Google Cloud Security Engineer Exam Prep Sheet


Google Cloud Professional Cloud Security Engineer Exam Prep Sheet by Ammett

This is my guide based on my preparation for the exam achieved during my 90 days of cloud challenge. References from Google Docs and other sources.
V1.5: 02-2020

My white paper must review list
1 - 7 best practices for building containers
2 - Best practices for enterprise organizations
3 - Choosing a Load Balancer
4 - Cloud Audit Logs / Stackdriver Logging
5 - Cloud IAP for on-premises apps
6 - DNS Security (DNSSEC)
7 - Envelope encryption
8 - Federating Google Cloud Platform with AD
9 - Firewall Rules Overview / VPC
10 - Forseti Security
11 - Key rotation / Cloud KMS
12 - PCI_DSS_Shared_Responsibility_GCP
13 - Retention policies using Bucket Lock
14 - Scenarios for Exporting Stackdriver Logging
15 - Secret management with Cloud KMS
16 - Securing your app with signed headers
17 - DLP
Organisation Structures
What it is: GCP resources are organized hierarchically. This allows you to map your enterprise's operational structure to GCP, and to manage access control and permissions for groups of related resources.
What you should know:
1- Flow (Organisation, Folders, projects, resources)
2- Where to manage permissions for groups, department, entire organisation, etc
3- Permissions level necessary
Review documents:
https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy
Video:
https://www.coursera.org/lecture/gcp-fundamentals/the-google-cloud-platform-resource-hierarchy-K85Wf
My experience: This area is fundamental however you really need to understand how to control to get the separation, how it should be designed and restrictions applied.

Cloud Identity
What it is: A unified identity, access, app, and device management (IAM/EMM) platform (similar to Microsoft AD).
What you should know:
1- Federations
2- AD integrations / Hybrid LDAP
3- SAML 2.0 & OpenID
4- Single Sign On
5- Service accounts
Review documents:
https://cloud.google.com/identity/
https://cloud.google.com/solutions/authenticating-corporate-users-in-a-hybrid-environment
https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction
Video:
https://www.youtube.com/watch?v=L5_GyNtMvbg&list=PLIivdWyY5sqJbqze_8sohTh2U9wtZ6JNH&index=8
My experience: This is a core area in the exam. You should know the various scenarios and how integrations work.

[Diagrams: Organisation Structure; Federating Active Directory with Cloud Identity]

pg-1 by Ammett
Cloud IAM
What it is: Cloud IAM lets you manage access control by defining who (identity) has what access (role) for which resource.
What you should know:
1- Best way to manage (use groups)
2- MFA (multi-factor authentication)
3- Roles (primitive, predefined & custom)
4- Roles necessary to do certain functions
5- Password minimum requirements
Review documents:
https://cloud.google.com/iam/docs/overview
https://ai.google/research/pubs/pub45409
https://support.google.com/accounts/answer/9094506
Video:
https://www.youtube.com/watch?v=ZMC8Ng3E3LQ&list=PLAFY3hrExHFF4Df4TTXlvKCdiKIF7SZz2&index=10&t=0s
My experience: This wasn't too bad, however if you don't know it, it gets confusing and leads to misinterpretation of questions.

Identity Aware Proxy
What it is: Cloud Identity-Aware Proxy (Cloud IAP) controls access to your cloud applications and VMs running on GCP.
What you should know:
1- How it works (HTTPS)
2- JWT (signed headers)
3- How to configure
4- On prem flow
5- TCP forwarding
Review documents:
https://cloud.google.com/iap/docs/concepts-overview
https://cloud.google.com/iap/docs/signed-headers-howto
https://cloud.google.com/iap/docs/cloud-iap-for-on-prem-apps-overview
Video:
https://www.youtube.com/watch?v=XqMY-rPk3MY
https://www.youtube.com/playlist?list=PLIivdWyY5sqLvoPf2pMI2uIz1FLSfphCh
My experience: Understanding the flow is important, and where and when to use it. That made the difference in selecting the correct answer if it wasn't obvious.

Google security model
What it is: Google's end to end security process, built up over 15+ years to secure their various offerings including Google Cloud Platform.
What you should know:
1- Shared responsibilities on various service types (PaaS, IaaS, SaaS)
2- Compliance (ISO 27001 etc, PCI)
3- Default security Google applies
4- Encryption on by default
5- Data removal, hardware handling
Review documents:
https://cloud.google.com/security/overview/
https://cloud.google.com/security/overview/whitepaper
https://cloud.google.com/files/PCI_DSS_Shared_Responsibility_GCP_v32.pdf
Video:
https://www.youtube.com/watch?v=7TdGWpttmMA&list=PLAFY3hrExHFF4Df4TTXlvKCdiKIF7SZz2&index=24
https://www.youtube.com/watch?v=D2zf0SgNdUw&list=PLIivdWyY5sqJbqze_8sohTh2U9wtZ6JNH&index=15
My experience: A few of these types came up, not much, but I can tell you these can easily cost you a mark or 3 if you are not familiar at a reasonable level.
[Diagrams: Cloud IAP flows; On Prem flow; TCP forwarding]

VPC
What it is: A VPC network is your virtual network in the cloud, just like an on prem physical network, data center or office network.
What you should know:
1- Default network; how to design your own custom VPC for your production projects
2- How to get traffic flowing
3- RFC1918
4- Internal and external access
Review documents:
https://cloud.google.com/vpc/docs/vpc
Video:
https://www.youtube.com/watch?v=wmP6SQe5J7g&list=PLAFY3hrExHFF4Df4TTXlvKCdiKIF7SZz2&index=17
My experience: Can't have security without networking, understand it very well. Well featured in the exam.

Firewall
What it is: Allow or deny traffic to and from your virtual machine (VM) etc, based on configurations you specify.
What you should know:
1- How they work (stateful) & scope
2- Implied rules
3- Default rules
4- Effect of sharing, peering, etc
Review documents:
https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
Video:
https://www.youtube.com/watch?v=HTVV9YzGw5k
My experience: There are some implied and default rules, know these. Also how to define your rules (source, dest, port, protocol, action, priority).

Cloud Armor
What it is: Google Cloud Armor security policies are made up of rules that allow or prohibit traffic from IP addresses or ranges defined in the rule.
What you should know:
1- Where it works (edge, HTTPS load balancing proxy)
2- How it works (whitelist, blacklist, IAP, etc)
3- Restrictions: Cloud Armor and CDN
Review documents:
https://cloud.google.com/armor/docs/security-policy-concepts
Video:
https://www.youtube.com/watch?v=0XbQG2QX6mY&list=PLIivdWyY5sqJbqze_8sohTh2U9wtZ6JNH&index=2
My experience: Goes well with security and securing apps and load balancers.

Flow Logs
What it is: VPC Flow Logs record a sample of network flows sent from and to VM instances. These are used for monitoring, forensics, real-time security analysis, and expense optimization.
What you should know:
1- Cases to use this to gather info to lock down access etc
2- What it records, how to read it
3- How to enable
Must review documents:
https://cloud.google.com/vpc/docs/using-flow-logs
Video:
https://www.youtube.com/watch?v=as9mXNEcaDo
My experience: Another one of the areas where a question or two came up and can easily gain you a much needed mark.
[Diagrams: VPC; Cloud Armor]

Load balancers

HTTP(S) Load balancer
What it is: Load balancer for HTTP(S) traffic, global, external, ports 80 or 8080 (HTTP) and 443 (HTTPS).
What you should know:
1- Scope global
2- HTTPS traffic

SSL Proxy
What it is: Load balancer for TCP with SSL offload, global, external (25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, and 5222).
What you should know:
1- Scope global
2- Non-HTTPS traffic, SSL termination

TCP Proxy
What it is: Load balancer for TCP without SSL, global, external (25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, and 5222).
What you should know:
1- Global
2- TCP/UDP traffic

Network Load balancer
What it is: Load balancer for TCP/UDP, no SSL offload, regional, external (any port).
What you should know:
1- Scope regional
2- TCP/UDP traffic

Internal load balancer
What it is: Load balancer for TCP/UDP, regional, internal traffic (any port).
What you should know:
1- Scope regional
2- Internal TCP/UDP traffic

Review documents:
https://cloud.google.com/load-balancing/docs/choosing-load-balancer
Video: CLOUD LOAD BALANCERS
My experience: This is tricky so know the main points (Global vs Regional, External vs Internal, Traffic type).

Connectivity

VPC Sharing
What it is: Used to connect to a common VPC network. Resources in those projects can communicate with each other securely and efficiently across project boundaries using internal IPs.
What you should know:
1- Centralised management
2- Firewall control
3- Internal RFC1918

VPC Peering
What it is: Access G Suite and Google Cloud features over the internet, while cutting egress fees. Connect directly with Direct Peering, or choose a partner with Carrier Peering.
What you should know:
1- When to peer what
2- Services you have access to

VPN
What it is: Connect your on-premises or other public cloud networks to GCP Virtual Private Cloud (VPC) securely over the internet through IPSec VPN.
What you should know:
1- Over internet
2- IPSEC used
3- Dynamic setup

Dedicated Interconnect
What it is: Use Dedicated Interconnect to connect to Google's network through a highly available, low latency connection (10GB higher).
What you should know:
1- Reason to use this
2- Min 10GB
3- Not over the internet

Partner Connect
What it is: Use Google Cloud Interconnect - Partner (Partner Interconnect) to connect to Google through a supported service provider (from 50 MB up).
What you should know:
1- Best case use
2- Min size 50MB
3- Not over the internet

Review documents:
https://cloud.google.com/hybrid-connectivity/
https://cloud.google.com/vpc/docs/shared-vpc
Video: CONNECTIVITY
My experience: The perfect question area to test if a person knows how each of these really work. I mean, all connections are not the same, or are they?

DNSSEC
What it is: Prevents attackers from manipulating or poisoning the responses to DNS requests.
What you should know:
1- What it protects

Private Access
What it is: Allows VM instances with internal (RFC 1918) IP addresses to reach certain APIs and services without internet access.
What you should know:
1- How to enable (this is important)

Cloud NAT
What it is: Lets Google Cloud Platform (GCP) virtual machine (VM) instances without external IP addresses and private (GKE) clusters connect to the Internet.
What you should know:
1- How it works

Bastion Host
What it is: Bastion hosts provide an external facing point of entry into a network containing private network instances from the Internet.
What you should know:
1- Where it sits

CIDR Subnets
What it is: You can choose any private RFC 1918 CIDR block for the primary IP address range of the subnet.
What you should know:
1- Overlapping ranges
2- Subnet mask based on required hosts
3- Reserved IP addresses

Review documents:
https://cloud.google.com/dns/docs/dnssec
https://cloud.google.com/nat/docs/overview
https://cloud.google.com/vpc/docs/private-access-options
My experience: Some of these may pop up, if not all, so just know these; they are pretty straightforward.

Keys and secrets

Cloud KMS
What it is: Cloud KMS is a cloud-hosted key management service that lets you manage encryption for your cloud services the same way you do on-premises. You can generate, use, rotate, and destroy cryptographic keys.
What you should know:
1- Its purpose
2- What are the cases you should use it

CMEK
What it is: For greater control you can use customer-managed encryption keys (CMEK). This way you control and manage key encryption keys in Cloud KMS.
What you should know:
1- What products support this service (BigQuery, Cloud Build, Cloud Dataproc, Cloud Storage, Compute Engine)

CSEK
What it is: If you supply your own encryption keys, Google uses your key to protect the Google-generated keys used to encrypt and decrypt your data.
What you should know:
1- Supported by Compute and Cloud Storage
2- This key replaces the KEK

Key rotation
What it is: In Cloud KMS, a key rotation is represented by generating a new key version of a key, and marking that version as the primary version.
What you should know:
1- Reason to rotate keys
2- Method: automatic or manual, regular, irregular
3- Know the steps (very important)

Managing secrets
What it is: Applications often require access to small pieces of sensitive data at build or run time. These pieces of data are often referred to as secrets.
What you should know:
1- Choosing a secret management solution
2- Rotating secrets
3- Commands

Review documents:
https://cloud.google.com/compute/docs/disks/customer-supplied-encryption
https://cloud.google.com/kms/docs/envelope-encryption
https://cloud.google.com/kms/docs/key-rotation
https://cloud.google.com/kms/docs/secret-management
Video: KEYS
My experience: Key management, encryption stuff is super important. I think one of the more featured areas of the exam. You will get questions on this. Know all situations, a bit on HSM, which key type is used & most importantly, which products support which type. Know like the alphabet.

Cloud Security Scanner
What it is: The Cloud Security Scanner identifies security vulnerabilities in your App Engine, Compute Engine and Google Kubernetes Engine web applications. It can automatically scan and detect four common vulnerabilities, including cross-site scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and outdated/insecure libraries.
What you should know:
1- Use cases for scanning

Forseti
What it is: If you want to monitor your GCP resources to ensure that access controls are set as intended, this will allow creating rule-based policies to codify your security stance.
What you should know:
1- How to enable (this is important)

Kubernetes
What it is: The Kubernetes networking model relies heavily on IP addresses. Services, Pods, Containers, and nodes communicate using IP addresses and ports.
What you should know:
1- How it works
2- Containers and pods
3- How to secure
4- Updating

DLP
What it is: With Cloud DLP, you can easily classify and redact sensitive data contained in text-based content and images, including content stored in Google Cloud Platform storage repositories.
What you should know:
1- How it works (redact)
2- How to configure regex

G Suite
What it is: Google's SaaS offering comprised of Gmail, Docs, Drive, Calendar, Meet and more for business.
What you should know:
1- High level administration
2- Managing users, setting up domain, IAM, super user account

Review documents:
https://cloud.google.com/security-scanner/docs/scanning
https://forsetisecurity.org/about/
https://cloud.google.com/blog/products/gcp/7-best-practices-for-building-containers
https://cloud.google.com/kubernetes-engine/docs/concepts/network-overview
https://cloud.google.com/dlp/docs/
https://cloud.google.com/dlp/docs/creating-custom-infotypes-regex
Video: DLP, KUBERNETES
My experience: Forseti, CSS, Kubernetes and DLP are topics that you should know, especially DLP which is super cool. You will get questions on these.

BigQuery
What it is: BigQuery is a serverless, highly-scalable, and cost-effective cloud enterprise data warehouse that enables super-fast SQL queries using the processing power of Google's infrastructure.
What you should know:
1- Authorised views
2- How to export data
3- Cloud DLP

Cloud Storage
What it is: Unified object storage for developers and enterprises.
What you should know:
1- Types (nearline, coldline) of object storage
2- Encryption options (default, CSEK, CMEK)
3- How to retain data

Compute Engine
What it is: Google Compute Engine delivers virtual machines running in Google's innovative data centers and worldwide fiber network.
What you should know:
1- Secured images
2- How to secure access
3- How to update

Stackdriver
What it is: Stackdriver Logging allows you to store, search, analyze, monitor, and alert on log data and events from Google Cloud Platform and Amazon Web Services (AWS).
What you should know:
1- Used for compliance
2- Used for security analytics
3- Used for SIEM

SIEM
What it is: Security Information and Event Management (SIEM) software has a variety of uses. GCP has integrations to these and many others.
What you should know:
1- How you would set up integrations

Review documents:
https://cloud.google.com/solutions/design-patterns-for-exporting-stackdriver-logging
https://cloud.google.com/solutions/exporting-stackdriver-logging-for-splunk
https://cloud.google.com/blog/products/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security
https://cloud.google.com/storage/docs/bucket-lock
Video: CLOUD STORAGE, Exporting BIGQUERY
My experience: You can't have security without audit, storage and logging. These areas will come up in one form or the other; be familiar with them and the integrations also.

Super User accounts
What it is: To configure your Google Cloud Platform (GCP) Organization resource, you need to use a G Suite or Cloud Identity super admin account.
What you should know:
1- What they are used for
2- Recommended limits

DDoS
What it is: A (DDoS) attack is a malicious attempt to disrupt normal traffic to a targeted service or network by overwhelming the target infrastructure with a flood of Internet traffic.
What you should know:
1- How to prevent with GCP tools

Dataproc
What it is: Cloud Dataproc is a fast, easy-to-use, fully managed cloud service for running Apache Spark and Apache Hadoop clusters.
What you should know:
1- How it works, what it is used for

App Engine
What it is: Build and deploy applications on a fully managed platform. Scale your applications seamlessly from zero to planet scale without having to worry about managing the underlying infrastructure.
What you should know:
1- Discovers vulnerabilities

Cloud Audit logs
What it is: Cloud Audit Logs are a collection of logs provided by Google Cloud Platform that provide insight into operational concerns related to your use of Google Cloud services.
What you should know:
1- Data access
2- System
3- Admin

Review documents:
https://cloud.google.com/dns/docs/dnssec
https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf
https://cloud.google.com/appengine/
Video: DDoS, AUDIT LOGS
My experience: Be familiar with the types of access certain accounts have, deployment methods, and the types of audit logs you may need. These will be featured.

IaaS
What it is: Think datacenter (compute, storage, networking).
What you should know:
1- Shared responsibility for these and what they are
Review documents:
https://cloud.google.com/docs/overview/cloud-platform-services
My experience: Understand the shared responsibility model and the basics also. These can be tricky if you don't know them.

PaaS
What it is: Think code provisioning without infrastructure hassle.
What you should know:
1- Shared responsibility for these and what they are
Review documents:
https://cloud.google.com/docs/overview/cloud-platform-services

Migrations
What it is: From legacy apps to cloud, from on prem to cloud.
What you should know:
1- Set up in cloud
2- Secure in cloud
3- Network in the cloud
Review documents:
https://cloud.google.com/solutions/migration-to-gcp-getting-started
Video:
https://www.youtube.com/watch?v=hjwJoTmEnBo

Thanks for reviewing

Please visit the official certification outline HERE

Practice test HERE

ps. These are my notes and tips that helped me pass the exam on the second attempt. I kept them light and not too comprehensive. The actual exam requirements may change as technology evolves so please review Google's outline.

The sheet is free, it just cost me some time to put together. So please share with your network who may be interested in GCP security.

Update: Check out all my Google prep sheets for the Engineer, Network and DevOps HERE

Bonne Journée