The Professional Cloud Security Engineer certification focuses on designing and implementing secure workloads and infrastructure on Google Cloud. The exam tests your ability to:
- Configure secure access management
- Establish secure network boundaries
- Ensure proper data protection
- Manage security operations
- Support compliance requirements
Helpful resources:
- Google Cloud Directory Sync (GCDS):
- Synchronizes users and groups from existing LDAP/Active Directory to Google Cloud
- Doesn't migrate passwords; only syncs identity information
- Single Sign-On (SSO):
- Configure SAML 2.0 with third-party IdPs like Okta, Azure AD, etc.
- Allows for centralized authentication management
- Super Administrator Account:
- Highest privilege role in Google Workspace/Cloud Identity
- Best practices:
- Have at least 2 super admin accounts (for redundancy)
- Use separate accounts from daily operations
- Enable 2-step verification
- Review super admin actions regularly
- User Lifecycle Management:
- Automate using Cloud Identity API
- Implement automated onboarding/offboarding workflows
- Use Google Groups for managing role-based access
- Programmatic Administration:
- Use Directory API, Admin SDK, Cloud Identity API
- Implement scripts to automate user/group management
- Workforce Identity Federation:
- Allows 3rd party identity provider access to Google Cloud services
- No need to sync users to Cloud Identity
- Configure trust between Google Cloud and external IdP
- Map attributes from IdP to Google Cloud
Helpful links:
- Cloud Identity documentation
- Google Cloud Directory Sync
- Setting up SSO
- Workforce Identity Federation
- Service Account Security Best Practices:
- Treat service accounts like user accounts (or more strictly)
- Delete unused default service accounts
- Follow least privilege principle
- Regularly audit service account permissions
- Use Cases for Service Accounts:
- Running applications on Compute Engine, GKE
- Executing administrative tasks from scripts/applications
- Service-to-service authentication
- Delegating domain-wide authority in Google Workspace
- Service Account Management:
- Create only when necessary
- Disable unused accounts
- Use IAM roles to authorize service accounts
- Service Account Keys Management:
- Avoid keys when possible (use other auth methods)
- Rotate keys regularly
- Store keys securely (Secret Manager)
- Monitor key usage
- Audit key creation and downloads
- Short-lived Credentials:
- Prefer over long-lived keys
- Use Service Account Token Creator role
- Implement with signJwt or signBlob IAM methods
- Workload Identity Federation:
- Allow applications outside Google Cloud to use IAM
- Configure identity pool and provider
- Map external identity to service account
- Service Account Impersonation:
- Temporarily assume service account permissions
- Use
--impersonate-service-accountin gcloud - Grant Service Account Token Creator role
Helpful links:
- Service Accounts overview
- Service Account best practices
- Workload Identity Federation
- Service Account Impersonation
- Password and Session Management:
- Define password complexity requirements
- Set password expiration policies
- Configure session timeouts
- Implement password reset procedures
- SAML and OAuth:
- Set up SAML for enterprise IdP integration
- Configure OAuth for third-party application access
- Understand token-based authentication flows
- 2-Step Verification:
- Enforce MFA for all users
- Support multiple authentication factors (phone, security key, etc.)
- Configure verification frequency
- Set up backup codes process
Helpful links:
- IAM Roles and Permissions:
- Basic roles: Owner, Editor, Viewer (avoid when possible)
- Predefined roles: Service-specific roles with curated permissions
- Custom roles: Build your own permission sets
- Separation of Duties:
- Split sensitive permissions across multiple roles
- Ensure no single individual can perform all critical functions
- Establish approval workflows for sensitive operations
- IAM Conditions:
- Apply conditional logic to IAM policies:
- Time-based access
- Resource attribute-based
- Request attribute-based
- Apply conditional logic to IAM policies:
- IAM Deny Policies:
- Explicitly deny permissions
- Override allow policies
- Set at organization/folder level
- Resource Hierarchy:
- Organization → Folders → Projects → Resources
- Define access at each level
- Apply principle of least privilege
- Access Context Manager:
- Define access levels based on attributes (IP, device, etc.)
- Implement context-aware access control
- Use with VPC Service Controls
- Policy Intelligence:
- Recommender for IAM
- IAM Policy Analyzer
- Policy Troubleshooter
- Policy Insights
- Group-based Permissions:
- Assign roles to groups instead of individual users
- Manage group membership centrally
- Implement role-based access control
- Privileged Access Manager:
- Just-in-time access to sensitive resources
- Time-bound elevation of privileges
- Approval workflows for privileged access
Helpful links:
- IAM overview
- Understanding roles
- Creating custom roles
- IAM conditions
- IAM deny policies
- Access Context Manager
- Policy Intelligence
- Managing at Scale:
- Use folders to organize projects by department, environment, etc.
- Implement naming conventions
- Utilize labels for resource categorization
- Organization Policies:
- Define constraints on resources
- Implement guardrails (e.g., restrict resource creation in certain regions)
- Pre-built or custom constraints
- Inheritance Model:
- Policies inherit down the hierarchy
- Child policies can't remove parent restrictions
- Most restrictive policy applies
Helpful links:
- Cloud NGFW (Next Generation Firewall):
- Hierarchical firewall policies
- Global and regional rules
- Service perimeters
- Identity-Aware Proxy (IAP):
- Context-aware access to applications
- Layer 7 protection for web apps and VMs
- Centralized authentication and authorization
- Load Balancers:
- SSL/TLS termination
- Certificate management
- Health checks and traffic distribution
- Certificate Authority Service:
- Deploy and manage private CAs
- Issue certificates for internal services
- Integrate with Certificate Manager
- Layer 7 Inspection:
- Application-level filtering
- Content inspection
- Protocol validation
- Private vs Public IP Addressing:
- Internal vs external IP allocation
- When to use each type
- Security implications
- Google Cloud Armor:
- DDoS protection
- WAF capabilities
- Pre-configured and custom rules
- Edge protection
- Secure Web Proxy:
- URL filtering
- TLS inspection
- Data loss prevention
- Centralized egress control
- Cloud DNS Security:
- DNS Security Extensions (DNSSEC)
- Private DNS zones
- DNS policies and logging
- API Monitoring and Restriction:
- Service usage monitoring
- API key restrictions
- Quota management
- Service control policies
Helpful links:
- Cloud NGFW documentation
- Identity-Aware Proxy
- Cloud Load Balancing
- Certificate Authority Service
- Google Cloud Armor
- Secure Web Proxy
- Cloud DNS Security
- VPC Security Properties:
- Subnet configuration
- Private Google Access
- Custom routes
- Flow logs
- VPC Peering:
- Connect VPCs without exposing to internet
- No transitive peering
- Security considerations
- Shared VPC:
- Centralized network administration
- Service project access controls
- Host project permissions
- Firewall Rules:
- Hierarchical firewall policies
- Network tags
- Service accounts in rules
- Ingress/egress control
- N-tier Application Isolation:
- Network segmentation by function
- Defense in depth approach
- Data flow controls
- VPC Service Controls:
- Service perimeters
- Access levels
- Ingress/egress policies
- Mitigate data exfiltration risks
Helpful links:
- VPC Network Connectivity:
- Shared VPC
- VPC peering
- Private Google Access for on-premises
- Private Connectivity to Data Centers:
- Cloud VPN (High Availability)
- Site-to-site encrypted tunnels
- BGP for dynamic routing
- Cloud Interconnect
- Dedicated Interconnect (physical)
- Partner Interconnect (via provider)
- VLAN attachments
- Cloud VPN (High Availability)
- Private Access to Google APIs:
- Private Google Access
- Private Service Connect
- Restricted Google Access
- Cloud NAT:
- Source NAT for outbound connections
- Configure for VMs without external IPs
- Regional service with redundancy
Helpful links:
- Sensitive Data Protection (SDP):
- Data discovery for PII
- De-identification techniques:
- Masking
- Tokenization
- Redaction
- Content inspection
- Format-preserving encryption
- Data Service Access Restrictions:
- BigQuery authorized views and row-level security
- Cloud Storage ACLs and signed URLs
- Cloud SQL authorized networks and IAM
- Secret Manager:
- Centralized secret storage
- Version control for secrets
- IAM integration
- Automatic rotation
- Compute Instance Metadata:
- Secure metadata server access
- Custom metadata protection
- Block project-wide SSH keys
Helpful links:
- Sensitive Data Protection
- Data Governance in BigQuery
- Cloud Storage security
- Cloud SQL security
- Secret Manager
- Compute Engine metadata
- Encryption Types:
- Google default encryption (always on)
- Customer-managed encryption keys (CMEK)
- Customer-supplied encryption keys (CSEK)
- External Key Manager (EKM)
- Key Management:
- Cloud KMS for key management
- Hardware Security Modules (Cloud HSM)
- Key rotation policies
- Key import procedures
- Use Cases by Service:
- Storage: CMEK, EKM
- Compute: Encrypted disks, confidential computing
- Databases: CMEK integration
- Cloud Storage Lifecycle:
- Automatic transition between storage classes
- Retention policies
- Object versioning
- Lifecycle conditions
- Confidential Computing:
- Memory encryption with AMD SEV
- Confidential VMs
- Confidential GKE Nodes
- Encrypted-in-use data processing
Helpful links:
- Encryption at rest in Google Cloud
- Cloud KMS documentation
- Cloud HSM
- External Key Manager
- Cloud Storage object lifecycle
- Confidential Computing
- AI/ML System Protection:
- Data isolation
- Model access controls
- Training/serving security boundaries
- Training Model Security:
- IaaS-hosted (self-managed)
- Secure compute environments
- Network isolation
- PaaS-hosted (managed)
- Service-specific security controls
- Integration with IAM
- IaaS-hosted (self-managed)
- Vertex AI Security Controls:
- CMEK encryption
- VPC-SC integration
- Private endpoints
- IAM roles for model access
Helpful links:
- Security Scanning in CI/CD:
- Container vulnerability scanning
- Code scanning tools
- Artifact scanning
- Automated remediation
- Binary Authorization:
- Image signature verification
- Attestation authorities
- Policy enforcement
- Integration with GKE and Cloud Run
- Automated Image Creation:
- Hardening templates
- Packer for VM images
- Container image best practices
- Patch management automation
- Policy and Drift Detection:
- Cloud Security Posture Management
- Custom organization policies
- Security Health Analytics
- Configuration monitoring
Helpful links:
- Container security scanning
- Binary Authorization
- OS hardening and patching
- Security Command Center posture management
- Network Logs:
- VPC Flow Logs
- Cloud NGFW logs
- Packet Mirroring
- Cloud IDS
- Logging Strategy:
- Centralized log management
- Log retention policies
- Log aggregation
- Cost optimization
- Security Incident Response:
- Detection mechanisms
- Response playbooks
- Remediation procedures
- Post-incident analysis
- Secure Log Access:
- IAM for logs access
- Separation of duties
- Log-based metrics
- External Log Export:
- Log sinks to external SIEM
- Pub/Sub integration
- BigQuery analytics
- Cloud Storage archival
- Audit Logs:
- Admin Activity logs (always on)
- Data Access logs (configurable)
- System Event logs
- Policy Denied logs
- Log Exports:
- Project, folder, and org-level sinks
- Aggregated sinks
- Exclusion filters
- Real-time exports
- Security Command Center:
- Threat detection
- Security posture dashboard
- Vulnerability management
- Integration with Chronicle
Helpful links:
- VPC Flow Logs
- Cloud Logging
- Cloud Monitoring
- Cloud Audit Logs
- Security Command Center
- Cloud IDS
- Packet Mirroring
- Technical Compliance Needs:
- Compute: Isolation, hardening
- Data: Encryption, residency, retention
- Network: Segmentation, encryption
- Storage: Integrity, durability
- Shared Responsibility Model:
- Google responsibilities
- Customer responsibilities
- Service model variations (IaaS, PaaS, SaaS)
- Compliance Controls:
- Assured Workloads for regulated industries
- Organization policies
- Access Transparency
- Access Approval
- Data residency configuration
- Determining Scope:
- Resource inclusion/exclusion
- Logical boundaries
- Risk assessment
- Compliance mapping
- Compliance Mapping:
- Mapping requirements to GCP services
- Demonstrating control effectiveness
- Documentation for audits
- Continuous compliance monitoring
Helpful links:
- Google Cloud compliance offerings
- Assured Workloads
- Access Approval
- Data residency
- Shared responsibility model
- Focus on hands-on experience with key security services
- Learn how to integrate multiple security controls
- Understand the security implications of architectural decisions
- Review Google Cloud Security best practices documentation
- Practice implementing security controls across different resource types
- Master IAM concepts and the resource hierarchy
Additional Helpful Resources: