Best Practices
High Level Documentation¶
| Link | Notes |
|---|---|
| Map the Cloud |
|
| Google Cloud security best practices center | Best practices guides provide specific, informed guidance on helping secure Google Cloud deployments and describe recommended configurations, architectures, suggested settings, and other operational advice |
| Move from always-on privileges to on-demand access with Privileged Access Manager | To help mitigate the risks associated with excessive privileges and misuses of elevated access, Google announced GCP's built-in Privileged Access Manager |
Operational Guides¶
| Link | Notes |
|---|---|
| Google Cloud security foundations guide | Opinionated guidance and accompanying automation to help you build security into your starting point for your Google Cloud deployments (companion repo) |
| Setting up a FedRAMP Aligned Three-Tier Workload on Google Cloud | This solution guide covers the process and the guidelines to deploy a FedRAMP-aligned three-tier workload on Google Cloud using Assured Workloads |
| PCI on GKE | Set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud |
| Best practices for enterprise multi-tenancy | Best practices to safely and efficiently set up multiple multi-tenant clusters for an enterprise organization |
| How Attackers Can Exploit GCP's Multicloud Workload Solution | A deep dive into the inner workings of GCP Workload Identity Federation, taking a look at risks and how to avoid misconfigurations |
| Bastion Hosts |
Code Samples¶
| Link | Notes |
|---|---|
| terraform-google-modules | Terraform modules for Google Cloud, made by Google Cloud |
| Cloud Foundation Toolkit | Best practice Infrastructure as Code (IaC) templates |
| cloud-foundation-fabric | End-to-end modular samples for Terraform on GCP |
| Google Cloud samples | Search for samples demonstrating the usage of Google Cloud products, across ML APIs, Storage, serverless, and more. You can filter by language and product |
Federation¶
AWS¶
| Link | Notes |
|---|---|
| Exchange AWS Credentials for GCP Credentials using GCP STS Service | Sample procedure that will exchange a long term or short term AWS credential for a GCP credential |
| Access GCP from AWS using Workload Identity Federation |
|
| Keyless API - Launching GCP workloads from AWS | How to call Google Cloud APIs from AWS or Azure without managing secret keys impersonating a service account |
GSuite¶
| Link | Notes |
|---|---|
| Marco Lancini Domain-Wide Delegation of Authority in GSuite |
|
| Don't fear the authentication: Google Drive edition |
|