Cloud Security Engineer Preparation Details
The Google Cloud Professional Cloud Security Engineer (PCSE) certification validates your ability to design, develop, and manage secure infrastructure using Google Cloud security technologies. This guide walks through every domain, task, and objective in the official exam guide, pairing each skill with verified Google Cloud documentation so you can study topic by topic.
You can also explore more GCP certification study guides on the GCP Certifications category page to keep building your cloud security skills.
Google Cloud Security Engineer Materials:
| Provider | Course |
| --- | --- |
| Coursera | Cloud Security Engineer Professional Certificate |
| Udemy | Google Professional Cloud Security Engineer Certification |
| Whizlabs | Google Cloud Certified Professional Cloud Security Engineer |
Content Domain 1: Configuring access (~25% of the exam)

1.1 Managing Cloud Identity. Considerations include:
- Configuring Google Cloud Directory Sync and implementing single sign-on (SSO) with a third-party identity provider.
  - About Google Cloud Directory Sync
  - Federate Google Cloud with Active Directory
- Managing a super administrator account.
  - Super administrator account best practices
  - Security best practices for administrator accounts
  - Set admin privileges to protect user privacy
- Automating the user lifecycle management process.
- Administering user accounts and groups programmatically.
  - Create and manage groups using APIs
- Configuring Workforce Identity Federation.
  - Configure Workforce Identity Federation
  - Best practices for using Workforce Identity Federation

1.2 Managing service accounts. Considerations include:
- Securing and protecting service accounts (including default service accounts).
  - Best practices for using service accounts securely
- Identifying scenarios requiring service accounts.
  - How to authenticate service accounts to help keep applications secure
- Creating, disabling, and authorizing service accounts.
  - Disable and enable service accounts
  - Create and delete service account keys
  - Roles for service account authentication
- Securing, auditing, and mitigating the usage of service account keys.
  - Best practices for managing service account keys
  - Disable and enable service account keys
  - Restrict IAM service account usage
- Managing and creating short-lived credentials.
  - Create short-lived credentials for a service account
  - Create short-lived credentials for multiple service accounts
  - Use service account impersonation
- Configuring Workload Identity Federation.
- Managing service account impersonation.
  - Roles for service account authentication

1.3 Managing authentication. Considerations include:
- Creating a password and session management policy for user accounts.
  - Enforce and monitor password requirements for users
  - Set session length for Google services
- Setting up Security Assertion Markup Language (SAML) and OAuth.
  - Technical overview of SAML-based SSO
  - Configure the OAuth consent screen and choose scopes
- Configuring and enforcing 2-step verification.
  - 2-step verification requirement for Google Cloud
  - Protect your business with 2-Step Verification

1.4 Managing and implementing authorization controls. Considerations include:
- Managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions.
- Managing IAM and access control list (ACL) permissions.
  - Access control for organization resources with IAM
- Granting permissions to different types of identities using IAM conditions and IAM deny policies.
- Defining access control at the organization, folder, project, and resource level using the principle of least privilege.
  - Using resource hierarchy for access control
  - Access control for projects with IAM
- Configuring Access Context Manager.
  - Access Context Manager Overview
- Applying Policy Intelligence.
  - Overview of role recommendations
  - Policy Analyzer for allow policies
- Managing permissions through groups.
  - Create and manage groups using APIs
  - Access control for organization resources with IAM
- Identifying use cases and configuring Privileged Access Manager.
  - Privileged Access Manager overview
  - Privileged Access Manager permissions and setup

1.5 Defining the resource hierarchy. Considerations include:
- Managing folders and projects at scale.
  - Manage projects within folders
- Managing pre-built or custom organization policies for the organization, folders, and projects.
  - Organization policy constraints
- Using the resource hierarchy for access control and permissions inheritance.
  - Using resource hierarchy for access control
Content Domain 2: Securing communications and establishing boundary protection (~22% of the exam)

2.1 Designing and configuring perimeter security. Considerations include:
- Configuring network perimeter controls (e.g., Cloud Next Generation Firewall [Cloud NGFW] rules and policies, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service).
  - Hierarchical firewall policies
  - Certificate Authority Service documentation
- Setting up application layer inspection on Cloud NGFW (e.g., layer 7).
  - Hierarchical firewall policies
- Differentiating between private and public IP addressing.
  - Configure Private Google Access
  - Access APIs from VMs with external IP addresses
- Configuring web application firewalls (e.g., Google Cloud Armor).
  - Create and manage security policies
- Deploying Secure Web Proxy.
  - Quickstart: Deploy a Secure Web Proxy instance
- Configuring Cloud DNS security settings.
  - DNS Security Extensions (DNSSEC) overview
  - Advanced threat detection with DNS Armor
- Continually monitoring and restricting configured APIs.

2.2 Configuring boundary segmentation. Considerations include:
- Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules.
  - Virtual Private Cloud (VPC) overview
- Configuring network isolation and data encapsulation for N-tier applications.
  - Hierarchical firewall policies
- Identifying use cases and configuring VPC Service Controls.
  - Overview of VPC Service Controls
  - Protecting resources with VPC Service Controls

2.3 Establishing private connectivity. Considerations include:
- Designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts).
  - Set up and manage VPC Network Peering
  - Configure Private Google Access for on-premises hosts
- Designing and configuring private connectivity and encryption between data centers and VPC network (e.g., HA VPN, Cloud Interconnect).
  - HA VPN over Cloud Interconnect overview
- Establishing private connectivity between VPC and Google APIs (Private Google Access, Private Google Access for on-premises hosts, restricted Google access, Private Service Connect).
  - Private Google Access for on-premises hosts
  - Set up private connectivity to Google APIs and services
  - About Private Service Connect interfaces
- Using Cloud NAT to enable outbound traffic.
Content Domain 3: Ensuring data protection (~23% of the exam)

3.1 Protecting sensitive data and preventing data loss. Considerations include:
- Configuring Sensitive Data Protection (SDP) (e.g., discovering and redacting personally identifiable information (PII), configuring pseudonymization and format preserving encryption).
  - Sensitive Data Protection documentation
  - Classification, redaction, and de-identification
- Restricting access to Google Cloud data services (e.g., BigQuery, Cloud Storage, and Cloud SQL datastores).
  - Overview of VPC Service Controls
- Securing secrets with Secret Manager.
- Protecting and managing compute instance metadata.
  - Set and remove custom metadata
  - Protecting resources with VPC Service Controls

3.2 Managing encryption at rest, in transit, and in use. Considerations include:
- Identifying use cases for Google default encryption, customer-managed encryption keys (CMEK), and Cloud External Key Manager (EKM).
  - Customer-managed encryption keys (CMEK)
  - Cloud Key Management Service encryption
- Determining when to use software and hardware keys.
  - Cloud Key Management Service overview
  - Cloud Key Management Service encryption
- Creating and managing encryption keys for CMEK and EKM (e.g., key rotation and revocation, key import).
  - Customer-managed encryption keys (CMEK)
  - Customer-managed encryption keys
- Applying encryption methods to various use cases.
  - Cloud Key Management Service encryption
  - Protect resources with Cloud KMS keys
- Configuring object lifecycle policies for Cloud Storage.
  - Configuration examples for Object Lifecycle Management
- Enabling Confidential Computing.
  - Confidential Computing overview
  - Create a Confidential VM instance

3.3 Securing AI workloads. Considerations include:
- Implementing security and privacy controls for AI/ML systems to protect against unintentional exploitation of data or models.
  - Security controls for Generative AI
  - Security controls for machine learning services
- Determining security requirements for IaaS-hosted and PaaS-hosted training models.
  - Security controls for machine learning services
  - Confidential computing for data analytics, AI, and federated learning
- Implementing security controls for Gemini Enterprise Agent Platform.
Content Domain 4: Managing operations (~19% of the exam)

4.1 Automating infrastructure and application security. Considerations include:
- Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline.
  - Artifact analysis and vulnerability scanning
  - Scan OS packages automatically
- Configuring Binary Authorization to secure GKE clusters or Cloud Run.
- Automating virtual machine and container image creation (e.g., hardening, maintenance, VM patch management).
- Managing policy and drift detection at scale (e.g., cloud security posture management, custom organization policies and custom modules for Security Health Analytics).
  - Overview of custom modules for Security Health Analytics

4.2 Configuring logging, monitoring, and detection. Considerations include:
- Configuring and analyzing network logs (Cloud Next Generation Firewall [Cloud NGFW], VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics).
  - Analyze logs using Logs Explorer and Observability Analytics
- Designing an effective logging strategy.
  - Security log analytics in Google Cloud
- Logging, monitoring, responding to, and remediating security incidents.
  - Security Command Center overview
- Designing secure access to logs.
  - Route logs to supported destinations
- Exporting logs to external security systems.
  - Route logs to supported destinations
- Configuring and analyzing Google Cloud Audit Logs and data access logs.
- Configuring log exports (log sinks and aggregated sinks).
  - Collate and route organization- and folder-level logs to supported destinations
  - Aggregate and store your organization’s logs
- Configuring and monitoring Security Command Center.
  - Security Command Center overview
  - Configure Security Command Center services
  - Use Security Command Center in the Google Cloud console
Content Domain 5: Supporting compliance requirements (~11% of the exam)

5.1 Adhering to regulatory and industry standards requirements for the cloud. Considerations include:
- Determining technical needs relative to compute, data, network, and storage.
  - Shared responsibilities and shared fate on Google Cloud
- Evaluating the shared responsibility model.
  - Shared responsibilities and shared fate on Google Cloud
  - Shared responsibility in Assured Workloads
- Configuring security controls within cloud environments to support compliance requirements (e.g., Assured Workloads, organizational policies, Access Transparency, Access Approval, regionalization of data and services).
  - Introduction to Access Transparency
  - Introduction to Access Approval
- Determining the Google Cloud environment in scope for regulatory compliance.
- Mapping compliance requirements to Google Cloud services and security controls (e.g., network and access segmentation, audit log coverage).
  - Overview of VPC Service Controls

Cloud Security Engineer – Final Thoughts
This guide covers every domain, task, and objective in the Professional Cloud Security Engineer exam guide, from identity and access management through data protection, secure operations, and regulatory compliance. Working through each linked resource will give you hands-on familiarity with the exact services Google tests you on.
Security engineering on Google Cloud spans a lot of surface area, so pace yourself and revisit the trickier domains, such as encryption key management and VPC Service Controls, more than once.