This chapter covers GCP security services, including IAM, VPC Service Controls, Cloud Armor, Cloud KMS, Secret Manager, Security Command Center, and audit logging. These topics are critical for the ACE exam, as security and compliance represent approximately 12-15% of the exam questions. Understanding how to configure and manage these services to protect GCP resources is essential for any Associate Cloud Engineer.
Jump to a section
Imagine GCP security services as a medieval fortress designed to protect a kingdom's treasure (your data). The fortress has multiple layers: an outer moat (VPC firewall rules) that blocks unauthorized entry, a drawbridge (Cloud Load Balancing with SSL policies) that only allows trusted visitors, and guards at every gate (Cloud IAM) checking IDs and permissions. Inside, each treasure room has its own lock (Cloud KMS for encryption keys), and there are secret passages (VPC Service Controls) that prevent even authorized visitors from moving between rooms without explicit permission. The fortress also employs a watchtower (Security Command Center) that continuously scans for threats, and a scribe (Cloud Audit Logs) who records every action. If an intruder is detected, the fortress can isolate a room (Cloud Armor) or sound an alarm (Cloud Monitoring). This layered defense ensures that even if one barrier is breached, others remain to protect the treasure.
Cloud IAM (Identity and Access Management)
Cloud IAM is the foundational security service for controlling access to GCP resources. It uses a unified system of who (identity), what (role), and which (resource) to define permissions. Identities can be Google Accounts, Service Accounts, Google Groups, or Cloud Identity domains. Roles are collections of permissions; there are three types: primitive roles (Owner, Editor, Viewer), predefined roles (fine-grained, managed by Google), and custom roles (user-defined). Resources are organized hierarchically: Organization > Folder > Project > Resource. Permissions are inherited down the hierarchy.
Key Mechanism: When a request is made, IAM evaluates all policies that apply to the resource and the requester's identity. The effective permission is the union of all granted permissions minus any denied permissions (if using deny policies). IAM uses a deny-by-default model: no access unless explicitly granted.
Important Defaults: - New projects have no IAM members except the creator (who gets Owner role). - Service accounts are automatically created for Compute Engine and App Engine with Editor role on the project by default (can be restricted). - Primitive roles are broad and not recommended for production.
Commands:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member='user:email@example.com' \
--role='roles/compute.instanceAdmin'
gcloud iam roles describe roles/compute.instanceAdminVPC Service Controls
VPC Service Controls (VPC-SC) provide a security perimeter around Google Cloud managed services (like BigQuery, Cloud Storage, Bigtable) to mitigate data exfiltration risks. They work by creating service perimeters that define which projects and services are protected. Requests crossing the perimeter are evaluated against access levels (based on IP, device, etc.) and ingress/egress rules.
How it works internally: 1. A service perimeter is defined with a set of projects (the protected project set). 2. All services within those projects are considered "inside" the perimeter. 3. When a request is made to a protected service, VPC-SC checks if the request originates from inside the perimeter (based on source project and network). 4. If the request crosses the perimeter (e.g., from a VM outside), it is either blocked or allowed based on ingress rules. 5. Dry-run mode allows testing policies without enforcement.
Key Defaults: - By default, no perimeters exist; all services are open. - When a perimeter is created, all projects inside it are restricted: no data can be copied out to non-perimeter projects. - Access levels can use IP ranges, device policies, or time constraints.
Commands:
gcloud access-context-manager perimeters create PERIMETER_NAME \
--title='My Perimeter' \
--resources='projects/PROJECT_NUMBER' \
--restricted-services='bigquery.googleapis.com' \
--spec-dry-runCloud Armor
Cloud Armor is a web application firewall (WAF) that protects HTTP(S) load-balanced applications from DDoS attacks and web attacks. It uses security policies with rules that match on characteristics like IP, geo-location, or layer 7 attributes. It integrates with Cloud CDN and Cloud Load Balancing.
Key Components: - Security policies: Attached to a backend service or target proxy. - Rules: Each rule has a condition (e.g., source IP range) and action (allow or deny). Rules are evaluated in priority order (lower number = higher priority). - Preconfigured rules: Google provides rules for OWASP Top 10 (SQL injection, XSS, etc.) called WAF rules. - Rate limiting: Can limit requests per client IP.
Defaults: - Default rule at priority 2147483647 allows all traffic if no explicit deny matches. - WAF rules are evaluated after custom rules. - Cloud Armor is only available with HTTP(S) Load Balancing (external or internal).
Commands:
gcloud compute security-policies create my-policy \
--description='My security policy'
gcloud compute security-policies rules create 1000 \
--security-policy=my-policy \
--src-ip-ranges='192.0.2.0/24' \
--action=deny-403Cloud KMS (Key Management Service)
Cloud KMS manages cryptographic keys for encrypting data at rest. It supports symmetric and asymmetric keys, and integrates with Cloud Storage, BigQuery, Compute Engine (disk encryption), and other services. Keys are stored in a key ring within a location (global or regional).
Key Mechanism: 1. Create a key ring (logical grouping). 2. Create a crypto key inside the key ring (the actual key material). 3. Use key versions for rotation; each version has a state (enabled, disabled, destroyed). 4. To encrypt data, a client calls Cloud KMS API; the service encrypts the data with the key and returns ciphertext. The key never leaves Cloud KMS. 5. Customer-managed encryption keys (CMEK) allow you to control key lifecycle.
Defaults: - Key rotation period: 90 days (can set from 1 day to 1,000,000 days). - Key rings are location-scoped; keys cannot be moved between key rings. - Key material is protected by FIPS 140-2 Level 3 validated HSMs.
Commands:
gcloud kms keyrings create my-keyring --location=global
gcloud kms keys create my-key --location=global --keyring=my-keyring --purpose=encryption
gcloud kms encrypt --plaintext-file=./plain.txt --ciphertext-file=./encrypted.enc \
--location=global --keyring=my-keyring --key=my-keySecret Manager
Secret Manager stores API keys, passwords, certificates, and other sensitive data. It provides a centralized place to manage secrets with versioning, access control via IAM, and automatic replication across regions.
How it works: 1. Create a secret with a name and payload (the secret value). 2. Access secrets via API or gcloud command; the secret is decrypted and returned in plaintext. 3. Secrets are versioned; you can access by version ID or use the latest. 4. IAM roles (Secret Manager Secret Accessor) control who can read secrets.
Defaults: - Secrets are replicated to the region where they are created unless you specify multiple regions. - Secret payload is encrypted at rest with AES-256. - There is no automatic rotation; you must manually create a new version.
Commands:
gcloud secrets create my-secret --replication-policy=automatic
echo -n 'my-password' | gcloud secrets versions add my-secret --data-file=-
gcloud secrets versions access latest --secret=my-secretSecurity Command Center
Security Command Center (SCC) is a centralized security and risk management platform. It provides visibility into misconfigurations, vulnerabilities, and threats across GCP resources. It uses findings generated by built-in services (e.g., Cloud Asset Inventory, Web Security Scanner) and third-party integrations.
Key Components: - Assets: GCP resources like VMs, buckets, datasets. - Findings: Security issues (e.g., open firewall ports, public buckets, IAM over-privilege). - Sources: Built-in and third-party providers that generate findings. - Notifications: Can send findings to Pub/Sub, Cloud Functions, or Security Operations.
Tiers: - Standard (free): Basic security health analytics, asset discovery, and vulnerability scanning. - Premium: Includes Event Threat Detection, Container Threat Detection, and more.
Defaults: - SCC is enabled at the organization level. - It automatically discovers all projects in the organization. - Findings are retained for 7 days (Standard) or 30 days (Premium).
Commands:
gcloud scc assets list --organization=ORGANIZATION_ID
gcloud scc findings list --organization=ORGANIZATION_ID --source=SOURCE_IDCloud Audit Logs
Cloud Audit Logs record administrative actions, data access, and system events. There are four types: - Admin Activity: Logs API calls that modify configuration (retained 400 days). - Data Access: Logs API calls that read or modify user-provided data (retained 30 days). - System Event: Logs GCP actions that modify resources (retained 400 days). - Policy Denied: Logs when a request is denied due to IAM deny policies (retained 30 days).
Key Mechanism: 1. Audit logs are generated automatically for all services. 2. They are stored in Cloud Logging buckets (default: _Required bucket for Admin Activity and System Event, _Default bucket for Data Access). 3. You can export logs to Cloud Storage, BigQuery, or Pub/Sub for long-term retention. 4. Data Access logs are disabled by default; you must enable them per service.
Defaults: - Admin Activity logs are always enabled and free. - Data Access logs are disabled by default; enabling them incurs costs. - Retention: 400 days for Admin Activity and System Event; 30 days for Data Access and Policy Denied.
Commands:
gcloud logging read 'logName="projects/PROJECT_ID/logs/cloudaudit.googleapis.com%2Factivity"' --limit=10
gcloud logging buckets create my-bucket --location=global --retention-days=365Interaction Between Services
These services work together. For example, Cloud Armor protects load-balanced apps; VPC-SC prevents data exfiltration from BigQuery; Cloud KMS encrypts secrets in Secret Manager; SCC aggregates findings from all; audit logs capture actions. A typical secure architecture uses IAM for access control, VPC-SC for data boundaries, Cloud Armor for edge security, and SCC for monitoring.
Enable Security Command Center
At the organization level, enable SCC by granting the Security Center Admin role to a user. SCC automatically discovers all projects and resources. It begins scanning for misconfigurations and vulnerabilities. Findings appear within minutes for common issues like public buckets or open firewall rules.
Create VPC Service Perimeter
Identify the projects containing sensitive data (e.g., BigQuery datasets). Create a service perimeter using gcloud or Console. Specify the restricted services (e.g., bigquery.googleapis.com). Enable dry-run mode first to test without enforcement. Review logs for violations before switching to enforced mode.
Configure Cloud Armor Policy
Create a security policy with rules to block malicious traffic. For example, deny traffic from specific IP ranges or countries. Add preconfigured WAF rules to protect against SQL injection and XSS. Attach the policy to the backend service of your HTTP(S) load balancer. Test with sample requests to ensure legitimate traffic is allowed.
Set up Cloud KMS for CMEK
Create a key ring and crypto key. Grant the Cloud KMS CryptoKey Encrypter/Decrypter role to the service account that will use the key (e.g., BigQuery service account). When creating a BigQuery dataset, specify the key as the default encryption key. All tables in that dataset will be encrypted with your key.
Enable Data Access Audit Logs
Go to Cloud Audit Logs in the Console and enable Data Access logs for the services you want to monitor (e.g., Cloud Storage, BigQuery). This logs every read and write to user data. Be aware of cost implications. Export logs to BigQuery for analysis and to retain beyond 30 days.
Scenario 1: Financial Services Company Protecting Customer Data
A bank uses BigQuery to store transaction data. They must comply with PCI DSS and SOC 2. They deploy VPC Service Controls with a perimeter around the BigQuery project. Only applications running in authorized VPCs can query the data. They use Cloud KMS with CMEK to encrypt the data at rest, rotating keys every 90 days. Cloud Audit Logs track all queries, and SCC alerts on any public bucket or over-privileged IAM role. Misconfiguration: Initially, they forgot to add the data ingestion pipeline's service account to the perimeter's ingress rules, causing all writes to fail. They resolved by adding an ingress rule from the pipeline's project.
Scenario 2: E-commerce Platform DDoS Protection
An online retailer uses HTTP(S) Load Balancing with Cloud Armor. During a flash sale, they expect high traffic but also want to block bots. They configure rate limiting at 100 requests per second per IP. They also block traffic from known malicious IP ranges using a deny rule. Cloud Armor logs show that 95% of blocked traffic came from automated scripts. They also use Cloud CDN to cache static content, reducing load on backend. The security policy is updated dynamically via Cloud Functions when new threat intelligence is received.
Scenario 3: Multi-Cloud SaaS Application
A SaaS company uses GCP for data processing and AWS for frontend. They store API keys in Secret Manager with automatic replication to multiple regions for low latency. They use IAM to grant access to the keys only to specific service accounts. They enable Data Access audit logs for Secret Manager to detect unauthorized access attempts. A common issue: developers hardcode secrets in code; Secret Manager prevents this by providing a centralized, auditable store.
What the ACE Tests
Objective 5.2: Security services configuration and management. Expect questions on IAM roles (primitive vs predefined vs custom), VPC Service Controls (perimeter, ingress/egress rules), Cloud Armor (security policies, WAF rules), Cloud KMS (key rotation, CMEK), Secret Manager (versioning, access), SCC (findings, sources), and audit logs (types, retention).
Common Wrong Answers
Confusing primitive roles with predefined: Candidates often choose 'Editor' as a least-privilege role, but Editor is a primitive role that grants broad permissions. The correct answer is a predefined role like roles/compute.instanceAdmin.
VPC Service Controls vs. Firewall Rules: Candidates think VPC-SC is just another firewall, but it controls data exfiltration at the API level, not network traffic. Firewall rules control network packets.
Cloud Armor vs. Cloud CDN: Some think Cloud Armor is a CDN feature; it is a WAF that works with CDN but is separate.
Audit log retention: 400 days for Admin Activity, 30 days for Data Access. Candidates mix them up.
Exam Traps
Service Account Key Security: Never store service account keys in code or source control. Use Secret Manager or workload identity federation.
VPC-SC Dry Run: Questions may ask how to test a perimeter without blocking traffic; answer is dry-run mode.
Cloud KMS Key Rotation: Default is 90 days; can be customized.
SCC Standard vs Premium: Standard is free; Premium includes threat detection.
How to Eliminate Wrong Answers
If a question involves restricting data movement between projects, think VPC-SC, not firewall.
If a question involves web attack protection, think Cloud Armor.
If a question involves encryption key management, think Cloud KMS.
If a question involves secret storage, think Secret Manager.
If a question involves compliance and auditing, think Cloud Audit Logs and SCC.
IAM uses a deny-by-default model; you must explicitly grant permissions.
Predefined roles are preferred over primitive roles for least privilege.
VPC Service Controls prevent data exfiltration; use dry-run mode first.
Cloud Armor protects HTTP(S) load-balanced apps with WAF rules.
Cloud KMS default key rotation period is 90 days.
Secret Manager stores secrets with versioning and IAM access control.
Security Command Center Standard tier is free; Premium adds threat detection.
Admin Activity audit logs are always enabled and retained 400 days.
Data Access audit logs must be enabled per service and retained 30 days.
Cloud KMS keys cannot be exported; they stay in Google's HSMs.
Service account keys should never be stored in code; use Secret Manager.
VPC-SC perimeters can include multiple projects and restrict specific services.
These come up on the exam all the time. Here's how to tell them apart.
Cloud KMS CMEK
You manage the key lifecycle (rotation, disabling).
Keys are stored in Cloud KMS HSMs.
Can be used with BigQuery, Cloud Storage, Compute Engine.
Requires granting KMS permissions to service accounts.
Slightly higher latency due to key access.
Google Default Encryption
Google manages all keys transparently.
Keys are rotated automatically by Google.
No additional configuration needed.
No IAM overhead for encryption.
Lower latency as keys are local.
VPC Service Controls
Controls data exfiltration at API level.
Works with managed services like BigQuery.
Uses perimeters and access levels.
Can be tested in dry-run mode.
Does not affect network traffic.
Firewall Rules
Controls network traffic at packet level.
Works with VM instances and networks.
Uses rules based on IP, port, protocol.
Immediately enforced when created.
Does not prevent API data access.
Mistake
IAM primitive roles are fine for production because they are easy to use.
Correct
Primitive roles (Owner, Editor, Viewer) are too broad; they grant permissions across all resources in a project. Predefined roles are scoped to specific services and are recommended for least privilege.
Mistake
VPC Service Controls are the same as firewall rules.
Correct
Firewall rules control network traffic at the packet level (L3/L4). VPC-SC controls data access at the API level (L7) and prevents data exfiltration even from within the network.
Mistake
Cloud Armor can be attached to any load balancer.
Correct
Cloud Armor only works with external HTTP(S) Load Balancing and internal HTTP(S) Load Balancing. It does not work with TCP/UDP load balancers.
Mistake
Cloud KMS keys can be exported and used outside GCP.
Correct
Cloud KMS keys never leave the service. You can only use them via API calls. For external use, you must export the key material (if allowed by policy) or use Cloud External Key Manager.
Mistake
Audit logs are stored indefinitely.
Correct
Admin Activity logs are retained for 400 days; Data Access logs for 30 days. You must export logs to Cloud Storage or BigQuery for longer retention.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
CMEK (Customer-Managed Encryption Keys) uses keys stored in Cloud KMS that you manage. CSEK (Customer-Supplied Encryption Keys) are keys you provide yourself; GCP uses them temporarily and discards them. CMEK is more common and easier to manage because you don't have to supply keys with each request. For the ACE exam, CMEK is the primary topic.
Create a custom IAM role with only `storage.objects.get` permission (or use predefined role `roles/storage.objectViewer`). Grant that role to the service account at the bucket level (not project level). Use `gsutil iam ch` or Console to add binding.
Yes, Cloud Armor supports internal HTTP(S) Load Balancing (backend service with internal IP). However, it does not support TCP/UDP load balancers. For internal use, you must ensure the security policy is attached to the backend service.
Any data access that crosses the perimeter is blocked. For example, a VM outside the perimeter cannot read data from a BigQuery dataset inside the perimeter. Ingress and egress rules can allow specific cross-perimeter access. In dry-run mode, violations are logged but not blocked.
Set a rotation period when creating the key or update it later. Use `gcloud kms keys update --rotation-period=90d --next-rotation-time=2025-01-01T00:00:00Z`. New key versions are created automatically. Old versions remain for decryption until destroyed.
Findings are retained for 7 days in Standard tier and 30 days in Premium tier. You can export findings to BigQuery for long-term storage. Note that SCC itself does not have a configurable retention; export is required for compliance.
Yes, you can grant the Secret Manager Secret Accessor role to a service account from another project. This is common for cross-project access. Ensure the service account has the role at the secret, project, or organization level.
You've just covered GCP Security Services — now see how well it sticks with free ACE practice questions. Full explanations included, no account needed.
Done with this chapter?