PART I: Managing Security in Google Cloud Platform
Module 1: Foundations of GCP Security
-
Google Cloud's approach to security
-
The shared security responsibility model
-
Threats mitigated by Google and by GCP
-
Access Transparency
Module 2: Cloud Identity
-
Cloud Identity
-
Syncing with Microsoft Active Directory
-
Choosing between Google authentication and SAML-based SSO
-
GCP best practices
Module 3: Identity and Access Management
-
GCP Resource Manager: projects, folders, and organizations
-
GCP IAM roles, including custom roles
-
GCP IAM policies, including organization policies
-
GCP IAM best practices
Module 4: Configuring Google Virtual Private Cloud for Isolation and Security
-
Configuring VPC firewalls (both ingress and egress rules)
-
Load balancing and SSL policies
-
Private Google API access
-
SSL proxy use
-
Best practices for structuring VPC networks
-
Best security practices for VPNs
-
Security considerations for interconnect and peering options
-
Available security products from partners
Module 5: Monitoring, Logging, Auditing, and Scanning
-
Stackdriver monitoring and logging
-
VPC flow logs
-
Cloud audit logging
-
Deploying and Using Forseti
PART II: Mitigating Vulnerabilities on Google Cloud Platform
Module 6: Securing Compute Engine: techniques and best practices
-
Compute Engine service accounts, default and customer-defined
-
IAM roles for VMs
-
API scopes for VMs
-
Managing SSH keys for Linux VMs
-
Managing RDP logins for Windows VMs
-
Organization policy controls: trusted images, public IP address, disabling serial port
-
Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys
-
Finding and remediating public access to VMs
-
VM best practices
-
Encrypting VM disks with customer-supplied encryption keys
Module 7: Securing cloud data: techniques and best practices
-
Cloud Storage and IAM permissions
-
Cloud Storage and ACLs
-
Auditing cloud data, including finding and remediating publicly accessible data
-
Signed Cloud Storage URLs
-
Signed policy documents
-
Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys
-
Best practices, including deleting archived versions of objects after key rotation
-
BigQuery authorized views
-
BigQuery IAM roles
-
Best practices, including preferring IAM permissions over ACLs
Module 8: Protecting against Distributed Denial of Service Attacks: techniques and best practices
-
How DDoS attacks work
-
Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor
-
Types of complementary partner products
Module 9: Application Security: techniques and best practices
-
Types of application security vulnerabilities
-
DoS protections in App Engine and Cloud Functions
-
Cloud Security Scanner
-
Threat: Identity and Oauth phishing
-
Identity Aware Proxy
Module 10: Content-related vulnerabilities: techniques and best practices
-
Threat: Ransomware
-
Mitigations: Backups, IAM, Data Loss Prevention API
-
Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content
-
Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API