Access Control - bobbae/gcp GitHub Wiki

Access Control is a mechanism you can use to define who has access to resources.

IAM

Identity and Access Management lets administrators authorize who can take action on specific resources, giving you full control and visibility.

Context-Aware Access

Based on the BeyondCorp security model, Context-Aware Access is an approach that utilizes a variety of Google Cloud offerings to enforce granular access control based on a user's identity and context of the request.

Identity-Aware Proxy

Identity-Aware Proxy (IAP) lets you manage access to applications running in the App Engine standard environment, App Engine flexible environment, Compute Engine, and GKE.

IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls. When you turn on IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app.

https://www.youtube.com/watch?v=XqMY-rPk3MY

Serving and securing internal applications that can be accessed anywhere without the need for a VPN

https://bravenewgeek.com/tag/identity-aware-proxy/

Device Identity

The Cloud Identity Groups API allows you to create and manage different types of devices within your organization.

https://cloud.google.com/identity/docs/concepts/overview-devices

Groups Identity

A group is a collection of entities, where each entity can be either another group or a user.

https://cloud.google.com/identity/docs/groups

Access Context Manager

Access Context Manager allows Google Cloud organization administrators to define fine-grained, attribute based access control for projects and resources in Google Cloud.

Administrators first define an access policy, which is an organization-wide container for access levels and service perimeters.

Access levels describe the necessary requirements for requests to be honored.

SASE

Secure access service edge, or SASE, is a cloud-based security model which bundles software-defined networking with network security functions and delivers them from a single service provider.

SASE brings network security services and access control closer to the end user by shifting those key processes to the cloud, and operates on a global network in order to minimize latency while doing so.

ACL

An access control list (ACL) is a mechanism you can use to define who has access to your buckets and objects, as well as what level of access they have. In Cloud Storage, you apply ACLs to individual buckets and objects. Each ACL consists of one or more entries. An entry gives a specific user (or group) the ability to perform specific actions. Each entry consists of two pieces of information:

A permission, which defines what actions can be performed (for example, read or write).

A scope (sometimes referred to as a grantee), which defines who can perform the specified actions (for example, a specific user or group of users).

https://cloud.google.com/storage/docs/gsutil/addlhelp/SecurityandPrivacyConsiderations#access-control-lists

Predefined ACLs

A predefined or "canned" ACL is an alias for a set of specific ACL entries that you can use to quickly apply many ACL entries at once to a bucket or object.

https://cloud.google.com/storage/docs/access-control/lists#predefined-acl

Concentric permissions and scopes

Cloud Storage uses concentric permissions, so when you grant WRITER permission, you also grant READER permission, and if you grant OWNER permission, you also grant READER and WRITER permission.

https://cloud.google.com/storage/docs/access-control/lists#concentric

CORS

Cross Origin Resource Sharing (CORS) allows interactions between resources from different origins, something that is normally prohibited in order to prevent malicious behavior.

https://cloud.google.com/storage/docs/configuring-cors

RBAC

Role-based access control (RBAC) is a policy-neutral access-control mechanism defined around roles and privileges.

Tailscale ACL

https://tailscale.com/kb/1018/acls/