1
00:00:01,110 --> 00:00:07,410
The next concept that we have is the signed URL, and we know that it is used to provide permissions

2
00:00:07,410 --> 00:00:14,790
or access to the users for a limited time and with limited permissions.

3
00:00:14,790 --> 00:00:15,360
Right.

4
00:00:15,450 --> 00:00:16,620
Authentication Information.

5
00:00:16,620 --> 00:00:22,230
Embedded in the query string itself, allowing users without credentials to perform specific operations.

6
00:00:22,230 --> 00:00:30,420
Once the user has the signed URL, they will be able to access the object. While creating it, the user or system

7
00:00:30,600 --> 00:00:36,570
service account will need to have the permissions for which the URL is giving permissions.

8
00:00:36,600 --> 00:00:42,480
So the principal who is giving or creating the signed URL should have those permissions.

9
00:00:42,570 --> 00:00:48,210
When you want to use a signed URL, you want to provide access to the user or anyone who is using a particular

10
00:00:48,210 --> 00:00:48,870
application.

11
00:00:48,870 --> 00:00:50,030
Specific logic.

12
00:00:50,040 --> 00:00:53,730
The most common use case is upload or download within a specific time.

13
00:00:54,720 --> 00:00:55,710
You can.

14
00:00:57,450 --> 00:01:01,090
You can generate the signed URL using this one: signurl -d.

15
00:01:01,870 --> 00:01:08,830
We are specifying the minutes right here, and you can use a different parameter here, and I'm providing

16
00:01:08,830 --> 00:01:12,550
my key if I'm using any service account.

17
00:01:12,550 --> 00:01:19,120
Right, I can provide my key here, which will authenticate this user and command,

18
00:01:19,120 --> 00:01:27,010
whether I'm able to create the signed URL for a particular object. And once it is successfully

19
00:01:27,010 --> 00:01:29,290
generated, you will see this kind of signed URL.

20
00:01:29,290 --> 00:01:35,350
So this is the actual URL you will get, and anyone who has access to this particular URL will be able

21
00:01:35,350 --> 00:01:38,710
to access the cat.jpg file.

22
00:01:40,240 --> 00:01:42,250
The next one is the signed policy document.

23
00:01:42,250 --> 00:01:46,450
As I said, it is a file-level access control policy document.

24
00:01:46,450 --> 00:01:51,010
It specifies what you can upload to a bucket in the POST form.

25
00:01:51,010 --> 00:01:52,600
It's a JSON document.

26
00:01:52,630 --> 00:02:00,000
It contains conditions like exact match, starts-with, or the content-length range. The policy document allows

27
00:02:00,010 --> 00:02:08,320
greater control over the size of a particular object, who is uploading it, the content type, and other characteristics

28
00:02:08,320 --> 00:02:10,960
of the object that is being uploaded.

29
00:02:10,960 --> 00:02:18,310
And here in this particular example, we are specifying the expiration time for that upload request.

30
00:02:18,570 --> 00:02:21,190
The content type is equal to image/jpg. If at all

31
00:02:21,190 --> 00:02:23,230
there is another, different kind of image,

32
00:02:23,230 --> 00:02:27,190
it will not be allowed. The content length is in bytes.

33
00:02:27,190 --> 00:02:31,150
So if you look at this one, right, in this example it's one megabyte.

34
00:02:31,150 --> 00:02:38,620
If I'm trying to upload two megabytes, then it will not be allowed. Then the algorithm for the encryption

35
00:02:38,620 --> 00:02:42,340
data, and then the credentials for those.

36
00:02:42,350 --> 00:02:44,450
This is one of the examples that you can use.

37
00:02:44,450 --> 00:02:53,930
And when it is given or shown in the browser, right, these keys will be enforced in the HTML browser

38
00:02:53,930 --> 00:02:54,590
itself.

39
00:02:57,150 --> 00:03:00,300
The next one that we have is the conditions.

40
00:03:00,430 --> 00:03:08,190
IAM Conditions is like more granular enforcement of certain requester attributes, I would say.

41
00:03:08,730 --> 00:03:13,590
It defines and enforces conditional, attribute-based access control, which means granting access

42
00:03:13,590 --> 00:03:20,700
only when the conditions are met, and it is only applicable to the bucket when the uniform bucket access policy

43
00:03:20,700 --> 00:03:21,660
is turned on.

44
00:03:21,690 --> 00:03:23,490
As an example, I can go here.

45
00:03:23,490 --> 00:03:26,130
I'll go to the console now.

46
00:03:28,070 --> 00:03:33,800
So I can go here, and in the permissions we saw these particular permissions, right.

47
00:03:33,800 --> 00:03:34,970
If I go and edit.

48
00:03:38,010 --> 00:03:42,420
Add conditions here if I turn on the uniform.

49
00:03:44,410 --> 00:03:48,340
I can say what I want to do, right.

50
00:03:48,340 --> 00:03:49,480
I can say.

51
00:03:53,030 --> 00:03:59,780
Restrict, and then I can build the permissions, like a schedule, say, day of week.

52
00:03:59,900 --> 00:04:02,240
Hour of week, expiring access.

53
00:04:02,240 --> 00:04:06,290
I can say day of week, and I can define the days.

54
00:04:06,320 --> 00:04:07,040
Right?

55
00:04:08,430 --> 00:04:10,290
On Monday.

56
00:04:10,290 --> 00:04:12,150
Choose the time zone.

57
00:04:12,150 --> 00:04:13,980
I can define any time zone.

58
00:04:14,100 --> 00:04:16,140
I can define additional conditions.

59
00:04:16,140 --> 00:04:20,100
Also, I can say day of week and.

60
00:04:22,410 --> 00:04:23,070
On.

61
00:04:24,710 --> 00:04:28,010
Tuesday and I can choose any time zone.

62
00:04:29,350 --> 00:04:30,010
Right.

63
00:04:30,280 --> 00:04:31,120
And.

64
00:04:31,960 --> 00:04:32,980
I can even read it.

65
00:04:32,980 --> 00:04:38,110
The conditions, whatever I have put in, will be like this in JSON format.

66
00:04:39,580 --> 00:04:40,330
Right?

67
00:04:40,750 --> 00:04:41,800
And then I can.

68
00:04:42,660 --> 00:04:43,290
Save.

69
00:04:44,060 --> 00:04:47,270
So that condition is saved for me, right?

70
00:04:47,300 --> 00:04:56,480
I can test changes and it will give you a report on whether that particular access is allowed or not.

71
00:04:57,500 --> 00:05:02,300
Likewise, there are other parameters also which you can define in IAM conditions.

72
00:05:02,300 --> 00:05:10,040
I will not go ahead and discuss or show all of that, but why do we need it, right?

73
00:05:10,070 --> 00:05:17,180
We want to give temporary access, and we saw that you can give a time frame, for production server access

74
00:05:17,180 --> 00:05:19,520
only from the corporate network.

75
00:05:19,520 --> 00:05:25,940
You can actually define that, and the agent type. The condition is specified in the role binding for IAM.

76
00:05:25,940 --> 00:05:31,220
And you can say either it is a resource property or a request property, and this is very generic; when I'm

77
00:05:31,220 --> 00:05:36,620
mentioning them, some of those are applicable to the Cloud Storage bucket and some of those are not.

78
00:05:37,070 --> 00:05:44,040
And this originally came from VPC Service Controls, and we are going to see that in detail for our

79
00:05:44,040 --> 00:05:53,970
network security in some of the security and network engineering certification syllabus. So you can restrict

80
00:05:53,970 --> 00:06:01,860
data being exfiltrated from Cloud Storage, having temporary access or time-frame access from a corporate

81
00:06:01,890 --> 00:06:03,330
network, or agent type.

82
00:06:03,720 --> 00:06:06,960
And you can define the resource attribute or request

83
00:06:06,960 --> 00:06:11,670
attribute. Resource attributes are the Compute Engine.

84
00:06:11,670 --> 00:06:15,120
You can say Cloud Storage bucket, right?

85
00:06:15,120 --> 00:06:18,750
Examples are here, or the request attribute.

86
00:06:18,750 --> 00:06:22,260
You can put forward different attributes there.

87
00:06:22,260 --> 00:06:25,830
Some of those are applicable to Cloud Storage and some are not.

88
00:06:26,400 --> 00:06:30,780
As an example, we just defined Monday and Tuesday, right?

89
00:06:30,780 --> 00:06:32,310
I want to provide access to.

90
00:06:32,340 --> 00:06:39,210
So it starts with zero and it can go up to six, and there are different parameters you can configure,

91
00:06:39,240 --> 00:06:44,220
IP address and all that, but that is not applicable to Cloud Storage as such.

92
00:06:45,130 --> 00:06:50,830
The next one that we have, from the security standpoint, is PAP, public access prevention.

93
00:06:51,360 --> 00:06:56,710
If at all you are storing some private data within the Cloud Storage bucket,

94
00:06:56,710 --> 00:07:02,650
and if you don't want it to accidentally be exposed to the public network, this is what you can actually

95
00:07:02,650 --> 00:07:03,130
do.

96
00:07:03,130 --> 00:07:10,360
And what you can do is, the bucket can be set to restrict public access using PAP, public access prevention.

97
00:07:10,360 --> 00:07:18,970
Set the state on the bucket, and you can actually either say enforced, which is like having that

98
00:07:18,970 --> 00:07:25,990
configured, or whatever is configured at the organization level or the folder level public access

99
00:07:25,990 --> 00:07:29,620
prevention policy, you can actually inherit that, right?

100
00:07:33,340 --> 00:07:35,310
That is from the PAP.

101
00:07:35,350 --> 00:07:39,610
Let's go ahead and try to put our bucket into PAP.

102
00:07:41,900 --> 00:07:47,690
I can go here, and in the permissions tab, I can click on public access.

103
00:07:47,900 --> 00:07:49,640
I can say confirm.

104
00:07:51,690 --> 00:07:57,060
And you are about to revoke all public access to this one.

105
00:07:57,150 --> 00:08:00,510
All users, including authenticated users, right?

106
00:08:00,510 --> 00:08:01,710
I can say confirm.

107
00:08:03,420 --> 00:08:10,530
And once I do that, I am actually restricting my bucket from any public access.

108
00:08:10,560 --> 00:08:10,950
Right.

109
00:08:10,950 --> 00:08:14,730
And you can go ahead and remove that particular public access.

110
00:08:15,900 --> 00:08:17,580
That's it from.

111
00:08:18,480 --> 00:08:18,870
Okay.

112
00:08:18,870 --> 00:08:21,190
And this one is here, right?

113
00:08:21,210 --> 00:08:29,470
I can go and switch it to the uniform access policy, so fine-grained will be turned off.

114
00:08:29,490 --> 00:08:35,640
I can click on that one, and then there might be some implications which I can accept, at project level

115
00:08:35,670 --> 00:08:36,660
ACL to the bucket,

116
00:08:36,660 --> 00:08:37,350
IAM policy.

117
00:08:37,350 --> 00:08:39,060
I can just say uniform.

118
00:08:39,060 --> 00:08:40,680
Now it is uniform.

119
00:08:40,680 --> 00:08:46,260
You have 91 days left to revoke that uniform public access policy.

120
00:08:46,380 --> 00:08:46,770
Right?

121
00:08:46,770 --> 00:08:52,380
And you can go to the fine-grained access policy. I can go to

122
00:08:53,300 --> 00:09:00,800
this particular bucket, I can just say access is uniform, public.

123
00:09:01,220 --> 00:09:04,190
Public access is not allowed.

124
00:09:05,730 --> 00:09:08,460
And that's it, right?

125
00:09:08,670 --> 00:09:10,900
If you have any questions on this one, let us know.

126
00:09:10,920 --> 00:09:14,920
Otherwise, you can move to the next lecture.

127
00:09:14,940 --> 00:09:17,280
That is our encryption, logging and monitoring.

