role to the service account
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

Workload Identity Federation

Instead of downloading service account keys (a security risk), Workload Identity Federation lets external workloads (AWS, GitHub Actions, on-prem) authenticate to Google Cloud using short-lived tokens — no long-lived credentials needed.

Best Practice: Prefer Workload Identity Federation over service account key files whenever possible.


IAM Policies: setIamPolicy & getIamPolicy

Two critical API methods control IAM policy management:

  • getIamPolicy — Retrieves the current IAM policy for a resource
  • setIamPolicy — Replaces the IAM policy on a resource

# Example: Get IAM policy for a Cloud Storage bucket
from google.cloud import storage

client = storage.Client()
bucket = client.get_bucket("my-bucket")
# Request policy version 3 so that bindings carrying IAM Conditions are returned
policy = bucket.get_iam_policy(requested_policy_version=3)  # calls getIamPolicy internally
for binding in policy.bindings:
    print(binding["role"], sorted(binding["members"]))

Auditing who calls setIamPolicy is critical — it tells you who *changed* access controls.


IAM Conditions & Dynamic Access Control

IAM Conditions let you add attribute-based rules to role bindings, enabling dynamic access control:

{
  "role": "roles/storage.objectViewer",
  "members": ["user:contractor@example.com"],
  "condition": {
    "title": "Expires Jan 2025",
    "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"
  }
}

Conditions can restrict access by time, resource name, IP address, or resource type — perfect for third-party or temporary access scenarios.


Deny Policies & IAM Recommender

Deny Policies

Unlike regular IAM (which grants access), Deny Policies explicitly *block* specific permissions — even if a grant exists at a higher level. This is powerful for enforcing organizational guardrails.
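The three mechanisms above (downward inheritance through the resource hierarchy, conditional bindings, and deny policies) combine into one effective-access decision. The following is an added example written for this guide, not Google's code: a toy resolver over a constructed hierarchy, a hand-written role-to-permission table (a small subset of what the real roles carry), and one allow policy with the contractor's expiring condition plus one deny policy at the folder level. It evaluates only the `request.time < timestamp(...)` form of condition and fails closed on anything else; real deny policies name permissions as `storage.googleapis.com/objects.delete`, short names are used here so they line up with the role table.

```python
"""Toy resolver for IAM allow policies, IAM Conditions and deny policies over a
resource hierarchy. Constructed example for this study guide; it models the
documented precedence (a deny beats any allow, including an inherited one)
with a hand-written role table, not the real IAM service."""
from datetime import datetime, timezone
import re

# Constructed hierarchy: child -> parent (None marks the organization root).
PARENTS = {
    "organizations/123456789": None,
    "folders/finance": "organizations/123456789",
    "projects/payments-prod": "folders/finance",
    "projects/payments-prod/buckets/invoices": "projects/payments-prod",
}

# Small subset of the permissions the real roles carry (assumption: enough for the demo).
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "storage.objects.list", "compute.instances.get"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/editor": {"storage.objects.get", "storage.objects.list", "storage.objects.create",
                     "storage.objects.delete", "compute.instances.get", "compute.instances.delete"},
}

# Allow policies attached at different levels of the hierarchy (constructed).
ALLOW_POLICIES = {
    "organizations/123456789": [
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
    ],
    "projects/payments-prod": [
        {"role": "roles/editor",
         "members": ["serviceAccount:ci@payments-prod.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["user:contractor@example.com"],
         "condition": {"title": "Expires Jan 2025",
                       "expression": "request.time < timestamp('2025-01-01T00:00:00Z')"}},
    ],
}

# Deny policy at the folder: blocks deletes for the CI account even though
# roles/editor on the project below would grant them. Short permission names
# are a simplification (real deny policies use service.googleapis.com/permission).
DENY_POLICIES = {
    "folders/finance": [
        {"deniedPrincipals": ["serviceAccount:ci@payments-prod.iam.gserviceaccount.com"],
         "deniedPermissions": ["storage.objects.delete"]},
    ],
}

_EXPIRY = re.compile(r"^request\.time < timestamp\('([^']+)'\)$")


def parse_timestamp(value):
    """RFC 3339 timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ancestors(resource):
    """Yield the resource itself, then each parent up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENTS[resource]


def condition_satisfied(expression, request_time):
    """Evaluate the one CEL form this toy understands: an expiry on request.time.
    Any other expression is treated as unsatisfied (fail closed)."""
    match = _EXPIRY.match(expression)
    if not match:
        return False
    return request_time < parse_timestamp(match.group(1))


def effective_permissions(member, resource, request_time):
    """Union of permissions granted on the resource and its ancestors, minus
    anything a deny policy on the resource or its ancestors takes away."""
    granted, denied = set(), set()
    for node in ancestors(resource):
        for binding in ALLOW_POLICIES.get(node, []):
            if member not in binding["members"]:
                continue
            cond = binding.get("condition")
            if cond and not condition_satisfied(cond["expression"], request_time):
                continue  # binding exists but its condition is not met right now
            granted |= ROLE_PERMISSIONS[binding["role"]]
        for rule in DENY_POLICIES.get(node, []):
            if member in rule["deniedPrincipals"]:
                denied |= set(rule["deniedPermissions"])
    return granted - denied


def has_permission(member, resource, permission, at=None):
    """Decision for one principal/resource/permission at RFC 3339 time `at` (default: now)."""
    request_time = parse_timestamp(at) if at else datetime.now(timezone.utc)
    return permission in effective_permissions(member, resource, request_time)


if __name__ == "__main__":
    bucket = "projects/payments-prod/buckets/invoices"
    ci = "serviceAccount:ci@payments-prod.iam.gserviceaccount.com"
    print("auditors can read (inherited from org):",
          has_permission("group:auditors@example.com", bucket, "storage.objects.get", "2024-06-01T00:00:00Z"))
    print("contractor after expiry:",
          has_permission("user:contractor@example.com", bucket, "storage.objects.get", "2025-06-01T00:00:00Z"))
    print("CI can delete despite roles/editor:",
          has_permission(ci, bucket, "storage.objects.delete", "2024-06-01T00:00:00Z"))
```

The interesting cases are the ones the prose describes: the auditors group gets read access on a bucket it is never named on, because the org-level grant flows down; the contractor's read access switches off at the condition's expiry; and the CI service account keeps `storage.objects.create` from `roles/editor` but loses `storage.objects.delete`, because the folder-level deny wins over the project-level allow.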

IAM Recommender

The IAM Recommender analyzes actual usage and suggests removing excess permissions. If a service account was granted roles/editor but only ever reads from Cloud Storage, it will recommend downgrading to roles/storage.objectViewer.


Audit Logs & Security Monitoring

Cloud Audit Logs record who did what, when, and where across your GCP environment.

Log Type         What It Captures
Admin Activity   IAM policy changes, resource creation/deletion
Data Access      Reading/writing data in services like BigQuery, Cloud Storage
System Event     Automated Google-initiated actions

To audit IAM policy modifications, use Cloud Audit Logs → Admin Activity logs filtered for SetIamPolicy events in Cloud Logging.

# Query for IAM policy changes in Cloud Logging
gcloud logging read \
  'protoPayload.methodName="SetIamPolicy"' \
  --project=my-project
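Once the `gcloud logging read` query above returns entries, the next step is to turn them into something a reviewer can act on. The following is an added example for this guide, not Google's code: it parses a constructed JSON-lines export (hand-written to mirror the shape of Resource Manager Admin Activity entries, with `protoPayload.serviceData.policyDelta.bindingDeltas` carrying each ADD/REMOVE), flattens every SetIamPolicy call into one record per binding change, and flags the two changes worth paging on: a grant to a public principal and a grant of a basic role. It also raises a finding for any activity by a designated break glass account, which is the immediate-alert practice recommended in the Break Glass section later in this guide; the account name and sample entries are constructed.

```python
"""Scan exported Cloud Audit Log entries (JSON lines) for SetIamPolicy calls
and for break glass account usage. Constructed example for this study guide;
the sample entries are hand-written to mirror Admin Activity log structure."""
import json

# Constructed sample export: one entry per line. Entries 1 and 2 are
# SetIamPolicy calls; entry 3 is an ordinary read by the break glass account.
SAMPLE_LOG = r'''
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-05-02T10:15:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"alice@example.com"},"resourceName":"projects/my-project","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"ADD","role":"roles/owner","member":"user:bob@example.com"}]}}}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-05-02T10:20:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","methodName":"SetIamPolicy","authenticationInfo":{"principalEmail":"ci@my-project.iam.gserviceaccount.com"},"resourceName":"projects/my-project","serviceData":{"policyDelta":{"bindingDeltas":[{"action":"REMOVE","role":"roles/editor","member":"serviceAccount:legacy@my-project.iam.gserviceaccount.com"},{"action":"ADD","role":"roles/storage.objectViewer","member":"allUsers"}]}}}}
{"logName":"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity","timestamp":"2024-05-02T10:25:00Z","protoPayload":{"@type":"type.googleapis.com/google.cloud.audit.AuditLog","methodName":"v1.compute.instances.get","authenticationInfo":{"principalEmail":"breakglass@example.com"},"resourceName":"projects/my-project/zones/us-central1-a/instances/web-1"}}
'''

BREAK_GLASS_ACCOUNTS = {"breakglass@example.com"}  # constructed; use your own vaulted account here
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def parse_entries(text):
    """One JSON document per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def iam_changes(entries):
    """Flatten every SetIamPolicy entry into one record per binding delta,
    so each row answers: who changed which role for which member, and when."""
    changes = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = (payload.get("serviceData", {})
                  .get("policyDelta", {})
                  .get("bindingDeltas", []))
        for delta in deltas:
            changes.append({
                "time": entry["timestamp"],
                "actor": payload["authenticationInfo"]["principalEmail"],
                "resource": payload.get("resourceName"),
                "action": delta["action"],
                "role": delta["role"],
                "member": delta["member"],
            })
    return changes


def findings(entries):
    """Return (kind, details) pairs for the events a security team should review."""
    out = []
    for change in iam_changes(entries):
        if change["action"] != "ADD":
            continue  # removals tighten access; still logged, not alerted here
        if change["member"] in PUBLIC_PRINCIPALS:
            out.append(("PUBLIC_GRANT", change))
        elif change["role"] in BASIC_ROLES:
            out.append(("BASIC_ROLE_GRANT", change))
    for entry in entries:
        payload = entry.get("protoPayload", {})
        actor = payload.get("authenticationInfo", {}).get("principalEmail")
        if actor in BREAK_GLASS_ACCOUNTS:
            out.append(("BREAK_GLASS_USED", {
                "time": entry["timestamp"],
                "actor": actor,
                "method": payload.get("methodName"),
                "resource": payload.get("resourceName"),
            }))
    return out


if __name__ == "__main__":
    for kind, details in findings(parse_entries(SAMPLE_LOG)):
        print(kind, details)
```

In production the same logic runs over a log sink (Pub/Sub or BigQuery) rather than a string, but the fields it reads are the ones the `gcloud logging read` filter above already selects on, so the query and the review logic stay aligned.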


Compliance: GDPR & Cloud DLP

GDPR Requirements

Under GDPR, organizations must identify, protect, and control access to personally identifiable information (PII). Google Cloud supports this through:

  • Cloud DLP (Data Loss Prevention) — Discovers and classifies sensitive data (emails, credit cards, national IDs) across Cloud Storage, BigQuery, and Datastore
  • VPC Service Controls — Prevents data exfiltration
  • Audit Logs — Provides evidence of data access for compliance reporting

# Example: Inspect a string for PII using Cloud DLP
from google.cloud import dlp_v2

dlp = dlp_v2.DlpServiceClient()
inspect_config = {"info_types": [{"name": "EMAIL_ADDRESS"}, {"name": "PHONE_NUMBER"}]}
item = {"value": "Contact us at user@example.com or 555-1234"}
response = dlp.inspect_content(
    parent="projects/my-project",
    inspect_config=inspect_config,
    item=item,
)
# Each finding names the info type detected and how confident DLP is
for finding in response.result.findings:
    print(finding.info_type.name, finding.likelihood)


Cloud Storage & Cloud SQL Security

Bucket Permissions Best Practices

  • Never use allUsers or allAuthenticatedUsers for sensitive buckets
  • Use uniform bucket-level access (disables legacy ACLs)
  • Apply IAM Conditions for time-limited or third-party access

Cloud SQL

  • Use IAM database authentication instead of native passwords
  • Restrict access using Authorized Networks and Private IP
  • Assign service accounts with minimal roles (e.g., roles/cloudsql.client)


Break Glass & Emergency Access

A break glass account is an emergency access mechanism — a highly privileged account used only during critical incidents when normal access controls fail. Best practices:

  • Store credentials in a secure vault (e.g., Secret Manager)
  • Require multi-party approval to use
  • Alert immediately via Cloud Monitoring when the account is used
  • Rotate credentials after each use and audit thoroughly

Key Takeaways

  • IAM policies inherit downward through the resource hierarchy; use Deny Policies to block inherited grants at lower levels.
  • Least privilege means granting only the permissions needed — use IAM Recommender to identify and remove excess access over time.
  • Cloud Audit Logs (especially Admin Activity logs) are your primary tool for auditing SetIamPolicy changes and tracking who modified access controls.
  • Cloud DLP is the go-to service for discovering and classifying PII to meet GDPR and other compliance requirements.
  • Workload Identity Federation and IAM Conditions enable secure, dynamic, and time-limited access without long-lived credentials.