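\documentclass[10pt,a4paper]{article}

% Preamble of the Cheatography-generated source for the
% "gcloud Incident Investigation Quick Reference" cheat sheet.
% Every statement sits on its own line: on a single physical line the
% first "%" would comment out all the packages and lengths after it.

% Packages
\usepackage{fancyhdr}           % For header and footer
\usepackage{multicol}           % Allows multicols in tables
\usepackage{tabularx}           % Intelligent column widths
\usepackage{tabulary}           % Used in header and footer
\usepackage{hhline}             % Border under tables
\usepackage{graphicx}           % For images
\usepackage{xcolor}             % For hex colours
%\usepackage[utf8x]{inputenc}   % For unicode character support
\usepackage[T1]{fontenc}        % Without this we get weird character replacements
\usepackage{colortbl}           % For coloured tables
\usepackage{setspace}           % For line height
\usepackage{lastpage}           % Needed for total page number
\usepackage{seqsplit}           % Splits long words.
%\usepackage{opensans}          % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem}     % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath}            % Symbols
\usepackage{MnSymbol}           % Symbols
\usepackage{wasysym}            % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{casimkhan}
\pdfinfo{
  /Title (gcloud-incident-investigation-quick-reference.pdf)
  /Creator (Cheatography)
  /Author (casimkhan)
  /Subject (gcloud Incident Investigation Quick Reference Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands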
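% Table helpers used by every block of the cheat sheet.
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{2D409C}
\definecolor{LightBackground}{HTML}{F1F3F8}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
% NOTE: the logo below is referenced by an absolute path on the build host;
% a local copy has to be supplied to compile this file anywhere else.
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\includegraphics[width=5.8cm]{/web/www.cheatography.com/public/images/cheatography_logo.pdf}}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large{\bf{\textcolor{DarkBackground}{\textrm{gcloud Incident Investigation Quick Reference Cheat Sheet}}}} \\
    \normalsize{by \textcolor{DarkBackground}{casimkhan} via \textcolor{DarkBackground}{\uline{cheatography.com/184196/cs/38390/}}}
\end{tabulary}
\end{multicols}}

\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bf\textcolor{white}{Cheatographer}} \\
  \vspace{-2pt}casimkhan \\
  \uline{cheatography.com/casimkhan} \\
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Cheat Sheet}} \\
  \vspace{-2pt}Not Yet Published.\\
  Updated 26th April, 2023.\\
  Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bf\textcolor{white}{Sponsor}} \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{4}

% ---------------------------------------------------------------- GCP Logging
\begin{tabularx}{3.833cm}{p{0.3033 cm} p{0.3033 cm} p{0.3033 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{3.833cm}}{\bf\textcolor{white}{GCP Logging}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{3.833cm}}{{\bf{Default Logs}}} \tn
% Row Count 1 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}---}
% NOTE(review): the three names below are the author's grouping. Cloud Audit
% Logs themselves are split into Admin Activity, Data Access, System Event and
% Policy Denied logs, and Data Access logs are not enabled by default for most
% services -- confirm they were switched on before relying on them.
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{3.833cm}}{The following logs are generally available in GCP: \newline
  {\bf{Activity Logs:}} Record of all activity within a user's GCP project, including operations performed by users, systems, and services. \newline
  {\bf{System Logs:}} Record of system-level events and messages related to the health and performance of GCP services. \newline
  {\bf{Audit Logs:}} Record of administrative and security-related activity, including authentication and authorization events, resource management operations, and data access events.} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

% --------------------------------------------------------------- IAM commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{IAM commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{gcloud iam - manage IAM service accounts and keys}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
% NOTE(review): the identity token printed below is a bearer credential; keep
% it out of tickets, chat and shared shell history.
% NOTE(review): "gcloud auth revoke" acts on the credentials held by the local
% gcloud installation. It is not a containment step for a leaked
% service-account key; that key has to be disabled or deleted on the service
% account itself.
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#To list account name \newline
  gcloud auth list \newline
  gcloud auth activate-service-account {[}ACCOUNT{]} \newline
  gcloud auth print-identity-token -{}-impersonate-service-account=SA@PROJECT\_ID.iam.gserviceaccount.com \newline
  \#Check token info \newline
  curl \seqsplit{"https://oauth2.googleapis.com/tokeninfo?id\_token=ID\_TOKEN"} \newline
  \#Revoke token \newline
  gcloud auth revoke \newline
  \#Find iam roles for organisation \newline
  gcloud iam roles list -{}-organization=my-org-id \newline
  \#Find Specific role \newline
  gcloud iam roles list -{}-organization=my-org-id | grep {[}role-name{]}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% --------------------------------------------------- IAM commands (continued)
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{IAM commands (continued)}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{} \tn
% Row Count 0 (+ 0)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
% The filter names the flattened key explicitly so that only member entries
% are matched, and uses the same placeholder address as the queries below.
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#Search iam policies to specific user on project \newline
  gcloud projects get-iam-policy {[}project-id{]} -{}-flatten="bindings{[}{]}.members" -{}-filter="bindings.members:example-user@example.com" \newline
  \#Search iam policies to specific user across organization \newline
  gcloud asset search-all-iam-policies -{}-scope=organizations/{[}organization\_id{]} -{}-query='policy:example-user@example.com' \newline
  \#Search specific role on specific project \newline
  gcloud asset search-all-iam-policies -{}-scope=projects/{[}project-name{]} -{}-query='policy:roles/owner'} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% ------------------------------------------------------- GCP Folders commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{GCP Folders commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{gcloud alpha resource-manager folders - manage Cloud Folders}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#List folder for a specific organization \newline
  gcloud alpha resource-manager folders list -{}-organization=my-org-id \newline
  \#List folder within folder \newline
  gcloud alpha resource-manager folders list -{}-folder=my-folder-id} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% ----------------------------------------------------------------- gcloud SDK
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{gcloud SDK}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{Google Cloud CLI installation}}} \tn
% Row Count 1 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\seqsplit{https://cloud.google.com/sdk/docs/install} \newline
  {\bf{gcloud commands reference}} \newline
  https://cloud.google.com/sdk/gcloud/reference} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% ------------------------------------------------------ GCP Projects commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{GCP Projects commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{ gcloud projects - create and manage project access policies}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#List projects within organization \newline
  gcloud projects list -{}-filter 'parent.id=my-org-id AND \seqsplit{parent.type=organization'} \newline
  \#List project label information \newline
  gcloud projects describe my-project \newline
  \#View iam policies which user is member of what \newline
  gcloud projects get-iam-policy my-project} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% -------------------------------------------------- GCP Organization commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{GCP Organization commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{gcloud organizations - create and manage GCP Organizations}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#List available organizations for tenant \newline
  gcloud organizations list \newline
  \#Detail description \newline
  gcloud organizations describe my-org-id \newline
  \#Show what policies are enabled \newline
  gcloud resource-manager org-policies list -{}-organization=my-org-id -{}-show-unset \newline
  \#Show all projects within an Organization (e.g.\ Org\_name) by looking at labels \newline
  gcloud projects list -{}-format=json | jq '.{[}{]}.labels | select(.organisation =="my\_org\_name")' | grep projectname | sort -u | wc -l} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% --------------------------------------------------- IAM commands (continued)
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{IAM commands (continued)}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{} \tn
% Row Count 0 (+ 0)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#Find specific reviewer role permissions \newline
  gcloud iam roles describe {[}role-name{]} -{}-organization=my-org-id \newline
  \#Search for a specific permission for a given organization \newline
  gcloud asset search-all-iam-policies -{}-scope=organizations/{[}organization-id{]} -{}-query='policy.role.permissions:resourcemanager.projects.setIamPolicy' \newline
  \#Finding keys creation and expiration date/time of a specific iam service account \newline
  gcloud iam service-accounts keys list -{}-iam-account={[}example@iam.gserviceaccount.com{]}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% -------------------------------------------------------- GCP Bucket commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{GCP Bucket commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{gcloud storage - create and manage Cloud Storage buckets and objects}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
% The two wildcard patterns are restored here: the "*" characters had been
% consumed as emphasis markers and turned into an \emph{} group.
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#To list buckets for specific project \newline
  gsutil ls -p my-project \newline
  \#Prints the object size, creation time stamp, and name of each matching object \newline
  gsutil ls -l gs://bucket/*.html gs://bucket/*.txt \newline
  \#Print additional details \newline
  gsutil ls -L gs://my-project/ \newline
  \#List objects within bucket (-{}-recursive) \newline
  gcloud storage objects list gs://my-project/ -{}-limit=1 \newline
  gcloud storage ls -{}-recursive gs://my-project/} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% ---------------------------------------------- Basic Initialization commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Basic Initialization commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{Initial setup tasks}}} \tn
% Row Count 1 (+ 1)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
% "gcloud config unset" takes only the property name, so the project
% placeholder is dropped from the last command.
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{gcloud init \newline
  \#To verify existing config \newline
  gcloud config list OR gcloud info \newline
  \#To set Project \newline
  gcloud config set project {[}project-name{]} \newline
  \#To remove project \newline
  gcloud config unset project} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% ----------------------------------------------------------- Compute commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Compute commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{gcloud compute - create and manipulate Compute Engine resources}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#To list compute images for particular project \newline
  gcloud compute images list -{}-project={[}project-id{]} \newline
  \#To list compute instances for particular project \newline
  gcloud compute instances list -{}-project={[}project-id{]} \newline
  \#Detail description about the instance \newline
  gcloud compute instances describe my-instance -{}-project=my-project \newline
  \#View in different formatting \newline
  gcloud compute instances describe my-instance -{}-project=my-project -{}-format=flattened} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% ------------------------------------------------ Disk and Snapshots commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Disk and Snapshots commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{Read and manipulate Compute Engine disks/snapshots}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#List disks for a specific project \newline
  gcloud compute disks list -{}-project=my-project \newline
  \#Read metadata info for a specific disk \newline
  gcloud compute disks describe my-disk-name -{}-zone=country-southeast1-a -{}-project=my-project \newline
  \#List snapshots for a project \newline
  gcloud compute snapshots list -{}-project=my-project \newline
  \#Count of snapshots within specific projects \newline
  gcloud compute snapshots list -{}-project=my-project -{}-format='value(NAME)' | wc -l} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% ------------------------------------ Disk and Snapshots commands (continued)
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Disk and Snapshots commands (continued)}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{} \tn
% Row Count 0 (+ 0)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#Create a snapshot of a persistent disk in zone us-central1-a \newline
  gcloud compute disks snapshot test -{}-zone=us-central1-a -{}-snapshot-names=snapshot-test -{}-description="Example snapshot" \newline
  \#Create an image from a snapshot \newline
  gcloud compute images create my-image -{}-source-snapshot=source-snapshot \newline
  \#Export a VMDK file my-image from a project to a Storage bucket \newline
  gcloud compute images export -{}-image=my-image -{}-destination-uri=gs://my-bucket/my-image.vmdk -{}-export-format=vmdk -{}-project=my-project} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% -------------------------------------------- Incident Investigation commands
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Incident Investigation commands}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{{\bf{List of useful commands for incident investigation}}} \tn
% Row Count 2 (+ 2)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#List logs available for project \newline
  gcloud logging logs list -{}-project=my-project \newline
  \#Logs with matching insertId \newline
  gcloud logging read insertId="my-InsertId" -{}-project=my-project \newline
  \# Json format with jq filter on source ip \newline
  gcloud logging read insertId="my-InsertId" -{}-project=my-project -{}-format=json | jq '.{[}{]} \seqsplit{.protoPayload.requestMetadata.callerIp'}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% -------------------------------- Incident Investigation commands (continued)
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Incident Investigation commands (continued)}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{} \tn
% Row Count 0 (+ 0)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#By default, a search returns results for the past 1 day \newline
  \#Use freshness to go beyond 1 day \newline
  -{}-freshness=7d \newline
  \# Finding logs by Principal Email address \newline
  gcloud logging read \seqsplit{"protoPayload.authenticationInfo.principalEmail:'youremail@domain'"} -{}-project=my-project -{}-format=json -{}-limit=1 \newline
  \#Finding logs for specific time \newline
  gcloud logging read 'timestamp\textgreater{}="2023-01-30T18:50:59Z" AND timestamp\textless{}="2023-01-31T00:00:00Z"' -{}-project=my-project -{}-format=json} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% -------------------------------- Incident Investigation commands (continued)
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Incident Investigation commands (continued)}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{} \tn
% Row Count 0 (+ 0)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
% NOTE(review): the time comparison here runs in jq, after gcloud has already
% fetched the entries, so the default one-day search window still limits what
% is returned. For older activity add --freshness or put the timestamp bound
% in the logging filter itself.
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#The trailing Z in a timestamp means it is in UTC \newline
  \#To read logs from specific log source and filter activity matching on time \newline
  gcloud logging read 'logName=projects/{[}my-project{]}/logs/cloudaudit.googleapis.com\%2Factivity' -{}-project=my-project -{}-format=json | jq '.{[}{]} | select(.timestamp \textgreater{}= \seqsplit{"2023-02-03T00:20:18.984704107Z")'} | grep callerIp} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% -------------------------------- Incident Investigation commands (continued)
% NOTE(review): this table repeats the previous one; it is kept because the
% source contains it twice.
\begin{tabularx}{3.833cm}{p{0.3433 cm} p{0.3433 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{2}{x{3.833cm}}{\bf\textcolor{white}{Incident Investigation commands (continued)}} \tn
% Row 0
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{} \tn
% Row Count 0 (+ 0)
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\SetRowColor{LightBackground}
\mymulticolumn{2}{x{3.833cm}}{\#The trailing Z in a timestamp means it is in UTC \newline
  \#To read logs from specific log source and filter activity matching on time \newline
  gcloud logging read 'logName=projects/{[}my-project{]}/logs/cloudaudit.googleapis.com\%2Factivity' -{}-project=my-project -{}-format=json | jq '.{[}{]} | select(.timestamp \textgreater{}= \seqsplit{"2023-02-03T00:20:18.984704107Z")'} | grep callerIp} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}--}
\end{tabularx}
\par\addvspace{1.3em}

% That's all folks
\end{multicols*}

\end{document}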