Study Guide to the Google Cloud Professional Cloud Security Engineer Certification



Today (1 July 2021), I cleared the Google Cloud Professional Cloud Security Engineer certification. Here, I will present an outline guide to the key learning outcomes one should be familiar with before heading to the exam.

The exam is 2 hours in length with 50 multiple choice questions, and is recommended for those with 3+ years of industry experience including 1+ years designing and managing solutions using GCP. Note that there are no case studies included in this exam. My recommended study path is: go through the exam guide to get a feel of the topics covered, refer to the topics listed in this guide, deep dive into the individual topics (additional links are provided below), and then get some hands-on training on GCP via the official learning paths or Qwiklabs. Finally, go through the practice exam available to assess your readiness for the exam.


1. Organization & Resource Management


Resource Hierarchy

  • Familiarize yourself with the Resource Hierarchy, with inheritance starting at the Organization level and flowing down to the individual resource [link]

Organization Policy Service

  • Understand and apply Organization Policy constraints on a resource hierarchy [link]

Super Admin

  • Best practices for managing the Super Admin account in Cloud Identity / Google Workspace [link]


2. Identity Access Management (IAM)


IAM Roles

  • Understand the differences between Primitive, Predefined and Custom Roles, and the pros/cons of using each [link]

Service Accounts

  • The difference between Google-managed and User-managed service accounts [link]
  • Understand that a service account can act as either an identity or a resource, and how users can act as (impersonate) service accounts [link]
  • Service account keys, and best practices for their usage [link]
  • Service account access scopes, the legacy method for limiting which API methods a VM can call [link]

Cloud Identity

  • Use of Cloud Directory Sync (GCDS), federation with LDAP / Active Directory [link]
  • Using an External Identity Provider (IdP) for SSO via SAML [link]


3. Network Security


VPC / Subnet

  • Review the basic networking concepts of VPCs / subnets: how subnets can span multiple zones, IPv4 only, the purpose of routes, and how routes are used in the context of bastion hosts and NAT gateways [link]
  • The default VPC [link], and the default subnets, routes and firewall rules that are automatically created by GCP [link]

VPC Peering

  • How VPC peering is used across GCP projects and organizations, and its limitations, such as the lack of transitive peering between VPCs and of internal DNS resolution across peered VPCs [link]
  • How to set up a peered VPC, ensuring non-overlapping CIDR ranges [link]

Shared VPC

  • Understand the benefits of a Shared VPC, with a Host Project and Service Projects [link]
  • Separation of access between the Shared VPC Admin, Service Project Admin, Network Admin and Security Admin roles [link]

Firewall

  • Implied rules, and which traffic is always blocked or always allowed [link]
  • Priority [link], Ingress/Egress [link], Allow/Deny [link]
  • Targets - Service Accounts vs Tags vs All Instances [link]
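The three firewall bullets above describe an evaluation order that is easy to get wrong in practice. The following Python is an added example (not code from the article or from Google) that models that order: direction, priority (lowest number first, with deny beating allow on a tie), allow/deny, targets (network tags or service accounts, or all instances when no target is set), the two implied rules every VPC carries (allow all egress, deny all ingress at priority 65535), and two examples of traffic decided before any rule: egress to TCP port 25 is always blocked and traffic to the metadata server is always allowed. The rule set, tag names, service accounts and instances are constructed; 35.235.240.0/20 is the documented IAP TCP-forwarding source range.

```python
"""Model of VPC firewall rule evaluation (constructed example, not Google's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    direction: str                   # "INGRESS" or "EGRESS"
    priority: int                    # 0..65535; the lowest number is evaluated first
    action: str                      # "ALLOW" or "DENY"
    protocols: Dict[str, List[int]]  # {"tcp": [22]}; {} = any protocol; [] = all ports
    ranges: List[str]                # source ranges (ingress) or destination ranges (egress)
    target_tags: Set[str] = field(default_factory=set)
    target_service_accounts: Set[str] = field(default_factory=set)


@dataclass
class Instance:
    tags: Set[str]
    service_account: str


@dataclass
class Packet:
    direction: str
    remote_ip: str                   # source IP for ingress, destination IP for egress
    protocol: str
    port: Optional[int] = None


# Implied rules present in every VPC network at the lowest priority.
IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", 65535, "ALLOW", {}, ["0.0.0.0/0"]),
    Rule("implied-deny-ingress", "INGRESS", 65535, "DENY", {}, ["0.0.0.0/0"]),
]
METADATA_SERVER = ip_address("169.254.169.254")


def _targets_instance(rule: Rule, inst: Instance) -> bool:
    # A rule with no targets applies to every instance in the network.
    if not rule.target_tags and not rule.target_service_accounts:
        return True
    return bool(rule.target_tags & inst.tags) or inst.service_account in rule.target_service_accounts


def _matches_traffic(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if not any(ip_address(pkt.remote_ip) in ip_network(r) for r in rule.ranges):
        return False
    if not rule.protocols:           # rule covers all protocols
        return True
    ports = rule.protocols.get(pkt.protocol)
    if ports is None:                # protocol not listed in the rule
        return False
    return not ports or pkt.port in ports


def evaluate(rules: List[Rule], inst: Instance, pkt: Packet) -> Tuple[str, str]:
    """Return (action, deciding_rule_name) for one packet to or from the instance."""
    # Always-blocked and always-allowed traffic is decided before any rule is consulted.
    if pkt.direction == "EGRESS" and pkt.protocol == "tcp" and pkt.port == 25:
        return "DENY", "always-blocked-smtp"
    if ip_address(pkt.remote_ip) == METADATA_SERVER:
        return "ALLOW", "always-allowed-metadata"
    candidates = [r for r in rules + IMPLIED_RULES
                  if _targets_instance(r, inst) and _matches_traffic(r, pkt)]
    if not candidates:
        return "DENY", "no-matching-rule"
    # Lowest priority number wins; at equal priority a deny rule beats an allow rule.
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    return candidates[0].action, candidates[0].name


# Constructed rule set: the default-network SSH rule plus two hardening rules for
# instances tagged "web"; 35.235.240.0/20 is the IAP TCP-forwarding source range.
SAMPLE_RULES = [
    Rule("default-allow-ssh", "INGRESS", 65534, "ALLOW", {"tcp": [22]}, ["0.0.0.0/0"]),
    Rule("deny-ssh-from-internet", "INGRESS", 1000, "DENY", {"tcp": [22]}, ["0.0.0.0/0"],
         target_tags={"web"}),
    Rule("allow-ssh-from-iap", "INGRESS", 900, "ALLOW", {"tcp": [22]}, ["35.235.240.0/20"],
         target_tags={"web"}),
]
WEB = Instance(tags={"web"}, service_account="web-sa@example-project.iam.gserviceaccount.com")
BASTION = Instance(tags={"bastion"}, service_account="bastion-sa@example-project.iam.gserviceaccount.com")

if __name__ == "__main__":
    for pkt in (Packet("INGRESS", "203.0.113.5", "tcp", 22),
                Packet("INGRESS", "35.235.240.10", "tcp", 22),
                Packet("EGRESS", "198.51.100.7", "tcp", 25)):
        print(pkt, "->", evaluate(SAMPLE_RULES, WEB, pkt))
```

Running it shows the point of the exercise: the tagged web instance still has the default SSH rule at priority 65534, but the deny at 1000 shadows it for internet sources while the IAP range is let through at 900, and an untagged instance keeps the open default rule.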

Private Google Access

  • How it is used at the private IP / network level for instances without internet access [link]
  • Enabled at the subnet level [link]

Load Balancing

  • Review LB concepts of Global vs Regional / External vs Internal / HTTP(S) vs TCP/UDP / L7 vs L4 [link]
  • HTTP(S) LB, SSL Proxy, TCP Proxy, TCP/UDP LB (External), TCP/UDP LB (Internal)
  • Securing traffic when exposing your backends to the internet via a LB [link]

Cloud VPN

  • On-prem connectivity to your VPC, IPsec over the internet, site-to-site VPN [link]

Cloud Interconnect

  • Dedicated Interconnect [link] via a Google-provided peering edge, or Partner Interconnect [link]

Cloud DNS

  • Managing Zones [link]
  • Purpose of enabling DNSSEC [link]

VPC Best Practices

  • How load balancers, Cloud Armor, IAP can be used to secure external access [link]
  • VPC Flow Logs and Security Command Center (SCC) for monitoring [link]
  • Internal IPs and environment/network isolation to segregate data at rest / in transit [link]


4. Encryption


Encryption At Rest

  • Understand how GCP performs encryption at rest: data is split into chunks, each chunk is encrypted with a DEK, DEKs are wrapped with a KEK, and the keys are stored in KMS [link]
  • Using KMS for key rotation [link], asymmetric vs symmetric keys [link], storage locations [link], ACLs applied to each key [link], with auditing and logging features [link]
  • Storage and access scopes: Project level vs Key Ring vs Key vs Key Version
  • CSEK [link] vs CMEK [link]

Encryption In Transit

  • Google Front End (GFE) [link]
  • Virtual Network Encryption & Authentication - GFE-to-VM, VM-to-VM
  • TLS - user-to-VM, user-to-GFE
  • ALTS - service-to-service, GFE-to-service


5. Data Protection


IAP

  • IAP TCP Forwarding [link], IAP Connector [link], Signed Headers [link], Context Aware Access [link]

DLP

  • Infotype and Infotype Detector (Built-in vs Custom) [link]
  • Custom Detectors - Regular word list vs Custom dictionary vs Regex [link]
  • Inspection Rules - Exclusion rules vs Hotword rules [link]
  • De-identification types - PII/masking, Date shifting, Generalisation/bucketing, Pseudonymisation/tokenisation, Image inspection/redaction, Text classification/redaction [link]
  • Actions (scan results) - Various options available - BigQuery, Pub/Sub, SCC, Data Catalog, Email [link]
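The DLP bullets above list the building blocks (infoType detectors, custom detectors of the word-list and regex kinds, exclusion and hotword inspection rules, and the de-identification transforms) without showing how they combine on a record. The following Python is an added example, not the article's or Google's code, that models those concepts with the standard library: a small inspector that returns findings with offsets and likelihood, and a de-identifier that masks card numbers, tokenises e-mail addresses with a keyed HMAC and redacts the rest with the infoType name. The regexes stand in for DLP's built-in detectors and are far simpler than the real ones; the sample text, the internal domain used by the exclusion rule, the badge format and the HMAC key are all constructed.

```python
"""Mini inspection / de-identification engine modelled on Cloud DLP concepts
(constructed example; the patterns are NOT Google's built-in detectors)."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    info_type: str
    quote: str
    start: int
    end: int
    likelihood: str = "LIKELY"


# "Built-in" detectors: one regex per infoType (simplified stand-ins).
BUILT_IN: Dict[str, re.Pattern] = {
    "EMAIL_ADDRESS": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "CREDIT_CARD_NUMBER": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}


def regex_detector(pattern: str) -> re.Pattern:
    """Custom detector of the regex kind."""
    return re.compile(pattern)


def dictionary_detector(words: List[str]) -> re.Pattern:
    """Custom detector of the word-list kind: whole-word, case-insensitive."""
    return re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b", re.IGNORECASE)


CUSTOM: Dict[str, re.Pattern] = {
    "BADGE_ID": regex_detector(r"\bEMP-\d{6}\b"),                 # constructed badge format
    "PROJECT_CODENAME": dictionary_detector(["Bluebird", "Kestrel"]),
}

# Inspection rules (constructed): an exclusion rule drops findings whose quote matches;
# a hotword rule raises likelihood when the hotword appears shortly before the match.
EXCLUSIONS: Dict[str, re.Pattern] = {"EMAIL_ADDRESS": re.compile(r"@corp-internal\.test$")}
HOTWORDS: Dict[str, Tuple[re.Pattern, int]] = {
    "CREDIT_CARD_NUMBER": (re.compile(r"card\s*number", re.IGNORECASE), 20),  # (hotword, window)
}


def inspect(text: str, detectors: Optional[Dict[str, re.Pattern]] = None) -> List[Finding]:
    detectors = detectors or {**BUILT_IN, **CUSTOM}
    findings: List[Finding] = []
    for info_type, pat in detectors.items():
        for m in pat.finditer(text):
            quote = m.group(0)
            excl = EXCLUSIONS.get(info_type)
            if excl and excl.search(quote):
                continue
            f = Finding(info_type, quote, m.start(), m.end())
            if info_type in HOTWORDS:
                hotword, window = HOTWORDS[info_type]
                if hotword.search(text[max(0, m.start() - window):m.start()]):
                    f.likelihood = "VERY_LIKELY"
            findings.append(f)
    return sorted(findings, key=lambda f: f.start)


def mask(quote: str, keep_last: int = 4, char: str = "#") -> str:
    """Character masking: hide everything but the last `keep_last` characters."""
    return char * (len(quote) - keep_last) + quote[-keep_last:]


def tokenize(quote: str, key: bytes) -> str:
    """Deterministic pseudonym: equal inputs give equal tokens; the key never enters the data."""
    return "TOKEN_" + hmac.new(key, quote.encode(), hashlib.sha256).hexdigest()[:12]


def deidentify(text: str, findings: List[Finding], key: bytes) -> str:
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):  # right-to-left keeps offsets valid
        if f.info_type == "CREDIT_CARD_NUMBER":
            repl = mask(f.quote)
        elif f.info_type == "EMAIL_ADDRESS":
            repl = tokenize(f.quote, key)
        else:
            repl = f"[{f.info_type}]"        # redact, replacing the value with its infoType name
        out = out[:f.start] + repl + out[f.end:]
    return out


# Constructed sample record.
SAMPLE = ("Contact alice@example.com or ops@corp-internal.test. "
          "Card number: 4111 1111 1111 1111. Badge EMP-004512 on project Kestrel.")

if __name__ == "__main__":
    found = inspect(SAMPLE)
    for f in found:
        print(f.info_type, f.likelihood, repr(f.quote))
    print(deidentify(SAMPLE, found, b"constructed-demo-key"))
```

Two details carry over to the real service: the hotword only changes likelihood, never whether something is a finding, so a scan action that filters on VERY_LIKELY behaves differently from one that does not; and replacements are applied from the end of the text backwards so the byte offsets reported with the findings stay valid while the string is being rewritten.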

DDoS Mitigation

  • Various strategies available - reduce the attack surface, isolate internal and external traffic, proxy-based load balancing, scale resources to absorb attacks, CDN offloading, 3rd party DDoS protection, GCS signed URLs, API rate limiting, App Engine via GFE [link]

Cloud Armor

  • How this is used alongside external load balancers to mitigate DDoS [link]
  • Using and implementing Security Policies [link], Preview Mode [link], and monitoring with Request Logging [link]

Web Security Scanner

  • Understand its purpose and the vulnerabilities it can detect [link] on App Engine / Compute Engine / GKE
  • Starting URLs vs Excluded URLs

Security Command Center

  • Understand the features of the SCC [link]
  • Security Health Analytics [link]
  • Event Threat Detection [link]
  • Container Threat Detection [link]
  • Integrate with GCP services - Cloud Armor, Anomaly Detection, DLP [link]
  • Integrate with 3rd party SIEM applications/connectors such as Forseti [link]

Forseti

  • Basic understanding and overview of the 3rd party SIEM application [link]


6. Compute & Storage Security


GCE / Compute Engine

  • Use of Service Accounts, and granting users the Service Account User role [link]
  • Using VPCs / networking to isolate traffic/environments [link]
  • Image Management - trusted images, non-public images, automate patching and updates [link]
  • Restrict external access / IPs - multiple strategies: bastion hosts, IAP TCP Forwarding, NAT gateway, serial console access, VPN, load balancers [link]

GKE / Kubernetes Engine

  • Overview of GKE architecture - Cluster / Cluster Master / Nodes / Pods / Containers, as well as Cluster IP / Node IP / Pod IP / Label / Service / Kube-Proxy [link]
  • Authentication & Authorization - RBAC & service accounts [link]
  • Control Plane - restrict IP access, rotate SSL certificates [link]
  • Node Security - Container-Optimised OS, OS patching / auto-upgrades, disabling the legacy instance metadata APIs [link]
  • Network Security - Limit Pod-to-Pod communication, apply network policies, load balancers for services, filter traffic via Kube-Proxy, Cloud Armor / IAP with External LBs [link]
  • Secure Workloads - use Pod security policies, and control access to GCP resources via Workload Identity vs the GCE Service Account vs a Service Account JSON key [link]
  • Best Practices - Lightweight containers, Container Registry Vulnerability Scanning, Binary Authorization for trusted containers deployed [link]

Secret Management

  • Best Practices - Rotate regularly, monitor with Cloud Audit (Data Access) logs, use IAM / Service Accounts for access, one secret per object [link]

GCS / Cloud Storage

  • Use ACLs for object-level permissions [link] if uniform bucket-level access is not enabled [link]
  • What the Default ACL is [link]
  • Signed URLs - time limited access [link]
  • Bucket Lock with Data Retention Policy [link] vs Object Lock [link] vs Object Lifecycle Management [link]

BigQuery

  • Authorized Views [link]
  • Using Cloud DLP to scan BigQuery data [link]


7. Operations & Monitoring


Migration

  • Stages - Assess / Plan / Deploy / Optimise [link]

DR Plan

  • RTO vs RPO / Recovery Time vs Cost [link]
  • DR patterns - Cold Start, Warm Standby, Hot Backup/Multi-Site [link]

Logging

  • Cloud Audit logs - Admin Activity, Data Access, System Events [link]
  • Access Transparency Logs [link]
  • Agent Logs [link]
  • Log retention periods [link], and which logs can/cannot be disabled

Exporting Logs

  • Sinks = Query + Destination [link]
  • Be aware of the destinations - GCS, BigQuery, Pub/Sub (external SIEM) [link]
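The logging bullets above (the three Cloud Audit Log types, which of them can be disabled, and sinks as query plus destination) are easiest to remember by running them over a few records. The following Python is an added example, not code from the article or from Google: it classifies LogEntry-shaped records by the logName suffix Cloud Audit Logs use, reports whether each log type can be switched off (Admin Activity and System Event are always written; Data Access is configurable except for BigQuery, which is always on), and routes the records through sinks whose filters use a small subset of the Logging query language (`field=value`, `field:substring`, `AND`). The project name, principals, payloads, sink names and destinations are constructed; the logName suffixes and the destination URI prefixes follow the documented formats.

```python
"""Audit-log classification and sink routing (constructed example, not Google's code)."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

LogEntry = Dict[str, Any]

# Cloud Audit Logs are distinguished by the last path segment of logName.
AUDIT_LOG_IDS = {
    "cloudaudit.googleapis.com%2Factivity": "ADMIN_ACTIVITY",
    "cloudaudit.googleapis.com%2Fdata_access": "DATA_ACCESS",
    "cloudaudit.googleapis.com%2Fsystem_event": "SYSTEM_EVENT",
}


def audit_log_type(entry: LogEntry) -> Optional[str]:
    return AUDIT_LOG_IDS.get(entry.get("logName", "").rsplit("/", 1)[-1])


def can_be_disabled(entry: LogEntry) -> Optional[bool]:
    """True only for configurable Data Access logs; BigQuery Data Access, Admin Activity
    and System Event logs are always written. None means the entry is not an audit log."""
    kind = audit_log_type(entry)
    if kind is None:
        return None
    if kind == "DATA_ACCESS":
        return entry.get("resource", {}).get("type") != "bigquery_resource"
    return False


# A sink is a query (filter) plus a destination. The grammar below is a small
# subset of the Logging query language: field=value, field:substring, AND.
_TERM = re.compile(r'([\w.]+)\s*(=|:)\s*("[^"]*"|\S+)')
Term = Tuple[str, str, str]


def parse_filter(text: str) -> List[Term]:
    terms: List[Term] = []
    for part in (p for p in re.split(r"\s+AND\s+", text.strip()) if p):
        m = _TERM.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {part!r}")
        fld, op, value = m.groups()
        terms.append((fld, op, value.strip('"')))
    return terms                      # an empty filter ([]) matches every entry


def _lookup(entry: LogEntry, path: str) -> Any:
    cur: Any = entry
    for key in path.split("."):       # dotted path into the nested entry
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def matches(terms: List[Term], entry: LogEntry) -> bool:
    for fld, op, value in terms:
        actual = _lookup(entry, fld)
        if actual is None:
            return False
        if op == "=" and str(actual) != value:
            return False
        if op == ":" and value not in str(actual):
            return False
    return True


@dataclass
class Sink:
    name: str
    destination: str                  # GCS bucket, BigQuery dataset or Pub/Sub topic
    filter: str


def route(sinks: List[Sink], entries: List[LogEntry]) -> Dict[str, List[str]]:
    """Map each destination to the insertIds of the entries its sink exports."""
    out: Dict[str, List[str]] = {s.destination: [] for s in sinks}
    for s in sinks:
        terms = parse_filter(s.filter)
        out[s.destination].extend(e["insertId"] for e in entries if matches(terms, e))
    return out


# Constructed entries in the LogEntry shape (project, principals and payloads are invented).
_P = "projects/example-project/logs/"
SAMPLE_ENTRIES: List[LogEntry] = [
    {"insertId": "e1", "logName": _P + "cloudaudit.googleapis.com%2Factivity", "severity": "NOTICE",
     "resource": {"type": "project"}, "protoPayload": {"methodName": "SetIamPolicy",
     "authenticationInfo": {"principalEmail": "admin@example.com"}}},
    {"insertId": "e2", "logName": _P + "cloudaudit.googleapis.com%2Fdata_access", "severity": "INFO",
     "resource": {"type": "gcs_bucket"}, "protoPayload": {"methodName": "storage.objects.get",
     "authenticationInfo": {"principalEmail": "app-sa@example-project.iam.gserviceaccount.com"}}},
    {"insertId": "e3", "logName": _P + "cloudaudit.googleapis.com%2Fdata_access", "severity": "INFO",
     "resource": {"type": "bigquery_resource"}, "protoPayload": {"methodName": "jobservice.jobcompleted",
     "authenticationInfo": {"principalEmail": "analyst@example.com"}}},
    {"insertId": "e4", "logName": _P + "cloudaudit.googleapis.com%2Fsystem_event", "severity": "INFO",
     "resource": {"type": "gce_instance"},
     "protoPayload": {"methodName": "compute.instances.migrateOnHostMaintenance"}},
    {"insertId": "e5", "logName": _P + "syslog", "severity": "INFO", "resource": {"type": "gce_instance"},
     "textPayload": "sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 51422"},
]
SAMPLE_SINKS = [
    Sink("audit-to-bigquery", "bigquery.googleapis.com/projects/example-project/datasets/audit_logs",
         'logName:"cloudaudit.googleapis.com"'),
    Sink("iam-changes-to-siem", "pubsub.googleapis.com/projects/example-project/topics/siem-export",
         'protoPayload.methodName="SetIamPolicy"'),
    Sink("archive-everything", "storage.googleapis.com/example-audit-archive", ""),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(e["insertId"], audit_log_type(e), "disableable:", can_be_disabled(e))
    for dest, ids in route(SAMPLE_SINKS, SAMPLE_ENTRIES).items():
        print(dest, "<-", ids)
```

The routing shows why a narrow Pub/Sub sink to an external SIEM (IAM changes only) is usually paired with a broad, cheap GCS archive sink: the same entry can be exported by several sinks, and an empty filter exports everything, agent logs included.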

VPC Flow Logs

  • Enabled at Subnet level, with a retention period [link]

Monitoring and Alerting

  • Alerting = Policies + Conditions + Notifications [link]
  • APM / SRE tools for Trace / Debugger / Profiler / Error Reporting [link]


8. Compliance



  • Be aware of the major standards and regulations - ISO27001 / ISO27017 / ISO27018, FIPS140, HIPAA, GDPR, PCI-DSS [link]



Good luck to all on your journey to Google Cloud certification!

I used Dumpsora.com while preparing for the Google Security-Operations-Engineer exam I took last month. The practice questions were current and very realistic, which boosted my confidence a lot. Definitely recommend it.
