To ensure that an external user cannot gain access to an internal application on Google App Engine even if an employee’s password is compromised, configure Cloud Identity-Aware Proxy (IAP).
Enable IAP:
Go to the Cloud Console, navigate to the App Engine application, and select "Identity-Aware Proxy".
Enable IAP for the application.
Configure Access Policies:
Set up access policies to restrict who can access the application.
Use IAM roles to grant access only to specific users or groups.
Enforce Authentication:
IAP requires every request to authenticate with a Google identity, so users must sign in with their GSuite credentials before any traffic reaches the application.
Enable Multi-Factor Authentication (MFA):
Enforce 2FA for all GSuite users so that a stolen password alone is not enough to sign in.
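The access-policy step above is where IAP deployments most often go wrong: granting roles/iap.httpsResourceAccessor to allUsers or allAuthenticatedUsers lets anyone with any Google account through, which defeats the "employees only" goal. The following is an added audit script (not part of the original answer) that reads the JSON printed by `gcloud iap web get-iam-policy --resource-type=app-engine --format=json` and flags such bindings; the sample policy and the domain example.com are constructed for illustration.

```python
"""Audit an IAP access policy for bindings that let non-employees pass IAP.

Principals that can reach an IAP-protected App Engine app are those holding
roles/iap.httpsResourceAccessor. Anything bound to that role which is a public
pseudo-member or lies outside the organisation's domain is reported.
"""
import json

IAP_ACCESSOR_ROLE = "roles/iap.httpsResourceAccessor"
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy in gcloud's JSON output shape; not from a real project.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/iap.httpsResourceAccessor",
     "members": ["group:app-users@example.com",
                 "user:contractor@gmail.com",
                 "allAuthenticatedUsers"]},
    {"role": "roles/iap.admin",
     "members": ["user:admin@example.com"]}
  ],
  "etag": "constructed-etag",
  "version": 1
}
"""


def audit_iap_policy(policy: dict, allowed_domain: str) -> list[str]:
    """Return one finding per principal that may pass IAP but should not.

    allowed_domain is the organisation's GSuite domain. A domain: grant for it,
    and user:/group: members whose address ends in it, are accepted; everything
    else bound to the accessor role (including service accounts) is flagged.
    """
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != IAP_ACCESSOR_ROLE:
            continue
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"{member}: any Google account can pass IAP")
                continue
            kind, _, ident = member.partition(":")
            if kind == "domain" and ident == allowed_domain:
                continue  # whole-organisation grant, expected
            if kind in ("user", "group") and ident.endswith("@" + allowed_domain):
                continue  # employee or internal group
            findings.append(f"{member}: not a {allowed_domain} user or group")
    return findings


if __name__ == "__main__":
    for finding in audit_iap_policy(json.loads(SAMPLE_POLICY_JSON), "example.com"):
        print("FINDING:", finding)
```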
Advantages:
Protection against Compromised Credentials: Even if a password is compromised, an attacker still has to pass IAP's Google authentication, including the enforced 2FA check, before reaching the application.
Centralized Access Management: Easily manage and monitor access through IAM and IAP policies.