What is the “Principle of least privilage”?
When it comes to security, managing access is a foundational capability—whether you’re talking about a physical space or your cloud infrastructure. If you were securing an office, you wouldn’t give every employee a master key that can open the front door, the mailbox, and the safe. Likewise, when you’re securing your cloud infrastructure, you should limit employees’ access based on their role and what they require to do their job.
https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege
What are the 3 primative roles?
Primitive roles include:
Viewer - Permissions for read-only actions that do not affect state, such as viewing (but not modifying) existing resources or data.
Editor - All viewer permissions, plus permissions for actions that modify state, such as changing existing resources.
Owner - All editor permissions and permissions for the following actions:
- Manage roles and permissions for a project and all resources within the project.
- Set up billing for a project.
These were developed prior to the release of IAM.
Predefined roles are part of IAM role based access management services in GCP. The predefined roles provide granular access to services which cater for a wide variety of scenarios. The RBAC system is made up of three major componants:
Roles
Permissions
Users (which can come in the form of groups of users or even service accounts)
I the format of X is assigned to Y, can you order the three areas above to identify which componant is assigned to which to provide secure access to GCP services?
Permissions are assigned to Roleswhich are assigned toUsers.
We start with the permissions, or “What am I allowed to do”. Then we specifiy which roles are allowed to do it. Like “the Admin role can view/edit/create files in a bucket”. Finally, we assign the role to our users and groups. “The user SmithJ21 is assigned the Admin role so that it can view/edit/create files in a bucket.”
There are three types of roles:
Primitive/Basic
Predefined
Custom
When should each be used?
Primitive/Basic roles - Development uses only. Basic roles include thousands of permissions across all Google Cloud services. In production environments, do not grant basic roles unless there is no alternative. Instead, grant the most limited predefined roles or custom roles that meet your needs.
Predefined Roles - Development, or in some cases Production. These roles are likely not going to exactly fit your needs. You will need to combine them to create configurations which fit your needs. It is likely this will cause you to create configurations which have more permissions than you need, but be more fine-grained than Basic Roles.
Custom Roles - Use these roles whenever possible. With “Principle of least privalage” in mind, you can define exactly what permissions are nessassary for each role to perform it’s duties and no more.
What are the methods that can be used to view roles that have been assigned to identies in Google Cloud Platform?
You can use the Roles tab in the IAM & Admin section of the console to list the identities assigned particular roles.
You can also use the Command Line Interface (CLI) to access the information. The command - gcloud projects get-iam-policy lists roles assigned to users in a project.
What CLI command will allow you to view details of a role, including permissions assigned to a role?
gcloud iam roles describe
You can also view users granted roles by drilling down into a role in the Roles page of the IAM & Admin section of the console. When working with IAM, you will be using the gcloud command when working from the command line.
What are Scopes and to which services do they apply?
Scopes are a form of access control applied to Virtual Machine instances. The VM can only perform operations allowed by scopes and IAM roles assigned to the service account of the instance. You can use IAM roles to constrain scopes and use scopes to constrain IAM roles.
- What does IAM stand for?
- Identity and Authorization Management
- Identity and Access Management
- Identity and Auditing Management
- Individual Access Management
Answer = B
IAM stands for Identity and Access Management, so option B is correct.
Option A is incorrect; the A does not stand for authorization, although that is related.
Option C is incorrect; the A does not stand for auditing, although that is related.
Option D is incorrect. IAM also works with groups, not just individuals.
- When you navigate to IAM & Admin in Cloud Console, what appears in the main body of the page?
- Members and roles assigned
- Roles only
- Members only
- Roles and permissions assigned
Answer = A
Members and their roles are listed, so option A is correct.
Options B and C are incorrect because they are missing the other main piece of information provided in the listing.
Option D is incorrect; permissions are not displayed on that page.
- Why are primitive roles classified in a category in addition to IAM?
- They are part of IAM.
- They were created before IAM.
- They were created after IAM.
- They are not related to access control.
Answer = B
Primitive roles were created before IAM and provided coarse-grained access controls, so option B is correct.
Option A is incorrect; they are used for access control.
Option C is incorrect; IAM is the newer form of access control.
Option D is incorrect; they do provide access control functionality.
- A developer intern is confused about what roles are used for. You describe IAM roles as a collection of what?
- Identities
- Permissions
- Access control lists
- Audit logs
Answer = B
Roles are used to group permissions that can then be assigned to identities, so option B is correct.
Option A is incorrect; roles do not have identities, but identities can be granted roles.
Option C is incorrect; roles do not use access control lists.
Option D is incorrect; roles do not include audit logs. Logs are collected and managed by Stackdriver Logging.
- You want to list roles assigned to users in a project called ace-exam-project. What gcloud command would you use?
- gcloud iam get-iam-policy ace-exam-project
- gcloud projects list ace-exam-project
- gcloud projects get-iam-policy ace-exam-project
- gcloud iam list ace-exam-project
Answer = C
The correct answer is gcloud projects get-iam-policy ace-exam-project, so option C is correct.
Option A is incorrect because the resource should be projects and not iam.
Option B is incorrect; list does not provide detailed descriptions.
Option D is incorrect because iam and list are incorrectly referenced.
- You are working in the form displayed after clicking the Add link in the IAM form of IAM & Admin in Cloud Console. There is a parameter called New Members. What items would you enter in that parameter?
- Individual users only
- Individual users or groups
- Roles or individual users
- Roles or groups
Answer = B
New members can be users, indicated by their email addresses, or groups, so option B is correct.
Option A is incorrect; it does not include groups.
Options C and D are incorrect because roles are not added there.
- You have been assigned the App Engine Deployer role. What operations can you perform?
- Write new versions of an application only
- Read application configuration and settings only
- Read application configuration and settings and write new configurations
- Read application configuration and settings and write new versions
Answer = D
Deployers can read application configurations and settings and write new application versions, so option D is correct.
Option A is incorrect because it is missing the ability to read configurations and settings.
Option B is incorrect because it is missing writing new versions.
Option C is incorrect because it references writing new configurations. (Deployer cannot create a new configuration, but can create a new version from a configuration someone else has created)
- You want to list permissions in a role using Cloud Console. Where would you go to see that?
- IAM & Admin; select Roles. All permissions will be displayed.
- IAM & Admin; select Roles. Check the box next to a role to display the permissions in that role.
- IAM & Admin; select Audit Logs.
- IAM & Admin; select Service Accounts and then Roles.
Answer = B
The correct steps are navigating to IAM & Admin, selecting Roles, and then checking the box next to a role, so option B is correct.
Option A is incorrect; all roles are not displayed automatically.
Option C is incorrect; audit logs do not display permissions.
Option D is incorrect; there is no Roles option in Service Accounts.
- You are meeting with an autidor to discuss security practices in the cloud. The auditor asks how you implement several best practices. You describe how IAM predefined roles help to implement which security best practice(s)?
- Least privilege
- Separation of duties
- Defense in depth
- Options A and B
Answer = D
Predefined roles help implement both least privilege and separation of duties, so option D is correct. Predefined roles do not implement defense in depth by themselves but could be used with other security controls to implement defense in depth.
- What launch stages are available when creating custom roles?
- Alpha and beta only
- General availability only
- Disabled only
- Alpha, beta, general availability, and disabled
- The gcloud command to create a custom role is what?
- gcloud project roles create
- gcloud iam roles create
- gcloud project create roles
- gcloud iam create roles
Answer = B
The correct answer, option B, is gcloud iam roles create. (Commands start with the service you wish to make changes to, then end with a verb (or action) you want to perform)
Option A is incorrect because it references project instead of iam.
Option C is incorrect because it references project instead of iam, and the terms create and roles are out of order.
Option D is incorrect because the terms create and roles are out of order.
https://cloud.google.com/sdk/docs/cheatsheet#understanding_commands
- A DevOps engineer is confused about the purpose of scopes. Scopes are access controls that are applied to what kind of resources?
- Storage buckets
- VM instances
- Persistent disks
- Subnets
Answer = B
Scopes are permissions granted to VM instances, so option B is correct. Scopes in combination with IAM roles assigned to service accounts assigned to the VM instance determine what operations the VM instance can perform.
Options A and C are incorrect; scopes do not apply to storage resources.
Option D is incorrect; scopes do not apply to subnets.
- A scope is identified using what kind of identifier?
- A randomly generated ID
- A URL beginning with https://www.googleserviceaccounts/
- A URL beginning with https://www.googleapis.com/auth/
- A URL beginning with https://www.googleapis.com/auth/PROJECT_ID]
Answer = C
Scope identifiers start with https://www.googleapis.com/auth/ and are followed by a scope-specific name, such as devstorage.read_only or logging.write, so option C is correct.
Option A is incorrect; scope IDs are not randomly generated.
Option B is incorrect; the domain name is not googleserviceaccounts.
Option D is incorrect; scopes are not linked directly to projects.
- A VM instance is trying to read from a Cloud Storage bucket. Reading the bucket is allowed by IAM roles granted to the service account of the VM. Reading buckets is denied by the scopes assigned to the VM. What will happen if the VM tries to read from the bucket?
- The application performing the read will skip over the read operation.
- The read will execute because the most permissive permission is allowed.
- The read will not execute because both scopes and IAM roles are applied to determine what operations can be performed.
- The read operation will succeed, but a message will be logged to Stackdriver Logging.
Answer = C
Both scopes and IAM roles assigned to service accounts must allow an operation for it to succeed, so option C is correct.
Option A is incorrect; access controls do not affect the flow of control in applications unless explicitly coded for that.
Option B is incorrect; the most permissive permission is not used.
Option D is incorrect; the operation will not succeed.
- What are the options for setting scopes in a VM?
- Allow Default Access and Allow Full Access only
- Allow Default Access, Allow Full Access, and Set Access for Each API
- Allow Full Access or Set Access For Each API only
- Allow Default Access and Set Access For Each API only
Answer = B
The options for setting scopes are: Allow Default Access, Allow Full Access, and Set Access For Each API, so option B is correct.
Option A is incorrect; it is missing Set Access For Each API.
Option C is incorrect; it is missing Allow Default Access.
Option D is incorrect; it is missing Allow Full Access.
- What gcloud command would you use to set scopes?
A. gcloud compute instances set-scopes
B. gcloud compute instances set-service-account
C. gcloud compute service-accounts set-scopes
D. gcloud compute service-accounts define-scopes
- What gcloud command would you use to assign a service account when creating a VM?
- gcloud compute instances create [INSTANCE_NAME] –service-account [SERVICE_ACCOUNT_EMAIL]
- gcloud compute instances create-service-account [INSTANCE_NAME][SERVICE_ACCOUNT_EMAIL]
- gcloud compute instances define-service-account [INSTANCE_NAME][SERVICE_ACCOUNT_EMAIL]
- gcloud compute create instances-service-account [INSTANCE_NAME][SERVICE_ACCOUNT_EMAIL]
Answer = A
You can assign a service account when creating a VM using the create command.
Option B is incorrect; there is no create-service-account command verb.
Option C is incorrect; there is no define-service-account command verb.
Option D is incorrect; there is no instances-service-account command; also, create should come at the end of the command.
