{"id":6109,"date":"2019-10-14T09:26:17","date_gmt":"2019-10-14T02:26:17","guid":{"rendered":"http:\/\/gcloudvn.wam.vn\/thuc-hanh-nguyen-tac-dac-quyen-toi-thieu\/"},"modified":"2023-05-04T14:20:50","modified_gmt":"2023-05-04T07:20:50","slug":"thuc-hanh-nguyen-tac-dac-quyen-toi-thieu","status":"publish","type":"post","link":"https:\/\/gcloudvn.com\/en\/kienthuc\/thuc-hanh-nguyen-tac-dac-quyen-toi-thieu\/","title":{"rendered":"[Information] Practice the principle of least privilege"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-14893\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2019\/10\/Security.ai_V1-04-04_1-1024x569.jpg\" alt=\"Practice the principle of least privilege 1\" width=\"894\" height=\"497\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">When it comes to security, access management is a cornerstone capability \u2013 whether you&#039;re talking about a physical space or your cloud infrastructure. If you were securing an office, you would not give every employee a master key that opens the front door, the mailbox, and the safe. Likewise, when you&#039;re protecting your cloud infrastructure, you should restrict employees&#039; access to the network based on their roles and what they need to do their jobs.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">This concept is called the principle of least privilege, which NIST&#039;s Computer Security Resource Center defines as: \u201cA security principle that limits the access privileges of authorized personnel\u2026 to the minimum level necessary to perform their job.\u201d 
In practice, this means assigning credentials and privileges to users and services only when they are necessary, and removing any permissions that are no longer needed.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Keeping the principle of least privilege in mind, here are five practical tips to minimize the surface area of exposed resources on <a href=\"https:\/\/gcloudvn.com\/en\/google-cloud-platform\/\">Google Cloud Platform<\/a><\/span>\u00a0(GCP) and protect against some common attacks.<\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"1_Tranh_su_dung_qua_nhieu_primitive_roles\"><\/span><span style=\"font-size: 14pt;\"><b>#1: Avoid using too many primitive roles<\/b><\/span><span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Primitive roles such as Owner and Editor grant broad access to all resources in a project. To tighten access, consider using the more specific predefined roles in Cloud Identity and Access Management (IAM), or define custom roles that better fit your organization. For example, if you have a <a href=\"https:\/\/gcloudvn.com\/en\/cloud-sql\/\">Cloud SQL<\/a> database, instead of granting the project-wide Editor role to everyone, you can grant cloudsql.editor to users who need to create new databases, cloudsql.client to those who only need to connect to existing databases, and limit cloudsql.admin to database administrators.<\/span><\/p>\n<p style=\"text-align: justify;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-14894\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2019\/10\/Avoid_excessive_use_of_broad_primitive_roles.max-800x800.png\" alt=\"Practice the principle of least privilege 2\" width=\"762\" height=\"259\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Google&#039;s policy design page has several sample structures and policies for different types of organizations, including startups, large enterprises, and education and training customers.<\/span><\/p>\n<h2 style=\"text-align: 
justify;\"><span class=\"ez-toc-section\" id=\"2_Gan_roles_cho_nhom_khong_gan_cho_ca_nhan\"><\/span><span style=\"font-size: 14pt;\"><b>#2: Assign roles to groups, not individuals<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">If you assign an IAM role directly to an individual, they keep the permissions granted by that role even after they change roles, move around your organization, or no longer need them. A safer and more maintainable option is to put users in logical groups. For example, to manage a database you can create db-editors, db-viewers and db-admins groups and let users inherit roles from these groups:<\/span><\/p>\n<figure id=\"attachment_14895\" aria-describedby=\"caption-attachment-14895\" style=\"width: 759px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-14895\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2019\/10\/Assign_roles_to_groups.0525014406140271.max-1100x1100-1024x452.png\" alt=\"An example of assigning users and roles to groups \" width=\"759\" height=\"335\" \/><figcaption id=\"caption-attachment-14895\" class=\"wp-caption-text\"><em>An example of assigning users and roles to groups<\/em><\/figcaption><\/figure>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Groups can be created in the Admin Console for any G Suite domain (<a href=\"https:\/\/gcloudvn.com\/en\/google-workspace\/\">Google Workspace customers<\/a>) or synchronized from an external directory such as Active Directory. 
By using groups for ownership, you also avoid orphaned projects and resources \u2013 cases where the only owner of a project or resource has left the organization.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">You can assign roles at the organization, folder, project, or resource level. This lets larger organizations easily manage roles for a specific group of developers or for an entire accounting department. Note, however, that a child resource cannot restrict a role granted at a parent level: for example, a user who holds cloudsql.viewer at the project level keeps that access on every database in the project, regardless of any resource-level restriction.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"3_Giam_rui_ro_cua_hanh_vi_default_service_account\"><\/span><span style=\"font-size: 14pt;\"><b>#3: Reduce the risk of default service account behavior<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Service accounts are a special type of account intended for applications that need to access data. 
However, if an application&#039;s credentials are compromised, the attacker gains every permission that the service account&#039;s roles grant to that application.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">The default service account of <a href=\"https:\/\/gcloudvn.com\/en\/compute-engine\/\">Compute Engine<\/a>, which holds the Editor role, is attached to every instance created in a project unless you specify otherwise.<\/span><\/p>\n<figure id=\"attachment_14896\" aria-describedby=\"caption-attachment-14896\" style=\"width: 694px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-14896\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2019\/10\/default_service_account.0528019403980366.max-1100x1100-1024x942.png\" alt=\"The default service account has edit permissions for all resources in the project.\" width=\"694\" height=\"638\" \/><figcaption id=\"caption-attachment-14896\" class=\"wp-caption-text\"><em>The default service account has edit permissions for all resources in the project.<\/em><\/figcaption><\/figure>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Create a custom service account to use when creating instances, and limit its roles to the minimum necessary; this significantly reduces the risk. 
For example, many applications that use Cloud SQL only need the cloudsql.client role, which allows them to connect to an existing database.<\/span><\/p>\n<figure id=\"attachment_14897\" aria-describedby=\"caption-attachment-14897\" style=\"width: 790px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-14897\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2019\/10\/custom_service_accounts.0526019805760391.max-1100x1100-1024x695.png\" alt=\"With a custom service account, you can grant the minimum privileges required for instances and applications.\" width=\"790\" height=\"536\" \/><figcaption id=\"caption-attachment-14897\" class=\"wp-caption-text\"><em>With a custom service account, you can grant the minimum privileges required for instances and applications.<\/em><\/figcaption><\/figure>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Another approach is to create application-specific service accounts and grant each one only the minimum privileges it needs. 
This gives you more fine-grained control over each application&#039;s privileges, although you will need to manage the service account credentials carefully.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"4_Giam_rui_ro_va_kiem_soat_truy_cap_vao_du_an_cua_ban_bang_cach_su_dung_cac_tinh_nang_mang\"><\/span><span style=\"font-size: 14pt;\"><b>#4: Reduce risk and control access to your project using network features<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">To enable communication between resources, new GCP projects start with a default network that connects all the resources in the project. This is convenient for development, but in this default configuration an attacker who gains unauthorized access to one resource can also reach the others.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">To limit this risk, do not use the default network in production; instead, explicitly specify the acceptable source IP ranges, ports, and protocols in network firewall rules. You should also isolate sensitive applications in their own virtual private cloud (VPC) networks and, where applications must communicate with each other, use Shared VPC. Within each VPC, use separate subnets for public-facing services (e.g. 
web servers and bastion hosts) and for the private backend services that support them. Assign public IP addresses only to instances in the public subnet, and add firewall rules based on network tags to control which services can communicate with each other. Finally, grant permission to create or modify firewall rules and routes only to those directly responsible for the network.<\/span><\/p>\n<figure id=\"attachment_14898\" aria-describedby=\"caption-attachment-14898\" style=\"width: 767px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-14898\" src=\"https:\/\/gcloudvn.com\/wp-content\/uploads\/2019\/10\/example_of_limiting_acces.0524028006390551.max-1100x1100-1024x883.png\" alt=\"An example of access restriction with firewalls and public and private subnets.\" width=\"767\" height=\"661\" \/><figcaption id=\"caption-attachment-14898\" class=\"wp-caption-text\"><em>An example of access restriction with firewalls and public and private subnets.<\/em><\/figcaption><\/figure>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">The guide on securing applications and scenarios with custom networking walks you through setting up the public\/private subnet layout described above. The policy design page for customers mentioned earlier also contains sample network designs for common use cases. 
For guidance on the trade-offs of single, multiple, and shared VPCs, see Best practices and reference architectures for VPC design.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"5_Can_nhac_su_dung_cac_nen_tang_va_dich_vu_da_duoc_quan_ly\"><\/span><span style=\"font-size: 14pt;\"><b>#5: Consider using managed platforms and services<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">If you deploy and manage your own applications, you are responsible for their security configuration, including maintaining accounts and permissions. You can reduce that responsibility by hosting your application on managed platforms such as Cloud Run, <a href=\"https:\/\/gcloudvn.com\/en\/app-engine\/\">App Engine<\/a> or Cloud Functions, or by using fully managed services for databases and processing frameworks such as Cloud SQL for MySQL and Postgres, Cloud Dataproc for Hadoop and Spark, and Cloud Memorystore for Redis.<\/span><\/p>\n<h2 style=\"text-align: justify;\"><span class=\"ez-toc-section\" id=\"Luu_y_cuoi_cung\"><\/span><span style=\"font-size: 14pt;\"><b>Final Note<\/b><\/span><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Security is a top priority in every aspect of Google Cloud, but 
cloud security is a shared responsibility, and it is ultimately up to you to make the right configuration and product choices to protect your organization&#039;s data on GCP. These tips are a good starting point for reducing your attack surface and making more informed risk decisions. For more resources and security solutions for your business, see Google&#039;s <\/span><a href=\"https:\/\/cloud.google.com\/security\/\" target=\"_blank\" rel=\"nofollow noopener\"><span style=\"font-weight: 400;\">Trust &amp; Security<\/span><\/a><span style=\"font-weight: 400;\"> page.<\/span><\/p>\n<p style=\"text-align: right;\"><strong>Update: Gimasys<\/strong><\/p>","protected":false},"excerpt":{"rendered":"<p>When it comes to security, access management is a cornerstone capability &#8211; whether you&#039;re talking about a physical space or your cloud infrastructure. 
If you are&hellip;<\/p>","protected":false},"author":1,"featured_media":6110,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6109","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-kienthuc","entry","has-media"],"_links":{"self":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts\/6109","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/comments?post=6109"}],"version-history":[{"count":0,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/posts\/6109\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/media\/6110"}],"wp:attachment":[{"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/media?parent=6109"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/categories?post=6109"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gcloudvn.com\/en\/wp-json\/wp\/v2\/tags?post=6109"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}