Week 10 GCP Notes


Google Cloud Computing Foundation Course - Week 10 Lecture Notes Summary

Lecture 46: Explore Encryption Options

Types of Encryption in Google Cloud


• Default Encryption: Google encrypts all data at rest automatically with AES-256 and encrypts data in transit between the client and Google's edge with TLS; key material is generated, stored and rotated by Google with no customer action.
• Customer-Managed Encryption Keys (CMEK):
• Keys live in Google's Cloud KMS (Key Management Service) under the customer's control: the customer decides on rotation, disabling and destruction, and IAM policies on the key decide which services and identities may use it.
• Cloud KMS supports symmetric and asymmetric cryptographic keys; the CMEK integrations used by storage services wrap data with symmetric keys.
• Offers key rotation and control. Rotation creates a new primary key version; data already wrapped under an older version is not re-encrypted and still decrypts with that version.
• Customer-Supplied Encryption Keys (CSEK):
• Users generate and manage their own encryption keys and supply the raw key with each request.
• Provides more control but shifts the whole key-management burden (secure storage, rotation, availability) to the user.
• Google holds the key in memory only for the duration of the operation and does not persist it; if the user loses the key, the data is unrecoverable.
• Client-Side Encryption: Data is encrypted on the client side before it is sent to GCP, so Google only ever sees ciphertext (default encryption is then applied on top of it).
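The CMEK and client-side options above both rest on envelope encryption: each object is encrypted with its own data encryption key (DEK), and only the DEK is wrapped under a key-encryption key (KEK) that lives in a key service. The following is an added example, not code from the course; the KeyVersions type is a hypothetical stand-in for a Cloud KMS key with versions, and the object names and sample data are constructed. It shows what "rotation creates a new version but re-encrypts nothing" means in practice, and why the old version must stay available.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyVersions is a constructed stand-in for a Cloud KMS key: a list of key
// versions whose last entry is the primary version used for new wraps.
type KeyVersions [][]byte

// Rotate adds a fresh 256-bit key-encryption key (KEK) as the new primary version.
// Older versions stay so data wrapped under them still decrypts; nothing is re-encrypted.
func (kv *KeyVersions) Rotate() error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	*kv = append(*kv, kek)
	return nil
}

func (kv KeyVersions) Primary() int { return len(kv) - 1 }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce, prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Envelope is stored with the object: ciphertext, wrapped DEK, and the KEK version used.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt makes a fresh DEK, encrypts the data with it, and wraps the DEK under the
// primary KEK. The object name is bound as GCM associated data, so an envelope
// copied onto a different object name will not open.
func Encrypt(kv KeyVersions, objectName string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	v := kv.Primary()
	wrapped, err := seal(kv[v], dek, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with whichever KEK version wrapped it, then decrypts.
func Decrypt(kv KeyVersions, objectName string, env *Envelope) ([]byte, error) {
	if env.KEKVersion < 0 || env.KEKVersion >= len(kv) {
		return nil, errors.New("unknown KEK version")
	}
	dek, err := open(kv[env.KEKVersion], env.WrappedDEK, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(objectName))
}

func main() {
	var kv KeyVersions
	_ = kv.Rotate()
	env, _ := Encrypt(kv, "bucket/report.csv", []byte("constructed sample data"))
	_ = kv.Rotate() // new primary version; env still references version 0
	pt, err := Decrypt(kv, "bucket/report.csv", env)
	fmt.Printf("%q err=%v (wrapped under v%d, primary is v%d)\n", pt, err, env.KEKVersion, kv.Primary())
}
```

The practical consequence for CSEK is visible in the same code: if the caller supplies the KEK and Google only keeps it in memory, losing that key is equivalent to deleting every version in KeyVersions, and no rotation afterwards can bring the data back.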

Lecture 47: Understand Authentication and Authorization

Cloud Identity and Access Management (IAM)


• IAM Policies:
• Define who (user, group, service account) can do what (roles, which are bundles of permissions) on which resource; a policy is a list of bindings, each tying one role to a list of members.
• G Suite and Cloud Identity:
• Integrates with G Suite (now Google Workspace) for centralized identity management.
• Cloud Identity offers the same user and group management without the G Suite productivity products.
• Cloud Directory Sync:
• Syncs users and groups from an on-premises LDAP directory such as Active Directory into Cloud Identity or G Suite, so that IAM policies can reference them.

IAM Roles
• Primitive Roles (now called basic roles): Owner, Editor, Viewer – apply across all resources in a project and are far too broad for most production use. Billing Admin is a separate predefined role on the billing account, not a primitive role.
• Predefined Roles: Apply to specific GCP services and bundle the permissions for one job on that service.
• Custom Roles: Allow granular control, customized per organization needs, by listing exactly the permissions required.

Service Accounts
• Used for service-to-service authentication: an application, VM or job runs as the service account instead of as a human user.
• Identified by an email address. Permissions are granted to it through IAM policies like any other member, and IAM also controls which users may act as (impersonate) it.

Lecture 48: Best Practices for Authorization

Resource Hierarchy
• Use projects to group resources with the same trust boundary.
• Understand role inheritance in the resource hierarchy: a role granted at the organization or folder level applies to every project and resource below it, and a lower level cannot take that grant away.
Service Account Best Practices
• Be cautious when granting roles to service accounts: grant a narrow predefined or custom role, never a primitive role.
• Use naming conventions and key rotation policies. Prefer attaching the service account to the workload so no key file is downloaded; treat any exported key as a credential that must be rotated and guarded.
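The IAM policy model, the three kinds of roles and the inheritance rule in Lectures 47 and 48 can be seen working together in the following added example, which is not part of the course material. The organization, folder, project and bucket names, the members and the custom role are hypothetical, and the role-to-permission map is a constructed subset (the real basic roles carry thousands of permissions). It walks the resource hierarchy the way IAM does: the effective policy on a resource is the union of every binding on the resource and on its ancestors.

```go
package main

import (
	"fmt"
	"strings"
)

// Role -> permissions. A constructed subset: roles/storage.objectViewer is a
// real predefined role; the custom role is hypothetical and grants only what a
// log-shipping job needs (least privilege).
var rolePermissions = map[string][]string{
	"roles/viewer": {"storage.objects.get", "storage.objects.list", "compute.instances.get", "compute.instances.list"},
	"roles/editor": {"storage.objects.get", "storage.objects.list", "storage.objects.create",
		"compute.instances.get", "compute.instances.list", "compute.instances.create"},
	"roles/owner": {"storage.objects.get", "storage.objects.list", "storage.objects.create",
		"compute.instances.get", "compute.instances.list", "compute.instances.create", "resourcemanager.projects.setIamPolicy"},
	"roles/storage.objectViewer":            {"storage.objects.get", "storage.objects.list"},
	"organizations/123456/roles/logShipper": {"storage.objects.create"},
}

// Binding ties one role to a list of members, as in a real IAM policy.
type Binding struct {
	Role    string
	Members []string // "user:...", "group:...", "serviceAccount:..."
}

// Resource hierarchy (hypothetical names; a bucket's real resource name is
// longer, simplified here): child -> parent, ending at the organization.
var parent = map[string]string{
	"folders/456":                    "organizations/123456",
	"projects/prod-app":              "folders/456",
	"projects/sandbox":               "organizations/123456",
	"projects/prod-app/buckets/logs": "projects/prod-app",
}

// Policies attached at three different levels of the hierarchy.
var policies = map[string][]Binding{
	"organizations/123456": {{"roles/viewer", []string{"user:alice@example.com"}}},
	"projects/prod-app":    {{"roles/editor", []string{"group:app-devs@example.com"}}},
	"projects/prod-app/buckets/logs": {{"organizations/123456/roles/logShipper",
		[]string{"serviceAccount:log-shipper@prod-app.iam.gserviceaccount.com"}}},
}

var groups = map[string][]string{"group:app-devs@example.com": {"user:bob@example.com"}}

func memberMatches(member, principal string) bool {
	if member == principal {
		return true
	}
	if !strings.HasPrefix(member, "group:") {
		return false
	}
	for _, m := range groups[member] {
		if m == principal {
			return true
		}
	}
	return false
}

// EffectiveRoles walks from the resource up to the organization and unions every
// binding naming the principal. Nothing lower can remove a role granted higher up.
func EffectiveRoles(resource, principal string) []string {
	var roles []string
	for r := resource; r != ""; r = parent[r] {
		for _, b := range policies[r] {
			for _, m := range b.Members {
				if memberMatches(m, principal) {
					roles = append(roles, b.Role)
				}
			}
		}
	}
	return roles
}

// HasPermission answers "may this principal do this on this resource?"
func HasPermission(resource, principal, permission string) bool {
	for _, role := range EffectiveRoles(resource, principal) {
		for _, p := range rolePermissions[role] {
			if p == permission {
				return true
			}
		}
	}
	return false
}

func main() {
	bucket, sa := "projects/prod-app/buckets/logs", "serviceAccount:log-shipper@prod-app.iam.gserviceaccount.com"
	for _, c := range []struct{ res, who, perm string }{
		{bucket, "user:alice@example.com", "storage.objects.get"},                // viewer at org, inherited down
		{bucket, "user:alice@example.com", "storage.objects.create"},             // viewer cannot write
		{bucket, "user:bob@example.com", "storage.objects.create"},               // editor via group at project
		{"projects/sandbox", "user:bob@example.com", "compute.instances.create"}, // other subtree: nothing
		{bucket, sa, "storage.objects.create"},                                   // custom role, bucket only
		{"projects/prod-app", sa, "storage.objects.create"},                      // not granted at project level
	} {
		fmt.Printf("%-32s %-20s %-32s %v\n", c.res, c.who, c.perm, HasPermission(c.res, c.who, c.perm))
	}
}
```

Two things the walk makes concrete: a grant at the organization reaches every bucket in every project (so an org-level roles/viewer is a data-read grant everywhere), and the service account with the custom role can write logs into that one bucket and nothing else, which is what "be cautious when granting roles to service accounts" amounts to.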

Lecture 49: Quiz Highlights


• True/False and scenario-based questions focus on IAM policy hierarchy, role-based access, and encryption options.

Lecture 50: Summary of Cloud Security and IAM


• Security Responsibilities: Google secures the underlying infrastructure (hardware, networks, physical facilities); the customer remains responsible for who can access their data, how it is encrypted, and how IAM is configured.
• Encryption Options: GCP provides default encryption, CMEK, CSEK, and client-side encryption.
• Cloud IAM: Controls access using roles and permissions, including integration with G Suite and Cloud Identity.
• Best Practices: Leverage the resource hierarchy, grant least privilege, and manage service accounts carefully.

Lecture 51: Introduction to GCP Networking

Networking Concepts
• Virtual Private Cloud (VPC): Isolated, software-defined networks within GCP; a VPC is global, and its subnets are regional.
• Public and Private IPs: Distinguish between external addresses reachable from the internet and internal addresses reachable only inside the VPC (and networks connected to it).
• Google Network Architecture: Includes regions, zones, cache nodes, points of presence, and fiber infrastructure.

Firewall and Routes


• Firewall rules control which traffic may reach or leave VM instances in a VPC; they are applied per instance (not at a network perimeter), are stateful, and are evaluated by priority, with an implied deny on all ingress and an implied allow on all egress when nothing else matches. Routes define where traffic within the VPC is forwarded, including the default route to the internet.
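The evaluation order (priority number, then deny before allow on a tie, then the implied rules) is what decides whether a rule actually protects anything. Below is an added example, not from the course, that models that order on a small constructed rule set: two of the rules the default network ships with (simplified) plus a hypothetical pair that allows SSH only from a corporate range (203.0.113.0/24 is a documentation prefix) and only to instances tagged "bastion". Rule and Packet are a constructed, simplified model of the real objects.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strconv"
)

// Rule is a simplified VPC firewall rule (a constructed model of the real fields).
type Rule struct {
	Name       string
	Priority   int      // 0..65535; lower number is evaluated first
	Direction  string   // "INGRESS" or "EGRESS"
	Action     string   // "allow" or "deny"
	Protocol   string   // "tcp", "udp", "icmp" or "all"
	Ports      []string // single ports such as "22"; empty means all ports
	Ranges     []string // source CIDRs for ingress, destination CIDRs for egress
	TargetTags []string // empty means every instance in the network
}

type Packet struct {
	Direction, Protocol, Peer string // Peer: source IP for ingress, destination IP for egress
	Port                      int
	InstanceTags              []string // network tags on the instance
}

func hasAny(want, have []string) bool {
	for _, w := range want {
		for _, h := range have {
			if w == h {
				return true
			}
		}
	}
	return false
}

func inRanges(ranges []string, ip string) bool {
	addr := net.ParseIP(ip)
	for _, r := range ranges {
		if _, cidr, err := net.ParseCIDR(r); err == nil && addr != nil && cidr.Contains(addr) {
			return true
		}
	}
	return false
}

func (r Rule) matches(p Packet) bool {
	return r.Direction == p.Direction &&
		(r.Protocol == "all" || r.Protocol == p.Protocol) &&
		(len(r.Ports) == 0 || hasAny(r.Ports, []string{strconv.Itoa(p.Port)})) &&
		(len(r.TargetTags) == 0 || hasAny(r.TargetTags, p.InstanceTags)) &&
		inRanges(r.Ranges, p.Peer)
}

// Evaluate: lowest priority number first, deny beats allow on a tie, first match wins.
func Evaluate(rules []Rule, p Packet) (action, rule string) {
	sorted := append([]Rule(nil), rules...)
	sort.SliceStable(sorted, func(i, j int) bool {
		if sorted[i].Priority != sorted[j].Priority {
			return sorted[i].Priority < sorted[j].Priority
		}
		return sorted[i].Action == "deny" && sorted[j].Action == "allow"
	})
	for _, r := range sorted {
		if r.matches(p) {
			return r.Action, r.Name
		}
	}
	if p.Direction == "INGRESS" {
		return "deny", "implied-deny-ingress" // implied rule: deny all ingress
	}
	return "allow", "implied-allow-egress" // implied rule: allow all egress
}

// DemoRules: two default-network rules (simplified) plus a constructed pair that
// limits SSH to a corporate range and to instances tagged "bastion".
func DemoRules() []Rule {
	return []Rule{
		{Name: "default-allow-internal", Priority: 65534, Direction: "INGRESS", Action: "allow", Protocol: "all", Ranges: []string{"10.128.0.0/9"}},
		{Name: "default-allow-ssh", Priority: 65534, Direction: "INGRESS", Action: "allow", Protocol: "tcp", Ports: []string{"22"}, Ranges: []string{"0.0.0.0/0"}},
		{Name: "allow-ssh-corp", Priority: 900, Direction: "INGRESS", Action: "allow", Protocol: "tcp", Ports: []string{"22"}, Ranges: []string{"203.0.113.0/24"}, TargetTags: []string{"bastion"}},
		{Name: "deny-ssh-all", Priority: 1000, Direction: "INGRESS", Action: "deny", Protocol: "tcp", Ports: []string{"22"}, Ranges: []string{"0.0.0.0/0"}},
	}
}

func main() {
	for _, p := range []Packet{
		{"INGRESS", "tcp", "198.51.100.7", 22, []string{"bastion"}}, // internet -> bastion: deny-ssh-all
		{"INGRESS", "tcp", "203.0.113.5", 22, []string{"bastion"}},  // corporate range -> bastion: allowed
		{"INGRESS", "tcp", "10.128.0.5", 8080, nil},                 // inside the VPC: default-allow-internal
		{"INGRESS", "tcp", "198.51.100.7", 8080, nil},               // nothing matches: implied deny
		{"EGRESS", "tcp", "198.51.100.7", 443, nil},                 // nothing matches: implied allow
	} {
		action, rule := Evaluate(DemoRules(), p)
		fmt.Printf("%-7s %s/%-4d peer %-13s -> %-5s (%s)\n", p.Direction, p.Protocol, p.Port, p.Peer, action, rule)
	}
}
```

Note that default-allow-ssh (priority 65534, open to 0.0.0.0/0) is still present in the set but never fires, because deny-ssh-all at priority 1000 is evaluated first; deleting the default rule is still the right cleanup, but the lower priority number is what actually closes the hole.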

Hybrid Cloud Networking


• VPNs: Cloud VPN connects on-premises infrastructure to a VPC through IPsec tunnels over the public internet.
• Direct Peering: Connects your network directly with Google's edge network for low-latency access to Google services without traversing the public internet.

Questions with Answers


1. What are the encryption options in GCP?
• Default, CMEK, CSEK, and Client-Side Encryption.
2. What is CMEK?
• Customer-Managed Encryption Keys: keys that live in Google's Cloud KMS under the customer's control.
3. What is the difference between CMEK and CSEK?
• With CMEK the key is stored and used inside Cloud KMS (Google runs the service, the customer controls the key); with CSEK the user generates, stores and supplies the raw key on every request, and Google never persists it.
4. How is data encrypted in transit in GCP?
• Via TLS (Transport Layer Security) between the client and Google's edge.
5. What does Cloud IAM do?
• Manages access to resources by defining who can do what on which resource.
6. What is a primitive role in IAM?
• One of Owner, Editor and Viewer (now called basic roles), which apply across all resources in a project.
7. What is a predefined role in IAM?
• Roles specific to GCP services, offering more fine-grained permissions.
8. What is a custom role in IAM?
• User-defined roles that provide granular control over permissions.
9. What is Cloud Directory Sync?
• A tool that syncs users and groups from an LDAP directory such as Active Directory into Cloud Identity or G Suite, where GCP IAM can reference them.
10. What are service accounts used for?
• Service-to-service communication, allowing applications and services to authenticate to Google APIs and to each other.
11. What is the resource hierarchy in GCP?
• Organization, folders, projects and resources; an IAM policy set at one level is inherited by everything below it.
12. What is the principle of least privilege in IAM?
• Granting the minimum permissions necessary for a user to perform their role.
13. How can roles be inherited in IAM?
• A policy bound at a parent applies to every descendant; the effective policy on a resource is the union of its own policy and its ancestors' policies, so a child cannot remove what a parent grants.
14. What is a billing admin role?
• Grants access to billing information on a billing account without granting access to project resources.
15. What is client-side encryption?
• Encrypting data locally before storing it in GCP.
16. How does GCP secure data at rest?
• By default, GCP encrypts data at rest using AES-256.
17. What is Cloud KMS?
• Google's managed service for generating, storing, rotating and using cryptographic keys; applications call it to encrypt, decrypt or sign without handling the key material themselves.
18. What is the difference between symmetric and asymmetric encryption?
• Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses a pair of public and private keys.
19. How can GCP users manage centralized identity?
• Through G Suite (now Google Workspace) or Cloud Identity.
20. What are the best practices for managing service accounts?
• Use meaningful display names, rotate keys regularly, avoid granting unnecessary permissions, and prefer attaching a service account to its workload over downloading key files.
21. How does Cloud IAM integrate with G Suite?
• Allows centralized management of users and groups for GCP resources.
22. What is a VPC in GCP?
• A Virtual Private Cloud: an isolated, software-defined network within GCP that is global, with regional subnets.
23. What are firewall rules in GCP?
• Rules that define which ingress and egress traffic is allowed to reach or leave VM instances in a VPC; they are applied per instance and evaluated by priority, with an implied deny on all ingress and an implied allow on all egress.
24. What are the types of IP addresses in GCP?
• External (public) IPs for access from the internet and internal (private) IPs for access within a VPC and the networks connected to it.
25. What is the Google Network Architecture?
• A global infrastructure that includes regions, zones, cache nodes, and fiber connections.
26. What is the role of Cloud Identity in GCP?
• A unified platform for managing users, groups, access, and devices.
27. What are the advantages of using IAM custom roles?
• Granular control and customization for specific organizational needs.
28. What is Google's default encryption?
• GCP automatically encrypts data at rest and in transit with Google-managed keys.
29. What is a persistent disk in GCP?
• Block storage for virtual machines; it is encrypted by default with Google-managed keys and can instead be encrypted using CMEK or CSEK.
30. How does key rotation work in Cloud KMS?
• Keys can be rotated manually or set to rotate automatically at regular intervals; rotation creates a new primary key version, and existing ciphertext is not re-encrypted.
31. What is a service account in GCP?
• A special Google account, identified by an email address, used to authenticate applications and services for service-to-service communication.
32. What is the purpose of routes in GCP?
• To define the network paths for traffic within a VPC and out of it.
33. How does direct peering work in GCP?
• Provides a direct connection between your network and Google's edge network for low-latency communication.
34. What is hybrid cloud networking?
• Integrates on-premises networks with GCP using VPNs or direct peering.
35. What are load-balancing options in GCP?
• Services that distribute traffic across multiple resources to ensure availability and performance.
36. What is the purpose of Cloud Identity-Aware Proxy (IAP)?
• Provides centralized, identity-based access control for applications accessed over HTTPS, so access is decided per user rather than by network location.
37. What are the components of the resource hierarchy in GCP?
• Organizations, Folders, Projects, and Resources.
38. What is a point of presence in Google's network?
• A location where Google's network connects with other networks.
39. What are cache nodes in GCP?
• Edge nodes that store frequently accessed content closer to users to reduce latency.
40. What is an IAM policy in GCP?
• A set of bindings that define which roles a user or service holds on a resource, and therefore what it can do there.
41. How does Google protect service-to-service communication?
• Each service runs as a service account and is granted only the IAM roles it needs.
42. What are audit logs in GCP?
• Cloud Audit Logs record who did what on which resource and when (Admin Activity and Data Access logs), for security and compliance purposes.
43. What is the Cloud IAM Viewer role?
• Allows users to view resources without modifying them.
44. What is key rotation and why is it important?
• Replacing the key used for new encryption at regular intervals, so that a compromised key exposes less data and the damage from a leak is bounded.
45. What is a virtual machine in GCP?
• A compute resource that runs applications in the cloud.
46. What are IAM permissions?
• Fine-grained actions that users or services are allowed to perform on GCP resources.
47. What is a project in GCP?
• A grouping of resources in GCP that share the same trust boundary.
48. How do predefined IAM roles work?
• Roles that are designed for specific GCP services with defined sets of permissions.
49. What is Cloud Armor in GCP?
• A security service on the HTTP(S) load balancer that helps protect applications from DDoS attacks and other web threats.
50. How does a service account authenticate with other GCP services?
• The workload obtains a short-lived OAuth 2.0 access token for the service account (from the Compute Engine metadata server when the account is attached to the VM, or by signing with a downloaded key) and presents it to the API; IAM policies then decide what it may do.
