
Best Practices

High Level Documentation

| Link | Notes |
| --- | --- |
| Map the Cloud | Quickly look up which regional services each public cloud provider (AWS, Azure, Google Cloud, CloudFlare and Fastly) offers where; also gives stats on services, regions and edge locations |
| Google Cloud security best practices center | Best practices guides that provide specific, informed guidance on securing Google Cloud deployments: recommended configurations, architectures, suggested settings and other operational advice |

Operational Guides

| Link | Notes |
| --- | --- |
| Google Cloud security foundations guide | Opinionated guidance and accompanying automation to help you build security into your starting point for your Google Cloud deployments (companion repo) |
| PCI on GKE | Set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud |
| Best practices for enterprise multi-tenancy | Best practices to safely and efficiently set up multiple multi-tenant clusters for an enterprise organization |
| How Attackers Can Exploit GCP's Multicloud Workload Solution | A deep dive into the inner workings of GCP Workload Identity Federation, taking a look at the risks and how to avoid misconfigurations |
| Bastion Hosts | |
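The two Workload Identity Federation misconfigurations a reviewer usually checks first are a pool provider with no `attributeCondition` (every identity the external IdP issues for the configured account is accepted) and a service-account binding that trusts the whole pool (`principalSet://.../POOL/*`) instead of one subject or a narrowed attribute. The audit below is an added example written for this page, not code from the linked article or from Google; it assumes input in the shape of `gcloud iam workload-identity-pools providers describe --format=json` and `gcloud iam service-accounts get-iam-policy --format=json`, and the project number, pool, provider and role names in the sample data are constructed.

```python
"""Flag over-broad Workload Identity Federation trust on a GCP service account.

Added example, not code from the linked article. Assumptions: a provider
without attributeCondition accepts any identity the IdP issues for its
account/issuer, and a pool-wide principalSet binding lets all of them
impersonate the service account. Sample data below is constructed.
"""
import re

# principal://... (single subject) or principalSet://... (group/attribute/whole pool)
_WIF_PREFIX = (r"^principal(?:Set)?://iam\.googleapis\.com/projects/\d+"
               r"/locations/global/workloadIdentityPools/[^/]+")
POOL_WILDCARD = re.compile(_WIF_PREFIX + r"/\*$")  # ".../POOL/*" trusts every identity


def audit_provider(provider):
    """Return findings for one pool provider description (dict from gcloud JSON)."""
    findings = []
    name = provider.get("name", "<unnamed provider>")
    if provider.get("state") != "ACTIVE":
        return findings  # deleted or disabled providers cannot mint tokens
    if not provider.get("attributeCondition"):
        findings.append(f"{name}: no attributeCondition, any identity the "
                        "provider trusts can obtain a federated token")
    if provider.get("attributeMapping", {}).get("google.subject") is None:
        findings.append(f"{name}: attributeMapping does not set google.subject")
    return findings


def audit_sa_policy(policy):
    """Return findings for the IAM policy of one service account."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "?")
        for member in binding.get("members", []):
            if POOL_WILDCARD.match(member):
                findings.append(f"{role}: {member} trusts every identity in the pool")
    return findings


def run_audit(providers, policy):
    """Combine both checks; 'critical' means an open provider feeds a pool-wide binding."""
    provider_findings = [f for p in providers for f in audit_provider(p)]
    policy_findings = audit_sa_policy(policy)
    open_provider = any("no attributeCondition" in f for f in provider_findings)
    wildcard_binding = any("every identity" in f for f in policy_findings)
    return {"providers": provider_findings, "policy": policy_findings,
            "critical": open_provider and wildcard_binding}


# Constructed sample input (hypothetical project 123456789, pool ci-pool).
SAMPLE_PROVIDERS = [
    {"name": "projects/123456789/locations/global/workloadIdentityPools/ci-pool/providers/aws-locked",
     "state": "ACTIVE", "aws": {"accountId": "111122223333"},
     "attributeMapping": {"google.subject": "assertion.arn", "attribute.account": "assertion.account"},
     "attributeCondition": "assertion.arn.startsWith('arn:aws:sts::111122223333:assumed-role/ci-deployer/')"},
    {"name": "projects/123456789/locations/global/workloadIdentityPools/ci-pool/providers/aws-open",
     "state": "ACTIVE", "aws": {"accountId": "111122223333"},
     "attributeMapping": {"google.subject": "assertion.arn"}},
]
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": ["principalSet://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/ci-pool/*"]},
    {"role": "roles/iam.workloadIdentityUser",
     "members": ["principal://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/ci-pool/subject/arn:aws:sts::111122223333:assumed-role/ci-deployer/build"]},
]}

if __name__ == "__main__":
    result = run_audit(SAMPLE_PROVIDERS, SAMPLE_POLICY)
    for finding in result["providers"] + result["policy"]:
        print("FINDING:", finding)
    print("critical:", result["critical"])
```

The fix for a flagged pair is the shape of the first provider plus the second binding: pin the AWS role with `attributeCondition` and bind `roles/iam.workloadIdentityUser` to a `principal://.../subject/...` or a narrowed `principalSet://.../attribute.<name>/<value>`, never to `/*`.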

Code Samples

| Link | Notes |
| --- | --- |
| terraform-google-modules | Terraform modules for Google Cloud, made by Google Cloud |
| Cloud Foundation Toolkit | Best practice Infrastructure as Code (IaC) templates |
| cloud-foundation-fabric | End-to-end modular samples for Terraform on GCP |
| Google Cloud samples | Search for samples demonstrating the usage of Google Cloud products, across ML APIs, Storage, serverless, and more. You can filter by language and product |

Federation

AWS

| Link | Notes |
| --- | --- |
| Exchange AWS Credentials for GCP Credentials using GCP STS Service | Sample procedure that exchanges a long-term or short-term AWS credential for a GCP credential |
| Access GCP from AWS using Workload Identity Federation | Workload Identity Federation gives AWS workloads access to GCP resources without service account keys. Also covers gcp-workload-identity-federation, a Python module that enables workload identity federation from AWS to GCP |
| Keyless API - Launching GCP workloads from AWS | How to call Google Cloud APIs from AWS or Azure without managing secret keys, by impersonating a service account |
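The three entries above describe the same exchange: sign an AWS `sts:GetCallerIdentity` request with SigV4 (adding the `x-goog-cloud-target-resource` header that names the pool provider), hand that signed request to Google's STS as the subject token, and use the federated access token to impersonate a service account. The code below is an added example written for this page, not code from the linked articles or from Google's `google-auth` library; it builds the request bodies offline and sends nothing. The project number, pool, provider and service account names, the AWS access key, secret, session token and the signing time are all constructed assumptions.

```python
"""Build the AWS -> GCP Workload Identity Federation exchange offline.

Added example, not code from the linked articles. Constructs (1) the
SigV4-signed GetCallerIdentity request Google expects as the subject token,
(2) the STS token-exchange body, and (3) the service-account impersonation
call. Nothing is sent; all identifiers and credentials are made up.
"""
import datetime
import hashlib
import hmac
import json
import urllib.parse

GCP_STS_ENDPOINT = "https://sts.googleapis.com/v1/token"
AWS_REGION = "us-east-1"
AWS_STS_HOST = f"sts.{AWS_REGION}.amazonaws.com"
AWS_STS_QUERY = "Action=GetCallerIdentity&Version=2011-06-15"


def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_signing_key(secret_key, date_stamp, region, service):
    """Standard SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def signed_get_caller_identity(access_key_id, secret_access_key, audience,
                               session_token=None, now=None):
    """Return the signed GetCallerIdentity request in the JSON shape Google's STS accepts."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "host": AWS_STS_HOST,
        "x-amz-date": amz_date,
        # Binds the signature to one pool provider so it cannot be replayed elsewhere.
        "x-goog-cloud-target-resource": audience,
    }
    if session_token:  # temporary (STS/role) credentials must also sign the session token
        headers["x-amz-security-token"] = session_token
    signed_names = sorted(headers)  # SigV4 canonical headers are lower-case and sorted
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in signed_names)
    signed_headers = ";".join(signed_names)
    payload_hash = hashlib.sha256(b"").hexdigest()  # POST with an empty body
    canonical_request = "\n".join(
        ["POST", "/", AWS_STS_QUERY, canonical_headers, signed_headers, payload_hash])
    credential_scope = f"{date_stamp}/{AWS_REGION}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, credential_scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    signing_key = sigv4_signing_key(secret_access_key, date_stamp, AWS_REGION, "sts")
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{credential_scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {
        "url": f"https://{AWS_STS_HOST}?{AWS_STS_QUERY}",
        "method": "POST",
        "headers": [{"key": "Authorization", "value": authorization}]
                   + [{"key": k, "value": headers[k]} for k in signed_names],
    }


def sts_exchange_body(audience, subject_token):
    """JSON body for POST https://sts.googleapis.com/v1/token; subjectToken is URL-encoded."""
    return {
        "audience": audience,
        "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "subjectTokenType": "urn:ietf:params:aws:token-type:aws4_request",
        "subjectToken": urllib.parse.quote(json.dumps(subject_token), safe=""),
    }


def impersonation_request(service_account_email, federated_access_token, lifetime_seconds=3600):
    """Step 3: trade the federated token for a service-account token via IAM Credentials."""
    url = ("https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
           f"{service_account_email}:generateAccessToken")
    headers = {"Authorization": f"Bearer {federated_access_token}",
               "Content-Type": "application/json"}
    body = {"scope": ["https://www.googleapis.com/auth/cloud-platform"],
            "lifetime": f"{lifetime_seconds}s"}
    return url, headers, body


if __name__ == "__main__":
    # Hypothetical identifiers and credentials; nothing here is real.
    audience = ("//iam.googleapis.com/projects/123456789/locations/global/"
                "workloadIdentityPools/ci-pool/providers/aws-ci")
    token = signed_get_caller_identity("AKIAEXAMPLE", "wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY",
                                       audience, session_token="FwoGZXIvYXdzEXAMPLE")
    print(json.dumps(sts_exchange_body(audience, token), indent=2))
    print(impersonation_request("deployer@my-project.iam.gserviceaccount.com", "<federated token>"))
```

The federated token returned by Google's STS only carries the pool identity; the `generateAccessToken` call succeeds only if that identity (subject or attribute) holds `roles/iam.workloadIdentityUser` on the target service account, which is where the binding scope matters.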

GSuite

| Link | Notes |
| --- | --- |
| Domain-Wide Delegation of Authority in GSuite (Marco Lancini) | How to set up Domain-Wide Delegation of Authority in GSuite |
| Don't fear the authentication: Google Drive edition | Just as you can share a Drive folder with a person, you can also share a Drive folder with an IAM service account |