Google Cloud Security Engineer Exam Prep Sheet
Prep Notes by Ammett

Google Cloud Professional Cloud Security Engineer Exam Prep Sheet by Ammett
This is an updated guide based on my preparation for the exam. References from Google Docs and other sources.
V4: 02-2024

White papers you must review
1 - 7-best-practices-for-building-containers
2 - Best practices for enterprise organizations
3 - Choosing a Load Balancer
4 - Cloud Audit Logs
5 - Cloud IAP for on-premises apps
6 - DNS Security (DNSSEC)
7 - Envelope encryption
8 - Federating Google Cloud Platform with AD
9 - Firewall Rules Overview _ VPC
10 - Pseudonymization
11 - Key rotation _ Cloud KMS
12 - PCI_DSS_Shared_Responsibility_GCP
13 - Retention policies using Bucket Lock
14 - Scenarios for Exporting Logging Data
15 - Secret management with Cloud KMS
16 - DLP
17 - Google Cloud security foundation guide
Organisation Structures
What it is: GCP resources are organized hierarchically. This allows you to map your enterprise's operational structure to GCP, and to manage access control and permissions for groups of related resources.
What you should know:
1- Flow (Organisation, Folders, projects, resources)
2- Where to manage permissions for groups, department, entire organisation, etc
3- Permissions level necessary
Review documents: Resource Hierarchy
Video: Google Cloud Platform resource hierarchy
My experience: This area is fundamental; however, you really need to understand how to control it to get the separation, how it should be designed and restrictions applied. Understand constraints.
Cloud What it is What you should know Review documents Video My experience
Identity A unified identity, access, 1- Federations -Cloud Identity Identity and authorization Spend some time to understand well how you integrate and
app, and device 2- AD integrations / Hybrid LDAP -Authenticating corporate users in a also manager the account and security. How Two factor
management (IAM/EMM) 3- SAML 2.0 & OpenID hybrid environment Exploring Cloud Identity authentication may come into effect. Super user account. A
4- Set up SSO -Federating Google Cloud with Active
platform. (similar to tricky bunch of question my come on this topic.
5- Service accounts Directory
Microsoft AD) 6- Cloud Directory Sync -Workload Identity Pool & Service
7- Groups control workspace admin account impersonation
Organisation Structure - diagram (image not included); Federating Active Directory with Cloud Identity - diagram (image not included)
Organization policies
What it is: The Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources.
What you should know:
1- How to restrict access
2- Which level to apply constraints at
3- Permissions level necessary
4- How a list at a higher level affects other levels
5- Review the list of constraints, e.g. constraints/compute.restrictXpnProjectLienRemoval
Review documents: Organization policy Service; GCP resource Hierarchy; Organisation policy resource; Resource constraints; Restricting Resource locations; Restricting domain
Video: Organisation and Access management; What is Google Cloud's Organization Policy Service
My experience: Understand constraints; you may come across various types of constraints.
VPC Service Controls
What it is: VPC Service Controls lets you mitigate data exfiltration risks by isolating resources of multi-tenant Google Cloud services.
What you should know:
1- How it works
2- How to allow access (ingress and egress)
3- How to prevent data exfiltration
4- Enforced and dry run mode
Review documents: VPC service control; VPC service perimeter bridges; VPC ingress and egress; Dry Run mode
Video: VPC service controls
My experience: Important topics to control security in your VPC.
Organization policy - diagram (image not included); VPC-SC - diagram (image not included)
Cloud IAM
What it is: Cloud IAM lets you manage access control by defining who (identity) has what access (role) for which resource.
What you should know:
1- Best way to manage (use groups)
2- Roles (primitive, predefined & custom)
3- Roles necessary to do certain functions
4- Password min requirements
Review documents: How IAM works; Create a strong password; Modern password security; Roles; Service account constraints; Limit spoofing threats
Video: What is Cloud IAM; Custom Roles; Better Practices for Cloud IAM
Labs: Cloud IAM: Qwik Start; Service Account; Roles
My experience: Core component of security integrated across all services. Check out the concept of constraints and service accounts.
2FA
What it is: Two factor authentication is an added layer of security to secure your identities.
What you should know:
1- Recovery with 2FA
2- MFA
3- Account you should use MFA on
4- OS login 2FA
Review documents: Protect your business with 2FA; Multiple factor authentication; OS Login with 2FA; Recovery acc protected by 2fa
Video: How to choose the right 2FA
My experience: Understand the various uses of 2FA and which account should always be secured.
Identity Aware Proxy
What it is: Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud applications and VMs running on GCP.
What you should know:
1- How it works (HTTPS)
2- JWT (signed headers)
3- How to configure
4- On prem flow
5- TCP forwarding
6- IAM roles
Review documents:
- Identity-Aware Proxy overview
- Securing your app with signed headers
- IAP for on-premises apps
- Beyond Corp
Video: Centralize access to your organization's websites with Identity Aware Proxy (IAP)
Labs: User authentication with Identity-Aware Proxy
My experience: Understanding the flow is important, and where and when to use it. That makes the difference in selecting the correct answer if it isn't obvious. TCP forwarding: understand the concept.
Google security model
What it is: Google's end-to-end security process, built up over 15+ years to secure their various offerings including Google Cloud Platform.
What you should know:
1- Shared responsibilities on various service types (PaaS, IaaS, SaaS)
2- Compliance (ISO 27001 etc, PCI)
3- Default security Google applies
4- Encryption on by default
5- Data removal, hardware handling
Review documents: Trust and Security; Google security whitepaper; PCI DSS shared security model
Video: Security and compliance; Shared Responsibility: What This Means for You as a CISO
My experience: Nice section to get asked about. Check the compliance standards like PCI, HIPAA, ISO 27001, 27017, 27018.
Cloud IAP flows - diagram (image not included); On Prem flow - diagram (image not included); TCP forwarding - diagram (image not included)
VPC
What it is: A VPC network is your virtual network in the cloud, just like an on-prem physical network, data centre or office network.
What you should know:
1- How to design your own custom VPC for your production projects
2- How to get traffic flowing
3- RFC1918
4- Internal and external access
Review documents: VPC network overview; Securing Data with VPC service control
Video: VPC's
Labs: Multiple VPC networks
My experience: Can't have security without networking; understand it very well. Understand service control also.
Default VPC
What it is: The default network is created by default when you create a project.
What you should know:
1- Default network
2- How to disable it
Review documents: VPC default network
My experience: Securing your VPC can be done in various ways. One such way is using constraints. Take a look at a few common ones.
Migrating projects
What it is: Migrating projects can occur and is not out of the way.
What you should know:
1- How to migrate projects
2- How to handle permissions and constraints on projects that are to be migrated
Review documents: Migrating projects
My experience: Migration can get tricky, especially if there are various security elements applied on the project. Check out the flow.
Firewall
What it is: Allow or deny traffic to and from your virtual machine (VM) instances etc., based on configurations you specify.
What you should know:
1- How they work (Stateful) & Scope
2- Implied rules, Default rules
3- Firewall hierarchy
4- Effect of sharing, peering, etc
5- Filtering methods (IP, Tags, SA)
Review documents: Implied rules; Filtering by service accounts; Firewall hierarchy; Firewall Insights
Video: How firewall protect your environment
Labs: VPC Networks - Controlling Access
My experience: There are some implied and default rules; know these. Also, how to define your rules (source, dest, port, protocol, action, priority).
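To make the Firewall items above concrete, here is an added example (written for this sheet, not code from Google or from the prep sheet's author) of a small rule evaluator: it models priority ordering, the two implied rules at priority 65535, target tags, the deny-beats-allow tie at equal priority, and stateful reply handling. Every rule, tag and address below is constructed sample data; the egress range 199.36.153.8/30 is the private.googleapis.com range quoted later in the sheet.

```python
"""Added example: evaluate VPC firewall rules on sample traffic (constructed data)."""
import ipaddress
from dataclasses import dataclass, field

IMPLIED_PRIORITY = 65535   # lowest priority; every VPC network carries the two implied rules


@dataclass
class Rule:
    name: str
    priority: int             # 0 (highest) .. 65535 (lowest)
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    protocol: str             # "tcp", "udp", "icmp" or "all"
    ports: list = field(default_factory=list)      # empty = all ports
    ranges: list = field(default_factory=list)     # source ranges (ingress) / destination ranges (egress)
    target_tags: set = field(default_factory=set)  # empty = applies to every instance in the network


# Implied rules: allow all egress, deny all ingress. They cannot be deleted, only
# overridden by user rules with a higher priority (a smaller number).
IMPLIED_RULES = [
    Rule("implied-allow-egress", IMPLIED_PRIORITY, "EGRESS", "allow", "all", ranges=["0.0.0.0/0"]),
    Rule("implied-deny-ingress", IMPLIED_PRIORITY, "INGRESS", "deny", "all", ranges=["0.0.0.0/0"]),
]

# Constructed sample rule set (hypothetical names and addresses).
SAMPLE_RULES = [
    Rule("allow-ssh-from-corp", 1000, "INGRESS", "allow", "tcp", [22], ["203.0.113.0/24"], {"bastion"}),
    Rule("deny-ssh-from-one-host", 1000, "INGRESS", "deny", "tcp", [22], ["203.0.113.66/32"], {"bastion"}),
    Rule("allow-web", 1000, "INGRESS", "allow", "tcp", [80, 443], ["0.0.0.0/0"], {"web"}),
    Rule("deny-egress-internet", 900, "EGRESS", "deny", "all", [], ["0.0.0.0/0"], {"private"}),
    Rule("allow-egress-google-apis", 800, "EGRESS", "allow", "tcp", [443], ["199.36.153.8/30"], {"private"}),
]


def _matches(rule, direction, peer_ip, protocol, port, instance_tags):
    """True when the rule applies to this packet on an instance carrying instance_tags."""
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & set(instance_tags)):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.ports and port not in rule.ports:
        return False
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in rule.ranges)


def evaluate(rules, direction, peer_ip, protocol, port, instance_tags=()):
    """Return (action, rule_name) for one packet.

    Rules are tried from highest priority (smallest number) to lowest; at equal
    priority a deny rule wins over an allow rule. The implied rules sit at 65535,
    so one of them always matches when nothing else does.
    """
    order = sorted(rules + IMPLIED_RULES, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in order:
        if _matches(rule, direction, peer_ip, protocol, port, instance_tags):
            return rule.action, rule.name
    raise AssertionError("unreachable: an implied rule always matches")


class StatefulFirewall:
    """Connection tracking: the rules are stateful, so the reply to an allowed
    connection is allowed even if no rule permits it in the reply direction.
    The flow key uses the remote service port for both directions (simplified)."""

    def __init__(self, rules):
        self.rules = rules
        self.allowed_flows = set()

    def check(self, direction, local_ip, peer_ip, protocol, port, instance_tags=()):
        original_dir = "INGRESS" if direction == "EGRESS" else "EGRESS"
        if (original_dir, local_ip, peer_ip, protocol, port) in self.allowed_flows:
            return "allow", "established-flow"
        action, name = evaluate(self.rules, direction, peer_ip, protocol, port, instance_tags)
        if action == "allow":
            self.allowed_flows.add((direction, local_ip, peer_ip, protocol, port))
        return action, name


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "INGRESS", "203.0.113.10", "tcp", 22, {"bastion"}))
    print(evaluate(SAMPLE_RULES, "INGRESS", "203.0.113.66", "tcp", 22, {"bastion"}))
    print(evaluate(SAMPLE_RULES, "EGRESS", "8.8.8.8", "tcp", 443, {"private"}))
```

Two things worth noticing when you run it: an instance tagged `web` is still denied SSH because nothing overrides the implied ingress deny for port 22, and the `private` instances can only reach the 199.36.153.8/30 range on 443 because the priority-800 allow is evaluated before the priority-900 deny-all egress.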
Cloud Armor
What it is: Google Cloud Armor security policies are made up of rules that allow or prohibit traffic from IP addresses or ranges defined in the rule.
What you should know:
1- Where it works (Edge, HTTPS load balancing proxy)
2- How it works (whitelist, blacklist, IAP)
3- Restrictions: Cloud Armor and CDN
4- Security policy requirements
Review documents: Cloud Armor Security policy
Video: Journey with Cloud Armor
Labs: HTTP Load Balancer with Cloud Armor
My experience: Goes well with security and securing apps and load balancers. Knowing this may get you a point or 2.
Flow Logs
What it is: VPC Flow Logs record a sample of network flows sent from and to VM instances. These are used for monitoring, forensics, real-time security analysis, and expense optimization.
What you should know:
1- Cases to use this to gather info to lock down access etc
2- What it records, how to read it
3- How to enable
Must review documents: Using VPC Flow Logs
Video: GCP Network and Security
Labs: VPC Flow Logs - Analyzing Network Traffic
My experience: Another one of the areas where a question or two came up and can easily gain you a much-needed mark.
NGFW
What it is: A centralized set of firewalls run as virtual machines that deliver features.
What you should know:
1- How to configure
2- Filter traffic
3- Reasons to use
Must review documents: Centralized network appliances on Google Cloud; Deploying FortiGate-VM Next Generation Firewall
My experience: Get familiar.
Cloud Armor - diagram (image not included)
Load balancers: HTTP(S) Load balancer, SSL Proxy, TCP Proxy, Network Load balancer, Internal load balancer (comparison diagram, image not included)
Review documents: Choosing a load balancer
Hybrid connectivity: VPC Sharing / VPC Peering / VPN / Dedicated Interconnect / Partner Connect
Review documents:
▪ Hybrid connectivity options
VPC Sharing - What you should know:
1- Centralised management
2- Firewall control
3- Internal RFC1918
VPC Peering - What you should know:
1- When to peer what
2- Services you have access to
3- Dynamic setup
VPN - What you should know:
1- Over internet
2- IPSEC used
Dedicated Interconnect - What you should know:
1- Reason to use this
2- Min 10GB
3- Not over the internet
Partner Connect - What you should know:
1- Best case use
2- Min size 50MB
3- Not over the internet
DNSSEC / Private Access / Cloud NAT / Bastion Host / Mirror ports
Review documents:
▪ DNSSEC
▪ Cloud NAT
▪ Private Access
▪ Private access on prem
Labs: Config private access and cloud NAT
DNSSEC - What it is: Prevents attackers from manipulating or poisoning the responses to DNS requests.
What you should know:
1- What it protects
Private Access - What it is: Allows VM instances with internal (RFC 1918) IP addresses to reach certain APIs and services without internet access.
What you should know:
1- How to enable
2- Restricted and private
3- Configure for on prem envs and cloud
4- DNS config
Cloud NAT - What it is: Allows Google Cloud Platform (GCP) virtual machine (VM) instances without external IP addresses and private (GKE) clusters to connect to the Internet.
What you should know:
1- How it works
Bastion Host - What it is: Bastion hosts provide an external facing point of entry into a network containing private network instances from the Internet.
What you should know:
1- Where it sits
Mirror ports - What it is: Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination.
What you should know:
1- How it works
My experience: Some of these may pop up, if not all, so just know these; they are pretty straightforward.
Cloud KMS / CMEK / CSEK / Cloud EKM / Cloud HSM
Review documents:
▪ Customer managed encryption keys (CMEK)
▪ Customer supplied encryption keys (CSEK)
▪ Envelope encryption
▪ EKM
▪ Cloud HSM
Video: KEYS; EKMS and KAJ
Labs:
▪ Encrypt and decrypt data with Cloud KMS
▪ Encrypt and decrypt Cloud KMS Asymmetric Key
▪ Sign and verify data with Cloud KMS
Cloud KMS - What it is: Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy cryptographic keys.
What you should know:
1- Its purpose
2- What are the cases you should use it
CMEK - What it is: For greater control you can use customer-managed encryption keys (CMEK). This way you control and manage encryption keys in Cloud KMS.
What you should know:
1- What products support this service (BigQuery, Cloud Build, Cloud Dataproc, Cloud Storage, Compute Engine)
2- Know the step
3- gcp.restrictNonCmekServices
CSEK - What it is: If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
What you should know:
1- Supported by Compute and Cloud Storage
2- This key replaces the KEK
3- Know the step (very important)
Cloud EKM - What it is: With Cloud EKM, you can use keys that you manage within a supported external key management partner to protect data within Google Cloud. You can protect data at rest in supported CMEK integration services, or by calling the Cloud Key Management Service API directly.
What you should know:
1- How to configure the steps
2- What cases to use it
3- Know the step (very important)
4- Key Access Justification
Cloud HSM - What it is: You can generate encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs.
What you should know:
1- Where to use it
2- Meets FIPS Level 3 requirement
3- How it works
My experience: Key management and encryption stuff is super important. You will get questions on this. Know all situations, and which key type is used and, most importantly, which products support which type. Know it like the alphabet.
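The envelope-encryption white paper, the CSEK note that "this key replaces the KEK", the key-rotation item (a new key version marked primary) and the crypto-delete item all describe one key lifecycle. The following is an added example written for this sheet (not Google's code, not Cloud KMS) that models that lifecycle in memory: a per-object data encryption key (DEK) encrypts the data, the key ring's primary key encryption key (KEK) version wraps the DEK, rotation creates a new primary version while old versions still unwrap old DEKs, and destroying a version renders everything wrapped under it unrecoverable. The cipher is a stand-in for AES-GCM built from the standard library (HMAC-SHA256 keystream plus an HMAC tag) so the file runs offline; the `KeyRing` class and all names are hypothetical.

```python
"""Added example: envelope encryption, key rotation and crypto-shredding, in memory.
The cipher below is a teaching stand-in for AES-GCM, not a production construction."""
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC with a fresh nonce: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag before decrypting; any tampering raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyRing:
    """Hypothetical stand-in for one KMS key: numbered versions, exactly one primary."""

    def __init__(self):
        self.versions = {}      # version number -> key bytes, or None once destroyed
        self.primary = None
        self.rotate()

    def rotate(self) -> int:
        """Create a new key version and mark it primary (what key rotation means in KMS)."""
        version = len(self.versions) + 1
        self.versions[version] = os.urandom(32)
        self.primary = version
        return version

    def destroy(self, version: int) -> None:
        """Drop the key material; the version id stays, like a destroyed KMS version."""
        self.versions[version] = None

    def wrap(self, dek: bytes):
        """Wrap a DEK under the primary KEK version; returns (version, wrapped_dek)."""
        return self.primary, seal(self.versions[self.primary], dek, aad=b"dek")

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        key = self.versions.get(version)
        if key is None:
            raise KeyError(f"KEK version {version} is destroyed: data is crypto-shredded")
        return open_(key, wrapped, aad=b"dek")


def envelope_encrypt(ring: KeyRing, plaintext: bytes) -> dict:
    """Fresh DEK per object; only the wrapped DEK and KEK version travel with the ciphertext."""
    dek = os.urandom(32)
    version, wrapped = ring.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}


def envelope_decrypt(ring: KeyRing, obj: dict) -> bytes:
    dek = ring.unwrap(obj["kek_version"], obj["wrapped_dek"])
    return open_(dek, obj["ciphertext"])


def lifecycle() -> dict:
    """Walk through rotation and crypto-deletion; returns the observed outcomes."""
    ring = KeyRing()
    old = envelope_encrypt(ring, b"record written under KEK version 1")
    ring.rotate()                                  # version 2 becomes primary
    new = envelope_encrypt(ring, b"record written under KEK version 2")
    results = {
        "new_object_uses_primary": new["kek_version"] == 2,
        "old_object_readable_after_rotation": envelope_decrypt(ring, old) == b"record written under KEK version 1",
    }
    ring.destroy(1)                                # crypto-shred everything wrapped under v1
    try:
        envelope_decrypt(ring, old)
        results["old_object_shredded"] = False
    except KeyError:
        results["old_object_shredded"] = True
    results["new_object_still_readable"] = envelope_decrypt(ring, new) == b"record written under KEK version 2"
    return results


if __name__ == "__main__":
    print(lifecycle())
```

The point of the `lifecycle()` walk-through is the asymmetry the exam items hinge on: rotation does not re-encrypt existing data (the old version must stay enabled for old objects), whereas destroying a version is what makes old data unrecoverable. The CSEK case maps onto the same structure with the customer holding the KEK instead of the key ring.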
Key rotation / Managing secrets / DLP / DLP cryptographic methods / Crypto-delete
Review documents:
▪ REGEX
▪ Pseudonymization
▪ DLP
▪ Cryptographic methods
▪ Transformation
▪ Secret manager
▪ Key rotation
▪ Crypto-delete aka crypto-shredding
Video: DLP; Secret manager
Key rotation - What it is: In Cloud KMS, a key rotation is represented by generating a new key version of a key, and marking that version as the primary version.
What you should know:
1- Reason to rotate keys
2- Method: automatic or manual, regular, irregular
3- Commands
Managing secrets - What it is: Applications often require access to small pieces of sensitive data at build or run time. These pieces of data are often referred to as secrets.
What you should know:
1- Choosing a secret management solution
2- Rotating secrets
DLP - What it is: With Cloud DLP, you can easily classify and redact sensitive data contained in text-based content and images, including content stored in Google Cloud Platform storage repositories.
What you should know:
1- How it works (Redact, Crypto-based, Masking, date shifting)
2- How to configure, and regex
3- Reversible vs non-reversible DLP (know which methods do what)
4- CloudStorageRegexFileSet
DLP cryptographic methods - What these are: These are AES-SIV, FPE-FFX, HMAC.
What you should know: Spend some time to understand what methods help you achieve what. What's reversible and what's not.
Crypto-delete - What it is: Crypto-deletion, or crypto-shredding, is the process of rendering data unrecoverable by deleting the key used to encrypt it. Since the data can no longer be decrypted, it is effectively deleted.
What you should know:
1- Know what it does and how it works
My experience: DLP should be well known, especially how to achieve various results. This topic is tricky; spend some time on it.
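The DLP items above (redact, masking, date shifting, crypto-based, and reversible versus non-reversible) are easier to keep apart once you have applied each one to a record. The following is an added example written for this sheet, not Cloud DLP's own code: standard-library versions of those transformations applied to a constructed record. Of the cryptographic methods the sheet lists, only HMAC is implemented here (the non-reversible, joinable one); AES-SIV deterministic encryption and FPE-FFX, Cloud DLP's reversible methods, are not reconstructed. The record, key and field names are constructed.

```python
"""Added example: DLP-style de-identification transformations on a constructed record."""
import hashlib
import hmac
import re
from datetime import date, timedelta


def redact(text: str, pattern: str, replacement: str = "") -> str:
    """Remove every match of pattern, or replace it with an infoType-style marker."""
    return re.sub(pattern, replacement, text)


def mask(value: str, keep_last: int = 4, mask_char: str = "#") -> str:
    """Character masking: hide everything but the last keep_last characters. Not reversible."""
    hidden = max(len(value) - keep_last, 0)
    return mask_char * hidden + value[hidden:]


def hmac_pseudonym(value: str, key: bytes, context: str = "") -> str:
    """Keyed HMAC-SHA256 token. Deterministic for one key, so joins across tables still
    work, but there is no way back to the value: this is the non-reversible crypto method."""
    return hmac.new(key, (context + "\x00" + value).encode(), hashlib.sha256).hexdigest()[:16]


def date_shift(d: date, key: bytes, subject: str, max_days: int = 100) -> date:
    """Shift a date by a per-subject offset in [-max_days, +max_days]. The offset is derived
    from key and subject, so all of one subject's dates move together and the intervals
    between them survive (consistent date shifting)."""
    digest = hmac.new(key, subject.encode(), hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big") % (2 * max_days + 1) - max_days
    return d + timedelta(days=offset)


def deidentify(record: dict, key: bytes) -> dict:
    """Apply one transformation per field, the way a de-identification template would."""
    subject = hmac_pseudonym(record["patient_id"], key, context="patient")
    return {
        "patient_id": subject,                                            # crypto-based, non-reversible
        "card": mask(record["card"]),                                     # masking, non-reversible
        "note": redact(record["note"], r"\b\d{3}-\d{4}\b", "[PHONE]"),   # redact / replace with marker
        "admitted": date_shift(record["admitted"], key, subject),        # date shift, consistent per subject
        "discharged": date_shift(record["discharged"], key, subject),
    }


SAMPLE_RECORD = {   # constructed data, not a real person or card
    "patient_id": "P-000123",
    "card": "4111111111111111",
    "note": "Call 555-0100 about the invoice",
    "admitted": date(2024, 1, 10),
    "discharged": date(2024, 1, 15),
}


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, b"constructed-key-not-for-real-use"))
```

Run it twice with the same key and the pseudonym and shifted dates come out identical, which is what lets de-identified tables still be joined; run it with a different key and they change, which is why the key is the secret to protect. Nothing in the output can be turned back into the card number or the original dates, so if a workload needs re-identification later, the sheet's reversible methods (AES-SIV, FPE-FFX) are the ones to pick instead of HMAC.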
Cloud EKM - diagram (image not included)
Data Sovereignty / Kubernetes / G Suite / Web Security Scanner / Security Command Center
Review documents:
▪ Web Security Scanner
▪ Security Command Center
▪ Data Sovereignty
▪ 7 best practices for building containers
▪ Kubernetes
▪ Container threat detection
▪ Event Threat Detection
▪ Container analysis
▪ RBAC GKE
Video:
▪ GKE security basics
▪ Security Command Center Playlist
▪ KUBERNETES
▪ GKE shared security
Labs: Mitigate Threat with SCC
Data Sovereignty - What it is: Data residency and sovereignty requirements are based on your regional and industry-specific regulations, and different organizations might have different data sovereignty requirements.
What you should know:
1- Enforce residency and operational sovereignty
Video: Meeting your digital sovereignty
Kubernetes - What it is: The Kubernetes networking model relies heavily on IP addresses. Services, Pods, Containers, and nodes communicate using IP addresses and ports.
What you should know:
1- How it works
2- Containers and pods
3- How to secure
4- Updating
5- GKE security Basics
G Suite - What it is: Google's SaaS offering comprised of Gmail, Docs, Drive, Calendar, Meet and more for your business.
What you should know:
1- High level administration
2- Managing users, setting up domain, IAM, Super user account
Web Security Scanner - What it is: The Cloud (Web) Security Scanner identifies security vulnerabilities in your App Engine, Compute Engine and Google Kubernetes Engine web applications.
What you should know:
1- Reason to use this
Lab: Web Security Scanner: Qwik Start
Security Command Center - What it is: Security Command Center lets you filter and view vulnerabilities and threat findings in many different ways, like filtering on a specific finding type, resource type, or for a specific asset.
What you should know:
1- The components: Web security scanner, VM manager, Container Threat Detection, Event Threat Detection
2- Crypto mining protection with Virtual Machine Threat Detection
3- Mute findings
4- Security Health Analytics vulnerability
5- Patch management
My experience: Important for the exam.
Binary authorization / Key Access Justification / Cloud IDS / Policy Intelligence
Review documents:
▪ Binary authorization
▪ Key Access Justification
▪ Policy Analyzer
Video: Policy Intelligence; Cloud IDS
Binary authorization - What it is: Binary Authorization is a deploy-time security control that ensures only trusted container images are deployed on Google Kubernetes Engine (GKE) or Cloud Run.
What you should know:
1- How it works
2- How to enforce
3- With VPC service controls
Lab: GKE: Binary Authorization
Key Access Justification - What it is: Key Access Justifications provides a reason every time your externally managed keys are accessed.
What you should know:
1- Use cases for this
Cloud IDS - What it is: Provides cloud-native network threat detection with industry-leading security.
What you should know:
1- General awareness
Lab: Cloud IDS
Policy Intelligence - What it is: Helps enterprises understand and manage their policies to reduce their risk. By providing more visibility and automation, customers can increase security without increasing their workload.
What you should know:
1- How it works
2- Components: Policy Troubleshooter, Policy Analyzer, Policy Simulator
Binary authorization - diagram (image not included); KAJ and EKM - diagram (image not included); SCC - diagram (image not included)
BigQuery / Cloud Storage / Compute Engine / Google Cloud's operations suite (formerly Stackdriver) / SIEM
Review documents:
▪ Design patterns for exporting logging data
▪ Scenarios for exporting Cloud Logging data
▪ 4 steps for hardening your Cloud Storage buckets
▪ Retention policies and retention policy locks
▪ BigQuery Column-level security
▪ Row level security
▪ Encryption BigQuery
Video: CLOUD STORAGE; Exporting; BIGQUERY
BigQuery - What it is: BigQuery is a serverless, highly scalable, and cost-effective cloud enterprise data warehouse that enables super-fast SQL queries using the processing power of Google's infrastructure.
What you should know:
1- Authorised views
2- How to export data
3- Cloud DLP
4- Keys CMEK
Cloud Storage - What it is: Unified object storage for developers and enterprises.
What you should know:
1- Types (nearline, coldline); object storage
2- Encryption options (default, CSEK, CMEK)
3- How to retain data
4- Migrate data
5- Public access prevention
Compute Engine - What it is: Google Compute Engine delivers virtual machines running in Google's innovative data centers and worldwide fibre network.
What you should know:
1- Secured images
2- How to secure access
3- How to update
4- Secure image pipeline
5- Shielded VM
6- Confidential VM
Google Cloud's operations suite (formerly Stackdriver) - What it is: Stackdriver Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud Platform and Amazon Web Services (AWS).
What you should know:
1- Used for compliance
2- Used for security analytics
3- Used for SIEM
4- Log sink for Org
5- Set default location for storage and logging
SIEM - What it is: Security Information and Event Management (SIEM) software has a variety of uses. GCP has integration to these and many others.
What you should know:
1- How you would set up integrations
My experience: You can't have security without audit and logging. These areas will come up in one form or the other; be familiar with them, and with integrations also.
Super User accounts / DDoS / Dataproc / App Engine / Cloud Audit logs
Review documents:
▪ DNS Security Extensions (DNSSEC)
▪ DDoS
▪ AppEngine
▪ Access Transparency Log
▪ Type of audit logs
Video: DDoS; AUDIT LOGS
Super User accounts - What it is: To configure your Google Cloud Platform (GCP) Organization resource, you need to use a G Suite or Cloud Identity super admin account.
What you should know:
1- What they are used for
2- Recommended limits
3- 2FA
4- Discourage use
DDoS - What it is: A (DDoS) attack is a malicious attempt to disrupt normal traffic to a targeted service or network by overwhelming the target infrastructure with a flood of Internet traffic.
What you should know:
1- How to prevent with GCP tools
Dataproc - What it is: Cloud Dataproc is a fast, easy-to-use, fully managed cloud service for running Apache Spark and Apache Hadoop clusters.
What you should know:
1- How it works, what it is used for
App Engine - What it is: Build and deploy applications on a fully managed platform. Scale your applications seamlessly from zero to planet scale without having to worry about managing the underlying infrastructure.
What you should know:
1- Discovers vulnerabilities
2- Shared responsibility of service
Cloud Audit logs - What it is: Cloud Audit Logs are a collection of logs provided by Google Cloud Platform that provide insight into operational concerns related to your use of Google Cloud services.
What you should know:
1- Data access
2- System Events
3- Admin Activity
4- Transparency Access Logs
My experience: Be familiar with the types of access certain accounts have, deployment methods, and the types of audit logs you may need. Restricting access by Google personnel may pop up.
private.googleapis.com
What it is: Use private.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.
What you should know:
1- Choose when you don't use VPC Service Controls.
2- Choose when you do use VPC Service Controls, but you also need to access Google APIs and services that are not supported by VPC Service Controls.
3- 199.36.153.8/30
Review documents: configure
My experience: Some tricky stuff here.
restricted.googleapis.com
What it is: Use restricted.googleapis.com to access Google APIs and services using a set of IP addresses only routable from within Google Cloud.
What you should know:
1- Choose when you only need access to Google APIs and services that are supported by VPC Service Controls
2- 199.36.153.4/30
Firewall Insights
What it is: Firewall Insights helps you better understand and safely optimize your firewall rules.
What you should know:
1- Part of Network Intelligence Center
2- What it's used for
Review documents: Firewall Insights
Thanks for reviewing
ps. These are my notes and tips that helped me pass the exam on the second attempt. I kept them light and not too comprehensive. The actual exam requirements may change as technology evolves, so please review Google's outline.
The sheet is free; it just cost me some time to put together. So please share with your network who may be interested in GCP Security. If it helps, give me a shoutout on LinkedIn.
Check out all my Google prep sheets for the Network, DevOps and others HERE
Have a good day