General security guidance

Stay organized with collections Save and categorize content based on your preferences.

The default role automatically assigned for Compute Engine service accounts is Editor, which is very broad. Instead of using these default service accounts, create new service accounts for your projects with tightly scoped permissions that are matched to their use cases. After you've confirmed that the new service accounts work for their respective applications, disable the default Compute Engine service accounts. You can find the default Compute Engine service account in the project-level IAM section of the Google Cloud console. The service account name has the following format:

project-number-compute@developer.gserviceaccount.com

Similarly, if you use the App Engine service, create a new service account with tightly scoped permissions that are matched to your use case and override the default flow. After you've confirmed that the new service account works for your application, disable the App Engine default service account that was automatically created. You can find the default App Engine service account in the project-level IAM section of the Google Cloud console. The service account name has the following format:

your-project-id@appspot.gserviceaccount.com

Each Google Kubernetes Engine node has a IAM service account associated with it. By default, nodes are given the Compute Engine default service account, which you can find by navigating to the IAM section of the Google Cloud console. As previously discussed, this account has broad access by default, making it useful to a wide variety of applications, but it has more permissions than are required to run your Google Kubernetes Engine cluster. Instead, strongly consider creating and using a minimally privileged service account to run your Google Kubernetes Engine cluster. For more information about n hardening your Google Kubernetes Engine cluster, see the documentation for hardening your cluster's security and the Container Security Blog series.

Updates for the next version

The list of possible security controls you might care about for your specific business scenario can be quite broad. We recognize that this version of the security foundations blueprint doesn't cover everything. Future updates will include topics about data residency; data classification; and additional native guard rail services for security and compliance.

Summary

This guide provided our opinionated step-by-step guidance for configuring and deploying your Google Cloud estate. With the v2.5 version, we added guidance for restricting service and data location and for leveraging Assured Workloads when you are subject to regulatory compliance. We identified key decision points and areas of focus, and for each of those we provided both background considerations and discussions of the tradeoffs and motivations for each of the decisions we made. We recognize that these choices might not match every individual company's requirements and business context. You are free to adopt and modify the guidance we've provided.

We will continue to update this blueprint to stay current with new product capabilities, customer feedback, and the needs of and changes to the security landscape.

A core Google security principle covered in our BeyondProd paper is to use simple, automated, and standardized change rollout, which emphasizes the use of automation to limit exception cases and to minimize the need for human action. We therefore include a full Terraform repository of the scripts that you can use to automate the majority of the curated steps in this guide. You can run the scripts end-to-end to deploy the full opinionated foundation blueprint. The scripts can also be used and modified individually so that you can leverage parts of the blueprint that are the most relevant for your use case.

Finally, we can provide you with access to a demonstration Google organization using the repository of Terraform automation from start to finish. This gives you a view of what the full security foundations are like after they've been configured and are operational.

If you would like viewer access to the demonstration organization, please contact your Google Cloud sales team.

For support questions, or if you need a copy of the previous version of this document, contact us at security-foundations-blueprint-support@google.com.

For advisory and implementation services Google Cloud is collaborating with Deloitte's industry-leading cyber practice to deliver end-to-end architecture, design, and deployment services to support your cloud security journey.