arrow_back

Navigate Security Decisions with Gemini

Sign in Join
Quick tip: Review the prerequisites before you run the lab
Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
Test and share your knowledge with our community!
done
Get access to over 700 hands-on labs, skill badges, and courses

Navigate Security Decisions with Gemini

Lab 45 minutes universal_currency_alt 1 Credit show_chart Introductory
info This lab may incorporate AI tools to support your learning.
Test and share your knowledge with our community!
done
Get access to over 700 hands-on labs, skill badges, and courses

Overview

Gemini for Google Cloud is an always-on AI collaborator that provides help to users of all skill levels where they need it. In this lab, you will learn how to identify and remediate security misconfigurations in your Google Cloud environment using Security Command Center's Gemini features.

Note: Duet AI was renamed to Gemini, our next-generation model. This lab has been updated to reflect this change. Any references to Duet AI in the user interface or documentation should be treated as equivalent to Gemini while following the lab instructions. Note: As an early-stage technology, Gemini can generate output that seems plausible but is factually incorrect. We recommend that you validate all output from Gemini before you use it. For more information, see Gemini for Google Cloud and responsible AI.

Objectives

In this lab, you will learn how to perform the following tasks:

  • Enable Gemini in a Google Cloud project
  • Deploy example workloads into an environment in Google Cloud
  • Identify security misconfigurations with Gemini
  • Remediate security misconfigurations with Gemini

Scenario

As you monitor your infrastructure for ways to improve your security posture, Gemini can help identify infrastructure or configuration changes that will prevent issues in the future.

In this example, consider that you are a security engineer at an ecommerce company where managed Kubernetes clusters are regularly deployed. You need a way to see if there are any misconfigurations, and you want quick instructions to help fix those issues in your cloud environment.

Setup and requirements

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab

  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.

  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details panel.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details panel.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.

  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To view a menu with a list of Google Cloud products and services, click the Navigation menu at the top-left, or type the service or product name in the Search field. Navigation menu icon

Task 1. Enable Gemini

You will first enable Gemini in your Google Cloud project and configure the necessary permissions for your Google Cloud Qwiklabs user account.

  1. Click on the Cloud Shell icon (Cloud Shell icon) in the top-right corner of the Google Cloud console toolbar.

  2. To set your project ID and region environment variables, run the following commands:

PROJECT_ID=$(gcloud config get-value project) REGION={{{project_0.default_region|lab region}}} echo "PROJECT_ID=${PROJECT_ID}" echo "REGION=${REGION}"
  1. To store the signed-in Google user account in an environment variable, run the following command:
USER=$(gcloud config get-value account 2> /dev/null) echo "USER=${USER}"

  1. Click Authorize if prompted.

  2. Enable the Cloud AI Companion API for Gemini:

gcloud services enable cloudaicompanion.googleapis.com --project ${PROJECT_ID}
  1. To use Gemini, grant the necessary IAM roles to your Google Cloud Qwiklabs user account:
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member user:${USER} --role=roles/cloudaicompanion.user gcloud projects add-iam-policy-binding ${PROJECT_ID} --member user:${USER} --role=roles/serviceusage.serviceUsageViewer

Adding these roles lets the user use Gemini assistance.

Click Check my progress to verify your performed task. Enable Gemini

Task 2. Create a GKE cluster and deploy a web app

You will now be creating a Google Kubernetes Engine (GKE) cluster running a handful of microservices.

  1. Run the following command to create a GKE cluster named test:
gcloud container clusters create test --region={{{project_0.default_region|lab region}}} --num-nodes=1

This should take a few minutes. Upon completion, you should see a result similar to the following:

Creating cluster test in {{{project_0.default_region|lab region}}}... Cluster is being health-checked (master is healthy)...done. Created [https://container.googleapis.com/v1/projects/agmsb-gke-lab/zones/us-central1/clusters/test]. To inspect the contents of your cluster, go to: https://console.cloud.google.com/kubernetes/workload_/gcloud/us-central1/test?project=agmsb-gke-lab kubeconfig entry generated for test. NAME: test LOCATION: {{{project_0.default_region|lab region}}} MASTER_VERSION: 1.27.3-gke.100 MASTER_IP: 34.66.224.143 MACHINE_TYPE: e2-medium NODE_VERSION: 1.27.3-gke.100 NUM_NODES: 3 STATUS: RUNNING
  1. Now, clone a repository that contains code for a web app:
git clone https://github.com/GoogleCloudPlatform/microservices-demo && cd microservices-demo
  1. Use kubectl to deploy a set of microservices to the GKE cluster:
kubectl apply -f ./release/kubernetes-manifests.yaml
  1. After a couple minutes, run the following command to get the public IP address to access your web app in a browser:
kubectl get service frontend-external | awk '{print $4}'
  1. Copy the IP address from the output of the above command and paste it into a new browser tab.

You should see a web app similar to the following:

Web app

Click Check my progress to verify your performed task. Create a GKE cluster and deploy a web app

Task 3. Identify security misconfigurations with Gemini

Now that you have an existing GKE cluster running an ecommerce app, you will identify areas where you can improve your security posture with Gemini.

  1. Return to your tab with the Google Cloud console.

  2. Refresh the Google Cloud console page.

  3. Minimize the Cloud Shell pane.

  4. Click on the Gemini icon (Gemini icon) in the top-right corner of the Google Cloud console toolbar.

  5. Click Start Chatting.

  6. Enter the following prompt:

What services in Google Cloud can help me identify areas to improve security for a set of microservices running in a GKE cluster?

Gemini should respond with something similar to the following:

There are a number of services in Google Cloud that can help you identify areas to improve security for a set of microservices running in a GKE cluster. These include:

  • Security Command Center can help you identify and prioritize security risks across your Google Cloud environment, including GKE clusters.
  • Cloud Asset Inventory can help you track and manage your Google Cloud resources, including GKE clusters.
  • Cloud Logging can help you collect and analyze logs from your GKE clusters.
  • Cloud Monitoring can help you monitor the performance and health of your GKE clusters.
These are just a few of the many services in Google Cloud that can help you improve the security of your microservices. By using these services, you can help protect your data from unauthorized access, and you can also help improve your security posture over time.

In this scenario, you decide that Security Command Center sounds like the right place to start.

  1. Open the Navigation menu and select Security > Risk Overview.

With multiple visualizations discussing vulnerabilities, you want to ask Gemini to help you quickly understand what is classified as a vulnerability in Security Command Center.

  1. Enter the following prompt:
How does Security Command Center define a vulnerability?

Gemini's response should be similar to the following:

Security Command Center defines a vulnerability as a flaw or weakness in software programs that an attacker could use to gain access to or otherwise compromise your Google Cloud environment.

Source: https://cloud.google.com/security-command-center/docs/finding-classes

  1. Click on the documentation link to better disambiguate between finding classes.

  2. After reading about them, close the tab and return to the Google Cloud console.

  3. Click Findings from the sidebar of the Google Cloud console.

  4. To see the findings for your GKE cluster, find the "Quick Filters" section and select Google container cluster under Resource Type.

You should see a number of Medium severity findings.

  1. Click on the Cluster secrets encryption disabled finding.

At the top of this finding panel, you should see a section titled "Description" with a summary similar to the following:

Application-layer secrets encryption provides an additional layer of security for sensitive data, such as user-defined secrets and secrets required for the operation of the cluster, such as service account keys, which are all stored in etcd...

  1. Exit out of this information panel.

  2. Next, click on the Over privileged account finding and view the summary in the description which is similar to the following:

This GKE node uses the Compute Engine default service node, which has broad access by default and may be over privileged for running your Kubernetes Engine cluster....

  1. Exit out of this information panel.

  2. Finally, click on the Master authorized networks disabled finding. You should see a description similar to the following:

Control plane authorized networks improve security for your container cluster by blocking specified IP addresses from accessing your cluster's control plane...
  1. Exit out of this information panel.

Now that you have an understanding of some of your environment's security misconfigurations, you will leverage Gemini's recommendations to remediate them.

Task 4. Remediate a security misconfiguration

Now that you have had the opportunity to review multiple areas to begin improving the security of your GKE cluster, you will remediate the "Master authorized networks disabled" finding using the instructions provided by Gemini's summary in Security Command Center.

  1. Open the Navigation menu and select Kubernetes Engine > Clusters.

  2. Click the name of the cluster you created earlier ("test").

  3. Scroll down to the Control Plane Networking section.

  4. Click on the pencil icon to edit Control plane networking.

  5. Check the box next to Enable authorized networks.

  6. Check the box underneath Add Google Cloud external IP addresses to authorized networks.

  7. Click Save changes.

  8. Click Clusters in the sidebar.

You will see cluster being updated, shown by a spinning wheel or half green circle icon in the Status section.

  1. While the network policy updates for the control plane take place, open Gemini from the Google Cloud console toolbar.

  2. Enter the following prompt:

How do control plane authorized networks work in GKE?

Gemini's response should be similar to the following:

Control plane authorized networks allow you to restrict access to the control plane of your GKE cluster. By default, the control plane is accessible from any address. However, you can add one or more authorized networks to restrict access to only those networks.

To add an authorized network, go to the Google Kubernetes Engine page in the Google Cloud console. Click the name of the cluster you want to modify. Under Networking, in the Control plane authorized networks field, click edit Edit control plane authorized networks...

Applying the updated control plane policy may take a few minutes to take effect.

  1. Once you see a green checkmark in the Status column next to your cluster, you have successfully updated your cluster configuration.

Click Check my progress to verify your performed task. Remediate a security misconfiguration

End your lab

When you have completed your lab, click End Lab. Qwiklabs removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.

Before you begin

  1. Labs create a Google Cloud project and resources for a fixed time
  2. Labs have a time limit and no pause feature. If you end the lab, you'll have to restart from the beginning.
  3. On the top left of your screen, click Start lab to begin

Use private browsing

  1. Copy the provided Username and Password for the lab
  2. Click Open console in private mode

Sign in to the Console

  1. Sign in using your lab credentials. Using other credentials might cause errors or incur charges.
  2. Accept the terms, and skip the recovery resource page
  3. Don't click End lab unless you've finished the lab or want to restart it, as it will clear your work and remove the project

This content is not currently available

We will notify you via email when it becomes available

Great!

We will contact you via email if it becomes available

One lab at a time

Confirm to end all existing labs and start this one

Setup your console before you begin

Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.