Intermediate

GCP AI Security

Google Cloud Platform provides Vertex AI as its unified ML platform. Securing GCP AI workloads requires VPC Service Controls, fine-grained IAM, CMEK encryption, and comprehensive audit logging.

Vertex AI Security Controls

  1. VPC Service Controls

    Create a service perimeter around Vertex AI, Cloud Storage, and BigQuery. VPC Service Controls prevent data exfiltration by blocking API calls from outside the perimeter, even if an attacker has valid credentials.

  2. Private Service Connect

    Access Vertex AI endpoints through Private Service Connect rather than public endpoints. This keeps all ML traffic within your VPC and eliminates exposure to the public internet.

  3. Workload Identity

    Use Workload Identity Federation to grant ML pipelines access to GCP resources without long-lived service account keys. This eliminates the risk of key leakage and enables automatic credential rotation.

  4. Custom Service Accounts

    Create dedicated service accounts for each Vertex AI workload type. Training pipelines, prediction endpoints, and notebook instances should each have their own service account with minimal permissions.
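The four controls above can be checked, not only configured. The following script is an added example (not code from the lesson or from Google) that audits the per-workload service accounts from item 4 for the long-lived keys that item 3 says Workload Identity Federation should replace. The input mirrors the JSON shape that `gcloud iam service-accounts keys list --format=json` prints (keyType, name, validAfterTime, validBeforeTime); the account names, key ids, review date and 90-day rotation limit are constructed assumptions.

```python
"""Audit Vertex AI service accounts for user-managed keys.

Added example; not code from the lesson. The input mirrors the JSON that
`gcloud iam service-accounts keys list --iam-account=... --format=json`
prints (keyType, name, validAfterTime, validBeforeTime). Account names,
key ids, the review date and the rotation limit are constructed.
"""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90                              # assumed rotation policy
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)    # constructed review date

# Constructed sample: one dedicated account per workload type, as the
# lesson recommends. The training account still has a downloaded
# (USER_MANAGED) key, the kind Workload Identity Federation removes.
SAMPLE_KEYS = {
    "vertex-training@example-project.iam.gserviceaccount.com": [
        {"keyType": "SYSTEM_MANAGED", "name": "keys/aa11",
         "validAfterTime": "2024-05-01T00:00:00Z", "validBeforeTime": "2024-05-15T00:00:00Z"},
        {"keyType": "USER_MANAGED", "name": "keys/bb22",
         "validAfterTime": "2023-01-10T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    ],
    "vertex-prediction@example-project.iam.gserviceaccount.com": [
        {"keyType": "SYSTEM_MANAGED", "name": "keys/cc33",
         "validAfterTime": "2024-05-20T00:00:00Z", "validBeforeTime": "2024-06-03T00:00:00Z"},
    ],
    "vertex-notebooks@example-project.iam.gserviceaccount.com": [],
}


def parse_rfc3339(ts: str) -> datetime:
    """Parse the UTC timestamps gcloud prints for key validity."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(keys_by_account: dict, now: datetime = NOW) -> list:
    """Return one finding per USER_MANAGED key.

    SYSTEM_MANAGED keys are rotated by Google and never leave Google, so
    they are skipped. Any USER_MANAGED key is a downloadable secret and
    gets a finding, with extra detail when it is old or never expires.
    """
    findings = []
    for account, keys in keys_by_account.items():
        for key in keys:
            if key["keyType"] != "USER_MANAGED":
                continue
            age_days = (now - parse_rfc3339(key["validAfterTime"])).days
            reasons = ["user-managed key present; move the workload to Workload Identity Federation"]
            if age_days > MAX_KEY_AGE_DAYS:
                reasons.append(f"key is {age_days} days old")
            if key["validBeforeTime"].startswith("9999"):
                reasons.append("key never expires")
            findings.append({"account": account, "key": key["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_KEYS):
        print(finding["account"], finding["key"], "; ".join(finding["reasons"]))
```

Run against real output by replacing SAMPLE_KEYS with the parsed JSON for each Vertex AI service account; an empty findings list is the state the lesson's item 3 describes.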

IAM for GCP AI Platform

Role                   | Permissions                                       | Use Case
-----------------------|---------------------------------------------------|------------------------------------------
Vertex AI User         | Create and manage training jobs, deploy models    | ML engineers running training pipelines
Vertex AI Viewer       | Read-only access to models, endpoints, datasets   | Auditors and stakeholders reviewing ML assets
Notebooks Runner       | Execute notebooks, access assigned resources      | Data scientists running experiments
Custom Prediction Role | Deploy and invoke prediction endpoints only       | Applications consuming model predictions
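The table is only useful if the project's actual IAM policy matches it. The script below is an added example (not from the lesson or from Google) that reviews a project policy in the shape `gcloud projects get-iam-policy PROJECT --format=json` returns and flags the two things Security Command Center would also call overly permissive: public principals and primitive roles. roles/aiplatform.user, roles/aiplatform.viewer and roles/notebooks.runner are the predefined role ids behind the first three table rows; the custom prediction role id, project id and principals are constructed placeholders.

```python
"""Review a project IAM policy against the Vertex AI role table.

Added example, not from the lesson. The policy below is constructed in
the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
Principals, the project id and the custom role id are placeholders.
"""
PROJECT = "example-project"                                   # placeholder

# Predefined role ids for the table's first three rows are real; the
# custom prediction role id is an assumed name for the fourth row.
ALLOWED_ROLES = {
    "roles/aiplatform.user",
    "roles/aiplatform.viewer",
    "roles/notebooks.runner",
    f"projects/{PROJECT}/roles/vertexPredictionInvoker",
}
PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/aiplatform.user",
         "members": ["group:ml-engineers@example.com"]},
        {"role": "roles/aiplatform.viewer",
         "members": ["group:auditors@example.com"]},
        # A prediction service account holding Editor: far beyond "invoke only".
        {"role": "roles/editor",
         "members": [f"serviceAccount:vertex-prediction@{PROJECT}.iam.gserviceaccount.com"]},
        # Any Google account can create training jobs: a public principal.
        {"role": "roles/aiplatform.user", "members": ["allAuthenticatedUsers"]},
        {"role": f"projects/{PROJECT}/roles/vertexPredictionInvoker",
         "members": [f"serviceAccount:orders-api@{PROJECT}.iam.gserviceaccount.com"]},
    ]
}


def review_policy(policy: dict) -> list:
    """Return a finding for every (role, member) pair that breaks the table."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append({"role": role, "member": member,
                                 "issue": "public principal", "severity": "high"})
            if role in PRIMITIVE_ROLES:
                findings.append({"role": role, "member": member,
                                 "issue": "primitive role instead of a Vertex AI role",
                                 "severity": "high"})
            elif role not in ALLOWED_ROLES:
                findings.append({"role": role, "member": member,
                                 "issue": "role outside the approved Vertex AI set",
                                 "severity": "medium"})
    return findings


if __name__ == "__main__":
    for f in review_policy(SAMPLE_POLICY):
        print(f["severity"], f["role"], f["member"], f["issue"])
```

Roles not in ALLOWED_ROLES are reported at medium severity rather than failed outright, because a project normally carries non-ML roles too; extend the set to the roles your project legitimately uses.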

CMEK Encryption for Vertex AI

Default Encryption Is Not Enough: GCP encrypts data at rest by default using Google-managed keys. For regulated AI workloads, you must use Customer-Managed Encryption Keys (CMEK) via Cloud KMS to maintain full control over key lifecycle, rotation, and access.
  • Training data: Encrypt Cloud Storage buckets containing training datasets with CMEK. Vertex AI inherits the bucket encryption settings
  • Model artifacts: Configure CMEK for the Cloud Storage locations where Vertex AI stores trained model artifacts
  • Notebook disks: Apply CMEK to Vertex AI Workbench notebook boot and data disks
  • Pipeline metadata: Vertex AI Pipelines metadata store supports CMEK for encrypting pipeline run data and artifacts
  • Feature Store: Enable CMEK for Vertex AI Feature Store to protect feature values used in online serving
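Verifying CMEK across all five resource types is easier with a single checker. The script below is an added example (not from the lesson or from Google) that inspects resource descriptions in the shape of the Vertex AI REST API's `encryptionSpec.kmsKeyName` field and a Cloud Storage bucket's `encryption.defaultKmsKeyName` field, flagging resources still on Google-managed keys and, as a caveat the lesson's list does not spell out, keys whose location does not match the resource's location, since Vertex AI requires the Cloud KMS key to be in the same region as the resource. All project, bucket, ring and key names are constructed placeholders.

```python
"""Check CMEK coverage for Vertex AI resources and their buckets.

Added example, not from the lesson. Resource dicts mimic the
encryptionSpec field of Vertex AI API resources and the encryption field
of a Cloud Storage bucket; every name below is a constructed placeholder.
"""
import re

KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/[^/]+/cryptoKeys/[^/]+$"
)
KEY_US = "projects/example-project/locations/us-central1/keyRings/ml-ring/cryptoKeys/ml-key"

SAMPLE_RESOURCES = [
    # Vertex AI resources carry encryptionSpec.kmsKeyName.
    {"kind": "aiplatform.Model",
     "name": "projects/example-project/locations/us-central1/models/123",
     "encryptionSpec": {"kmsKeyName": KEY_US}},
    # Training job launched without CMEK: Google-managed key in use.
    {"kind": "aiplatform.CustomJob",
     "name": "projects/example-project/locations/us-central1/customJobs/456"},
    # Endpoint in europe-west4 pointing at a us-central1 key: wrong region.
    {"kind": "aiplatform.Endpoint",
     "name": "projects/example-project/locations/europe-west4/endpoints/789",
     "encryptionSpec": {"kmsKeyName": KEY_US}},
    # Cloud Storage buckets carry encryption.defaultKmsKeyName.
    {"kind": "storage.Bucket", "name": "example-training-data",
     "location": "US-CENTRAL1", "encryption": {"defaultKmsKeyName": KEY_US}},
    {"kind": "storage.Bucket", "name": "example-model-artifacts",
     "location": "US-CENTRAL1"},
]


def resource_location(res: dict) -> str:
    """Location of the resource: bucket field, or the /locations/ path segment."""
    if res["kind"].startswith("storage."):
        return res["location"].lower()
    m = re.search(r"/locations/([^/]+)/", res["name"])
    return m.group(1) if m else ""


def kms_key_of(res: dict):
    """The configured CMEK key name, or None for Google-managed encryption."""
    if res["kind"].startswith("storage."):
        return res.get("encryption", {}).get("defaultKmsKeyName")
    return res.get("encryptionSpec", {}).get("kmsKeyName")


def check_cmek(resources: list) -> list:
    """One finding per resource that lacks CMEK or uses a key in another location."""
    findings = []
    for res in resources:
        key = kms_key_of(res)
        if not key:
            findings.append({"resource": res["name"],
                             "issue": "no CMEK configured (Google-managed key in use)"})
            continue
        m = KMS_KEY_RE.match(key)
        if not m:
            findings.append({"resource": res["name"], "issue": f"malformed KMS key name: {key}"})
            continue
        key_loc, res_loc = m.group("location"), resource_location(res)
        if key_loc != res_loc:
            findings.append({"resource": res["name"],
                             "issue": f"KMS key in {key_loc} but resource in {res_loc}"})
    return findings


if __name__ == "__main__":
    for f in check_cmek(SAMPLE_RESOURCES):
        print(f["resource"], "->", f["issue"])
```

The location comparison is exact, so a multi-region bucket (location "US") needs a key in the matching multi-region; extend the check if you use those.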

Cloud Audit Logs for ML

Admin Activity Logs

Always-on logs that capture Vertex AI resource creation, modification, and deletion. Monitor for unauthorized model deployments, endpoint changes, and dataset modifications.

Data Access Logs

Enable data access audit logs for Vertex AI to track model prediction requests, training data reads, and feature store queries. Essential for compliance and detecting data exfiltration.

Security Command Center

Integrate Vertex AI findings with Security Command Center for centralized vulnerability management. SCC can detect misconfigurations like publicly accessible endpoints or overly permissive IAM bindings.

Log-Based Alerts

Create Cloud Monitoring alerts from audit log patterns. Alert on bulk model downloads, unusual prediction volumes, service account key creation, and IAM policy changes.
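The alert patterns in this section can be expressed as detection logic over the audit entries themselves. The script below is an added example (not from the lesson or from Google) that runs over constructed Cloud Audit Log entries in the shape Cloud Logging exports (protoPayload.serviceName, methodName, resourceName, authenticationInfo.principalEmail) and raises the four alerts named above: model deployments, service account key creation, IAM policy changes, and unusual prediction volume per principal. The method names are the identifiers these APIs write to the audit log; the principals, project id, endpoint id, timestamps and the volume threshold are constructed.

```python
"""Detection logic over Cloud Audit Log entries for Vertex AI.

Added example, not from the lesson. Entries are constructed in the shape
of Cloud Logging audit entries; principals, project id and timestamps are
placeholders. Method names are the real audit-log identifiers.
"""
import json
from collections import Counter

HIGH_RISK_METHODS = {
    "google.cloud.aiplatform.v1.EndpointService.DeployModel": "model deployed to endpoint",
    "google.iam.admin.v1.CreateServiceAccountKey": "service account key created",
    "google.cloud.aiplatform.v1.ModelService.ExportModel": "model exported (bulk download)",
}
PREDICT_METHOD = "google.cloud.aiplatform.v1.PredictionService.Predict"
PREDICT_THRESHOLD = 3          # assumed per-principal ceiling for the log window


def entry(service, method, principal, resource, ts):
    """Build one audit entry with the fields the rules below read."""
    return {"timestamp": ts, "protoPayload": {
        "serviceName": service, "methodName": method, "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal}}}


AI = "aiplatform.googleapis.com"
SA = "@example-project.iam.gserviceaccount.com"
ENDPOINT = "projects/example-project/locations/us-central1/endpoints/42"

# Constructed log: one JSON entry per line, the shape a log sink writes.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    entry(AI, "google.cloud.aiplatform.v1.ModelService.GetModel", "alice@example.com",
          "projects/example-project/locations/us-central1/models/7", "2024-06-01T09:00:00Z"),
    entry(AI, "google.cloud.aiplatform.v1.EndpointService.DeployModel", "alice@example.com",
          ENDPOINT, "2024-06-01T09:05:00Z"),
    entry("iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", "bob@example.com",
          "projects/-/serviceAccounts/vertex-training" + SA, "2024-06-01T09:10:00Z"),
    entry("cloudresourcemanager.googleapis.com", "SetIamPolicy", "bob@example.com",
          "projects/example-project", "2024-06-01T09:11:00Z"),
    *[entry(AI, PREDICT_METHOD, "orders-api" + SA, ENDPOINT, f"2024-06-01T10:{m:02d}:00Z")
      for m in range(4)],
    entry(AI, PREDICT_METHOD, "batch-scorer" + SA, ENDPOINT, "2024-06-01T10:30:00Z"),
])


def analyze(log_text: str) -> list:
    """Return alerts for high-risk methods, IAM changes and prediction volume."""
    findings = []
    predictions = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        payload = json.loads(line)["protoPayload"]
        method, who = payload["methodName"], payload["authenticationInfo"]["principalEmail"]
        if method in HIGH_RISK_METHODS:
            findings.append({"rule": HIGH_RISK_METHODS[method], "principal": who,
                             "detail": payload["resourceName"]})
        elif method.endswith("SetIamPolicy"):       # project- or resource-level policy change
            findings.append({"rule": "IAM policy changed", "principal": who,
                             "detail": payload["resourceName"]})
        elif method == PREDICT_METHOD:
            predictions[who] += 1
    for who, n in predictions.items():
        if n > PREDICT_THRESHOLD:
            findings.append({"rule": "unusual prediction volume", "principal": who,
                             "detail": f"{n} Predict calls in window"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["rule"], "|", f["principal"], "|", f["detail"])
```

Predict entries appear only when Data Access logs are enabled for Vertex AI, as the earlier section notes; without them the volume rule never fires. To run this on real data, read the JSON array that `gcloud logging read --format=json` returns instead of the newline-delimited sample.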

Next Up: In the next lesson, we cover Azure AI Security — Azure Machine Learning security, Managed Identity, Private Endpoints, Key Vault integration, and Azure Monitor for ML.