Course Introduction
Professional certification
Google Professional Cloud Security Engineer
Design and operate secure Google Cloud environments with IAM, perimeter controls, encryption, and automated detection and response. This guide follows the official exam objectives with actionable checklists and decision trees.
Domains (by exam guide)
Access governance
Cloud Identity, SSO, MFA, IAM conditions, and privileged access management.
Boundary controls
Cloud NGFW, Cloud Armor, VPC Service Controls, and private connectivity.
Data protection
DLP, encryption at rest/in transit/in use, and secret management.
Security operations
Logging, monitoring, automation, and compliance-aligned response.
Exam Guide + Defense in Depth
Build layered security controls across identity, network, data, and operations while proving compliance and secure access everywhere.
Exam Overview
Length: 2 hours
Format: 50-60 multiple-choice and multiple-select questions
Prerequisites: networking fundamentals, IAM, and encryption standards
Focus: defense in depth with layered controls from org policies to IAM and network protections
Exam Domains (5 Sections)
1) Configuring access
- Cloud Identity and federation: directory sync, SSO (SAML/OIDC), workforce identity federation.
- Service accounts: avoid user-managed keys, prefer workload identity federation, use impersonation.
- Resource hierarchy: org, folder, project, resource policies with least privilege.
2) Securing communications and network security
- Perimeter security: Cloud Armor, IAP, and zero-trust access.
- VPC Service Controls: data exfiltration protection with ingress/egress rules and access levels.
- Private connectivity: Private Google Access, Private Service Connect, and Cloud NGFW policies.
3) Ensuring data protection
- Encryption: default encryption, CMEK, Cloud HSM, and Cloud EKM.
- Sensitive data protection: discovery and de-identification via DLP.
- AI security: isolate training data with VPC Service Controls and protect against model risks.
4) Managing operations
- Security Command Center: threat detection, misconfigurations, compliance dashboards.
- Logging and monitoring: audit logs, packet mirroring, Cloud IDS.
- Supply chain security: Binary Authorization and Artifact Analysis.
5) Supporting compliance
- Assured Workloads: enforce regulated environments and data residency.
- Access Transparency: logs of Google support access to your content.
- Access Approval: approve access requests before support can view content.
Defense in Depth Stack
- Organization policies and resource hierarchy guardrails.
- VPC Service Controls and network firewalls for boundaries.
- IAM least privilege and workload identity practices.
- Encryption and DLP for sensitive data protection.
Cheatsheet: Security Tools
| Tool | Best Use Case |
|---|---|
| Cloud Armor | DDoS defense and WAF for load balancers. |
| IAP | Zero-trust access to apps and VMs without VPN. |
| VPC Service Controls | Preventing data exfiltration from managed services. |
| CMEK | Customer-managed encryption keys with revocation under your control. |
| Security Command Center | Centralized threat and vulnerability dashboard. |
| Binary Authorization | Block unsigned container images in production. |
| Packet Mirroring | Deep packet inspection with third-party tools. |
| Assured Workloads | Preset compliance controls for regulated workloads. |
| Cloud IDS | Managed intrusion detection for network threats. |
Course Overview
Focus areas from the official exam guide.
Flashcards
Security Engineer service choices and best practices
Security decision trees
- Access control flow (diagram)
- Boundary protection and segmentation (diagram)
- Data protection choices (diagram)