{"id":99393,"date":"2025-05-15T17:54:36","date_gmt":"2025-05-15T12:24:36","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=99393"},"modified":"2025-05-15T17:54:36","modified_gmt":"2025-05-15T12:24:36","slug":"gcp-cloud-engineers-handle-security-iam","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/gcp-cloud-engineers-handle-security-iam\/","title":{"rendered":"How GCP Cloud Engineers Handle Security &#038; IAM"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">As a <\/span><a title=\"Google Cloud Certified Associate Cloud Engineer\" href=\"https:\/\/www.whizlabs.com\/google-cloud-certified-associate-cloud-engineer\/\" target=\"_blank\" rel=\"noopener\"><b>Google Cloud Certified Associate Cloud Engineer<\/b><\/a><span style=\"font-weight: 400;\">, you are responsible not only for deploying and maintaining cloud applications and solutions but also for configuring security and access. This blog discusses Google Cloud security best practices as covered by the Google Certified Associate Cloud Engineer certification exam. 
Let&#8217;s get started and understand how GCP cloud engineers handle security and IAM.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Google_Cloud_Platform_Security\"><\/span><strong>Google Cloud Platform Security<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">At the heart of Google Cloud security is the<\/span> <a title=\"shared fate\" href=\"https:\/\/cloud.google.com\/security\/shared-fate?hl=en\" target=\"_blank\" rel=\"nofollow noopener\"><b>shared fate<\/b><\/a><span style=\"font-weight: 400;\"> model, which emphasizes close collaboration and partnership between Google and its customers in maintaining cloud security. In this approach, besides securing the underlying infrastructure, Google provides customers with best practices, secure configurations, compliance recommendations, and tools and services to deploy and manage cloud workloads securely.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While security teams play an important role in designing and maintaining cloud security, everyone working on the cloud is responsible for it. Misconfigurations or weak access controls can leave cloud infrastructure vulnerable. As a result, organisations need to manage resources so that unwanted access is prevented and the principle of least privilege is upheld.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Google provides infrastructure security through six progressive layers, maintaining defense in depth.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Figure. 
Six Security Layers of Google Cloud<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99396\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/six-security-layers-of-google-cloud-1.webp\" alt=\"six security layers google cloud\" width=\"1536\" height=\"177\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/six-security-layers-of-google-cloud-1.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/six-security-layers-of-google-cloud-1-300x35.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/six-security-layers-of-google-cloud-1-1024x118.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/six-security-layers-of-google-cloud-1-768x89.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/six-security-layers-of-google-cloud-1-150x17.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">The focus of this blog is identity security, which means authenticating the identities of all users and services. The Google Certified Associate Cloud Engineer course covers this topic in the <\/span><i><span style=\"font-weight: 400;\">Configuring Access and Security<\/span><\/i><span style=\"font-weight: 400;\"> section. 
The two common approaches to securing identity are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Multi-factor authentication (MFA)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Identity and access management (IAM)<\/span><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Multi-Factor_Authentication_MFA_in_GCP\"><\/span><strong>Multi-Factor Authentication (MFA) in GCP<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">MFA is a verification process that asks users to present two or more factors to prove their identity before they are granted access. MFA in GCP combines \u201csomething you know\u201d (a password) with \u201csomething you have\u201d (a phone or security key) to harden accounts, which makes it a cornerstone IAM practice. Starting in November 2024, Google Cloud is making MFA mandatory in a phased manner. It provides an extra layer of security that helps prevent unauthorized access to Google Cloud resources. 
With MFA enabled, along with your password, you must enter a second form of verification, such as:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Prompts<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">A security key<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">An authenticator app<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Backup codes<\/span><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Identity_and_Access_Management_IAM\"><\/span><strong>Identity and Access Management (IAM)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In general, <\/span><a title=\"Google Cloud IAM\" href=\"https:\/\/www.whizlabs.com\/blog\/a-complete-guide-to-cloud-iam\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\"><strong>Google Cloud IAM<\/strong> <\/span><\/a><span style=\"font-weight: 400;\">is the model for verifying and authenticating user and account identities and for regulating what those identities can access. It is one of the core areas of the Google Cloud <\/span><b>Well-Architected Framework: Security, privacy, and compliance<\/b><span style=\"font-weight: 400;\">. GCP IAM controls access to GCP resources. 
It enables you to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Grant and revoke access<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Control at a granular level who can access what<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Manage roles and permissions<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Audit access<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Acting as the front gate for all types of security, IAM sets policies that control who can access what across data, networks, applications, and infrastructure, in a hierarchical format.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99398\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/identity-and-access-management.webp\" alt=\"identity and access management\" width=\"1536\" height=\"448\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/identity-and-access-management.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/identity-and-access-management-300x88.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/identity-and-access-management-1024x299.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/identity-and-access-management-768x224.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/identity-and-access-management-150x44.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">The following table shows the breakdown of IAM functions:<\/span><\/p>\n<table>\n<tbody>\n<tr>\n<td><span style=\"font-weight: 400;\">Who<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Members<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Example: Users, groups, organizations, service 
accounts<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">What access<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Roles<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Example: Basic (broad) and predefined (granular)<\/span><\/td>\n<\/tr>\n<tr>\n<td><span style=\"font-weight: 400;\">Resources<\/span><\/td>\n<td><span style=\"font-weight: 400;\">GCP resources<\/span><\/td>\n<td><span style=\"font-weight: 400;\">Example: Instances, projects, cloud storage buckets, etc.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">Figure. IAM acts as the front gate for all types of GCP security<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99399\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-gcp-security.webp\" alt=\"iam gcp security\" width=\"1536\" height=\"872\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-gcp-security.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-gcp-security-300x170.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-gcp-security-1024x581.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-gcp-security-768x436.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-gcp-security-150x85.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<h3><span class=\"ez-toc-section\" id=\"IAM_core_components\"><\/span><span style=\"font-weight: 400;\">IAM core components<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">IAM defines who can do what on which GCP resources, using three components.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99400\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-core-components.webp\" alt=\"iam core components\" width=\"1536\" height=\"654\" 
srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-core-components.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-core-components-300x128.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-core-components-1024x436.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-core-components-768x327.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-core-components-150x64.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Principal<\/b><span style=\"font-weight: 400;\">: also known as a member, a principal represents the authenticated identity of an end user or an application. IAM supports different types of principals, which fall into two broad categories:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Human users<\/b><span style=\"font-weight: 400;\">: for example, Google Accounts, Google groups, and federated identities in workforce identity pools.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><b>Workloads<\/b><span style=\"font-weight: 400;\">: for example, service accounts and federated identities in a workload identity pool.<\/span><\/li>\n<\/ul>\n<img decoding=\"async\" class=\"alignnone size-full wp-image-99401\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/principals-of-iam.webp\" alt=\"iam principals\" width=\"1536\" height=\"495\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/principals-of-iam.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/principals-of-iam-300x97.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/principals-of-iam-1024x330.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/principals-of-iam-768x248.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/principals-of-iam-150x48.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Role<\/b><span style=\"font-weight: 400;\">: a role is a collection of permissions that, when granted to a principal, determines what the principal can do and on which resources. A permission is a specific operation allowed on a resource.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Resource<\/b><span style=\"font-weight: 400;\">: everything in Google Cloud is a resource; it is the Google Cloud object (a project, an instance, a storage bucket, and so on) that you want to let the principal access.<\/span><\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"IAM_important_features\"><\/span><span style=\"font-weight: 400;\">IAM important features<\/span><span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Deploying and managing applications and services in GCP requires a clear understanding of IAM features and of the way Google structures projects and manages identities and access control. The following are some of the core IAM features:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Role-Based Access Control (RBAC)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Resource hierarchy and policy inheritance<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Service accounts<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Your knowledge of these features will help you perform tasks such as managing IAM assignments, creating custom roles, managing service accounts, and viewing audit logs. 
In addition, you will be able to relate how these features help meet Google security best practices, such as:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Least privilege: grant only the minimal permissions required, using predefined roles.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Separation of duties: allow some users to change code and others to deploy it.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Defense in depth: apply multiple overlapping security controls.<\/span><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"IAM_Role\"><\/span><strong>IAM Role<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Cloud engineers use roles to control at a granular level who can access what. IAM supports three types of roles.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99402\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-roles.webp\" alt=\"iam roles\" width=\"1536\" height=\"552\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-roles.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-roles-300x108.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-roles-1024x368.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-roles-768x276.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/iam-roles-150x54.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Basic roles<\/b><span style=\"font-weight: 400;\">: These are broad roles that are applied at the project level of the resource hierarchy. 
They come in three types: reader, writer, and admin.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Predefined roles<\/b><span style=\"font-weight: 400;\">: also known as curated roles, these provide granular access to a specific service and are created and managed by Google Cloud. They are designed to map to job functions, for example Compute Network Admin, Security Reviewer, and Storage Admin, among many others.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Custom roles<\/b><span style=\"font-weight: 400;\">: These are created and managed by users to provide granular access according to a user-specified list of permissions.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Example: a group of users is granted the Instance Admin role on project A.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99405\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/list-of-permissions.webp\" alt=\"list of permissions\" width=\"1536\" height=\"700\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/list-of-permissions.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/list-of-permissions-300x137.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/list-of-permissions-1024x467.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/list-of-permissions-768x350.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/list-of-permissions-150x68.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Resource_hierarchy_and_policy_inheritance\"><\/span><strong>Resource hierarchy and policy inheritance<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Google follows a fixed hierarchy consisting of Organizations, Folders, and Projects to distribute and manage GCP resources. 
IAM works in tandem with this resource organization to define who can access what at each level.<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Organization: the root node of the hierarchy, representing an organization such as a company.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Folders: optional sub-groupings under the organization that represent a department, team, application, or environment.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Projects: mandatory; they act as the primary container for managing Google Cloud resources.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">As a cloud engineer, you must understand the resource hierarchy and how policies set at a higher level propagate down, because this directly determines how policies are managed and applied when you use Google Cloud. Policies and permissions work together to control access: permissions are assigned to roles, not to members, and a policy binds members to roles.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Example. 
Google resource hierarchy<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99406\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy.webp\" alt=\"google resource hierarchy\" width=\"1536\" height=\"1536\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-300x300.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-1024x1024.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-150x150.webp 150w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-768x768.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-24x24.webp 24w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-48x48.webp 48w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-96x96.webp 96w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-resource-hierarchy-250x250.webp 250w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Figure. 
Resource hierarchy and IAM policy inheritance<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99407\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/resource-hierarchy-and-iam-policy-inheritance.webp\" alt=\"resource hierarchy iam policy inheritance\" width=\"1536\" height=\"840\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/resource-hierarchy-and-iam-policy-inheritance.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/resource-hierarchy-and-iam-policy-inheritance-300x164.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/resource-hierarchy-and-iam-policy-inheritance-1024x560.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/resource-hierarchy-and-iam-policy-inheritance-768x420.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/resource-hierarchy-and-iam-policy-inheritance-150x82.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Service_Accounts\"><\/span><strong>Service Accounts<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Service accounts are special accounts for non-human users such as applications, services, and <\/span><a title=\"VM instances\" href=\"https:\/\/www.whizlabs.com\/blog\/how-to-deploy-a-vm-instance-in-google-cloud\/\" target=\"_blank\" rel=\"noopener\"><b>VM instances<\/b><\/a><span style=\"font-weight: 400;\">. 
Service accounts control server-to-server interactions:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Authenticating one service to another<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Controlling the privileges used by resources<\/span><\/li>\n<\/ul>\n<p><strong>They are of two types:<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">User-managed service accounts: created and managed by users<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Service agents: created and managed by Google Cloud<\/span><\/li>\n<\/ul>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99408\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/service-accounts.webp\" alt=\"service accounts\" width=\"1536\" height=\"495\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/service-accounts.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/service-accounts-300x97.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/service-accounts-1024x330.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/service-accounts-768x248.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/service-accounts-150x48.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Service accounts can act as both principals and resources. 
You can grant service accounts access to Google Cloud resources and permit other principals to access the service account.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone size-full wp-image-99409\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-cloud-resources-and-permit.webp\" alt=\"google cloud resources and permit\" width=\"1536\" height=\"495\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-cloud-resources-and-permit.webp 1536w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-cloud-resources-and-permit-300x97.webp 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-cloud-resources-and-permit-1024x330.webp 1024w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-cloud-resources-and-permit-768x248.webp 768w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/google-cloud-resources-and-permit-150x48.webp 150w\" sizes=\"(max-width: 1536px) 100vw, 1536px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"IAM_Security_Best_Practices\"><\/span><span style=\"font-weight: 400;\">IAM Security Best Practices<\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Google IAM is a powerful tool, yet it can become complex due to its fine-grained access control, hierarchical policy inheritance, and multiple identity types. 
The following best practices will help you keep it manageable:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use projects to isolate resources, and understand policy inheritance thoroughly.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Use groups when configuring Google Cloud access and assign roles to the group, which makes permissions easier to manage.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Basic roles can be overly permissive. Instead, use the most limited predefined or custom roles that meet your needs.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Grant the role with the smallest scope that fits; for example, prefer Compute Instance Admin over Compute Admin.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">If a role is needed across multiple projects, grant it at the organization or folder level.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Implement processes to manage service account keys.<\/span><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Final_thoughts\"><\/span><strong>Final thoughts<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The Google Associate Cloud Engineer certification is an entry-level certification for IT professionals who are new to GCP. A Cloud Engineer is tasked with designing, implementing, and maintaining secure cloud infrastructure. Becoming proficient in the cloud security model and IAM best practices is important both for passing the exam and for applying these principles in real-life scenarios. 
You can pick the best resources from us: we offer dedicated course-specific practice tests, video courses, <\/span><strong><a title=\"Sandboxes\" href=\"https:\/\/www.whizlabs.com\/google-cloud-sandbox\/\" target=\"_blank\" rel=\"noopener\">Sandboxes<\/a><\/strong><span style=\"font-weight: 400;\"> and <\/span><strong><a title=\"Hands-on Labs\" href=\"https:\/\/www.whizlabs.com\/hands-on-labs\/?&amp;sortedBy=popularCourse&amp;page=0\" target=\"_blank\" rel=\"noopener\">Hands-on Labs<\/a><\/strong><span style=\"font-weight: 400;\"> to help you gather all the required knowledge. What now? Check out our content. After achieving this certification, you can do a bit of everything, and from there you can further your cloud career by specialising in an advanced role such as Cloud Security Engineer, Solutions Architect, DevOps Engineer, and many more.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a Google Cloud Certified Associate Cloud Engineer, you are responsible not only for deploying and maintaining cloud applications and solutions but also for configuring security and access. This blog discusses Google Cloud security best practices as covered by the Google Certified Associate Cloud Engineer certification exam. Let&#8217;s get started and understand how GCP cloud engineers handle security and IAM. Google Cloud Platform Security At the heart of Google Cloud security is the shared fate model, which emphasizes close collaboration and partnership between Google and its customers in maintaining cloud security. 
In this approach, besides ensuring infrastructure [&hellip;]<\/p>\n","protected":false},"author":408,"featured_media":99403,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[12],"tags":[2254,789],"class_list":["post-99393","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-google-cloud","tag-gcp-associate-cloud-engineer","tag-google-cloud"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam.webp",1536,864,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-150x150.webp",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-300x169.webp",300,169,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-768x432.webp",768,432,true],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-1024x576.webp",1024,576,true],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam.webp",1536,864,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam.webp",1536,864,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-24x24.webp",24,24,true],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-48x48.webp",48,48,true],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-96x96.webp",96,96,true],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/up
loads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-150x150.webp",150,150,true],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-300x300.webp",300,300,true],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-250x250.webp",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-640x853.webp",640,853,true],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-96x96.webp",96,96,true],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2025\/05\/how-gcp-cloud-engineers-handle-security-iam-150x84.webp",150,84,true]},"uagb_author_info":{"display_name":"Anitha Dorairaj","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/anitha-dorairaj\/"},"uagb_comment_info":0,"uagb_excerpt":"In this blog, we will explore a Google Cloud Certified Associate Cloud Engineer,\u00a0 you are responsible for not only deploying and maintaining cloud applications and solutions but also configuring security access. This blog discusses the Google cloud security best practices based on the Google Certified Associate Cloud Engineer Certification exam. 
Let&#8217;s get started to understand&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/99393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/408"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=99393"}],"version-history":[{"count":8,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/99393\/revisions"}],"predecessor-version":[{"id":99413,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/99393\/revisions\/99413"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/99403"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=99393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=99393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=99393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}