Get a certification voucher, access to all on-demand training and $500 Google Cloud credits through Innovators Plus. Explore all benefits.

Professional Cloud Security Engineer

Certification exam guide

A Cloud Security Engineer allows organizations to design and implement secure workloads and infrastructure on Google Cloud. Through an understanding of security best practices and industry requirements, this individual designs, develops, and manages a secure solution by using Google security technologies. A Cloud Security Engineer is proficient in identity and access management, defining organizational security structure and policies, using Google Cloud technologies to provide data protection, configuring network security defenses, monitoring environments for threats, security automation, AI security, the secure software supply chain, and enforcing regulatory controls.


Section 1: Configuring access (~27% of the exam)

1.1 Managing Cloud Identity. Considerations include:

    ●  Configuring Google Cloud Directory Sync and third-party connectors

    ●  Managing a super administrator account

    ●  Automating the user lifecycle management process

    ●  Administering user accounts and groups programmatically

    ●  Configuring Workforce Identity Federation

1.2 Managing service accounts. Considerations include:

    ●  Securing and protecting service accounts (including default service accounts)

    ●  Identifying scenarios requiring service accounts

    ●  Creating, disabling, and authorizing service accounts

    ●  Securing, auditing and mitigating the usage of service account keys

    ●  Managing and creating short-lived credentials

    ●  Configuring Workload Identity Federation

    ●  Managing service account impersonation

1.3 Managing authentication. Considerations include:

    ●  Creating a password and session management policy for user accounts

    ●  Setting up Security Assertion Markup Language (SAML) and OAuth

    ●  Configuring and enforcing two-step verification

1.4 Managing and implementing authorization controls. Considerations include:

    ●  Managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions

    ●  Managing IAM and access control list (ACL) permissions

    ●  Granting permissions to different types of identities, including using IAM conditions and IAM deny policies

    ●  Designing identity roles at the organization, folder, project, and resource level

    ●  Configuring Access Context Manager

    ●  Applying Policy Intelligence for better permission management

    ●  Managing permissions through groups

1.5 Defining resource hierarchy. Considerations include:

    ●  Creating and managing organizations at scale

    ●  Managing organization policies for organization folders, projects, and resources

    ●  Using resource hierarchy for access control and permissions inheritance

Section 2: Securing communications and establishing boundary protection (~21% of the exam)

2.1 Designing and configuring perimeter security. Considerations include:

    ●  Configuring network perimeter controls (firewall rules, hierarchical firewall policies, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service)

    ●  Differentiating between private and public IP addressing

    ●  Configuring web application firewall (Google Cloud Armor)

    ●  Deploying Secure Web Proxy

    ●  Configuring Cloud DNS security settings

    ●  Continually monitoring and restricting configured APIs

2.2 Configuring boundary segmentation. Considerations include:

    ●  Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules

    ●  Configuring network isolation and data encapsulation for N-tier applications

    ●  Configuring VPC Service Controls

2.3 Establishing private connectivity. Considerations include:

    ●  Designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts)

    ●  Designing and configuring private connectivity between data centers and VPC network (HA-VPN, IPsec, MACsec, and Cloud Interconnect)

    ●  Establishing private connectivity between VPC and Google APIs (Private Google Access, Private Google Access for on-premises hosts, restricted Google access, Private Service Connect)

    ●  Using Cloud NAT to enable outbound traffic

Section 3: Ensuring data protection (~20% of the exam)

3.1 Protecting sensitive data and preventing data loss. Considerations include:

    ●  Inspecting and redacting personally identifiable information (PII)

    ●  Ensuring continuous discovery of sensitive data (structured and unstructured)

    ●  Configuring pseudonymization

    ●  Configuring format-preserving encryption

    ●  Restricting access to BigQuery, Cloud Storage, and Cloud SQL datastores

    ●  Securing secrets with Secret Manager

    ●  Protecting and managing compute instance metadata

3.2 Managing encryption at rest, in transit, and in use. Considerations include:

    ●  Identifying use cases for Google default encryption, customer-managed encryption keys (CMEK), Cloud External Key Manager (EKM), and Cloud HSM

    ●  Creating and managing encryption keys for CMEK and EKM

    ●  Applying Google's encryption approach to use cases

    ●  Configuring object lifecycle policies for Cloud Storage

    ●  Enabling Confidential Computing

3.3 Planning for security and privacy in AI. Considerations include:

    ●  Implementing security controls for AI/ML systems (e.g., protecting against unintentional exploitation of data or models)

    ●  Determining security requirements for IaaS-hosted and PaaS-hosted training models

Section 4: Managing operations (~22% of the exam)

4.1 Automating infrastructure and application security. Considerations include:

    ●  Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline

    ●  Configuring Binary Authorization to secure GKE clusters or Cloud Run

    ●  Automating virtual machine image creation, hardening, maintenance, and patch management

    ●  Automating container image creation, verification, hardening, maintenance, and patch management

    ●  Managing policy and drift detection at scale (custom organization policies and custom modules for Security Health Analytics)

4.2 Configuring logging, monitoring, and detection. Considerations include:

    ●  Configuring and analyzing network logs (Firewall Rules Logging, VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics)

    ●  Designing an effective logging strategy

    ●  Logging, monitoring, responding to, and remediating security incidents

    ●  Designing secure access to logs

    ●  Exporting logs to external security systems

    ●  Configuring and analyzing Google Cloud audit logs and data access logs

    ●  Configuring log exports (log sinks and aggregated sinks)

    ●  Configuring and monitoring Security Command Center

Section 5: Supporting compliance requirements (~10% of the exam)

5.1 Determining regulatory requirements for the cloud. Considerations include:

    ●  Determining concerns relative to compute, data, network, and storage

    ●  Evaluating the shared responsibility model

    ●  Configuring security controls within cloud environments to support compliance requirements (regionalization of data and services)

    ●  Restricting compute and data for regulatory compliance (Assured Workloads, organizational policies, Access Transparency, Access Approval)

    ●  Determining the Google Cloud environment in scope for regulatory compliance