Anthropic-Cybersecurity-Skills/skills/implementing-zero-trust-with-beyondcorp/references/api-reference.md
# API Reference: Implementing Zero Trust with BeyondCorp

## gcloud IAP Commands

```bash
# Enable IAP on a backend service (add --oauth2-client-id/--oauth2-client-secret
# only if you want to bind your own OAuth client instead of the default one)
gcloud iap web enable --resource-type=backend-services \
  --service=my-backend --project=my-project

# Get the project-level IAP IAM policy (add --resource-type/--service for one backend)
gcloud iap web get-iam-policy --project=my-project

# Grant IAP access conditioned on an access level. The condition must be a
# boolean CEL expression: the level name alone is not one. The full resource
# name of the level is tested against request.auth.access_levels.
gcloud iap web add-iam-policy-binding --project=my-project \
  --member="group:team@example.com" \
  --role="roles/iap.httpsResourceAccessor" \
  --condition='expression="accessPolicies/123/accessLevels/corp_device" in request.auth.access_levels,title=CorpDevice'

# Verify the binding (and its condition) actually landed
gcloud iap web get-iam-policy --project=my-project --format=yaml

# Enable required APIs
gcloud services enable iap.googleapis.com
gcloud services enable accesscontextmanager.googleapis.com
gcloud services enable beyondcorp.googleapis.com
```

## Access Context Manager Commands

```bash
# Create the organization's access policy (one per organization)
gcloud access-context-manager policies create --organization=ORG_ID --title="Corp Policy"

# Create a basic access level (device + IP) from a condition-list YAML file.
# Conditions in the file are ANDed by default; pass --combine-function=OR
# to accept a request that satisfies any one of them.
gcloud access-context-manager levels create corp_trusted \
  --policy=POLICY_ID --title="Corporate Trusted" \
  --basic-level-spec=level_spec.yaml

# List access levels
gcloud access-context-manager levels list --policy=POLICY_ID --format=json
```

## Access Level Spec (YAML)

`level_spec.yaml` for `--basic-level-spec` is a top-level list of conditions (no `conditions:` wrapper). Every field inside one list item must hold for that item to match; separate items are combined with the level's combine function. Device attributes only exist for devices running Endpoint Verification, so an unenrolled device never satisfies `devicePolicy`.

```yaml
# One condition: corporate IP range AND compliant device AND request from US/GB
- ipSubnetworks:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
  devicePolicy:
    requireScreenlock: true
    # a device matches osConstraints if ANY listed constraint is met
    osConstraints:
      - osType: DESKTOP_WINDOWS
        minimumVersion: "10.0.19041"
      - osType: DESKTOP_MAC
        minimumVersion: "12.0.0"
    allowedEncryptionStatuses:
      - ENCRYPTED
  regions:
    - "US"
    - "GB"
```
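To see how the YAML above is actually evaluated, and how the result feeds the IAM condition on `roles/iap.httpsResourceAccessor`, here is an added offline model of the two steps. It is example code written for this page, not Google's evaluator or any project code: the spec is embedded as a Python list so it runs without PyYAML, the policy number `123` and level name `corp_trusted` are assumptions, and the requests are constructed test data rather than real traffic.

```python
import ipaddress

# Embedded copy of the level_spec.yaml content above (so this runs without
# PyYAML). A basic access level is a list of conditions: every field inside
# one condition must hold, and the conditions are combined with the level's
# combine function (AND unless created with --combine-function=OR).
CORP_TRUSTED_SPEC = [
    {
        "ipSubnetworks": ["10.0.0.0/8", "172.16.0.0/12"],
        "devicePolicy": {
            "requireScreenlock": True,
            "osConstraints": [
                {"osType": "DESKTOP_WINDOWS", "minimumVersion": "10.0.19041"},
                {"osType": "DESKTOP_MAC", "minimumVersion": "12.0.0"},
            ],
            "allowedEncryptionStatuses": ["ENCRYPTED"],
        },
        "regions": ["US", "GB"],
    }
]

POLICY_ID = "123"  # assumed access policy number, as in the IAM condition above


def _version(v):
    """'10.0.19041' -> (10, 0, 19041) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def _device_ok(policy, device):
    """Every devicePolicy field that is present must hold (AND)."""
    if policy.get("requireScreenlock") and not device.get("screenlock", False):
        return False
    allowed = policy.get("allowedEncryptionStatuses")
    if allowed and device.get("encryption") not in allowed:
        return False
    constraints = policy.get("osConstraints")
    if constraints and not any(
        c["osType"] == device.get("os")
        and _version(device.get("os_version", "0")) >= _version(c.get("minimumVersion", "0"))
        for c in constraints
    ):
        return False  # osConstraints is satisfied when ANY entry matches
    return True


def _condition_ok(cond, req):
    ok = True
    if "ipSubnetworks" in cond:
        ip = ipaddress.ip_address(req["ip"])
        ok = any(ip in ipaddress.ip_network(n) for n in cond["ipSubnetworks"])
    if ok and "regions" in cond:
        ok = req.get("region") in cond["regions"]
    if ok and "devicePolicy" in cond:
        ok = _device_ok(cond["devicePolicy"], req.get("device", {}))
    return not ok if cond.get("negate") else ok  # Condition.negate inverts the result


def level_satisfied(spec, req, combine="AND"):
    results = [_condition_ok(c, req) for c in spec]
    return all(results) if combine == "AND" else any(results)


def access_levels_for(req, levels):
    """Full resource names, the form IAM exposes as request.auth.access_levels."""
    return [
        f"accessPolicies/{POLICY_ID}/accessLevels/{name}"
        for name, (spec, combine) in levels.items()
        if level_satisfied(spec, req, combine)
    ]


def iam_condition_allows(req, levels, level_name="corp_trusted"):
    """Mirror of the binding's CEL: "<level>" in request.auth.access_levels."""
    return f"accessPolicies/{POLICY_ID}/accessLevels/{level_name}" in access_levels_for(req, levels)


LEVELS = {"corp_trusted": (CORP_TRUSTED_SPEC, "AND")}

# Constructed requests (not real traffic): one that passes, and two that fail
# on a single attribute even though everything else looks corporate.
MANAGED_WINDOWS = {
    "ip": "10.20.30.40", "region": "US",
    "device": {"screenlock": True, "encryption": "ENCRYPTED",
               "os": "DESKTOP_WINDOWS", "os_version": "10.0.22631"},
}
OUTDATED_MAC = {**MANAGED_WINDOWS,
                "device": {**MANAGED_WINDOWS["device"], "os": "DESKTOP_MAC", "os_version": "11.6.1"}}
OFF_NETWORK = {**MANAGED_WINDOWS, "ip": "203.0.113.5"}

if __name__ == "__main__":
    for label, req in [("managed windows", MANAGED_WINDOWS), ("outdated mac", OUTDATED_MAC),
                       ("off-network", OFF_NETWORK)]:
        print(f"{label:16s} levels={access_levels_for(req, LEVELS)} "
              f"allowed={iam_condition_allows(req, LEVELS)}")
```

The model makes the two semantics that trip people up explicit: fields inside one condition are ANDed (the outdated Mac fails on `osConstraints` alone), while `combine="OR"` or `negate` change how whole conditions combine. Because the spec puts IP, device and region in a single condition, a compliant device off the corporate network is denied; split them into separate items with `--combine-function=OR` only if that is the intended posture.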

## IAP Roles

| Role | Description |
|------|-------------|
| `roles/iap.httpsResourceAccessor` | Access IAP-protected HTTPS resources (the role IAP checks per request; attach access-level conditions here) |
| `roles/iap.admin` | Full IAP administration |
| `roles/iap.settingsAdmin` | Modify IAP settings |
| `roles/iap.tunnelResourceAccessor` | Access via IAP TCP tunneling |

## Python SDK

```python
from google.cloud import iap_v1

# Admin client: IAP settings, TCP-forwarding destination groups, etc.
# Authenticates with Application Default Credentials.
client = iap_v1.IdentityAwareProxyAdminServiceClient()

project = "my-project"  # project ID or number

# List tunnel destination groups in every region ("-" means all locations)
request = iap_v1.ListTunnelDestGroupsRequest(
    parent=f"projects/{project}/iap_tunnel/locations/-"
)
for group in client.list_tunnel_dest_groups(request=request):
    print(group.name, list(group.cidrs), list(group.fqdns))
```

## Audit Log Query (Cloud Logging)

IAP authorization decisions are Data Access audit logs, which are off by default: enable Data Read audit logs for the Cloud Identity-Aware Proxy API on the project before expecting any results. Denied requests carry `protoPayload.status.code=7` (PERMISSION_DENIED); add that line to the query to see only denials.

```
resource.type="gce_backend_service"
logName="projects/PROJECT/logs/cloudaudit.googleapis.com%2Fdata_access"
protoPayload.methodName="AuthorizeUser"
protoPayload.authenticationInfo.principalEmail!=""
```
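The same predicate as the query above, run offline over exported log lines, as an added example for this page (not Google code and not the project's own). The project ID `my-project` matches the command examples, and the log entries are constructed to have the shape of IAP audit entries (resource type, log name, `AuthorizeUser` method, principal, `status.code` 7 on denial) rather than being copied from any real project.

```python
import json
from collections import Counter

PROJECT = "my-project"  # assumed project ID, as in the gcloud examples above
DATA_ACCESS_LOG = f"projects/{PROJECT}/logs/cloudaudit.googleapis.com%2Fdata_access"


def _entry(principal, caller_ip, denied=False, method="AuthorizeUser",
           resource_type="gce_backend_service", log_name=DATA_ACCESS_LOG):
    """Build one constructed audit entry (JSON line) with the fields the query uses."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "iap.googleapis.com",
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": caller_ip},
    }
    if denied:
        payload["status"] = {"code": 7, "message": "PERMISSION_DENIED"}
    return json.dumps({"resource": {"type": resource_type}, "logName": log_name,
                       "protoPayload": payload})


# Constructed sample export: successes, denials, and lines the query must drop.
SAMPLE_LOG_LINES = [
    _entry("alice@example.com", "10.1.2.3"),
    _entry("alice@example.com", "10.1.2.3"),
    _entry("bob@example.com", "203.0.113.9", denied=True),
    _entry("bob@example.com", "203.0.113.9", denied=True),
    _entry("eve@example.com", "198.51.100.7", denied=True),
    _entry("admin@example.com", "10.9.9.9", method="GetIamPolicy"),   # not AuthorizeUser
    _entry("carol@example.com", "10.4.4.4", resource_type="gce_instance"),  # not a backend service
    _entry("", "10.5.5.5"),                                            # empty principal, excluded
    '{"this is not": valid json',                                      # truncated line, skipped
]


def _get(d, path, default=None):
    """Dotted-path lookup, like the field paths in the Logging query."""
    for key in path.split("."):
        if not isinstance(d, dict) or key not in d:
            return default
        d = d[key]
    return d


def parse_entries(lines):
    entries = []
    for line in lines:
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # exported sinks can contain partial lines; skip, don't crash
    return entries


def matches_query(entry, project=PROJECT):
    """Same four clauses as the Cloud Logging query above."""
    return (
        _get(entry, "resource.type") == "gce_backend_service"
        and entry.get("logName") == f"projects/{project}/logs/cloudaudit.googleapis.com%2Fdata_access"
        and _get(entry, "protoPayload.methodName") == "AuthorizeUser"
        and bool(_get(entry, "protoPayload.authenticationInfo.principalEmail"))
    )


def authorize_events(lines, project=PROJECT):
    return [e for e in parse_entries(lines) if matches_query(e, project)]


def denied_by_principal(lines, project=PROJECT):
    """Count denied AuthorizeUser calls per principal (status.code 7 = PERMISSION_DENIED)."""
    counts = Counter()
    for e in authorize_events(lines, project):
        if _get(e, "protoPayload.status.code", 0) == 7:
            counts[_get(e, "protoPayload.authenticationInfo.principalEmail")] += 1
    return counts


if __name__ == "__main__":
    events = authorize_events(SAMPLE_LOG_LINES)
    print(f"{len(events)} AuthorizeUser events")
    for principal, n in denied_by_principal(SAMPLE_LOG_LINES).most_common():
        print(f"denied x{n}: {principal}")
```

A principal that is repeatedly denied from an off-network address (here `bob@example.com` from 203.0.113.9) is the pattern worth alerting on: either a device that dropped out of compliance, or credentials being tried from somewhere the access level was designed to exclude.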

## References