Author Archives: anuj - Page 3
Short lived access tokens in GCP – Service account impersonation
Service account keys provide long lived access. One often has to provide short term access to GCP resources. That's what Service account impersonation does. Service account impersonation requires two service…
Firewall rules and GCP Cloud Storage
Firewall rules only apply at a VPC Network Level. They have nothing to do with preventing traffic to and from cloud storage. To do that, you have to either use…
Using only Trusted Images in GCP Projects
Step 1 - Create a separate project - and store all hardened images in it. Step 2 - Enforce the Org Policy - Define trusted image project. This will ensure…
Public Access Prevention Org Policy GCP
Org Policy - Public Access Prevention. It is a best practice to enable this constraint at the top Organization Level. If projects need to override it, they can. But by…
OS patch management on GCP Compute Engine VMs
VM Manager API is the service to use. Enable a feature called OS Patch Management in there.
Default VPC Firewall Rules in GCP
All inbound traffic is denied by default. However, all OUTBOUND traffic is allowed by default. So - if there is a need to ensure that the default VPC instances see no…
Service Account Key Rotation in GCP
Create a new service account key. Switch applications to use the new key. Destroy the old key.
FIPS 140 Level 2 encryption requirements on GCP
Cloud KMS does not meet FIPS 140 Level 2 requirements. Only Cloud HSM does - and requires an on-premises HSM solution.
Cloud DLP – De-identify Sensitive Data in GCP
To de-identify sensitive data, you need to replace the data with cryptographic tokens. The GCP service that helps you accomplish this is called Cloud DLP (Cloud Data Loss Prevention).
Scanning for Vulnerabilities on GCP
There are two services you can use. Web Security Scanner - this will scan your application (hosted either on App Engine or Compute Engine) for vulnerabilities - outdated libraries, hackable…