The Architecture Center provides content resources across a wide variety of security and identity and access management (IAM) subjects.
Get started
If you are new to Google Cloud or new to designing for security and IAM on Google Cloud, begin with these resources:
- Enterprise foundations blueprint
- Identity and access management overview
- Landing zone design in Google Cloud
Security and IAM resources in the Architecture Center
You can filter the following list of security and IAM resources by typing a product name or a phrase that's in the resource title or description.
- Automate malware scanning for files uploaded to Cloud Storage: This document shows you how to build an event-driven pipeline that can help you automate the evaluation of files for malicious code. Products used: Cloud Logging, Cloud Run, Cloud Storage, Eventarc
- Best practices for mitigating compromised OAuth tokens for Google Cloud CLI: Describes how to mitigate the impact of an attacker compromising the OAuth tokens that are used by the gcloud CLI. Products used: Google Cloud CLI
- Best practices for operating containers: This article describes a set of best practices for making containers easier to operate. These practices cover a wide range of topics, from security to monitoring and logging. Their aim is to make applications easier to run in Google Kubernetes Engine... Products used: Cloud Monitoring, Cloud Storage, Google Kubernetes Engine (GKE)
- Best practices for protecting against cryptocurrency mining attacks: Cryptocurrency mining (also known as bitcoin mining) is the process used to create new cryptocoins and verify transactions. Cryptocurrency mining attacks occur when attackers who gain access to your environment might also exploit your resources to... Products used: Cloud Key Management Service, Compute Engine, Google Cloud Armor, Identity and Access Management
- Best practices for securing your applications and APIs using Apigee: Describes best practices that can help you to secure your applications and APIs using Apigee API management, Google Cloud Armor, reCAPTCHA Enterprise, and Cloud CDN. Products used: Cloud Armor, Cloud CDN, Waap
- Build and deploy generative AI and machine learning models in an enterprise: Describes the generative AI and machine learning (ML) blueprint, which deploys a pipeline for creating AI models.
- Build hybrid and multicloud architectures using Google Cloud: Provides practical guidance on planning and architecting your hybrid and multi-cloud environments using Google Cloud. Products used: Anthos, Cloud Load Balancing, Compute Engine, Google Kubernetes Engine (GKE)
- Building internet connectivity for private VMs: Describes options for connecting to and from the internet using Compute Engine resources that have private IP addresses. Products used: Cloud Load Balancing, Cloud NAT, Compute Engine, Identity-Aware Proxy
- C3 AI architecture on Google Cloud: Develop applications using C3 AI and Google Cloud. Products used: Cloud Key Management Service, Cloud NAT, Cloud Storage, Virtual Private Cloud
- Centralized network appliances on Google Cloud: This document is intended for network administrators, solutions architects, and operations professionals who run centralized network appliances on Google Cloud. Knowledge of Compute Engine and Virtual Private Cloud (VPC) networking in Google Cloud is... Products used: Cloud Load Balancing, Compute Engine
- Configure networks for FedRAMP and DoD in Google Cloud: Provides configuration guidance to help you to comply with design requirements for FedRAMP High and DoD IL2, IL4, and IL5 when you deploy Google Cloud networking policies.
- Configuring SaaS data protection for Google Workspace data with Spin.AI: How to configure SpinOne - All-in-One SaaS Data Protection with Cloud Storage.
- Controls to restrict access to individually approved APIs: Many organizations have a compliance requirement to restrict network access to an explicitly approved list of APIs, based on internal requirements or as part of adopting Assured Workloads. On-premises, this requirement is often addressed with proxy... Products used: Assured Workloads
- Data management with Cohesity Helios and Google Cloud: How Cohesity works with Google Cloud Storage. Cohesity is a hyperconverged secondary storage system for consolidating backup, test/dev, file services, and analytic datasets onto a scalable data platform. Products used: Cloud Storage
- Discusses how to use Sensitive Data Protection to create an automated data transformation pipeline to de-identify sensitive data like personally identifiable information (PII). Products used: BigQuery, Cloud Pub/Sub, Cloud Storage, Dataflow, Identity and Access Management, Sensitive Data Protection
- Decide the network design for your Google Cloud landing zone: This document describes four common network designs for landing zones, and helps you choose the option that best meets your requirements. Products used: VPC Service Controls, Virtual Private Cloud
- Deploy a secured serverless architecture using Cloud Functions: Provides guidance on how to help protect serverless applications that use Cloud Functions (2nd gen) by layering additional controls onto your existing foundation. Products used: Cloud Functions
- Deploy a secured serverless architecture using Cloud Run: Provides guidance on how to help protect serverless applications that use Cloud Run by layering additional controls onto your existing foundation. Products used: Cloud Run
- Deploy an enterprise developer platform on Google Cloud: Describes the enterprise application blueprint, which deploys an internal developer platform that provides managed software development and delivery.
- Deploy network monitoring and telemetry capabilities in Google Cloud: Network telemetry collects network traffic data from devices on your network so that the data can be analyzed. Network telemetry lets security operations teams detect network-based threats and hunt for advanced adversaries, which is essential for... Products used: Compute Engine, Google Kubernetes Engine (GKE), Logging, Packet Mirroring, VPC, Virtual Private Cloud
- Design secure deployment pipelines: Describes best practices for designing secure deployment pipelines based on your confidentiality, integrity, and availability requirements. Products used: App Engine, Cloud Run, Google Kubernetes Engine (GKE)
- Designing networks for migrating enterprise workloads: Architectural approaches: This document introduces a series that describes networking and security architectures for enterprises that are migrating data center workloads to Google Cloud. These architectures emphasize advanced connectivity, zero-trust security principles, and... Products used: Anthos Service Mesh, Cloud CDN, Cloud DNS, Cloud Interconnect, Cloud Intrusion Detection System (Cloud IDS), Cloud Load Balancing, Cloud NAT, Cloud VPN, Google Cloud Armor, Identity-Aware Proxy, Network Connectivity Center, Traffic Director, VPC Service Controls, Virtual Private Cloud
- Disaster recovery planning guide: The first part of a series that discusses disaster recovery (DR) in Google Cloud. This part provides an overview of the DR planning process: what you need to know in order to design and implement a DR plan. Products used: Cloud Key Management Service, Cloud Storage, Spanner
- Enterprise foundations blueprint: This series presents an opinionated view of Google Cloud security best practices, organized to allow users to deploy them for their workloads on Google Cloud.
- FortiGate architecture in Google Cloud: Describes the overall concepts around deploying a FortiGate Next Generation Firewall (NGFW) in Google Cloud. Products used: Cloud Load Balancing, Cloud NAT, Compute Engine, Virtual Private Cloud
- Google Cloud FedRAMP implementation guide: This guide is intended for security officers, compliance officers, IT admins, and other employees who are responsible for Federal Risk and Authorization Management Program (FedRAMP) implementation and compliance on Google Cloud. This guide helps you... Products used: Cloud Identity, Cloud Logging, Cloud Monitoring, Cloud VPN, Google Cloud Armor, Google Workspace, Identity and Access Management, Identity-Aware Proxy, Security Command Center
- Hybrid and multicloud architecture patterns: Discusses common hybrid and multicloud architecture patterns, and describes the scenarios that these patterns are best suited for. Products used: Cloud DNS, Cloud Interconnect, Cloud Pub/Sub, Cloud Run, Cloud SQL, Cloud Storage, Google Cloud Armor, Google Kubernetes Engine (GKE), Looker
- Identify and prioritize security risks with Wiz Security Graph and Google Cloud: Describes how to identify and prioritize security risks in your cloud workloads with Wiz Security Graph and Google Cloud. Products used: Artifact Registry, Cloud Audit Logs, Cloud SQL, Cloud Storage, Compute Engine, Google Kubernetes Engine (GKE), Identity and Access Management, Security Command Center
- Implement your Google Cloud landing zone network design: This document provides steps and guidance to implement your chosen network design for your landing zone. Products used: Virtual Private Cloud
- Implementing Binary Authorization using Cloud Build and GKE: Shows how to use Binary Authorization for Google Kubernetes Engine (GKE). Binary authorization is the process of creating attestations on container images for the purpose of verifying that certain criteria are met before you can deploy the images to GKE. Products used: Artifact Registry, Binary Authorization, Cloud Build, Cloud Key Management Service, Cloud Source Repositories, Google Kubernetes Engine (GKE)
- Import data from an external network into a secured BigQuery data warehouse: Describes an architecture that you can use to help secure a data warehouse in a production environment, and provides best practices for importing data into BigQuery from an external network such as an on-premises environment. Products used: BigQuery
- Import data from Google Cloud into a secured BigQuery data warehouse: Describes an architecture that you can use to help secure a data warehouse in a production environment, and provides best practices for data governance of a data warehouse in Google Cloud. Products used: BigQuery, Cloud Key Management Service, Dataflow, Sensitive Data Protection
- Ingesting clinical and operational data with Cloud Data Fusion: Explains to researchers, data scientists, and IT teams how Cloud Data Fusion can unlock data by ingesting, transforming, and storing the data in BigQuery, an aggregated data warehouse on Google Cloud. Products used: BigQuery, Cloud Data Fusion, Cloud Storage
- Landing zone design in Google Cloud: This series shows how to design and build a landing zone in Google Cloud, guiding you through high-level decisions about identity onboarding, resource hierarchy, network design, and security.
- Limiting scope of compliance for PCI environments in Google Cloud: Describes best practices for architecting your cloud environment for Payment Card Industry (PCI) Security Standards Council compliance. Products used: App Engine, BigQuery, Cloud Key Management Service, Cloud Logging, Cloud Monitoring, Cloud SQL, Identity and Access Management, Sensitive Data Protection
- Manage just-in-time privileged access to projects: Describes how you can use an open source tool to implement just-in-time privileged access to Google Cloud resources. Products used: App Engine, Identity-Aware Proxy
- Helps you plan, design, and implement the process of migrating your application and infrastructure workloads to Google Cloud, including computing, database, and storage workloads. Products used: App Engine, Cloud Build, Cloud Data Fusion, Cloud Deployment Manager, Cloud Functions, Cloud Run, Cloud Storage, Container Registry, Data Catalog, Dataflow, Direct Peering, Google Kubernetes Engine (GKE), Transfer Appliance
- Mitigating ransomware attacks using Google Cloud: Code created by a third party to infiltrate your systems to hijack, encrypt, and steal data is referred to as ransomware. To help you mitigate ransomware attacks, Google Cloud provides you with controls for identifying, protecting, detecting,... Products used: Google Security Operations, Google Workspace
- Overview of identity and access management: Explores the general practice of identity and access management (generally referred to as IAM) and the individuals who are subject to it, including corporate identities, customer identities, and service identities. Products used: Cloud Identity, Identity and Access Management
- OWASP Top 10 2021 mitigation options on Google Cloud: Helps you identify Google Cloud products and mitigation strategies that can help you defend against common application-level attacks that are outlined in the OWASP Top 10. Products used: Google Cloud Armor, Security Command Center
- PCI Data Security Standard compliance: Shows how to implement the Payment Card Industry Data Security Standard (PCI DSS) for your business on Google Cloud. Products used: App Engine, BigQuery, Cloud Functions, Cloud Key Management Service, Cloud Logging, Cloud Monitoring, Cloud Storage, Compute Engine, Google Kubernetes Engine (GKE), Sensitive Data Protection, VPC Service Controls
- This guide is intended to help you address concerns unique to Google Kubernetes Engine (GKE) applications when you are implementing customer responsibilities for Payment Card Industry Data Security Standard (PCI DSS) requirements. Disclaimer: This... Products used: Google Cloud Armor, Google Kubernetes Engine (GKE), Sensitive Data Protection
- Performing a PITR of a PostgreSQL database on Compute Engine: Shows how to create a demonstration database and run an application workload, configure the archive and backup processes, and then verify the backup, archive, and recovery processes. Products used: Cloud Storage, Compute Engine
- Scenarios for exporting Cloud Logging: Compliance requirements: Shows how to export logs from Cloud Logging to Cloud Storage to meet your organization's compliance requirements. Products used: Cloud Audit Logs, Cloud Logging, Cloud Storage
- Secure virtual private cloud networks with the Palo Alto VM-Series NGFW: Describes the networking concepts that you need to understand to deploy Palo Alto Networks VM-Series next generation firewall (NGFW) in Google Cloud. Products used: Cloud Storage
- Security blueprint: PCI on GKE: The PCI on GKE blueprint contains a set of Terraform configurations and scripts that demonstrate how to bootstrap a PCI environment in Google Cloud. The core of this blueprint is the Online Boutique application, where users can browse items, add them... Products used: Google Kubernetes Engine (GKE)
- Security log analytics in Google Cloud: Shows how to collect, export, and analyze logs from Google Cloud to help you audit usage and detect threats to your data and workloads. Use the included threat detection queries for BigQuery or Chronicle, or bring your own SIEM. Products used: BigQuery, Cloud Logging, Compute Engine, Looker Studio
- Set up an embedded finance solution using Google Cloud and Cloudentity: Describes architectural options for providing your customers with a seamless and secure embedded finance solution. Products used: Cloud Run, Google Kubernetes Engine (GKE), Identity Platform
- Setting up a Pub/Sub proxy for mobile clients on GKE: Shows you how to publish messages from mobile or client-side apps to Pub/Sub by using a proxy that handles authentication and authorization logic instead of client-side credentials. Products used: Cloud Build, Cloud Endpoints, Cloud Pub/Sub, Container Registry, Google Kubernetes Engine (GKE), Identity and Access Management
- Tokenizing sensitive cardholder data for PCI DSS: Shows how to set up an access-controlled credit and debit card tokenization service on Cloud Functions. Products used: Cloud Key Management Service, Firestore, Identity and Access Management
- Describes how to harden data transfers from Amazon Simple Storage Service (Amazon S3) to Cloud Storage using Storage Transfer Service with a VPC Service Controls perimeter. Products used: Access Context Manager, Cloud Storage, Storage Transfer Service, VPC Service Controls
- Use cases for troubleshooting access problems on Google Cloud: Describes how to use Google Cloud tools to troubleshoot use cases related to problems accessing Google Cloud resources. This document doesn't describe how to troubleshoot end-user access to your applications. Products used: Identity and Access Management
- Use Google Cloud Armor, load balancing, and Cloud CDN to deploy programmable global front ends: Provides an architecture that uses a global front end which incorporates Google Cloud best practices to help scale, secure, and accelerate the delivery of your internet-facing applications.
- Using Microsoft SQL Server backups for point-in-time recovery on Compute Engine: Shows how to perform backups on a Compute Engine SQL Server instance, including how to manage these backups and store them in Cloud Storage and how to restore a database to a point in time. Products used: Cloud Storage, Compute Engine