Overview
The Professional Cloud Security Engineer certification focuses on designing and implementing secure workloads and infrastructure on Google Cloud. The exam tests your ability to:
- Configure secure access management
- Establish secure network boundaries
- Ensure proper data protection
- Manage security operations
- Support compliance requirements
Section 1: Configuring Access (~25% of exam)
1.1 Managing Cloud Identity
- Google Cloud Directory Sync (GCDS):
  - Synchronizes users and groups from an existing LDAP/Active Directory to Google Cloud
  - Doesn’t migrate passwords; only syncs identity information
- Single Sign-On (SSO):
  - Configure SAML 2.0 with third-party IdPs such as Okta, Azure AD, etc.
  - Allows for centralized authentication management
- Super Administrator Account:
  - Highest privilege role in Google Workspace/Cloud Identity
  - Best practices:
    - Have at least 2 super admin accounts (for redundancy)
    - Use separate accounts from daily operations
    - Enable 2-step verification
    - Review super admin actions regularly
- User Lifecycle Management:
  - Automate using the Cloud Identity API
  - Implement automated onboarding/offboarding workflows
  - Use Google Groups for managing role-based access
- Programmatic Administration:
  - Use the Directory API, Admin SDK, and Cloud Identity API
  - Implement scripts to automate user/group management
- Workforce Identity Federation:
  - Lets users from a third-party identity provider access Google Cloud services
  - No need to sync users to Cloud Identity
  - Configure trust between Google Cloud and the external IdP
  - Map attributes from the IdP to Google Cloud
Helpful links:
- Cloud Identity documentation
- Google Cloud Directory Sync
- Setting up SSO
- Workforce Identity Federation
1.2 Managing Service Accounts
- Service Account Security Best Practices:
  - Treat service accounts like user accounts (or more strictly)
  - Delete unused default service accounts
  - Follow the least privilege principle
  - Regularly audit service account permissions
- Use Cases for Service Accounts:
  - Running applications on Compute Engine or GKE
  - Executing administrative tasks from scripts/applications
  - Service-to-service authentication
  - Delegating domain-wide authority in Google Workspace
- Service Account Management:
  - Create only when necessary
  - Disable unused accounts
  - Use IAM roles to authorize service accounts
- Service Account Key Management:
  - Avoid keys when possible (use other auth methods)
  - Rotate keys regularly
  - Store keys securely (Secret Manager)
  - Monitor key usage
  - Audit key creation and downloads
- Short-lived Credentials:
  - Prefer over long-lived keys
  - Use the Service Account Token Creator role
  - Implement with the signJwt or signBlob IAM methods
- Workload Identity Federation:
  - Allows applications outside Google Cloud to use IAM
  - Configure an identity pool and provider
  - Map the external identity to a service account
- Service Account Impersonation:
  - Temporarily assume a service account’s permissions
  - Use --impersonate-service-account in gcloud
  - Grant the Service Account Token Creator role
Helpful links:
- Service Accounts overview
- Service Account best practices
- Workload Identity Federation
- Service Account Impersonation
1.3 Managing Authentication
- Password and Session Management:
  - Define password complexity requirements
  - Set password expiration policies
  - Configure session timeouts
  - Implement password reset procedures
- SAML and OAuth:
  - Set up SAML for enterprise IdP integration
  - Configure OAuth for third-party application access
  - Understand token-based authentication flows
- 2-Step Verification:
  - Enforce MFA for all users
  - Support multiple authentication factors (phone, security key, etc.)
  - Configure verification frequency
  - Set up a backup codes process
1.4 Managing Authorization Controls
- IAM Roles and Permissions:
  - Basic roles: Owner, Editor, Viewer (avoid when possible)
  - Predefined roles: Service-specific roles with curated permissions
  - Custom roles: Build your own permission sets
- Separation of Duties:
  - Split sensitive permissions across multiple roles
  - Ensure no single individual can perform all critical functions
  - Establish approval workflows for sensitive operations
- IAM Conditions:
  - Apply conditional logic to IAM policies:
    - Time-based access
    - Resource attribute-based
    - Request attribute-based
- IAM Deny Policies:
  - Explicitly deny permissions
  - Take precedence over allow policies
  - Set at organization/folder level
- Resource Hierarchy:
  - Organization → Folders → Projects → Resources
  - Define access at each level
  - Apply the principle of least privilege
- Access Context Manager:
  - Define access levels based on attributes (IP, device, etc.)
  - Implement context-aware access control
  - Use with VPC Service Controls
- Policy Intelligence:
  - IAM Recommender
  - IAM Policy Analyzer
  - Policy Troubleshooter
  - Policy Insights
- Group-based Permissions:
  - Assign roles to groups instead of individual users
  - Manage group membership centrally
  - Implement role-based access control
- Privileged Access Manager:
  - Just-in-time access to sensitive resources
  - Time-bound elevation of privileges
  - Approval workflows for privileged access
Helpful links:
- IAM overview
- Understanding roles
- Creating custom roles
- IAM conditions
- IAM deny policies
- Access Context Manager
- Policy Intelligence
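An added example (not from this guide) that turns the section 1.4 points into a check: it reads an IAM allow policy in the JSON shape that gcloud returns for a project and flags basic roles, public principals, direct user bindings (rather than groups), and privileged roles granted without a time-bound condition. The sample policy, the project and principal names, and the set of roles treated as privileged are constructed assumptions.

```python
# Audit an IAM allow policy against the section 1.4 practices.
# Input shape matches `gcloud projects get-iam-policy PROJECT --format=json`.

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Roles that should carry an expiry condition when granted (assumption for this example)
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                    "roles/iam.serviceAccountTokenCreator"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def audit_policy(policy: dict) -> list[str]:
    """Return one finding string per problem found in the policy bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        cond = binding.get("condition") or {}
        # A CEL expression on request.time is how IAM conditions express expiry
        has_expiry = "request.time" in cond.get("expression", "")
        if role in BASIC_ROLES:
            findings.append(f"basic role granted: {role}")
        if role in PRIVILEGED_ROLES and not has_expiry:
            findings.append(f"privileged role without time-bound condition: {role}")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"public principal {member} on {role}")
            elif member.startswith("user:"):
                findings.append(f"direct user binding (use a group): {member} on {role}")
    return findings


# Constructed sample policy: one bad editor grant, one public bucket role,
# one well-scoped, time-bound admin grant, one group-based viewer grant.
SAMPLE_POLICY = {
    "version": 3,
    "bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/iam.securityAdmin",
         "members": ["group:sec-admins@example.com"],
         "condition": {"title": "expires",
                       "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")'}},
        {"role": "roles/logging.viewer", "members": ["group:auditors@example.com"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```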
1.5 Defining Resource Hierarchy
- Managing at Scale:
  - Use folders to organize projects by department, environment, etc.
  - Implement naming conventions
  - Utilize labels for resource categorization
- Organization Policies:
  - Define constraints on resources
  - Implement guardrails (e.g., restrict resource creation in certain regions)
  - Pre-built or custom constraints
- Inheritance Model:
  - Policies inherit down the hierarchy
  - Child policies can’t remove parent restrictions
  - Most restrictive policy applies
Section 2: Securing Communications and Boundary Protection (~22% of exam)
2.1 Designing Perimeter Security
- Cloud NGFW (Next Generation Firewall):
  - Hierarchical firewall policies
  - Global and regional rules
  - Service perimeters
- Identity-Aware Proxy (IAP):
  - Context-aware access to applications
  - Layer 7 protection for web apps and VMs
  - Centralized authentication and authorization
- Load Balancers:
  - SSL/TLS termination
  - Certificate management
  - Health checks and traffic distribution
- Certificate Authority Service:
  - Deploy and manage private CAs
  - Issue certificates for internal services
  - Integrate with Certificate Manager
- Layer 7 Inspection:
  - Application-level filtering
  - Content inspection
  - Protocol validation
- Private vs Public IP Addressing:
  - Internal vs external IP allocation
  - When to use each type
  - Security implications
- Google Cloud Armor:
  - DDoS protection
  - WAF capabilities
  - Pre-configured and custom rules
  - Edge protection
- Secure Web Proxy:
  - URL filtering
  - TLS inspection
  - Data loss prevention
  - Centralized egress control
- Cloud DNS Security:
  - DNS Security Extensions (DNSSEC)
  - Private DNS zones
  - DNS policies and logging
- API Monitoring and Restriction:
  - Service usage monitoring
  - API key restrictions
  - Quota management
  - Service control policies
Helpful links:
- Cloud NGFW documentation
- Identity-Aware Proxy
- Cloud Load Balancing
- Certificate Authority Service
- Google Cloud Armor
- Secure Web Proxy
- Cloud DNS Security
2.2 Configuring Boundary Segmentation
- VPC Security Properties:
  - Subnet configuration
  - Private Google Access
  - Custom routes
  - Flow logs
- VPC Peering:
  - Connect VPCs without exposing them to the internet
  - No transitive peering
  - Security considerations
- Shared VPC:
  - Centralized network administration
  - Service project access controls
  - Host project permissions
- Firewall Rules:
  - Hierarchical firewall policies
  - Network tags
  - Service accounts in rules
  - Ingress/egress control
- N-tier Application Isolation:
  - Network segmentation by function
  - Defense in depth approach
  - Data flow controls
- VPC Service Controls:
  - Service perimeters
  - Access levels
  - Ingress/egress policies
  - Mitigate data exfiltration risks
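An added example (not from this guide) for the Firewall Rules points above: it reviews VPC firewall rules in the JSON shape that gcloud lists them in, and flags ingress rules that expose SSH/RDP to any source and rules with neither a target tag nor a target service account, which apply to every instance in the network. The rule set, project and service account names are constructed; the IAP TCP-forwarding source range is the one Google documents for that service.

```python
# Review VPC firewall rules for two segmentation weaknesses from section 2.2.
# Input shape matches `gcloud compute firewall-rules list --format=json`.

ADMIN_PORTS = {22, 3389}  # SSH and RDP
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def port_matches(spec: str, port: int) -> bool:
    """Check a gcloud port spec ('22' or a range like '20-25') against one port."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def review_rules(rules: list[dict]) -> list[str]:
    """Return one finding per weak ingress rule; disabled and egress rules are skipped."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        name = rule["name"]
        open_to_world = bool(set(rule.get("sourceRanges", [])) & ANY_SOURCE)
        for allowed in rule.get("allowed", []):
            ports = allowed.get("ports")  # absent means every port of that protocol
            if open_to_world and allowed.get("IPProtocol") in ("tcp", "all"):
                if ports is None or any(port_matches(p, ap) for p in ports for ap in ADMIN_PORTS):
                    findings.append(f"{name}: admin port reachable from any source")
                    break
        # Without a target tag or service account the rule binds to all instances
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append(f"{name}: no target tag or service account (applies to all instances)")
    return findings


# Constructed sample: one over-broad SSH rule, one SSH rule scoped to IAP's
# forwarding range and a tag, one web rule scoped by service account, one egress rule.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["ssh-via-iap"]},
    {"name": "web-ingress", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}],
     "targetServiceAccounts": ["web@demo-proj.iam.gserviceaccount.com"]},
    {"name": "deny-all-egress", "direction": "EGRESS", "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print(finding)
```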
2.3 Establishing Private Connectivity
- VPC Network Connectivity:
  - Shared VPC
  - VPC peering
  - Private Google Access for on-premises
- Private Connectivity to Data Centers:
  - Cloud VPN (High Availability)
    - Site-to-site encrypted tunnels
    - BGP for dynamic routing
  - Cloud Interconnect
    - Dedicated Interconnect (physical)
    - Partner Interconnect (via provider)
    - VLAN attachments
- Private Access to Google APIs:
  - Private Google Access
  - Private Service Connect
  - Restricted Google Access
- Cloud NAT:
  - Source NAT for outbound connections
  - Configure for VMs without external IPs
  - Regional service with redundancy
Section 3: Ensuring Data Protection (~23% of exam)
3.1 Protecting Sensitive Data
- Sensitive Data Protection (SDP):
  - Data discovery for PII
  - Content inspection
  - De-identification techniques:
    - Masking
    - Tokenization
    - Redaction
    - Format-preserving encryption
- Data Service Access Restrictions:
  - BigQuery authorized views and row-level security
  - Cloud Storage ACLs and signed URLs
  - Cloud SQL authorized networks and IAM
- Secret Manager:
  - Centralized secret storage
  - Version control for secrets
  - IAM integration
  - Automatic rotation
- Compute Instance Metadata:
  - Secure metadata server access
  - Custom metadata protection
  - Block project-wide SSH keys
Helpful links:
- Sensitive Data Protection
- Data Governance in BigQuery
- Cloud Storage security
- Cloud SQL security
- Secret Manager
- Compute Engine metadata
3.2 Managing Encryption
- Encryption Types:
  - Google default encryption (always on)
  - Customer-managed encryption keys (CMEK)
  - Customer-supplied encryption keys (CSEK)
  - External Key Manager (EKM)
- Key Management:
  - Cloud KMS for key management
  - Hardware Security Modules (Cloud HSM)
  - Key rotation policies
  - Key import procedures
- Use Cases by Service:
  - Storage: CMEK, EKM
  - Compute: Encrypted disks, confidential computing
  - Databases: CMEK integration
- Cloud Storage Lifecycle:
  - Automatic transition between storage classes
  - Retention policies
  - Object versioning
  - Lifecycle conditions
- Confidential Computing:
  - Memory encryption with AMD SEV
  - Confidential VMs
  - Confidential GKE Nodes
  - Encrypted-in-use data processing
Helpful links:
- Encryption at rest in Google Cloud
- Cloud KMS documentation
- Cloud HSM
- External Key Manager
- Cloud Storage object lifecycle
- Confidential Computing
3.3 Securing AI Workloads
- AI/ML System Protection:
  - Data isolation
  - Model access controls
  - Training/serving security boundaries
- Training Model Security:
  - IaaS-hosted (self-managed)
    - Secure compute environments
    - Network isolation
  - PaaS-hosted (managed)
    - Service-specific security controls
    - Integration with IAM
- Vertex AI Security Controls:
  - CMEK encryption
  - VPC-SC integration
  - Private endpoints
  - IAM roles for model access
Section 4: Managing Operations (~19% of exam)
4.1 Automating Security
- Security Scanning in CI/CD:
  - Container vulnerability scanning
  - Code scanning tools
  - Artifact scanning
  - Automated remediation
- Binary Authorization:
  - Image signature verification
  - Attestation authorities
  - Policy enforcement
  - Integration with GKE and Cloud Run
- Automated Image Creation:
  - Hardening templates
  - Packer for VM images
  - Container image best practices
  - Patch management automation
- Policy and Drift Detection:
  - Cloud Security Posture Management
  - Custom organization policies
  - Security Health Analytics
  - Configuration monitoring
Helpful links:
- Container security scanning
- Binary Authorization
- OS hardening and patching
- Security Command Center posture management
4.2 Logging, Monitoring, and Detection
- Network Logs:
  - VPC Flow Logs
  - Cloud NGFW logs
  - Packet Mirroring
  - Cloud IDS
- Logging Strategy:
  - Centralized log management
  - Log retention policies
  - Log aggregation
  - Cost optimization
- Security Incident Response:
  - Detection mechanisms
  - Response playbooks
  - Remediation procedures
  - Post-incident analysis
- Secure Log Access:
  - IAM for log access
  - Separation of duties
  - Log-based metrics
- External Log Export:
  - Log sinks to an external SIEM
  - Pub/Sub integration
  - BigQuery analytics
  - Cloud Storage archival
- Audit Logs:
  - Admin Activity logs (always on)
  - Data Access logs (configurable)
  - System Event logs
  - Policy Denied logs
- Log Exports:
  - Project, folder, and org-level sinks
  - Aggregated sinks
  - Exclusion filters
  - Real-time exports
- Security Command Center:
  - Threat detection
  - Security posture dashboard
  - Vulnerability management
  - Integration with Chronicle
Helpful links:
- VPC Flow Logs
- Cloud Logging
- Cloud Monitoring
- Cloud Audit Logs
- Security Command Center
- Cloud IDS
- Packet Mirroring
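An added example (not from this guide) that serves both the section 1.2 advice to audit service account key creation and the Audit Logs points above: it scans Admin Activity audit entries exported as JSON lines by a log sink and raises an alert for service account key creation and for SetIamPolicy calls that add a basic role. The three log lines are constructed samples trimmed to the fields the detector reads; the project, principals and service account names are placeholders.

```python
import json

# Admin Activity audit logs carry this suffix in logName; Data Access logs do not.
ACTIVITY_LOG_SUFFIX = "cloudaudit.googleapis.com%2Factivity"
KEY_CREATE_METHOD = "google.iam.admin.v1.CreateServiceAccountKey"
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON LogEntry records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(entries: list[dict]) -> list[tuple[str, str]]:
    """Return (severity, message) tuples for entries that warrant an alert."""
    alerts = []
    for entry in entries:
        if not entry.get("logName", "").endswith(ACTIVITY_LOG_SUFFIX):
            continue  # only Admin Activity entries are of interest here
        payload = entry.get("protoPayload", {})
        who = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        method = payload.get("methodName", "")
        if method == KEY_CREATE_METHOD:
            alerts.append(("HIGH", f"{who} created a key for {payload.get('resourceName')}"))
        elif method.endswith("SetIamPolicy"):
            # bindingDeltas lists each ADD/REMOVE the call made to the policy
            deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
            for delta in deltas:
                if delta.get("action") == "ADD" and delta.get("role") in BASIC_ROLES:
                    alerts.append(("HIGH", f"{who} granted {delta['role']} to {delta['member']}"))
    return alerts


# Constructed sample export: a key creation, an Owner grant, and a benign read.
SAMPLE_LOG = """
{"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "authenticationInfo": {"principalEmail": "dev@example.com"}, "resourceName": "projects/-/serviceAccounts/app-sa@demo-proj.iam.gserviceaccount.com"}}
{"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity", "protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "admin@example.com"}, "resourceName": "projects/demo-proj", "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:contractor@example.com"}, {"action": "REMOVE", "role": "roles/viewer", "member": "group:readers@example.com"}]}}}}
{"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access", "protoPayload": {"methodName": "google.iam.admin.v1.GetServiceAccount", "authenticationInfo": {"principalEmail": "ci@demo-proj.iam.gserviceaccount.com"}, "resourceName": "projects/-/serviceAccounts/app-sa@demo-proj.iam.gserviceaccount.com"}}
"""

if __name__ == "__main__":
    for severity, message in detect(parse_log(SAMPLE_LOG)):
        print(severity, message)
```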
Section 5: Supporting Compliance Requirements (~11% of exam)
5.1 Regulatory and Industry Standards
- Technical Compliance Needs:
  - Compute: Isolation, hardening
  - Data: Encryption, residency, retention
  - Network: Segmentation, encryption
  - Storage: Integrity, durability
- Shared Responsibility Model:
  - Google responsibilities
  - Customer responsibilities
  - Service model variations (IaaS, PaaS, SaaS)
- Compliance Controls:
  - Assured Workloads for regulated industries
  - Organization policies
  - Access Transparency
  - Access Approval
  - Data residency configuration
- Determining Scope:
  - Resource inclusion/exclusion
  - Logical boundaries
  - Risk assessment
  - Compliance mapping
- Compliance Mapping:
  - Mapping requirements to GCP services
  - Demonstrating control effectiveness
  - Documentation for audits
  - Continuous compliance monitoring
Helpful links:
- Google Cloud compliance offerings
- Assured Workloads
- Access Approval
- Data residency
- Shared responsibility model
Exam Preparation Tips
- Focus on hands-on experience with key security services
- Learn how to integrate multiple security controls
- Understand the security implications of architectural decisions
- Review Google Cloud Security best practices documentation
- Practice implementing security controls across different resource types
- Master IAM concepts and the resource hierarchy