Author Archives: anuj - Page 2
GCP – Failed SSH Attempts
Use Case - monitor for failed SSH attempts and alert based on failures. Log based alerts would be needed - there is no built in metric for failed SSH attempts.…
Retention Policies and Cloud Storage
Use Case - Disallow deletion of bucket objects, regardless of IAM access. Retention policy will lock the bucket (or object in a bucket) and not allow deletion, regardless of access…
Service accounts- at Org, Folder Levels – and at Resource Levels
High level service accounts (at the Folder, Project and Org level) should be few in number. No keys allowed. The AD groups (containing human users) should be defined for these with all the…
Short lived access tokens in GCP – Service account impersonation
Service account keys provide long lived access. One often has to provide only short term access to GCP resources. That's what service account impersonation does. Service account impersonation requires two service…
Firewall rules and GCP Cloud Storage
Firewall rules only apply at the VPC network level. They have nothing to do with preventing traffic to and from Cloud Storage. To do that, you have to either use…
Using only Trusted Images in GCP Projects
Step 1 - Create a separate project and store all hardened images in it. Step 2 - Enforce the Org Policy "Define trusted image projects". This will ensure…
Public Access Prevention Org Policy GCP
Org Policy - Public Access Prevention. It is a best practice to enable this constraint at the top Organization level. If projects need to override it, they can. But by…
OS patch management on GCP Compute Engine VMs
VM Manager is the service to use. Enable its OS Patch Management feature.
Default VPC Firewall Rules in GCP
All inbound traffic is denied by default. However, all OUTBOUND traffic is allowed by default. So - if there is a need to ensure that the default VPC instances see no…
Service Account Key Rotation in GCP
Create a new service account key. Switch applications to use the new key. Destroy the old key.