Code360 powered by Coding Ninjas X Naukri.com
Last Updated: Mar 27, 2024

Assured Workloads


Introduction

Google Cloud customers can use Assured Workloads to apply security controls to an environment that supports compliance mandates without sacrificing the quality of their cloud experience. With Assured Workloads, customers can securely set up and protect critical workloads to satisfy their regulatory compliance needs.
This blog explains Assured Workloads: deploying a resource with Assured Workloads, creating a folder, creating BigQuery, Cloud Storage, and Persistent Disk workloads, and deleting a workload environment.

Without further ado, let's get started.

Deploy a resource with Assured Workloads

Before you can deploy an Assured Workloads environment, you must first create and register a folder. Depending on the compliance regime you choose, you are responsible for creating environment resources and encryption keys.

Make the following preparations for your environment and first workload:

  • Create an organisation, if you haven't already, as described below:
    • Verify your domain after setting up Cloud Identity.
       
    • Use Assured Workloads only after creating an organisation.
       
  • Choose a compliance regime.
     
  • Make a folder specifically for Assured Workloads settings.
     
  • In the Assured Workloads environment, create the folder that supports your compliance regime:
    • In a workload environment, create a new folder (IL4, CJIS).
       
    • In a workload environment, create a new folder (FedRAMP, US Regions & Support).
       
  • Create a customer-managed encryption key (CMEK).
     
  • Add a resource to your Assured Workloads environment. Assured Workloads supports numerous resources. Examples include:
    • Creating a Cloud Storage workload.
       
    • Creating a Persistent Disk workload.
       
    • Creating a BigQuery workload.
       

Let's look into the details of Creating a folder for Assured Workloads environments.


Creating a folder for Assured Workloads environments

Follow these steps to create a folder for Assured Workloads environments.

Prerequisites

Make sure you have completed the following before performing the process detailed in this guide:

  • Create or choose a Google Cloud organisation via the Google Cloud dashboard.
     
  • Grant Identity and Access Management (IAM) permissions.
     
  • The Folder Administrator IAM role contains the minimum IAM permissions required to create and access Assured Workloads environments.
     
  • Run the following gcloud command to assign the IAM role:
     

Code:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member=USER \
  --role="roles/resourcemanager.folderAdmin"

Create a new folder

Do the following to make a new folder for Assured Workloads environments:

  • Head over to the Resource Manager.
     
  • Then select Create Folder.
     
  • Give the folder a name, choose the appropriate organisation and hierarchy of resources from the New Folder dialogue, and then click Create.
     
  • Find the newly created folder.
     
  • In the ID field, copy the ID.
     
  • Fill out the onboarding form for the Assured Workloads folder.
     
  • Set the folder's access preferences.

Creating a new folder in a workload environment (IL4, CJIS)

The following steps create a fresh workload environment:

  • Navigate to the Assured Workloads page in the Google Cloud console.
     
  • Click Select a project in the console toolbar, then pick your organisation.
     
  • Press Create.
     
  • Verify that you have satisfied the prerequisites before moving on to the Create an Assured Workloads folder steps and clicking Next.
     
  • In the jurisdiction selection step, select the United States from the drop-down menu, then click Next.
     
  • In the "Select a compliance type to be supported by your folder" step, select the IL4 or CJIS option, then click Next.
     
  • In the Select a region step, choose the region you want to deploy resources to for the Assured Workloads environment, then click Next.
     
  • Make sure you understand the limitations and restrictions of your workload before moving on to the phase of reviewing the compliance controls.
     
  • Choose Next.
     
  • When configuring your folder:
    • Give the new folder a name, such as aw-example.
       
    • To indicate the parent folder that has already been onboarded to Assured Workloads, specify the folder name for the Parent resource or browse the folders in your organisation.
       
  • Choose Next.
     
  • In the step to configure key management, you will create a new project and a key ring for your customer-managed encryption keys (CMEK).
    • Enter the name of the new key ring in the Key ring name field.
       
    • (Optional) Enter the name of the new CMEK project in the Project name field. The default project name, cmek-FOLDER_NAME, will be used if no project name is supplied. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
       
    • (Optional) Enter the ID of the project you'll be creating for your encryption keys in the Project ID field. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
       
    • Select the billing account for your Google Cloud organisation.
       
  • In the final step, review and confirm that the information about your new Assured Workloads environment is accurate. Next, select Create.
     

The resources created by Assured Workloads include:

  • An Assured Workloads folder that enforces the compliance settings you've selected on supported Google Cloud resources.
     
  • Organizational policies that support case routing and impose resource location constraints.
     
  • A CMEK project containing the configured CMEK key ring.
     

Let's dive into the details of creating a new folder in a workload environment.

Creating a new folder in a workload environment (FedRAMP, US Regions & Support)

The following steps create a fresh workload environment:

  • Navigate to the Assured Workloads page in the Google Cloud console.
     
  • Click Select a project in the console toolbar, then pick your organisation.
     
  • Press Create.
     
  • Verify that you have satisfied the prerequisites before moving on to the Create an Assured Workloads folder steps and clicking Next.
     
  • In the jurisdiction selection step, select the United States from the drop-down menu, then click Next.
     
  • In the step to choose a compliance type that is supported by your folder, choose FedRAMP Moderate, FedRAMP High, or US Regions and Support, then click Next.
     
  • In the Select a region step, choose the region you want to deploy resources to for the Assured Workloads environment, then click Next.
     
  • Make sure you understand the limitations and restrictions of your workload before moving on to the phase of reviewing the compliance controls.
     
  • Choose Next.
     
  • When configuring your folder:
    • Give the new folder a name, such as aw-example.
       
    • To indicate the parent folder that has already been onboarded to Assured Workloads, specify the folder name for the Parent resource or browse the folders in your organisation.
       
  • Choose Next.
     
  • In the step to configure key management, you will create a new project and a key ring for your customer-managed encryption keys (CMEK).
    • Enter the name of the new key ring in the Key ring name field.
       
    • (Optional) Enter the name of the new CMEK project in the Project name field. The default project name, cmek-FOLDER_NAME, will be used if no project name is supplied. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
       
    • (Optional) Enter the ID of the project you'll be creating for your encryption keys in the Project ID field. The project ID shouldn't contain any sensitive information or personally identifiable information (PII).
       
    • Select the billing account for your Google Cloud organisation.
       
  • In the final step, review and confirm that the information about your new Assured Workloads environment is accurate. Next, select Create.
     

The resources created by Assured Workloads include:

  • An Assured Workloads folder that enforces the compliance settings you've selected on supported Google Cloud resources.
     
  • Organizational policies that support case routing and impose resource location constraints.
     
  • A CMEK project containing the configured CMEK key ring.
     

Let's look into the details of creating a BigQuery workload.

Create a BigQuery workload

The following steps create a BigQuery workload:

Prerequisite

  • You must be the project's owner, an organisation administrator, or have security access.
     
  • Select a compliance system and an encryption plan.
     
  • Make a folder for your environment with Assured Workloads.
     
  • In the Assured Workloads environment, create the folder that supports your compliance regime:
    • In a workload environment, create a new folder (IL4, CJIS)
       
    • Create a new folder (FedRAMP, US Regions & Support)
       
  • Choose the project ID for the project that holds the CMEK keys for your Assured Workloads. This project is automatically created for you if the compliance regime you selected was IL4 (Preview) or CJIS.

Create the key

Create the CMEK key as follows:

  • Go to Cryptographic Keys in the Google Cloud console.
     
  • Choose the Assured Workloads CMEK project. This project ID's default prefix is cmek-.
     
  • Click on your key ring.
     
  • Choose Create Key.
     
  • In the “What kind of key do you want to create?” section, choose Generated key from the drop-down list.
     
  • Enter the key name under Key name.
     
  • Choose Software from the drop-down list for the Protection level.
     
  • Choose Symmetric encryption/decryption from the Purpose drop-down selection.
     
  • Choose 90 days from the drop-down list for the rotation period.
     
  • Optional: Do the following to add a label:
    • Select Add a label.
       
    • In the Key text field, type a key.
       
    • In the Value text field, enter a value.
       
  • Press Create.
     

The key is now created.

Obtain your CMEK key resource ID

Follow these steps to obtain your CMEK key resource ID:

  • In the Google Cloud console's Project Selector, select the project ID of the project that holds your CMEK keys. If Assured Workloads created this project, its project ID is automatically prefixed with cmek-.
     
  • Go to Cryptographic Keys under Security.
     
  • Click the name of the key ring under "Key rings."
     
  • Click the name of the key under the Keys tab in Key ring details.
     
  • To the right of the key name, select More.
     
  • Click Copy resource name.
     

The format of the resource string is as follows:

Code:

projects/SECURITY_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME

Use the key in BigQuery

Follow these steps to use the key in BigQuery:

  • Access BigQuery.
     
  • In the Project Selector, choose the Assured Workloads resource project where you wish to create the BigQuery resource.
     
  • In Explorer, click More next to the project you wish to create the dataset for.
     
  • Click Create dataset.
     
  • Enter a distinct dataset name in the Dataset ID field.
     
  • (Optional) Select a region for the dataset in the Data location drop-down list. The location is set to the United States if the value is set to Default. The location of a dataset cannot be altered once it has been created.
     
  • Choose one of the following from the drop-down selection for the default table expiration:
    • Never: (Default) No tables created in the dataset are ever deleted by BigQuery. They need to be manually deleted.
       
    • Days after table creation: BigQuery uses this number to determine when to delete newly created tables from the dataset. If you don't specify a table expiration when you create the table, this number is used.
       
  • Select Customer-managed key under encryption.
    • If you cannot find your key, choose Don't see your key? Enter key resource ID.
       
    • The Enter key resource ID dialogue appears.
       
    • Follow the instructions; the "Obtain your CMEK key resource ID" section earlier in this article explains how to find your CMEK key resource ID.
       
    • In the Key resource ID area, paste the key resource ID.
       
    • Press Grant.
       
    • Select Create dataset.
       
  • If you set up Assured Workloads but didn't make a Customer Managed Encryption Key (CMEK) project:
    • Choose a Google-managed key for encryption.
       
    • Click Create dataset.
       

Let's dive into the details of creating a Cloud Storage workload.

Create a Cloud Storage workload

The following steps create a Cloud Storage workload:

Prerequisite

  • You must be the project's owner, an organisation administrator, or have security access.
     
  • Select a compliance system and an encryption plan.
     
  • Make a folder for your environment with Assured Workloads.
     
  • In the Assured Workloads environment, create the folder that supports your compliance regime:
    • In a workload environment, create a new folder (IL4, CJIS)
       
    • Create a new folder (FedRAMP, US Regions & Support)
       
  • Choose the project ID for the project that holds the CMEK keys for your Assured Workloads. This project is automatically created for you if the compliance regime you selected was IL4 (Preview) or CJIS.

Create the key

Create the CMEK key as follows:

  • Go to Cryptographic Keys in the Google Cloud console.
     
  • Choose the Assured Workloads CMEK project. This project ID's default prefix is cmek-.
     
  • Click on your key ring.
     
  • Choose Create Key.
     
  • In the “What kind of key do you want to create?” section, choose Generated key from the drop-down list.
     
  • Enter the key name under Key name.
     
  • Choose Software from the drop-down list for the Protection level.
     
  • Choose Symmetric encryption/decryption from the Purpose drop-down selection.
     
  • Choose 90 days from the drop-down list for the rotation period.
     
  • Optional: Do the following to add a label:
    • Select Add a label.
       
    • In the Key text field, type a key.
       
    • In the Value text field, enter a value.
       
  • Press Create.
     

The key is now created.

Obtain your CMEK key resource ID

Follow these steps to obtain your CMEK key resource ID:

  • In the Google Cloud console's Project Selector, select the project ID of the project that holds your CMEK keys. If Assured Workloads created this project, its project ID is automatically prefixed with cmek-.
     
  • Go to Cryptographic Keys under Security.
     
  • Click the name of the key ring under "Key rings."
     
  • Click the name of the key under the Keys tab in Key ring details.
     
  • To the right of the key name, select More.
     
  • Click Copy resource name.
     

The format of the resource string is as follows:

Code:

projects/SECURITY_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME

Use CMEK resource ID to encrypt Cloud Storage

Follow these steps to use the CMEK resource ID to encrypt Cloud Storage:

  • Navigate to Cloud Storage.
     
  • In the Project Selector, choose the Assured Workloads resource project where you want to create the Cloud Storage resource.
     
  • Click Create Bucket in the browser.
     
  • Enter the name of your bucket under Name your bucket.
     
  • Select your region under Choose where to keep your data.
     
  • Select the option that most closely matches your needs under Choose default storage class.
     
  • In the step for selecting a method for restricting object access, choose the option that best meets your requirements.
     
  • If you chose to create a CMEK project when you configured Assured Workloads, perform these steps in Advanced settings:
    • Choose Customer-managed encryption key (CMEK).
       
    • Choose your CMEK key from the Customer-managed encryption key drop-down list.
       
    • If you cannot find your key, choose Don't see your key? Enter key resource ID. The Enter key resource ID dialogue appears.
       
    • Follow the instructions; the "Obtain your CMEK key resource ID" section earlier in this article explains how to find your CMEK key resource ID.
       
    • In the Key resource ID area, paste the key resource ID.
       
    • Press Grant.
       
    • Press Create.
       
  • Choose a Google-managed encryption key if you didn't make a CMEK project when you set up Assured Workloads.
     
  • Press Create.
     

Let's look into the details of creating a Persistent Disk workload.

Create a Persistent Disk workload

The following steps create a Persistent Disk workload:

Prerequisite

  • You must be the project's owner, an organisation administrator, or have security access.
     
  • Select a compliance system and an encryption plan.
     
  • Make a folder for your environment with Assured Workloads.
     
  • In the Assured Workloads environment, create the folder that supports your compliance regime:
    • In a workload environment, create a new folder (IL4, CJIS)
       
    • Create a new folder (FedRAMP, US Regions & Support)
       
  • Choose the project ID for the project that holds the CMEK keys for your Assured Workloads. This project is automatically created for you if the compliance regime you selected was IL4 (Preview) or CJIS.

Create the key

Create the CMEK key as follows:

  • Go to Cryptographic Keys in the Google Cloud console.
     
  • Choose the Assured Workloads CMEK project. This project ID's default prefix is cmek-.
     
  • Click on your key ring.
     
  • Choose Create Key.
     
  • In the “What kind of key do you want to create?” section, choose Generated key from the drop-down list.
     
  • Enter the key name under Key name.
     
  • Choose Software from the drop-down list for the Protection level.
     
  • Choose Symmetric encryption/decryption from the Purpose drop-down selection.
     
  • Choose 90 days from the drop-down list for the rotation period.
     
  • Optional: Do the following to add a label:
    • Select Add a label.
       
    • In the Key text field, type a key.
       
    • In the Value text field, enter a value.
       
  • Press Create.
     

The key is now created.

Obtain your CMEK key resource ID

Follow these steps to obtain your CMEK key resource ID:

  • In the Google Cloud console's Project Selector, select the project ID of the project that holds your CMEK keys. If Assured Workloads created this project, its project ID is automatically prefixed with cmek-.
     
  • Go to Cryptographic Keys under Security.
     
  • Click the name of the key ring under "Key rings."
     
  • Click the name of the key under the Keys tab in Key ring details.
     
  • To the right of the key name, select More.
     
  • Click Copy resource name.
     

The format of the resource string is as follows:

Code:

projects/SECURITY_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
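
An added example (not part of the original article): a POSIX shell pre-flight check for the key resource ID format shown in the BigQuery, Cloud Storage and Persistent Disk sections, run before the ID is pasted into the Key resource ID field. The function names, the sample values and the strict rule that the key location must equal the resource location are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: offline pre-flight check of a
# CMEK key resource ID before it is used for a BigQuery dataset, a Cloud
# Storage bucket or a Persistent Disk.

# parse_cmek_key RESOURCE_ID
# Prints "PROJECT LOCATION KEY_RING KEY" for a string in the format
# projects/P/locations/L/keyRings/R/cryptoKeys/K; returns 1 otherwise.
parse_cmek_key() {
  case "$1" in
    # empty string, trailing "/", empty segment, or a character outside the set
    ''|*/|*//*|*[!A-Za-z0-9_/-]*) return 1 ;;
  esac
  _old_ifs=$IFS
  IFS=/
  set -f        # no globbing while the unquoted split happens
  set -- $1     # split on "/" into the function's own $1..$N
  set +f
  IFS=$_old_ifs
  [ "$#" -eq 8 ] || return 1
  [ "$1" = projects ] && [ "$3" = locations ] || return 1
  [ "$5" = keyRings ] && [ "$7" = cryptoKeys ] || return 1
  printf '%s %s %s %s\n' "$2" "$4" "$6" "$8"
}

# check_cmek_key RESOURCE_ID RESOURCE_LOCATION [PROJECT_PREFIX]
# Prints one finding per line; returns 1 if any finding was printed.
# Assumption: any location difference is a finding, which is stricter than
# some services require.
check_cmek_key() {
  _id=$1
  # Consoles may show a location in upper case ("US"); Cloud KMS uses "us".
  _want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  _prefix=${3:-cmek-}
  case "$_id" in
    */cryptoKeyVersions/*)
      echo "VERSION: this names a key version; drop /cryptoKeyVersions/N"
      return 1 ;;
  esac
  _fields=$(parse_cmek_key "$_id") || {
    echo "FORMAT: expected projects/P/locations/L/keyRings/R/cryptoKeys/K"
    return 1
  }
  set -- $_fields   # $1=project $2=location $3=key ring $4=key
  _rc=0
  case "$1" in
    "$_prefix"*) ;;
    *) echo "PROJECT: $1 lacks the $_prefix prefix of the Assured Workloads CMEK project"
       _rc=1 ;;
  esac
  if [ "$2" != "$_want" ]; then
    echo "LOCATION: key is in $2 but the resource is in $_want"
    _rc=1
  fi
  return "$_rc"
}

# Demo on constructed values (not real resources).
demo_key=projects/cmek-aw-example/locations/us-central1/keyRings/aw-ring/cryptoKeys/disk-key
check_cmek_key "$demo_key" us-central1 && echo "ok: $demo_key"
check_cmek_key "$demo_key/cryptoKeyVersions/1" us-central1 || true
check_cmek_key "$demo_key" us-east4 || true
```

Pass a third argument to check_cmek_key when the CMEK project was given a custom project ID instead of the default cmek- prefix.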

Use CMEK resource ID to encrypt Persistent Disk

The following steps use the CMEK resource ID to encrypt a Persistent Disk:

  • Click on VM instances.
     
  • In the Project Selector, choose the Assured Workloads resource project where you want to create the Persistent Disk resource.
     
  • Check the box for the instance you want to add a disk to and click the name of the instance.
     
  • Click Edit under VM instance details.
     
  • Click Add new disk under Additional disks.
     
  • Give the disk a name, set its attributes, and choose "Blank" for the Source type.
     
  • Under "Encryption", click Customer-managed encryption key (CMEK).
    • If you cannot find your key, choose Don't see your key? Enter key resource ID. The Enter key resource ID dialogue appears.
       
    • Follow the directions in the section of this tutorial titled "Obtain your CMEK key resource ID."
       
    • In the Key resource ID area, paste the key resource ID.
       
    • Press Grant.
       
    • To finish configuring the disk, click Done.
       
  • If you set up Assured Workloads without creating a CMEK project:
    • Choose a Google-managed key for encryption.
       
    • Select "Done".
       
  • To add the new disk and apply your modifications to the instance, click Save.
     

Let's look into the details of IAM roles.

IAM roles

Roles constrain a principal's access to resources. Grant a principal only the permissions it needs to interact with the relevant Google Cloud APIs, features, or resources.
To create an Assured Workloads environment, you must be granted one of the roles listed below that has that capability, as well as a Cloud Billing access control role. An active, valid billing account is also required.

Required roles

These are the minimum required roles for Assured Workloads.

  • Assured Workloads Administrator: to create and delete workload environments.
     
  • Resource Manager Organization Admin: Access to manage every resource owned by an organisation.

Assured Workloads roles

The IAM roles associated with Assured Workloads are listed below, along with instructions on how to grant them using the Google Cloud CLI.
Replace the ORGANIZATION_ID placeholder with the real organisation identifier and example@customer.org with the user's email address.

roles/assuredworkloads.admin

Used to create and delete workloads. It provides read-write access.

Code: 

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/assuredworkloads.admin"

roles/assuredworkloads.editor

It provides read-write access.

Code:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/assuredworkloads.editor"

roles/assuredworkloads.reader

It is used for getting and listing workloads. It allows read-only access.

Code:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/assuredworkloads.reader"

Assured Workloads IAM best practices

A Google Cloud security best practice is to scope IAM roles properly so that they adhere to the principle of least privilege. Under this principle, users should only have access to the products, services, and applications that are necessary for their job. Users are not currently blocked from using out-of-scope services with Assured Workloads projects when they deploy products and services outside the Assured Workloads environment.
Security administrators can create custom roles that restrict user access to only in-scope products within the Assured Workloads environment, using the list of in-scope products by compliance regime as guidance. Within an Assured Workloads environment, custom roles can help achieve and maintain compliance.
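
An added example (not from the original article): a POSIX shell and awk check that lists role bindings reaching outside an in-scope service list, following the least-privilege guidance above. The IN_SCOPE list, the function names and the sample bindings are constructed assumptions; take the real list from the in-scope products for your compliance regime.

```shell
#!/bin/sh
# Added example, not from the original article: flag role bindings in an
# Assured Workloads project that reach beyond an in-scope service list.
# Input: "ROLE<TAB>MEMBER" lines, the shape produced by
#   gcloud projects get-iam-policy PROJECT_ID \
#     --flatten="bindings[].members" \
#     --format="value(bindings.role,bindings.members)"

# Assumption: the in-scope services are the ones this article deploys.
IN_SCOPE="bigquery storage compute cloudkms assuredworkloads"

# audit_bindings: reads bindings on stdin, prints one finding per line as
# KIND<TAB>MEMBER<TAB>ROLE, and returns 1 if anything was flagged.
audit_bindings() {
  awk -F '\t' -v scope="$IN_SCOPE" '
    BEGIN {
      bad = 0
      n = split(scope, s, " ")
      for (i = 1; i <= n; i++) ok[s[i]] = 1
    }
    NF < 2 { next }
    {
      role = $1; member = $2
      # Basic roles span every service, so they are never in scope.
      if (role ~ /^roles\/(owner|editor|viewer)$/) {
        print "BASIC\t" member "\t" role; bad = 1; next
      }
      # Custom roles (projects/.../roles/..., organizations/.../roles/...)
      # need a permission-level review and are skipped here.
      if (role !~ /^roles\//) next
      # Predefined roles are named roles/SERVICE.roleName.
      svc = role
      sub(/^roles\//, "", svc)
      sub(/\..*$/, "", svc)
      if (!(svc in ok)) { print "OUT_OF_SCOPE\t" member "\t" role; bad = 1 }
    }
    END { exit bad }
  '
}

# Constructed sample bindings (not real principals).
sample_bindings() {
  printf '%s\t%s\n' \
    roles/bigquery.dataEditor user:analyst@customer.org \
    roles/editor user:dev@customer.org \
    roles/dataflow.admin serviceAccount:etl@aw-example.iam.gserviceaccount.com \
    roles/cloudkms.cryptoKeyEncrypterDecrypter serviceAccount:bq@aw-example.iam.gserviceaccount.com
}

sample_bindings | audit_bindings || true
```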

Let's look into the details of deleting a workload environment.

Delete a workload environment

The following steps remove a workload environment:

  • Navigate to the Manage resources page in the console.
     
  • Go to Resources > Manage.
     
  • Select the Assured Workloads folder from the folder list, and then click Delete.
     
  • Type the folder ID as directed in the dialogue box that displays, and then click Shut down to delete the folder.
     
  • From the project list, select the project with the same name as the folder you just deleted, but prefixed with cmek-. Click Delete after that.
     
  • Enter the project ID in the dialogue box as directed, then click Shut down to destroy the project.
     
  • Click Compliance in the navigation menu.
     
  • Locate the workload environment you want to remove from the list and click Delete. Type the name of the workload environment in the dialogue box as directed, then click Confirm to delete the workload environment.

Frequently Asked Questions

Is Google Cloud FedRAMP certified?

In order to comply with the Federal Risk and Authorization Management Program, Google has adopted a distinctive strategy. Numerous Google Cloud Platform (GCP) and G-Suite products have FedRAMP Moderate certification, while 17 GCP products just earned FedRAMP High certification.

Is FedRAMP mandatory?

Yes, FedRAMP is required for all cloud deployments and service models used by executive agencies with Low, Moderate, and High-risk impact levels.

What is the advantage of using CMEK?

You can utilise your own cryptographic keys for data that is at rest in Cloud SQL by using the CMEK functionality.

Conclusion

In this article, we have discussed Assured Workloads in detail: deploying a resource with Assured Workloads, creating a folder, creating BigQuery, Cloud Storage, and Persistent Disk workloads, and deleting a workload environment.

We hope that this blog has helped you enhance your knowledge regarding Assured Workloads, and if you would like to learn more, check out our articles on Google Cloud Certification. You can refer to our guided paths on the Coding Ninjas Studio platform to learn more about DSA, DBMS, Competitive Programming, Python, Java, JavaScript, etc. To practice and improve yourself in the interview, you can also check out Top 100 SQL problems, Interview experience, Coding interview questions, and the Ultimate guide path for interviews. Do upvote our blog to help other ninjas grow. Happy Coding!!
