Introduction
Google Cloud customers can use Assured Workloads to apply security controls to an environment that supports compliance mandates without sacrificing the calibre of their cloud experience. With Assured Workloads, customers can set up and secure sensitive workloads to satisfy their regulatory compliance needs. This blog explains Assured Workloads in detail: deploying a resource with Assured Workloads, creating a folder, creating BigQuery, Cloud Storage and Persistent Disk workloads, and deleting a workload environment.
Without further ado, let's get started.
Deploy a resource with Assured Workloads
To deploy an Assured Workloads environment, you must first create and register a folder. Depending on the compliance regime you choose, you are responsible for creating the environment's resources and encryption keys.
Make the following preparations for your environment and first workload:
Create an organisation, if you haven't already, as follows:
Set up Cloud Identity and verify your domain.
Use Assured Workloads only after the organisation has been created.
Choose a compliance regime.
Create a folder specifically for Assured Workloads environments.
In the Assured Workloads environment, create the folder that supports your compliance regime:
Create a new folder in a workload environment (IL4, CJIS).
Create a new folder in a workload environment (FedRAMP, US Regions & Support).
Obtain or create a customer-managed encryption key (CMEK).
Add a resource to your Assured Workloads environment. Assured Workloads supports numerous resources; examples include:
Creating a Cloud Storage workload.
Creating a Persistent Disk workload.
Creating a BigQuery workload.
Let's look into the details of Creating a folder for Assured Workloads environments.
Creating a folder for Assured Workloads environments
Follow the steps to create a folder for Assured Workloads environments.
Prerequisites
Make sure you have completed the following before performing the procedure described in this guide:
Create or choose a Google Cloud organisation in the Google Cloud console.
Grant Identity and Access Management permissions.
The Folder Administrator Identity and Access Management (IAM) role contains the minimal IAM permissions required to create and access Assured Workloads environments.
Assign the IAM role with the corresponding gcloud command.
To create a new folder for Assured Workloads environments:
Go to the Resource Manager.
Click Create Folder.
In the New Folder dialogue, give the folder a name, choose the appropriate organisation and position in the resource hierarchy, then click Create.
Find the newly created folder.
Copy the value in the ID field.
Fill out the Assured Workloads folder onboarding form.
Set the folder's access preferences.
Creating a new folder in a workload environment (IL4, CJIS)
The following steps create a fresh workload environment:
Navigate to the Assured Workloads page in the Google Cloud console.
Click Select a project in the console toolbar, then pick your organisation.
Click Create.
Confirm that you have satisfied the prerequisites in the Create an Assured Workloads folder step, then click Next.
In the jurisdiction selection step, select the United States from the drop-down menu, then click Next.
In the Select a compliance type to be supported by your folder step, select IL4 or CJIS, then click Next.
In the Select a region step, choose the region where you want to deploy resources for the Assured Workloads environment, then click Next.
In the Review the compliance controls step, make sure you understand the limitations and restrictions of your workload before moving on.
Click Next.
In the Configure your folder step:
Give the new folder a name, for example aw-example.
For Parent resource, enter the name of the folder that has already been onboarded to Assured Workloads, or browse the folders in your organisation.
Click Next.
In the Configure key management step, you create a new project and a key ring for your customer-managed encryption keys (CMEK).
Enter the name of the new key ring in the Key ring name field.
(Optional) Enter the name of the new CMEK project in the Project name field. If no project name is supplied, the default, cmek-FOLDER_NAME, is used. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
(Optional) Enter the ID of the project you'll create for your encryption keys in the Project ID field. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
Select the billing account for your Google Cloud organisation.
In the final step, review and confirm that the information about your new Assured Workloads environment is accurate, then click Create.
Assured Workloads creates the following resources:
An Assured Workloads folder that enforces the compliance settings you selected on supported Google Cloud resources.
Organisation policies that support case routing and enforce resource location constraints.
A CMEK project containing the configured CMEK key ring.
Let's dive into the details of creating a new folder in a workload environment for FedRAMP and US Regions & Support.
Creating a new folder in a workload environment (FedRAMP, US Regions & Support)
The following steps create a fresh workload environment:
Navigate to the Assured Workloads page in the Google Cloud console.
Click Select a project in the console toolbar, then pick your organisation.
Click Create.
Confirm that you have satisfied the prerequisites in the Create an Assured Workloads folder step, then click Next.
In the jurisdiction selection step, select the United States from the drop-down menu, then click Next.
In the Select a compliance type to be supported by your folder step, choose FedRAMP Moderate, FedRAMP High, or US Regions and Support, then click Next.
In the Select a region step, choose the region where you want to deploy resources for the Assured Workloads environment, then click Next.
In the Review the compliance controls step, make sure you understand the limitations and restrictions of your workload before moving on.
Click Next.
In the Configure your folder step:
Give the new folder a name, for example aw-example.
For Parent resource, enter the name of the folder that has already been onboarded to Assured Workloads, or browse the folders in your organisation.
Click Next.
In the Configure key management step, you create a new project and a key ring for your customer-managed encryption keys (CMEK).
Enter the name of the new key ring in the Key ring name field.
(Optional) Enter the name of the new CMEK project in the Project name field. If no project name is supplied, the default, cmek-FOLDER_NAME, is used. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
(Optional) Enter the ID of the project you'll create for your encryption keys in the Project ID field. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
Select the billing account for your Google Cloud organisation.
In the final step, review and confirm that the information about your new Assured Workloads environment is accurate, then click Create.
Assured Workloads creates the following resources:
An Assured Workloads folder that enforces the compliance settings you selected on supported Google Cloud resources.
Organisation policies that support case routing and enforce resource location constraints.
A CMEK project containing the configured CMEK key ring.
Let's look into the details of creating a BigQuery workload.
Create a BigQuery workload
The following steps create a BigQuery workload:
Prerequisites
You must be the project's owner, an organisation administrator, or have a security role.
Select a compliance regime and an encryption plan.
Create a folder for your Assured Workloads environment.
In the Assured Workloads environment, create the folder that supports your compliance regime:
Create a new folder in a workload environment (IL4, CJIS).
Create a new folder in a workload environment (FedRAMP, US Regions & Support).
Note the project ID of the project that holds the CMEK keys for your Assured Workloads. This project is created automatically if the compliance regime you selected was IL4 (Preview) or CJIS.
Create the key
Create the CMEK key as follows:
In the Google Cloud console, go to Cryptographic Keys.
Choose the Assured Workloads CMEK project. Its project ID has the default prefix cmek-.
Click your key ring.
Click Create Key.
In the What kind of key do you want to create? section, choose Generated key from the drop-down list.
Enter the key name in the Key name field.
For Protection level, choose Software from the drop-down list.
For Purpose, choose Symmetric encryption/decryption from the drop-down list.
For Rotation period, choose 90 days from the drop-down list.
Optional: to add a label, do the following:
Select Add a label.
In the Key text field, type a key.
In the Value text field, type a value.
Click Create.
The key is created.
Obtain your CMEK key resource ID
Follow these steps to obtain your CMEK key resource ID:
In the Google Cloud console's project selector, select the project ID of the project that holds your CMEK keys. If Assured Workloads created this project, its project ID is automatically prefixed with cmek-.
Under Security, go to Cryptographic Keys.
Under Key rings, click the name of the key ring.
On the Keys tab of Key ring details, click the name of the key.
To the right of the key name, click More (the more_vert icon).
Follow these steps to use the key in BigQuery:
Go to BigQuery.
In the project selector, choose the Assured Workloads resource project in which you want to create the BigQuery resource.
In Explorer, click More (the more_vert icon) next to the project in which you want to create the dataset.
Click Create dataset.
In the Dataset ID field, enter a unique dataset name.
(Optional) In the Data location drop-down list, select a region for the dataset. If the value is left at Default, the location is set to the United States. A dataset's location cannot be changed once it has been created.
For Default table expiration, choose one of the following from the drop-down list:
Never (default): BigQuery never deletes tables created in the dataset; they must be deleted manually.
Days after table creation: BigQuery uses this number to decide when to delete newly created tables in the dataset. It applies if you don't specify a table expiration when you create the table.
Under Encryption, select Customer-managed key.
If you cannot find your key, choose Don't see your key? Enter key resource ID.
The Enter key resource ID dialogue appears.
Follow the directions in the section Obtain your CMEK key resource ID earlier in this article.
Paste the key resource ID in the Key resource ID field.
Click Grant.
Click Create dataset.
If you set up Assured Workloads but didn't create a customer-managed encryption key (CMEK) project:
Choose Google-managed encryption key.
Click Create dataset.
Let's dive into the details of creating a Cloud Storage workload.
Create a Cloud Storage workload
The following steps create a Cloud Storage workload:
Prerequisites
You must be the project's owner, an organisation administrator, or have a security role.
Select a compliance regime and an encryption plan.
Create a folder for your Assured Workloads environment.
In the Assured Workloads environment, create the folder that supports your compliance regime:
Create a new folder in a workload environment (IL4, CJIS).
Create a new folder in a workload environment (FedRAMP, US Regions & Support).
Note the project ID of the project that holds the CMEK keys for your Assured Workloads. This project is created automatically if the compliance regime you selected was IL4 (Preview) or CJIS.
Create the key
Create the CMEK key as follows:
In the Google Cloud console, go to Cryptographic Keys.
Choose the Assured Workloads CMEK project. Its project ID has the default prefix cmek-.
Click your key ring.
Click Create Key.
In the What kind of key do you want to create? section, choose Generated key from the drop-down list.
Enter the key name in the Key name field.
For Protection level, choose Software from the drop-down list.
For Purpose, choose Symmetric encryption/decryption from the drop-down list.
For Rotation period, choose 90 days from the drop-down list.
Optional: to add a label, do the following:
Select Add a label.
In the Key text field, type a key.
In the Value text field, type a value.
Click Create.
The key is created.
Obtain your CMEK key resource ID
Follow these steps to obtain your CMEK key resource ID:
In the Google Cloud console's project selector, select the project ID of the project that holds your CMEK keys. If Assured Workloads created this project, its project ID is automatically prefixed with cmek-.
Under Security, go to Cryptographic Keys.
Under Key rings, click the name of the key ring.
On the Keys tab of Key ring details, click the name of the key.
To the right of the key name, click More (the more_vert icon).
Follow these steps to use the CMEK key resource ID to encrypt Cloud Storage:
Go to Cloud Storage.
In the project selector, choose the Assured Workloads resource project in which you want to create the Cloud Storage resource.
Click Create bucket.
Under Name your bucket, enter a name for your bucket.
Under Choose where to store your data, select your region.
Under Choose a default storage class, select the option that best matches your needs.
Under Select a method for restricting object access, choose the option that best meets your requirements.
If you chose to create a CMEK project when you configured Assured Workloads, do the following under Advanced settings:
Choose Customer-managed encryption key (CMEK).
Choose your CMEK key from the Customer-managed encryption key drop-down list.
If you cannot find your key, choose Don't see your key? Enter key resource ID. The Enter key resource ID dialogue appears.
Follow the directions in the section Obtain your CMEK key resource ID earlier in this article.
Paste the key resource ID in the Key resource ID field.
Click Grant.
Click Create.
If you didn't create a CMEK project when you set up Assured Workloads, choose Google-managed encryption key.
Click Create.
Let's look into the details of creating a Persistent Disk workload.
Create a Persistent Disk workload
The following steps create a Persistent Disk workload:
Prerequisites
You must be the project's owner, an organisation administrator, or have a security role.
Select a compliance regime and an encryption plan.
Create a folder for your Assured Workloads environment.
In the Assured Workloads environment, create the folder that supports your compliance regime:
Create a new folder in a workload environment (IL4, CJIS).
Create a new folder in a workload environment (FedRAMP, US Regions & Support).
Note the project ID of the project that holds the CMEK keys for your Assured Workloads. This project is created automatically if the compliance regime you selected was IL4 (Preview) or CJIS.
Create the key
Create the CMEK key as follows:
In the Google Cloud console, go to Cryptographic Keys.
Choose the Assured Workloads CMEK project. Its project ID has the default prefix cmek-.
Click your key ring.
Click Create Key.
In the What kind of key do you want to create? section, choose Generated key from the drop-down list.
Enter the key name in the Key name field.
For Protection level, choose Software from the drop-down list.
For Purpose, choose Symmetric encryption/decryption from the drop-down list.
For Rotation period, choose 90 days from the drop-down list.
Optional: to add a label, do the following:
Select Add a label.
In the Key text field, type a key.
In the Value text field, type a value.
Click Create.
The key is created.
Obtain your CMEK key resource ID
Follow these steps to obtain your CMEK key resource ID:
In the Google Cloud console's project selector, select the project ID of the project that holds your CMEK keys. If Assured Workloads created this project, its project ID is automatically prefixed with cmek-.
Under Security, go to Cryptographic Keys.
Under Key rings, click the name of the key ring.
On the Keys tab of Key ring details, click the name of the key.
To the right of the key name, click More (the more_vert icon).
The following steps use the CMEK key resource ID to encrypt a Persistent Disk:
Go to VM instances.
In the project selector, choose the Assured Workloads resource project in which you want to create the Persistent Disk resource.
Select the checkbox of the instance you want to add a disk to, then click the instance name.
On the VM instance details page, click Edit.
Under Additional disks, click Add new disk.
Give the disk a name, set its attributes, and choose Blank for Source type.
Under Encryption, click Customer-managed encryption key (CMEK).
If you cannot find your key, choose Don't see your key? Enter key resource ID. The Enter key resource ID dialogue appears.
Follow the directions in the section of this tutorial titled Obtain your CMEK key resource ID.
Paste the key resource ID in the Key resource ID field.
Click Grant.
Click Done to finish configuring the disk.
If you set up Assured Workloads without creating a CMEK project:
Choose Google-managed encryption key.
Click Done.
Click Save to add the new disk and apply your changes to the instance.
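Each of the three procedures above (BigQuery, Cloud Storage, Persistent Disk) ends with pasting a key resource ID into the Key resource ID dialogue, and a quick local check of that string catches a key that sits outside the cmek- project or in a different location from the resource it will protect. The following POSIX shell script is an added example, not code from the Assured Workloads documentation; the project, key ring and key names are constructed, and the same-location rule it enforces is the conservative one for BigQuery datasets and Cloud Storage buckets.

```shell
#!/bin/sh
# Added example, not from the Assured Workloads documentation: check a CMEK key
# resource ID before pasting it into the "Key resource ID" dialogue.
# Assumed format (Cloud KMS):
#   projects/PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY

# Print "PROJECT_ID LOCATION KEY_RING KEY" for a well-formed ID; return 1 otherwise.
parse_cmek_key_id() {
  printf '%s\n' "$1" | sed -n -E \
    's#^projects/([a-z][-a-z0-9]{4,28}[a-z0-9])/locations/([a-z0-9-]+)/keyRings/([A-Za-z0-9_-]+)/cryptoKeys/([A-Za-z0-9_-]+)$#\1 \2 \3 \4#p' \
    | grep .
}

# Reject the ID unless the key lives in the project Assured Workloads created
# for CMEK (default prefix cmek-) and in the same location as the resource it
# will protect. Same-location is the rule for BigQuery datasets and Cloud
# Storage buckets; a dataset or bucket left at the console's Default location
# (United States multi-region) needs a key in the "us" multi-region.
# Prints OK or REJECT with a reason; returns 0 only when every check passes.
check_cmek_key_for_resource() {
  id="$1"
  resource_location="$2"
  fields=$(parse_cmek_key_id "$id") || { echo "REJECT: malformed key resource ID: $id"; return 1; }
  set -- $fields
  project="$1"
  location="$2"
  case "$project" in
    cmek-*) ;;
    *) echo "REJECT: project '$project' is not the Assured Workloads CMEK project (cmek-*)"; return 1 ;;
  esac
  if [ "$location" != "$resource_location" ]; then
    echo "REJECT: key location '$location' differs from resource location '$resource_location'"
    return 1
  fi
  echo "OK: $id"
}

# Constructed sample IDs (not real keys) checked against a resource in the
# US multi-region: only the first one should pass.
for id in \
  projects/cmek-aw-example/locations/us/keyRings/aw-ring/cryptoKeys/aw-key \
  projects/cmek-aw-example/locations/us-east4/keyRings/aw-ring/cryptoKeys/aw-key \
  projects/my-app-prod/locations/us/keyRings/aw-ring/cryptoKeys/aw-key \
  projects/cmek-aw-example/locations/us/keyRings/aw-ring
do
  check_cmek_key_for_resource "$id" us || true
done
```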
Let's look into the details of IAM roles.
IAM roles
Roles constrain a principal's access to resources. Grant a principal only the rights it needs to interact with the relevant Google Cloud APIs, features, or resources. To create an Assured Workloads environment, you must be granted one of the roles listed below with that capability, together with a Cloud Billing access control role. A live, working billing account is also required.
Required roles
These are the minimal roles required for Assured Workloads.
Assured Workloads Administrator: to create and delete workload environments.
Resource Manager Organization Admin: access to manage every resource owned by an organisation.
Assured Workloads roles
The IAM roles related to Assured Workloads are listed below, along with instructions on how to grant them using the Google Cloud CLI. Replace example@customer.org with the user's email address and the ORGANIZATION_ID placeholder with the real organisation ID.
roles/assuredworkloads.admin
Creates and deletes workloads. It provides read-write access.
Scoping IAM roles tightly, in line with the principle of least privilege, is a Google Cloud security best practice. Under this principle, users have access only to the products, services and software necessary for their job. Users are not currently prevented from using out-of-scope services in Assured Workloads projects when those products and services are delivered outside the Assured Workloads environment. Security administrators can create custom roles that restrict user access to in-scope products only within the Assured Workloads environment, using the list of in-scope products by compliance regime as guidance. Within an Assured Workloads context, custom roles can help with gaining and maintaining compliance.
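To put the least-privilege guidance above into practice, the first function below grants roles/assuredworkloads.admin at the organisation, and the second grants a custom role that is bound only on the onboarded folder rather than organisation-wide. This is an added example, not code from the Assured Workloads documentation; the organisation ID, folder ID, email addresses and permission list are placeholders, and with DRY_RUN=1 (the default) it only prints the gcloud commands it would run.

```shell
#!/bin/sh
# Added example, not from the Assured Workloads documentation: grant the
# Assured Workloads administrator role at the organisation, then give a
# workload engineer a custom role scoped to the onboarded folder instead of
# an organisation-wide role. The organisation ID, folder ID, e-mail addresses
# and the permission list are placeholders or assumptions for illustration.
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Organisation IDs are numeric; refuse anything else before building commands.
require_numeric_org_id() {
  case "$1" in
    ''|*[!0-9]*) echo "ORGANIZATION_ID must be numeric, got '$1'" >&2; return 1 ;;
  esac
}

# roles/assuredworkloads.admin: create and delete workload environments.
grant_aw_admin() {
  require_numeric_org_id "$1" || return 1
  run gcloud organizations add-iam-policy-binding "$1" \
    --member="user:$2" --role=roles/assuredworkloads.admin
}

# Write a custom role definition limited to a constructed set of permissions
# for in-scope products (BigQuery datasets, Cloud Storage buckets); the real
# list comes from the in-scope products of your compliance regime.
write_workload_engineer_role() {
  cat > "$1" <<'EOF'
title: Assured Workloads Engineer
description: Create datasets and buckets inside the Assured Workloads folder only
stage: GA
includedPermissions:
- resourcemanager.projects.get
- bigquery.datasets.create
- bigquery.datasets.get
- bigquery.tables.create
- storage.buckets.create
- storage.buckets.get
- storage.objects.create
- storage.objects.get
EOF
}

# Create the custom role at the organisation, then bind it on the folder only,
# so the grant cannot reach projects outside the Assured Workloads boundary.
grant_workload_engineer() {
  org="$1"; folder="$2"; user="$3"; role_file="$4"
  require_numeric_org_id "$org" || return 1
  write_workload_engineer_role "$role_file"
  run gcloud iam roles create assuredWorkloadsEngineer \
    --organization="$org" --file="$role_file"
  run gcloud resource-manager folders add-iam-policy-binding "$folder" \
    --member="user:$user" --role="organizations/$org/roles/assuredWorkloadsEngineer"
}

# Placeholder IDs and addresses; replace them with your own before a real run.
grant_aw_admin 123456789012 example@customer.org
grant_workload_engineer 123456789012 987654321098 engineer@customer.org /tmp/aw-engineer-role.yaml
```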
Let's look into the details of deleting a workload environment.
Delete a workload environment
The following steps remove a workload environment:
In the console, go to the Manage resources page.
Go to Resources > Manage.
Select the Assured Workloads folder from the folder list, then click Delete.
In the dialogue box that appears, type the folder ID as directed, then click Shut down to delete the folder.
From the project list, select the project that has the same name as the folder you just deleted but prefixed with cmek-, then click Delete.
In the dialogue box, enter the project ID as directed, then click Shut down to delete the project.
In the navigation menu, click Compliance.
Locate the workload environment you want to remove in the list and click Delete. In the dialogue box, type the name of the workload environment as directed, then click Confirm to delete the workload environment.
Frequently Asked Questions
Is Google Cloud FedRAMP certified?
Google has adopted a distinctive strategy for complying with the Federal Risk and Authorization Management Program. Numerous Google Cloud Platform (GCP) and G Suite products have FedRAMP Moderate certification, and 17 GCP products recently earned FedRAMP High certification.
Is FedRAMP mandatory?
Yes, FedRAMP is required for all cloud deployments and service models used by executive agencies with Low, Moderate, and High-risk impact levels.
What is the advantage of using CMEK?
The CMEK feature lets you use your own cryptographic keys for data at rest in Cloud SQL.
Conclusion
In this article, we have discussed Assured Workloads in detail: deploying a resource with Assured Workloads, creating a folder, creating BigQuery, Cloud Storage and Persistent Disk workloads, and deleting a workload environment.