You are viewing a free preview of this lesson.
Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.
The Security, Privacy, and Compliance pillar of the GCP Architecture Framework focuses on protecting your workloads, data, and users from threats. Google Cloud provides a layered security model with controls at every level — identity, network, data, and application. A well-architected workload on GCP applies the principle of least privilege, encrypts data at every stage, and continuously monitors for threats.
| Principle | Description |
|---|---|
| Defence in depth | Apply multiple layers of security controls — no single layer is sufficient |
| Least privilege | Grant only the minimum permissions required for each identity |
| Zero trust | Verify every request regardless of its origin — do not trust the network |
| Shift left | Integrate security into the development process, not just deployment |
| Automate security | Use policy-as-code and automated scanning to enforce security at scale |
IAM is the foundation of GCP security. It controls who can do what on which resources.
| Concept | Description |
|---|---|
| Principal | An identity — Google Account, service account, Google Group, or Google Workspace domain |
| Role | A collection of permissions — predefined or custom |
| Policy | A binding of principals to roles on a resource |
| Resource hierarchy | Organisation > Folder > Project > Resource — policies inherit downward |
| Conditions | IAM conditions that restrict when a binding is effective (time, resource attributes) |
| Practice | Description |
|---|---|
| Use groups, not individuals | Bind roles to Google Groups — manage membership, not IAM policies |
| Prefer predefined roles | Use Google-maintained roles over primitive roles (Owner, Editor, Viewer) |
| Avoid Owner and Editor | These roles grant broad permissions — use specific predefined or custom roles |
| Use Workload Identity | Bind GKE pods to service accounts without key files |
| Audit regularly | Use IAM Recommender to identify over-privileged accounts |
| Set up organisation policies | Enforce guardrails like disabling service account key creation |
# Create a service account with a specific purpose
gcloud iam service-accounts create order-processor \
--display-name="Order Processing Service"
# Grant a specific role (not Editor or Owner)
gcloud projects add-iam-policy-binding my-project \
--member="serviceAccount:order-processor@my-project.iam.gserviceaccount.com" \
--role="roles/pubsub.subscriber"
# Disable service account key creation via org policy
gcloud resource-manager org-policies enable-enforce \
constraints/iam.disableServiceAccountKeyCreation \
--organization=123456789
| Component | Purpose |
|---|---|
| Shared VPC | Centralise network management while delegating resource creation to service projects |
| Private Google Access | Allow VMs without external IPs to reach Google APIs |
| VPC Service Controls | Create security perimeters that restrict data movement between projects |
| Cloud NAT | Provide outbound internet access without assigning public IPs |
| Cloud Armor | Web application firewall and DDoS protection for external-facing services |
# Deny all ingress by default (best practice)
gcloud compute firewall-rules create deny-all-ingress \
--network=my-vpc \
--direction=INGRESS \
--action=DENY \
--rules=all \
--priority=65534
# Allow specific traffic with tags
gcloud compute firewall-rules create allow-http-to-web \
--network=my-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:80,tcp:443 \
--target-tags=web-server \
--source-ranges=0.0.0.0/0 \
--priority=1000
BeyondCorp Enterprise implements zero-trust access to applications:
Subscribe to continue reading
Get full access to this lesson and all 10 lessons in this course.