Cheat Sheet

Google Cloud Security

Best Practices
This comprehensive guide is designed for IT
professionals, organizations, and all those passionate
about enhancing their security measures on the

Google Cloud Platform. Drawing from a wealth of

expert knowledge and extensive research, our cheat
sheet simplifies the complex world of advanced
security, presenting insights that are both accessible
and actionable. With the latest tools and strategies at
your disposal, you will be armed and ready to fight
evolving digital threats.

Visibility and monitoring

1 Agentless scanning
The traditional method of scanning, which often required the installation of agents on each device
or instance, is now seen as cumbersome and risky due to the potential for introducing overhead
and vulnerabilities. That’s where agentless scanning comes in. Agentless scanning offers a
seamless way to monitor your cloud environment by eliminating the need for individual
installations, ensuring that security threats are identified and addressed promptly. 

Google Cloud’s agentless scanning offering is Virtual Machine Threat Detection (VMTD) in

the Security Command Center (SCC). VMTD is a pioneering detection capability that boasts
agentless memory scanning designed to identify threats like crypto-mining malware within virtual
machines operating on Google Cloud. This agentless approach not only reduces performance
impact but also minimizes the operational overhead associated with software agent deployment
and management.

Figure 1: Data flow for Virtual Machine Threat Detection (Source: Google Cloud Blog)

© Wiz Inc. All Rights Reserved. 1

CloudSec Academy Best Practices

2 Centralized logging and monitoring

Complex cloud environments present the problem of managing and monitoring security events
across diverse resources and services. Centralized logging and monitoring systems offer a solution
by aggregating logs from various sources, enabling real-time anomaly detection and coordinated
responses. Google Cloud’s Operations Suite, including tools like Cloud Logging and Monitoring, is
instrumental to achieving this centralized approach.

Set up Cloud Logging in Google Cloud

Navigate to the Google Cloud Console

Go to the "Operations" section and select "Logging.
Configure your desired resources to send logs to Cloud Logging:

# Using gcloud command to create a sink that exports logs to a

Cloud Storage bucket

gcloud logging sinks create my-sink storage.googleapis.com/my-

bucket --log-filter="severity>=ERROR"

Integrate Cloud Monitoring

InSet up desired metrics, dashboards, and alerting policies:

# Using gcloud command to create an alerting policy

gcloud alpha monitoring policies create --policy-from-file=my-

alert-policy.json

Visualization

Consider using tools like Google’s Looker Studio or Grafana to visualize your logs

and metrics.

Data security and compliance

1 Data security
Data breaches can lead to devastating consequences, both in terms of financial loss and
reputational damage. Advanced cryptographic techniques, combined with stringent access
controls and monitoring mechanisms, form the bedrock of a sound data security strategy.
Organizations can build a fortress around their sensitive data by encrypting both data at rest and
in transit and by regularly auditing access logs.

© Wiz Inc. All Rights Reserved. 2

CloudSec Academy Best Practices

Implement data encryption

At rest: Use Google Cloud's built-in encryption to secure data stored in services like

Cloud Storage, BigQuery, and Compute Engine:

# Using gsutil to create a Cloud Storage bucket with default

encryption

gsutil mb -c standard -l [REGION] -p [PROJECT_ID] gs://

[BUCKET_NAME]

gsutil kms encryption -k projects/[PROJECT_ID]/locations/global/

keyRings/[KEY_RING]/cryptoKeys/[KEY] gs://[BUCKET_NAME]

In transit: Ensure all data transferred over networks is encrypted using protocols like


SSL/TLS:

# Using gcloud to create a load balancer with SSL:

gcloud compute ssl-certificates create [SSL_CERT_NAME] --

certificate=[CERT_FILE_PATH] --private-key=[KEY_FILE_PATH]

2 Implement cloud security posture management (CSPM)

Cloud security posture management (CSPM) tools are specifically designed to address modern

cloud environments’ rapid growth and intricacy. These tools offer a comprehensive view of your

cloud infrastructure and actively monitor and enforce secure and compliant configurations across

all cloud resources.

Choose a CSPM tool

Google Cloud offers built-in CSPM capabilities through the Security Command Center. Ensure it's

enabled for your project:

# Using gcloud to enable Security Command Center for your projec t

gcloud scc services enable securitycenter .googleapis.com --

project=[PROJECT_ID]

Monitor cloud resources

Set up regular scans of your cloud resources to detect misconfigurations or non-


compliant settings:

© Wiz Inc. All Rights Reserved. 3

CloudSec Academy Best Practices

# Using gcloud to start a scan

gcloud scc assets list --organization=[ORG_ID] --

project=[PROJECT_ID]

Enforce secure configurations

Use CSPM tools to enforce policies and ensure that all resources adhere to best

security practices:

# Using gcloud to create a security policy

gcloud scc policies create --organization=[ORG_ID] --policy-

file=[POLICY_FILE_PATH]

Advanced threat protection

1 Vertex AI security
Vertex AI, a prominent offering from the Google Cloud Platform for machine-learning solutions,
brings many tools to the table. Yet, as with any sophisticated platform, it has security challenges.
To safeguard against vulnerabilities, conduct regular audits of Vertex AI configurations. Equally
important is the careful cleansing of data used for training to prevent potential data leaks or
malicious data-poisoning attempts.

By implementing the following steps, organizations can ensure Vertex AI deployments remain
secure, effectively mitigating potential threats and vulnerabilities in machine-learning workflows.

Audit Vertex AI configurations

Regularly review and update the configurations of your Vertex AI resources:

# Using gcloud to list all Vertex AI models in your project

gcloud ai-platform models list --project=[PROJECT_ID]

Sanitize training data

Ensure that the data used for training is free from malicious inputs. Consider using tools like
TensorFlow Data Validation (TFDV) for this purpose:

© Wiz Inc. All Rights Reserved. 4

CloudSec Academy Best Practices

# Generate statistics for training data

import tensorflow_data_validation as tfdv

train_stats =
tfdv.generate_statistics_from_csv(data_location='path_to_train_data
.csv')

tfdv.visualize_statistics(train_stats)v

Monitor for anomalies

Set up monitoring to detect any unusual activities or results from your machine-learning models:

# Using gcloud to monitor Vertex AI job logs

gcloud logging read "resource.type=ml_job AND logName=projects/

[PROJECT_ID]/logs/vertex-ai.googleapis.com%2Fjob" --limit=50

2 Kubernetes security
A breach in a Kubernetes cluster can lead to catastrophic outcomes, including data leaks and
service outages. To bolster the security of Kubernetes deployments, adopt practices such as role-
based access control (RBAC), stringent network policies, and routine vulnerability assessments of
container images.

Implement role-based access control (RBAC)

Define roles and role bindings to control who can access the Kubernetes API and what actions
they can perform:

# Sample RBAC role and role binding for a pod reader

apiVersion: rbac.authorization.k8s.io/v1

kind: Role

metadata:

namespace: default

name: pod-reader

© Wiz Inc. All Rights Reserved. 5

CloudSec Academy Best Practices

rules:

- apiGroups: [""]

resources: ["pods"]

verbs: ["get", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1

kind: RoleBinding

metadata:

name: read-pods

namespace: default

subjects:

- kind: User

name: "jeff"

apiGroup: rbac.authorization.k8s.io

roleRef:

kind: Role

name: pod-reader

apiGroup: rbac.authorization.k8s.io

Enforce network policies

Control the communication between pods using network policies:

# Sample network policy to allow traffic only from a specific pod

apiVersion: networking.k8s.io/v1

kind: NetworkPolicy

metadata:

name: allow-specific-pod

spec:

podSelector:

matchLabels:

© Wiz Inc. All Rights Reserved. 6

CloudSec Academy Best Practices

role: api

policyTypes:

- Ingress

ingress:

- from:

- podSelector:

matchLabels:

role: frontend

Risk management and visualization

1 Risk management
Mastery of risk management requires understanding risks and then effectively prioritizing them.
Leveraging advanced tools, particularly graph visualization techniques, can significantly enhance
an organization's risk-management capabilities. These tools provide a comprehensive and

intuitive view of potential threat vectors by graphically representing resources and their
interconnected risks.

Inventory cloud resources

Regularly catalog and classify all assets within your cloud environment:

# Using gcloud to list all Compute Engine instances

gcloud compute instances list --project=[PROJECT_ID]

Evaluate and prioritize risks

Assess each resource for potential vulnerabilities and prioritize based on impact

and likelihood:

# Using gcloud to get details of a specific Compute Engine instance

gcloud compute instances describe [INSTANCE_NAME] --zone=[ZONE] --

project=[PROJECT_ID]

© Wiz Inc. All Rights Reserved. 7

CloudSec Academy Best Practices

Implement graph visualization

Use tools like the Cloud Asset Inventory (or third-party solutions like Neo4j) to visualize the
relationships and risks associated with your resources:

# Using gcloud to export asset details for visualization

gcloud asset export --content-type=resource --project=[PROJECT_ID]

--output-path=gs://[BUCKET_NAME]/assets.txt

Conclusion: The importance of advanced Google

Cloud security protocols
Adopting advanced Google Cloud security practices is more than a mere protective measure—it's
a transformative journey. That’s why implementing barriers against threats isn’t enough. We must
also enable innovation to succeed in the cloud. Use this cheat sheet as your guide to confidently
navigating the cloud while always staying a step ahead of emerging challenges.

To further enhance your understanding and get hands-on experience with our solutions, schedule
a Wiz demo and discover the full potential of advanced security with Wiz.

Schedule a Wiz demo and discover the full potential Get a Demo
of advanced security with Wiz

© Wiz Inc. All Rights Reserved. 8