security/gcn25-brk2-187-eu-banking-app/gcn25-brk2-187.ipynb
{
"cells": [
{
"cell_type": "markdown",
"source": [
"# NEXT25 BRK2-187: Secure your cloud with Google Cloud’s security and compliance innovations\n",
"\n",
"## What You'll learn\n",
"\n",
"1. Google Cloud’s security building blocks and how they fit together to provide a foundation for your workloads\n",
"2. How to meet baseline compliance for a real application and its data\n",
"3. How to protect sensitive PII with strong controls without changing the workload\n",
"4. How to create guardrails, while enabling developers to self-serve\n"
],
"metadata": {
"id": "s21uSouYN67Q"
},
"id": "s21uSouYN67Q"
},
{
"cell_type": "markdown",
"source": [
"## Demo: Assured Workload Migration API\n",
"\n",
"The jq expression that parses the analyzeWorkloadMove response below was generated in an interaction with Gemini."
],
"metadata": {
"id": "AYgW1cd_ljfp"
},
"id": "AYgW1cd_ljfp"
},
{
"cell_type": "code",
"source": [
"%%bash\n",
"\n",
"DESTINATION_ORGANIZATION_ID=\"YOUR_ORG\"\n",
"DESTINATION_WORKLOAD_ID=\"YOUR_ASSURED_WORKLOAD_ID\"\n",
"SOURCE_PROJECT_ID=\"YOUR_PROJECT\"\n",
"QUOTA_PROJECT_ID=\"QUOTA_PROJECT\"\n",
"REGION=\"us-east4\"\n",
"\n",
"export GOOGLE_CLOUD_QUOTA_PROJECT=$QUOTA_PROJECT_ID\n",
"gcloud config set project $QUOTA_PROJECT_ID\n",
"\n",
"# You might need to run 'gcloud auth login' after connecting\n",
"curl -s -X GET -H \"Authorization: Bearer $(gcloud auth print-access-token)\" -H \"x-goog-user-project: $SOURCE_PROJECT_ID\" \"https://$REGION-assuredworkloads.googleapis.com/v1/organizations/$DESTINATION_ORGANIZATION_ID/locations/$REGION/workloads/$DESTINATION_WORKLOAD_ID:analyzeWorkloadMove?project=projects/$SOURCE_PROJECT_ID\" | jq -r '\n",
" .assetMoveAnalyses[] as $asset | # Iterate through each asset analysis, store current asset in $asset variable\n",
" $asset.analysisGroups[]?.analysisResult | # Navigate into analysisGroups (if it exists) and then analysisResult\n",
" ( # Start a block to handle warnings and blockers separately but combine their outputs\n",
" (.warnings[]? | {type: \"Warning\", detail: .detail}), # Process warnings: create an object for each warning\n",
" (.blockers[]? | {type: \"Blocker\", detail: .detail}) # Process blockers: create an object for each blocker (if any)\n",
" ) | # Pipe the resulting {type, detail} objects\n",
" \"\\u001b[31m\\(.type)\\u001b[0m \\(.detail) \\n\\u001b[1m\\($asset.asset)\\u001b[0m\\n\" # Format the output string: Type, Detail, Resource Name\n",
"'"
],
"metadata": {
"id": "JHPhak4kj36H"
},
"id": "JHPhak4kj36H",
"execution_count": null,
"outputs": []
},
{
"cell_type": "markdown",
"source": [
"## Demo: Confidential Mode for Hyperdisk"
],
"metadata": {
"id": "wqmRXlY8lmIU"
},
"id": "wqmRXlY8lmIU"
},
{
"cell_type": "code",
"source": [
"%%bash\n",
"\n",
"PROJECT_ID=\"PROJECT_ID\"\n",
"SNAPSHOT_NAME=\"SNAPSHOT_NAME\"\n",
"ZONE=\"europe-west4-b\"\n",
"CHD_NAME=\"next-demo-chd\"\n",
"KMS_NAME=\"FULL_KEY_NAME\"\n",
"\n",
"gcloud compute disks create $CHD_NAME \\\n",
" --zone=$ZONE \\\n",
" --source-snapshot=$SNAPSHOT_NAME \\\n",
" --type=hyperdisk-balanced \\\n",
" --kms-key=$KMS_NAME \\\n",
" --confidential-compute"
],
"metadata": {
"id": "0KKb8eeQlJbY"
},
"id": "0KKb8eeQlJbY",
"execution_count": null,
"outputs": []
},
{
"cell_type": "markdown",
"source": [
"## Demo: Confidential Dataflow\n",
"\n",
"Follow the Dataflow Flex Template getting-started instructions (Python) to build and stage the template:\n",
"https://cloud.google.com/dataflow/docs/guides/templates/using-flex-templates#python\n"
],
"metadata": {
"id": "U9Bfdktylzzs"
},
"id": "U9Bfdktylzzs"
},
{
"cell_type": "code",
"source": [
"%%bash\n",
"\n",
"BUCKET_NAME=\"eubanking\"\n",
"LOCATION=\"europe-west4\"\n",
"\n",
"gcloud dataflow flex-template run \"client-bank-cvm-`date +%Y%m%d-%H%M%S`\" \\\n",
" --template-file-gcs-location \"gs://$BUCKET_NAME/client_info.json\" \\\n",
" --parameters output=\"gs://$BUCKET_NAME/processed-client-cards-\" \\\n",
" --region \"$LOCATION\" \\\n",
" --disable-public-ips \\\n",
" --network=\"next-eubanking\" \\\n",
" --subnetwork=\"regions/europe-west4/subnetworks/next-eubanking-sn\" \\\n",
" --additional-experiments=enable_confidential_compute\n"
],
"metadata": {
"id": "ah2mstcvlo5a"
},
"id": "ah2mstcvlo5a",
"execution_count": null,
"outputs": []
},
{
"cell_type": "markdown",
"source": [
"## Demo: Custom Org policies\n",
"Create a custom constraint that restricts the machine types allowed for new VM instances, enforce it on a project, and verify it with one blocked and one allowed VM."
],
"metadata": {
"id": "a46CCbH2N_Zg"
},
"id": "a46CCbH2N_Zg"
},
{
"cell_type": "code",
"source": [
"%%bash\n",
"\n",
"PROJECT_ID=\"PROJECT_ID\"\n",
"ORG_ID=\"ORG_ID\"\n",
"ZONE=\"europe-west4-a\"\n",
"\n",
"cat <<EOF > ./custom_constraint_1.yaml\n",
"name: organizations/$ORG_ID/customConstraints/custom.restrictInstanceMachineType\n",
"resourceTypes:\n",
"- compute.googleapis.com/Instance\n",
"methodTypes:\n",
"- CREATE\n",
"condition: resource.machineType.contains('n2') || resource.machineType.contains('e2')\n",
"actionType: ALLOW\n",
"displayName: Restrict GCE VM Instances to N2 or E2\n",
"description: N2 and E2 instances are permitted in this project. Please select a different machine type or contact susan@helpdesk.\n",
"EOF\n",
"\n",
"gcloud org-policies set-custom-constraint ./custom_constraint_1.yaml --project $PROJECT_ID\n",
"\n",
"cat <<EOF > ./enforce_constraint_1.yaml\n",
"name: projects/$PROJECT_ID/policies/custom.restrictInstanceMachineType\n",
"spec:\n",
" rules:\n",
" - enforce: true\n",
"EOF\n",
"\n",
"gcloud org-policies set-policy ./enforce_constraint_1.yaml\n",
"\n",
"gcloud compute instances create this-vm-is-blocked --project=$PROJECT_ID --zone=$ZONE --machine-type=m3-ultramem-32 --network-interface=network=default\n",
"\n",
"gcloud compute instances create this-vm-is-allowed --project=$PROJECT_ID --zone=$ZONE --machine-type=n2-standard-2 --network-interface=network=default\n"
],
"metadata": {
"id": "3YwRhli5mLV4"
},
"id": "3YwRhli5mLV4",
"execution_count": null,
"outputs": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.10.10"
},
"colab": {
"provenance": [],
"name": "gcn25-brk2-187"
}
},
"nbformat": 4,
"nbformat_minor": 5
}