Google Cloud Professional Cloud Security Engineer Study Guide


Cloud Security Engineer Preparation Details

The Google Cloud Professional Cloud Security Engineer (PCSE) certification validates your ability to design, develop, and manage secure infrastructure using Google Cloud security technologies. This guide walks through every domain, task, and objective in the official exam guide, pairing each skill with verified Google Cloud documentation so you can study topic by topic.

You can also explore more GCP certification study guides on the GCP Certifications category page to keep building your cloud security skills.

Google Cloud Security Engineer Materials:

Coursera: Cloud Security Engineer Professional Certificate
Udemy: Google Professional Cloud Security Engineer Certification
Whizlabs: Google Cloud Certified Professional Cloud Security Engineer

Content Domain 1: Configuring access (~25% of the exam)

1.1 Managing Cloud Identity. Considerations include:

Configuring Google Cloud Directory Sync and implementing single sign-on (SSO) with a third-party identity provider.

About Google Cloud Directory Sync

Federate Google Cloud with Active Directory

Single sign-on

Setting up SSO

Managing a super administrator account.

Super administrator account best practices

Security best practices for administrator accounts

Set admin privileges to protect user privacy

Automating the user lifecycle management process.

Directory API Overview

Admin SDK API overview

Administering user accounts and groups programmatically.

Admin SDK: Directory API

Create and manage groups using APIs

Admin SDK Directory Service

Configuring Workforce Identity Federation

Workforce Identity Federation

Configure Workforce Identity Federation

Best practices for using Workforce Identity Federation

1.2 Managing service accounts. Considerations include:

Securing and protecting service accounts (including default service accounts).

Best practices for using service accounts securely

Service accounts overview

Service accounts

Identifying scenarios requiring service accounts.

Service accounts overview

How to authenticate service accounts to help keep applications secure

Creating, disabling, and authorizing service accounts.

Disable and enable service accounts

Create and delete service account keys

Roles for service account authentication

Securing, auditing, and mitigating the usage of service account keys.

Best practices for managing service account keys

Disable and enable service account keys

Restrict IAM service account usage

Managing and creating short-lived credentials.

Create short-lived credentials for a service account

Create short-lived credentials for multiple service accounts

Use service account impersonation

Configuring Workload Identity Federation.

Workload Identity Federation

Managing service account impersonation.

Service account impersonation

Roles for service account authentication

1.3 Managing authentication. Considerations include:

Creating a password and session management policy for user accounts.

Enforce and monitor password requirements for users

Set session length for Google services

Setting up Security Assertion Markup Language (SAML) and OAuth.

Technical overview of SAML-based SSO

Configure the OAuth consent screen and choose scopes

Configuring and enforcing 2-step verification.

Deploy 2-Step Verification

2-step verification requirement for Google Cloud

Protect your business with 2-Step Verification

1.4 Managing and implementing authorization controls. Considerations include:

Managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions.

Roles and permissions

IAM overview

Managing IAM and access control list (ACL) permissions.

Access control for organization resources with IAM

IAM roles for Cloud Storage

Granting permissions to different types of identities using IAM conditions and IAM deny policies.

Overview of IAM Conditions

Deny policies

Deny access to resources

Defining access control at the organization, folder, project, and resource level using the principle of least privilege.

Using resource hierarchy for access control

Access control for projects with IAM

Configuring Access Context Manager.

Access Context Manager Overview

Access control with IAM

Applying Policy Intelligence.

Policy Intelligence overview

Overview of role recommendations

Policy Analyzer for allow policies

Managing permissions through groups.

Create and manage groups using APIs

Access control for organization resources with IAM

Identifying use cases and configuring Privileged Access Manager.

Privileged Access Manager overview

Privileged Access Manager permissions and setup
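Several of the 1.4 objectives (privileged roles and separation of duties, least privilege, permissions through groups, and IAM deny policies) are easiest to internalise by linting a real allow policy. The code below is an added example for this guide, not Google's tooling and not from the linked pages. It takes the JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints (the embedded policy is constructed in that shape with made-up principals), flags the usual anti-patterns, and builds a deny policy in the shape that `gcloud iam policies create --policy-file` accepts. The deny-policy permission and principal identifier formats are the ones documented for deny policies; the `security-admins@example.com` exception group is an assumption for the example.

```python
"""Lint an IAM allow policy and build a deny policy (added example)."""
import json

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Project-level grants of these roles let the grantee act as (or mint keys for)
# every service account in the project, so they deserve their own review.
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.dumps({
    "version": 1,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["group:devs@example.com"]},
        {"role": "roles/compute.viewer", "members": ["group:sre@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2026-06-30T00:00:00Z')"}},
        {"role": "roles/logging.viewer",
         "members": ["user:bob@example.com",
                     "serviceAccount:ci@demo-project.iam.gserviceaccount.com"]},
    ],
})


def lint_policy(policy_json):
    """Return a list of (code, role, member) findings for an allow policy."""
    policy = json.loads(policy_json)
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if "condition" in binding and policy.get("version", 1) < 3:
            # setIamPolicy rejects conditional bindings unless the policy is version 3,
            # so bump the version before writing this policy back.
            findings.append(("CONDITION_NEEDS_V3", role, "*"))
        for member in binding.get("members", []):
            if role in BASIC_ROLES:
                findings.append(("BASIC_ROLE", role, member))       # too broad; use predefined/custom roles
            if member in PUBLIC_MEMBERS:
                findings.append(("PUBLIC", role, member))           # anyone on the internet
            if member.startswith("user:"):
                findings.append(("DIRECT_USER", role, member))      # grant to a group instead
            if role in IMPERSONATION_ROLES:
                findings.append(("BROAD_IMPERSONATION", role, member))
    return findings


def count_by_code(findings):
    """Summarise findings as {code: count}."""
    counts = {}
    for code, _, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


def deny_key_creation_policy(exception_group):
    """Deny policy: nobody may create service account keys except one group.

    Deny policies use the `service/permission` form for permissions and
    principalSet:// identifiers for principals; this is a policy document,
    not a call to the API.
    """
    return {
        "displayName": "Block service account key creation",
        "rules": [{"denyRule": {
            "deniedPrincipals": ["principalSet://goog/public:all"],
            "exceptionPrincipals": [f"principalSet://goog/group/{exception_group}"],
            "deniedPermissions": ["iam.googleapis.com/serviceAccountKeys.create"],
        }}],
    }


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(*finding)
    print(json.dumps(deny_key_creation_policy("security-admins@example.com"), indent=2))
```

The linter is deliberately opinionated: a basic role on a human account is the classic separation-of-duties failure, a public member on any role is a data-exposure finding, and project-level `serviceAccountTokenCreator` is a privilege-escalation path because it allows impersonating every service account in the project. The deny policy is the complement: an allow policy can always be widened later by someone with `setIamPolicy`, whereas a deny rule at the folder or organization level keeps holding regardless of what allow bindings exist below it.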

1.5 Defining the resource hierarchy. Considerations include:

Managing folders and projects at scale.

About resource hierarchy

Create folders

Manage projects within folders

Managing pre-built or custom organization policies for the organization, folders, and projects.

Organization policy constraints

Create custom constraints

Using the resource hierarchy for access control and permissions inheritance.

Using resource hierarchy for access control

Organize resources

Content Domain 2: Securing communications and establishing boundary protection (~22% of the exam)

2.1 Designing and configuring perimeter security. Considerations include:

Configuring network perimeter controls (e.g., Cloud Next Generation Firewall [Cloud NGFW] rules and policies, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service).

Hierarchical firewall policies

Identity-Aware Proxy overview

Certificate Authority Service documentation

Setting up application layer inspection on Cloud NGFW (e.g., layer 7).

VPC firewall rules

Hierarchical firewall policies

Differentiating between private and public IP addressing.

Private Google Access

Configure Private Google Access

Access APIs from VMs with external IP addresses

Configuring web application firewalls (e.g., Google Cloud Armor).

Cloud Armor overview

Security policy overview

Create and manage security policies

Deploying Secure Web Proxy.

Secure Web Proxy overview

Quickstart: Deploy a Secure Web Proxy instance

Configuring Cloud DNS security settings.

Cloud DNS overview

DNS Security Extensions (DNSSEC) overview

Advanced threat detection with DNS Armor

Continually monitoring and restricting configured APIs.

Restrict service usage

Manage service enablement

Restrict endpoint usage

2.2 Configuring boundary segmentation. Considerations include:

Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules.

Virtual Private Cloud (VPC) overview

VPC Network Peering

Shared VPC

VPC firewall rules
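For the "security properties of ... firewall rules" objective the exam expects you to reason about direction, source ranges, target filters, protocol/port specs and logging together, which is exactly what a rule audit has to do. The script below is an added example for this guide (not Google's tooling or code from the linked pages). It consumes the JSON from `gcloud compute firewall-rules list --format=json`; the rules embedded in it are constructed in that shape with made-up names and networks, and the choice of 22 and 3389 as "admin ports" is an assumption of the example.

```python
"""Flag over-permissive VPC firewall rules (added example)."""
import json

ADMIN_PORTS = {22, 3389}            # assumption: SSH and RDP are the ports we care about most
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.dumps([
    {   # SSH open to the internet, no logging, applies to every VM in the network
        "name": "default-allow-ssh", "network": "global/networks/default",
        "direction": "INGRESS", "priority": 65534,
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
        "logConfig": {"enable": False},
    },
    {   # internal app traffic restricted by source range and target tag
        "name": "allow-app-internal", "network": "global/networks/prod",
        "direction": "INGRESS", "priority": 1000,
        "sourceRanges": ["10.0.0.0/8"], "targetTags": ["app"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["8080-8090"]}],
        "logConfig": {"enable": True},
    },
    {   # everything from anywhere, but disabled, so it is not enforced
        "name": "allow-all-disabled", "network": "global/networks/prod",
        "direction": "INGRESS", "priority": 900, "disabled": True,
        "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
        "logConfig": {"enable": False},
    },
    {   # RDP hidden inside a wide port range, from anywhere, with logging on
        "name": "allow-rdp-range", "network": "global/networks/prod",
        "direction": "INGRESS", "priority": 1000, "targetTags": ["win"],
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}],
        "logConfig": {"enable": True},
    },
    {   # egress deny rule: not an ingress exposure, skipped by this audit
        "name": "deny-egress-all", "network": "global/networks/prod",
        "direction": "EGRESS", "priority": 65000,
        "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}],
        "logConfig": {"enable": True},
    },
])


def port_in_spec(port, spec):
    """True if `port` falls inside a port spec such as "22" or "3000-4000"."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def open_admin_ports(allowed):
    """Return the admin ports an `allowed` list exposes, or "all" if every port is open."""
    hits = set()
    for entry in allowed:
        proto = entry["IPProtocol"]
        # "all", or tcp/udp with no port list, means every port of that protocol
        if proto == "all" or (proto in ("tcp", "udp") and "ports" not in entry):
            return "all"
        if proto == "tcp":
            hits |= {p for p in ADMIN_PORTS
                     if any(port_in_spec(p, spec) for spec in entry["ports"])}
    return hits


def audit_rules(rules_json):
    """Return (rule_name, finding) pairs for enabled ingress rules."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        name = rule["name"]
        if set(rule.get("sourceRanges", [])) & ANY_SOURCE:
            ports = open_admin_ports(rule.get("allowed", []))
            if ports == "all":
                findings.append((name, "PUBLIC_ALL_PORTS"))
            elif ports:
                findings.append((name, "PUBLIC_ADMIN_PORT:" + ",".join(str(p) for p in sorted(ports))))
            if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
                findings.append((name, "NO_TARGET_FILTER"))  # applies to every VM in the network
        if not rule.get("logConfig", {}).get("enable"):
            findings.append((name, "LOGGING_OFF"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Two details matter more than they look. A port range such as 3000-4000 silently includes 3389, so a check that only string-matches "3389" misses it; and an ingress rule with neither target tags nor target service accounts applies to every instance in the VPC network, which turns a single permissive rule into a network-wide exposure. The audit skips rules with `disabled: true` because they are not enforced, though a disabled "allow all" rule is still worth deleting so nobody can re-enable it by mistake.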

Configuring network isolation and data encapsulation for N-tier applications.

Shared VPC

Hierarchical firewall policies

Identifying use cases and configuring VPC Service Controls.

Overview of VPC Service Controls

Protecting resources with VPC Service Controls

2.3 Establishing private connectivity. Considerations include:

Designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts).

Shared VPC

Set up and manage VPC Network Peering

Configure Private Google Access for on-premises hosts

Designing and configuring private connectivity and encryption between data centers and VPC network (e.g., HA VPN, Cloud Interconnect).

Cloud VPN overview

HA VPN over Cloud Interconnect overview

Cloud Interconnect overview

Establishing private connectivity between VPC and Google APIs (Private Google Access, Private Google Access for on-premises hosts, restricted Google access, Private Service Connect).

Private Google Access

Private Google Access for on-premises hosts

Set up private connectivity to Google APIs and services

About Private Service Connect interfaces

Using Cloud NAT to enable outbound traffic.

Cloud NAT overview

Private NAT

Content Domain 3: Ensuring data protection (~23% of the exam)

3.1 Protecting sensitive data and preventing data loss. Considerations include:

Configuring Sensitive Data Protection (SDP) (e.g., discovering and redacting personally identifiable information (PII), and configuring pseudonymization and format-preserving encryption).

Sensitive Data Protection documentation

Classification, redaction, and de-identification

Pseudonymization

De-identifying sensitive data

Restricting access to Google Cloud data services (e.g., BigQuery, Cloud Storage, and Cloud SQL datastores).

Overview of VPC Service Controls

IAM roles for Cloud Storage

Securing secrets with Secret Manager.

Secret Manager overview

Secret Manager best practices

Access the Secret Manager API

Protecting and managing compute instance metadata.

About VM metadata

Set and remove custom metadata

Protecting resources with VPC Service Controls

3.2 Managing encryption at rest, in transit, and in use. Considerations include:

Identifying use cases for Google default encryption, customer-managed encryption keys (CMEK), and Cloud External Key Manager (EKM).

Customer-managed encryption keys (CMEK)

Cloud Key Management Service encryption

Cloud External Key Manager

Determining when to use software and hardware keys

Cloud Key Management Service overview

Cloud Key Management Service encryption

Creating and managing encryption keys for CMEK and EKM (e.g., key rotation and revocation, key import).

Customer-managed encryption keys (CMEK)

Cloud External Key Manager

Customer-managed encryption keys

Applying encryption methods to various use cases.

Cloud Key Management Service encryption

Protect resources with Cloud KMS keys

Configuring object lifecycle policies for Cloud Storage.

Object Lifecycle Management

Manage object lifecycles

Configuration examples for Object Lifecycle Management

Enabling Confidential Computing.

Confidential Computing overview

Confidential VM overview

Create a Confidential VM instance

3.3 Securing AI workloads. Considerations include:

Implementing security and privacy controls for AI/ML systems to protect against unintentional exploitation of data or models.

Security controls for Generative AI

Security controls for machine learning services

Determining security requirements for IaaS-hosted and PaaS-hosted training models.

Security controls for machine learning services

Confidential computing for data analytics, AI, and federated learning

Implementing security controls for Gemini Enterprise Agent Platform.

Govern your agents

Agent Gateway overview

View security findings

Content Domain 4: Managing operations (~19% of the exam)

4.1 Automating infrastructure and application security. Considerations include:

Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline.

Container scanning overview

Artifact analysis and vulnerability scanning

Scan OS packages automatically

Configuring Binary Authorization to secure GKE clusters or Cloud Run.

Binary Authorization overview

Automating virtual machine and container image creation (e.g., hardening, maintenance, VM patch management).

About VM Manager

About Patch

Set up VM Manager

Managing policy and drift detection at scale (e.g., cloud security posture management, custom organization policies and custom modules for Security Health Analytics).

Security posture overview

Overview of custom modules for Security Health Analytics

Create custom constraints

4.2 Configuring logging, monitoring, and detection. Considerations include:

Configuring and analyzing network logs (Cloud Next Generation Firewall [Cloud NGFW], VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics).

VPC Flow Logs

Packet Mirroring

Cloud IDS logging information

Analyze logs using Logs Explorer and Observability Analytics

Designing an effective logging strategy.

Security log analytics in Google Cloud

Cloud Logging overview

Logging, monitoring, responding to, and remediating security incidents.

Detective controls

Security Command Center overview

Designing secure access to logs.

Route log entries

Route logs to supported destinations

Exporting logs to external security systems.

Route logs to supported destinations

Export logs to Cloud Logging

Configuring and analyzing Google Cloud Audit Logs and data access logs.

Cloud Audit Logs overview

Configuring log exports (log sinks and aggregated sinks).

Aggregated sinks overview

Collate and route organization- and folder-level logs to supported destinations

Aggregate and store your organization’s logs
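The "Configuring and analyzing Google Cloud Audit Logs" and "Configuring log exports" objectives meet in practice at the log sink: you write a filter that selects the Admin Activity entries you care about, route them to Pub/Sub or BigQuery, and run detection logic on what arrives. The block below is an added example for this guide, not Google's detection content or code from the linked pages. The log entries are constructed in the LogEntry/AuditLog JSON shape that a Pub/Sub sink or `gcloud logging read --format=json` returns, with made-up project, principals and resources; the `serviceData.policyDelta.bindingDeltas` nesting for SetIamPolicy is taken from Resource Manager audit entries and should be checked against your own logs before you rely on it.

```python
"""Detect a few high-signal admin actions in Cloud Audit Log entries (added example)."""
import json

ACTIVITY_LOG = "projects/demo-project/logs/cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_LOG = "projects/demo-project/logs/cloudaudit.googleapis.com%2Fdata_access"
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                        "roles/resourcemanager.organizationAdmin"}
FIREWALL_WRITE_METHODS = {"v1.compute.firewalls.insert", "v1.compute.firewalls.patch",
                          "v1.compute.firewalls.update"}

# Logging query language filter for the sink that feeds this detector: Admin Activity
# entries only, narrowed to the three method families checked below.
SINK_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" AND ('
    'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey" OR '
    'protoPayload.methodName="SetIamPolicy" OR '
    'protoPayload.methodName:"compute.firewalls.")'
)

# Constructed sample entries.
SAMPLE_ENTRIES = [
    {"logName": ACTIVITY_LOG, "protoPayload": {          # new user-managed key
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "resourceName": "projects/-/serviceAccounts/app-sa@demo-project.iam.gserviceaccount.com"}},
    {"logName": ACTIVITY_LOG, "protoPayload": {          # roles/owner granted on the project
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "resourceName": "projects/demo-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"},
            {"action": "REMOVE", "role": "roles/viewer", "member": "user:mallory@example.com"}]}}}},
    {"logName": ACTIVITY_LOG, "protoPayload": {          # firewall rule open to the internet
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.firewalls.insert",
        "authenticationInfo": {"principalEmail": "ci@demo-project.iam.gserviceaccount.com"},
        "resourceName": "projects/demo-project/global/firewalls/allow-ssh-anywhere",
        "request": {"sourceRanges": ["0.0.0.0/0"],
                    "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}},
    {"logName": DATA_ACCESS_LOG, "protoPayload": {       # routine object read: no alert
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.get",
        "authenticationInfo": {"principalEmail": "reporting-sa@demo-project.iam.gserviceaccount.com"},
        "resourceName": "projects/_/buckets/demo-reports/objects/daily.csv"}},
    {"logName": ACTIVITY_LOG, "protoPayload": {          # narrow role grant to a group: no alert
        "serviceName": "cloudresourcemanager.googleapis.com",
        "methodName": "SetIamPolicy",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "resourceName": "projects/demo-project",
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/logging.viewer", "member": "group:sre@example.com"}]}}}},
]


def detect(entry):
    """Return a list of (rule, principal, detail) hits for one log entry."""
    payload = entry.get("protoPayload", {})
    method = payload.get("methodName", "")
    who = payload.get("authenticationInfo", {}).get("principalEmail", "unknown")
    hits = []
    if method.endswith("CreateServiceAccountKey"):
        hits.append(("sa_key_created", who, payload.get("resourceName", "")))
    if method.endswith("SetIamPolicy"):
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("role") in HIGH_PRIVILEGE_ROLES:
                hits.append(("privileged_role_granted", who, f"{delta['role']} -> {delta['member']}"))
    if method in FIREWALL_WRITE_METHODS:
        request = payload.get("request", {})
        if "allowed" in request and set(request.get("sourceRanges", [])) & {"0.0.0.0/0", "::/0"}:
            hits.append(("public_ingress_rule", who, payload.get("resourceName", "")))
    return hits


def scan(entries):
    """Run every entry through detect() and flatten the hits."""
    return [hit for entry in entries for hit in detect(entry)]


if __name__ == "__main__":
    for rule, who, detail in scan(SAMPLE_ENTRIES):
        print(f"{rule}: {who} {detail}")
    print(json.dumps({"sink_filter": SINK_FILTER}))
```

Note the split between what the sink filter does and what the detector does. Filtering server-side on `methodName` keeps the export volume (and BigQuery/Pub/Sub cost) down, but the interesting condition, such as "the binding added was roles/owner" or "the source range was 0.0.0.0/0", lives inside nested request or delta fields that a sink filter can express only awkwardly, so that logic stays in code. Data Access logs are deliberately left out of this filter: they are high-volume and, except for BigQuery, disabled by default, so they belong in a separate sink with its own retention.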

Configuring and monitoring Security Command Center.

Security Command Center overview

Configure Security Command Center services

Use Security Command Center in the Google Cloud console

Content Domain 5: Supporting compliance requirements (~11% of the exam)

5.1 Adhering to regulatory and industry standards requirements for the cloud. Considerations include:

Determining technical needs relative to compute, data, network, and storage.

Shared responsibilities and shared fate on Google Cloud

Organize resources

Evaluating the shared responsibility model.

Shared responsibilities and shared fate on Google Cloud

Shared responsibility in Assured Workloads

Configuring security controls within cloud environments to support compliance requirements (e.g., Assured Workloads, organizational policies, Access Transparency, Access Approval, regionalization of data and services).

Overview of Assured Workloads

Introduction to Access Transparency

Introduction to Access Approval

Data residency

Determining the Google Cloud environment in scope for regulatory compliance.

Overview of Assured Workloads

Assured Workloads locations

Control packages

Mapping compliance requirements to Google Cloud services and security controls (e.g., network and access segmentation, audit log coverage).

Control packages

Cloud Audit Logs overview

Overview of VPC Service Controls

Cloud Security Engineer – Final Thoughts

This guide covers every domain, task, and objective in the Professional Cloud Security Engineer exam guide, from identity and access management through data protection, secure operations, and regulatory compliance. Working through each linked resource will give you hands-on familiarity with the exact services Google tests you on.

Security engineering on Google Cloud spans a lot of surface area, so pace yourself and revisit the trickier domains like encryption key management and VPC Service Controls more than once. You can also explore more GCP certification study guides on the GCP Certifications category page to keep building your skills. Have a question or tip? Leave a comment below.
