Create and manage cryptographic keys (symmetric and asymmetric)
Control their use in your applications and GCP services
Provides an API to encrypt, decrypt, or sign data
Use existing cryptographic keys created on-premises
Integrates with almost all GCP services that need data encryption
Modes
Google managed
Customer managed - using Cloud Key Management Service
Customer supplied - using keys created and managed by the customer
Secret Manager
Store API keys, passwords and other secrets
Multiple versions of each secret
Automate rotation with Cloud Functions
Auditing with Cloud Audit Logs
Encrypted by default
VPC Service Controls
Centrally manage multi-tenant service access at scale
Securely access multi-tenant services
Establish virtual security perimeters for API-based services
Maintain an ongoing log of access denials to spot potential malicious activity on Google Cloud resources
Configure private communication to cloud resources from VPC networks that span cloud and on-premises hybrid deployments using Private Google Access
Identity-Aware Proxy (IAP)
A central authorization layer for applications accessed by HTTPS
You can use an application-level access control model instead of relying on network-level firewalls
Applications and resources protected by Cloud IAP can only be accessed through the proxy by users and groups with the correct Cloud IAM role
When you grant a user access to an application or resource through Cloud IAP, they are subject to the fine-grained access controls implemented by that product, without requiring a VPN