Identity & Access Management
Security is considered to be one of the biggest challenges when comparing cloud vs. in-house infrastructure. Due to lack of trust, loss of control, and the multi-tenant nature of the cloud, security controls and mechanisms are of the utmost importance.
Google Cloud Platform offers tools with a single dashboard and simple interfaces to implement security policies. Google Cloud Identity and Access Management (IAM) provides an easy way to manage GCP users and the permissions assigned to them. Besides human users, GCP provides a way to create non-human identities (service accounts) and attach those to cloud applications and VMs. The correct configuration and usage of service accounts and IAM are critical to GCP security. GCP also provides a centralized dashboard to view audit logs, which are useful in the case of a security breach.
To help you get the most out of the security tools offered in Google Cloud, this course covers how to properly manage IAM, service accounts, and audit logs.
- Understand how cloud security differs from on-premises security
- Configure identities and access levels in Google Cloud Platform using Cloud IAM
- Create, manage, and assign service accounts to GCP VMs
- View audit logs in the GCP console
- Students preparing for GCP cloud certifications
- Cloud administrators and IT professionals
- Cloud security practitioners
- GCP developers
- Completion of Google Cloud Platform Fundamentals course on Cloud Academy or practical working experience with GCP infrastructure
- Basic proficiency with command-line tools and Linux operating system environments
Hello and welcome to this lecture on Identity and Access Management, or IAM. In this lecture, you will learn the basics of identity and access management in Google Cloud. We'll also learn best practices and how to apply IAM on a GCP project.
First, let's try to understand the need for Cloud IAM. When you are in an in-house environment, identities and access control are managed by an enterprise IT department. The resources such as virtual machines, storage, and services are all controlled by the enterprise. So it is easier to apply access control policies. However, in the cloud this is different. The resources in the cloud are managed by the cloud provider. Resources are much more dynamic in the cloud. For instance, virtual machines and containers can be migrated and scaled up and down.
Access control mechanisms designed for static in-house resources can be difficult to use and manage in the cloud. Enterprises running their workloads in the cloud need a simple way to control access to their resources. They need different access levels for different user roles such as project administrators, developers, and testers.
Google Cloud Identity and Access Management or IAM is a managed service in GCP which gives you additional capabilities to secure access to your GCP resources. Cloud IAM gives users a single dashboard where they can view the different identities and the access levels associated with them. IAM also presents a consistent interface that applies to many GCP services including Compute Engine, App Engine, Kubernetes Engine, and Google Cloud Storage. Users do not have to create or learn separate access control mechanisms for individual services. Instead, they can learn how to use IAM once, and use it to control access over most GCP resources and services.
In GCP, resources are organized into a multi-level hierarchy. With IAM, if you apply policies at a higher level, they automatically propagate down to every resource beneath that node in the tree. IAM policies can be applied at the organization level, the folder level, the project level, and in some cases, at the resource level. An organization is at the topmost level in this hierarchy. It represents an enterprise or a company. Under the organization level, you can add folders. They're optional, but it's usually a good idea to use them unless you're mapping resources for a very small organization.
The most common use case is to have a separate folder for each department in your organization. You can also have subfolders under each folder. For example, you might want to have a separate subfolder for each team within a department. Under the folder level is the project level. All resources must be part of a project. A project is used to group related cloud resources together. For example, you might want to have a separate project for each of your applications. Projects can be used to isolate groups of resources for security and billing purposes. A project is a trust boundary and a level of isolation, so IAM policies applied to one project do not affect the resources in another project. For example, a user can be a project owner for project A but have no access to project B. This is a good way to prevent one team from intentionally or inadvertently affecting the VMs and other resources used by another team. Within a project, for fine-grained control, you can also apply IAM policies on individual resources such as Cloud Storage buckets and Kubernetes containers.
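To make the inheritance rules above concrete, here is an added example (not code from the course or from Google) that models a tiny organization → folder → project → resource tree and computes a member's effective roles by walking up the ancestors. All names (the organization, folders, projects, bucket, and e-mail addresses) are constructed, and the policy model is deliberately simplified to role-to-member bindings.

```python
# Added example: a minimal model of how Cloud IAM policies attach to nodes of
# the GCP resource hierarchy and propagate downward only. All names are constructed.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    parent: Node | None = None
    # role -> set of members bound at this node (a simplified IAM policy)
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)

    def ancestry(self):
        """Yield this node, then its parent, up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_roles(resource: Node, member: str) -> set[str]:
    """Roles a member holds on a resource: the union of the bindings on the
    resource itself and on every ancestor (org -> folder -> project -> resource).
    Policies never flow sideways, so sibling projects stay isolated."""
    roles: set[str] = set()
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            if member in members:
                roles.add(role)
    return roles


# Constructed hierarchy: one organization, one department folder, two projects,
# and one bucket inside project A.
org = Node("organizations/example.com")
eng = Node("folders/engineering", parent=org)
project_a = Node("projects/app-a", parent=eng)
project_b = Node("projects/app-b", parent=eng)
bucket_a = Node("projects/app-a/buckets/uploads", parent=project_a)

org.grant("roles/viewer", "auditor@example.com")            # inherited by everything
project_a.grant("roles/owner", "alice@example.com")         # confined to project A's subtree
bucket_a.grant("roles/storage.objectViewer", "svc-ingest@example.com")  # resource-level grant

if __name__ == "__main__":
    for node in (project_a, project_b, bucket_a):
        print(node.name, sorted(effective_roles(node, "alice@example.com")))
```

Running it shows alice holding owner on project A and its bucket but nothing on project B, while the organization-level viewer grant reaches every node.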
Now that you understand the structure of GCP resources, let me emphasize one of the most important IAM best practices: the principle of least privilege. The main idea is to restrict users and applications so that they cannot do more than they are supposed to do. Using Cloud Identity and Access Management, you can follow the principle of least privilege and limit the permissions granted to any particular user to the minimum necessary.
About the Author
Abhishek Gupta has 10+ years of experience in the domain of high-performance computing, cloud, and security. Currently, he's leading an innovation team at the Schlumberger Software Technology Innovation Center and is also a visiting faculty member at Santa Clara University where he teaches a graduate course in cloud computing. Gupta has a Ph.D. in Computer Science from the University of Illinois at Urbana Champaign.