Get a certification voucher, access to all on-demand training and $500 Google Cloud credits through Innovators Plus. Explore all benefits.

Professional Cloud Security Engineer

Certification exam guide

A Cloud Security Engineer enables organizations to design and implement secure workloads and infrastructure on Google Cloud. Through an understanding of security best practices and industry security requirements, this person designs, develops, and manages a secure solution by using Google security technologies. A Cloud Security Engineer should be proficient in all aspects of cloud security. This includes identity and access management, defining organizational structure and policies, using Google Cloud technologies to provide data protection, configuring network security defenses, monitoring environments for threat detection and incident response, security policy as code, the secure software development lifecycle, and enforcing regulatory controls.

Section 1: Configuring access within a cloud solution environment

1.1 Managing Cloud Identity. Considerations include:

    ●  Configuring Google Cloud Directory Sync and third-party connectors

    ●  Managing a super administrator account

    ●  Automating the user lifecycle management process

    ●  Administering user accounts and groups programmatically

1.2 Managing service accounts. Considerations include:

    ●  Protecting and auditing service accounts and keys

    ●  Automating the rotation of user-managed service account keys

    ●  Identifying scenarios that require service accounts

    ●  Creating, disabling, authorizing, and securing service accounts

    ●  Managing and creating short-lived credentials

    ●  Configuring workload identity federation

    ●  Securing default service accounts

    ●  Managing service account impersonation

1.3 Managing authentication. Considerations include:

    ●  Creating a password and session management policy for user accounts

    ●  Setting up Security Assertion Markup Language (SAML) and OAuth

    ●  Configuring and enforcing two-factor authentication

1.4 Managing and implementing authorization controls. Considerations include:

    ●  Managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions

    ●  Granting permissions to different types of identities

    ●  Managing IAM and access control list (ACL) permissions

    ●  Designing identity roles at the organization, folder, project, and resource level

    ●  Configuring Access Context Manager

    ●  Applying Policy Intelligence for better permission management

    ●  Managing permissions through groups

1.5 Defining resource hierarchy. Considerations include:

    ●  Creating and managing organizations

    ●  Managing organization policies for organization folders, projects, and resources

    ●  Using resource hierarchy for access control and permissions inheritance

Section 2: Configuring perimeter and boundary security

2.1 Designing perimeter security. Considerations include:

    ●  Configuring network perimeter controls (firewall rules, hierarchical firewalls, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service)

    ●  Identifying differences between private and public addressing

    ●  Configuring web application firewall (Google Cloud Armor)

    ●  Configuring Cloud DNS security settings

2.2 Configuring boundary segmentation. Considerations include:

    ●  Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules

    ●  Configuring network isolation and data encapsulation for N-tier application design

    ●  Configuring VPC Service Controls

2.3 Establishing private connectivity. Considerations include:

    ●  Designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts)

    ●  Designing and configuring private connectivity between data centers and VPC network (IPsec and Cloud Interconnect)

    ●  Establishing private connectivity between VPC and Google APIs (Private Google Access, restricted Google access, Private Google Access for on-premises hosts, Private Service Connect)

    ●  Using Cloud NAT to enable outbound traffic

Section 3: Ensuring data protection

3.1 Protecting sensitive data and preventing data loss. Considerations include:

    ●  Inspecting and redacting personally identifiable information (PII)

    ●  Configuring pseudonymization

    ●  Configuring format-preserving substitution

    ●  Restricting access to BigQuery, Cloud Storage, and Cloud SQL datastores

    ●  Securing secrets with Secret Manager

    ●  Protecting and managing compute instance metadata

3.2 Managing encryption at rest, in transit, and in use. Considerations include:

    ●  Understanding use cases for Google default encryption, customer-managed encryption keys (CMEK), customer-supplied encryption keys (CSEK), Cloud External Key Manager (EKM), and Cloud HSM

    ●  Creating and managing encryption keys for CMEK, CSEK, and EKM

    ●  Applying Google's encryption approach to use cases

    ●  Configuring object lifecycle policies for Cloud Storage

    ●  Enabling Confidential Computing

    ●  Encryption in transit

Section 4: Managing operations within a cloud solution environment

4.1 Building and deploying secure infrastructure and applications. Considerations include:

    ●  Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline

    ●  Automating virtual machine image creation, hardening, maintenance, and patch management

    ●  Automating container image creation, verification, hardening, maintenance, and patch management

    ●  Automating policy as code and drift detection

4.2 Configuring logging, monitoring, and detection. Considerations include:

    ●  Configuring and analyzing network logs (firewall rule logs, VPC flow logs, packet mirroring, Cloud Intrusion Detection System [Cloud IDS])

    ●  Designing an effective logging strategy

    ●  Logging, monitoring, responding to, and remediating security incidents

    ●  Exporting logs to external security systems

    ●  Configuring and analyzing Google Cloud audit logs and data access logs

    ●  Configuring log exports (log sinks and aggregated sinks)

    ●  Configuring and monitoring Security Command Center (Security Health Analytics, Event Threat Detection, Container Threat Detection, Web Security Scanner)

Section 5: Supporting compliance requirements

5.1 Determining regulatory requirements for the cloud. Considerations include:

    ●  Determining concerns relative to compute, data, and network

    ●  Evaluating the security shared responsibility model (Access Transparency)

    ●  Configuring security controls within cloud environments (regionalization of data and services)

    ●  Limiting compute and data for regulatory compliance

    ●  Determining the Google Cloud environment in scope for regulatory compliance