Compute Engine and Cloud Storage

Compute Engine and Cloud Storage are the foundation of most workloads in GCP — the equivalents of EC2/S3 in AWS and VM/Blob in Azure. This lesson shows their roles and the controls that ZEUS verifies.

Compute Engine — virtual machines

Compute Engine (GCE) is IaaS: virtual servers with great flexibility of machine types. You choose an image, a machine type (e.g. e2-standard-2, n2-standard-4) and a network.

gcloud compute instances create vm-zeus-01 \
  --zone=europe-central2-a \
  --machine-type=e2-standard-2 \
  --image-family=debian-12 --image-project=debian-cloud \
  --no-address   # no public IP

Key security controls:

  • no public IP where it is not needed (--no-address),
  • Shielded VM (Secure Boot, vTPM) — protection against rootkits,
  • OS Login instead of SSH keys in metadata,
  • disk encryption (default, optionally your own CMEK keys).

Tip: access VMs without a public IP through IAP TCP forwarding (gcloud compute ssh --tunnel-through-iap) — the equivalent of a Bastion, without opening ports to the internet.

Cloud Storage — object storage

Cloud Storage stores objects in buckets with storage classes (Standard, Nearline, Coldline, Archive) for cost optimization. As in every cloud, object storage is the most common source of data leaks, so the controls are critical:

  • Uniform bucket-level access (uniform access, no per-object ACLs),
  • Public Access Prevention enabled,
  • encryption (default Google-managed or CMEK).

gcloud storage buckets create gs://zeus-data-4471 \
  --location=europe-central2 \
  --uniform-bucket-level-access \
  --public-access-prevention=enforced

Comparison with other clouds

GCP                  AWS                   Azure
Compute Engine       EC2                   Virtual Machines
Cloud Storage        S3                    Blob Storage
Shielded VM          Nitro/IMDSv2          Trusted Launch
IAP TCP forwarding   SSM Session Manager   Bastion

The most common misconfigs

  1. A bucket with Public Access Prevention disabled → risk of a leak.
  2. A VM with a public IP and open SSH in a firewall rule.
  3. A service account attached to a VM with the editor role instead of a narrow one.

How ZEUS sees it

Through Cloud Asset Inventory and the service APIs, ZEUS reads all Compute Engine instances (public IP, Shielded VM, attached service accounts) and Cloud Storage buckets (Public Access Prevention, uniform access, encryption). These controls feed both posture and compliance frameworks — encryption and the absence of public exposure are direct requirements of ISO 27001 and NIS2.
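The instance and bucket checks described above, written out as an added example that is not ZEUS's own code: it evaluates a few constructed Cloud Asset Inventory records and returns findings per asset. Field names such as accessConfigs, shieldedInstanceConfig and iamConfiguration.publicAccessPrevention are assumed from the Compute Engine and Cloud Storage API resource formats.

```python
from typing import Dict, List

# Constructed sample assets in Cloud Asset Inventory export shape (resource.data = API resource body);
# field names are assumptions taken from the Compute Engine and Cloud Storage APIs.
ASSETS: List[Dict] = [
    {"name": "//compute.googleapis.com/projects/p1/zones/europe-central2-a/instances/vm-zeus-01",
     "assetType": "compute.googleapis.com/Instance",
     "resource": {"data": {
        "networkInterfaces": [{"network": "default"}],  # no accessConfigs -> no public IP
        "shieldedInstanceConfig": {"enableSecureBoot": True, "enableVtpm": True},
        "serviceAccounts": [{"email": "vm-runtime@p1.iam.gserviceaccount.com"}]}}},
    {"name": "//compute.googleapis.com/projects/p1/zones/europe-central2-a/instances/vm-legacy",
     "assetType": "compute.googleapis.com/Instance",
     "resource": {"data": {
        "networkInterfaces": [{"accessConfigs": [{"natIP": "203.0.113.10"}]}],
        "shieldedInstanceConfig": {"enableSecureBoot": False, "enableVtpm": True},
        "serviceAccounts": [{"email": "123456-compute@developer.gserviceaccount.com"}]}}},
    {"name": "//storage.googleapis.com/zeus-data-4471",
     "assetType": "storage.googleapis.com/Bucket",
     "resource": {"data": {"iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": True}, "publicAccessPrevention": "enforced"}}}},
    {"name": "//storage.googleapis.com/old-exports",
     "assetType": "storage.googleapis.com/Bucket",
     "resource": {"data": {"iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": False}, "publicAccessPrevention": "inherited"}}}},
]

def check_instance(data: Dict) -> List[str]:
    findings = []
    if any(nic.get("accessConfigs") for nic in data.get("networkInterfaces", [])):  # NAT IP attached
        findings.append("public-ip")
    sic = data.get("shieldedInstanceConfig", {})
    if not (sic.get("enableSecureBoot") and sic.get("enableVtpm")):
        findings.append("shielded-vm-disabled")
    # The default Compute Engine SA is typically granted the broad project Editor role.
    if any(sa["email"].endswith("@developer.gserviceaccount.com") for sa in data.get("serviceAccounts", [])):
        findings.append("default-compute-sa")
    return findings

def check_bucket(data: Dict) -> List[str]:
    iam, findings = data.get("iamConfiguration", {}), []
    if not iam.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("per-object-acls")
    if iam.get("publicAccessPrevention") != "enforced":
        findings.append("public-access-prevention-off")
    return findings

def evaluate(assets: List[Dict]) -> Dict[str, List[str]]:
    checks = {"compute.googleapis.com/Instance": check_instance, "storage.googleapis.com/Bucket": check_bucket}
    return {a["name"]: checks[a["assetType"]](a["resource"]["data"]) for a in assets if a["assetType"] in checks}
```

Each finding maps to one of the misconfigurations listed above; an empty list means the asset passes all three Compute Engine or both Cloud Storage checks.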

In the next lesson: VPC networking and firewall.