Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Book description

Master the art of designing, developing, and operating secure infrastructures on Google Cloud

Key Features

  • Prepare for the certification exam with clear explanations, real-world examples, and self-assessment questions
  • Review Google Cloud security best practices for building a secure and compliant cloud environment
  • Explore advanced concepts like Security Command Center, BeyondCorp Zero Trust, and container security

Book Description

Google Cloud security offers powerful controls to assist organizations in establishing secure and compliant cloud environments. With this book, you’ll gain in-depth knowledge of the Professional Cloud Security Engineer certification exam objectives, including Google Cloud security best practices, identity and access management (IAM), network security, data security, and security operations.

The chapters go beyond the exam essentials, helping you explore advanced topics such as Google Cloud Security Command Center, the BeyondCorp Zero Trust architecture, and container security. With step-by-step explanations, practical examples, and practice exams to help you improve your skills for the exam, you'll be able to efficiently review and apply key concepts of the shared security responsibility model. Finally, you’ll get to grips with securing access, organizing cloud resources, network and data security, and logging and monitoring.

By the end of this book, you'll be proficient in designing, developing, and operating security controls on Google Cloud and gain insights into emerging concepts for future exams.

What you will learn

  • Understand how Google secures infrastructure with shared responsibility
  • Use the resource hierarchy for access segregation and policy enforcement
  • Use Google Cloud Identity for authentication and authorization
  • Build secure networks with advanced network features
  • Encrypt/decrypt data using Cloud KMS and secure sensitive data
  • Gain visibility and extend security with Google's logging and monitoring capabilities

Who this book is for

This book is for IT professionals, cybersecurity specialists, system administrators, and tech enthusiasts aspiring to strengthen their understanding of Google Cloud security and elevate their career trajectory. Earning this certification not only validates your expertise but also makes you part of an elite group of GCP security engineers, opening doors to opportunities that can significantly advance your career. Prior knowledge of the foundational concepts of Google Cloud or GCP Associate Engineer Certification is strongly recommended.

Table of contents

  1. Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
  2. Foreword
  3. Contributors
  4. About the authors
  5. About the reviewers
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share your thoughts
  7. Chapter 1: About the GCP Professional Cloud Security Engineer Exam
    1. Benefits of being certified
    2. Registering for the exam
    3. Some useful tips on how to prepare
    4. Summary
    5. Further reading
  8. Chapter 2: Google Cloud Security Concepts
    1. Overview of Google Cloud security
    2. Shared security responsibility
      1. Addressing compliance on Google Cloud
    3. Security by design
      1. Operational security
      2. Network security
      3. Data security
      4. Services and identity
      5. Physical and hardware security
    4. Threat and vulnerability management
    5. Summary
    6. Further reading
  9. Chapter 3: Trust and Compliance
    1. Establishing and maintaining trust
    2. Access Transparency and Access Approval
      1. Access Transparency
      2. Enabling Access Transparency
      3. Access Approval
      4. Configuring Access Approval
    3. Security and privacy of data
    4. Third-party risk assessments
    5. Compliance in the cloud
      1. Compliance reports
      2. Continuous compliance
    6. Summary
    7. Further reading
  10. Chapter 4: Resource Management
    1. Overview of Google Cloud Resource Manager
    2. Understanding resource hierarchy
      1. Organization
      2. Folders
      3. Projects
    3. Applying constraints using the Organization Policy Service
      1. Organization policy constraints
      2. Policy inheritance
    4. Asset management using Cloud Asset Inventory
      1. Asset search
      2. Asset export
      3. Asset monitoring
      4. Asset analyzer
    5. Best practices and design considerations
    6. Summary
    7. Further reading
  11. Chapter 5: Understanding Google Cloud Identity
    1. Overview of Cloud Identity
      1. Cloud Identity domain setup
      2. Super administrator best practices
    2. Securing your account
      1. 2-step verification
      2. User security settings
      3. Session length control for Google Cloud
      4. SAML-based SSO
      5. Additional security features
    3. Directory management
      1. Google Cloud Directory Sync
      2. GCDS features and capabilities
      3. How does GCDS work?
      4. Using GCDS Configuration Manager
      5. User provisioning in Cloud Identity
      6. Automating user lifecycle management with Cloud Identity as the IdP
      7. Administering user accounts and groups programmatically
    4. Summary
    5. Further reading
  12. Chapter 6: Google Cloud Identity and Access Management
    1. Overview of IAM
      1. IAM roles and permissions
      2. Policy binding
    2. Service accounts
      1. Creating a service account
      2. Disabling a service account
      3. Deleting a service account
      4. Undeleting a service account
      5. Service account keys
      6. Key rotation
      7. Service account impersonation
      8. Cross-project service account access
      9. Configuring Workload Identity Federation with Okta
      10. Best practices for monitoring service account activity
      11. Service agents
    3. IAM policy bindings
      1. Policy structure
      2. Policy inheritance and resource hierarchy
      3. IAM Conditions
      4. Policy best practices
      5. Policy Intelligence for better permission management
    4. Tag-based access control
      1. Tag structure
      2. Best practices for tags
    5. Cloud Storage ACLs
      1. Access Control Lists (ACLs)
      2. Uniform bucket-level access
    6. IAM APIs
    7. IAM logging
      1. Log name
      2. Service account logs
    8. Summary
    9. Further reading
  13. Chapter 7: Virtual Private Cloud
    1. Overview of VPC
    2. Google Cloud regions and zones
    3. VPC deployment models
      1. VPC modes
      2. Shared VPC
      3. VPC peering
    4. Micro-segmentation
      1. Subnets
      2. Custom routing
      3. Firewall rules
    5. Cloud DNS
      1. Configuring Cloud DNS – create a public DNS zone for a domain name
      2. DNSSEC
    6. Load balancers
      1. Configuring external global HTTP(S) load balancers
    7. Hybrid connectivity options
    8. Best practices and design considerations
      1. VPC best practices
      2. Key decisions
    9. Summary
    10. Further reading
  14. Chapter 8: Advanced Network Security
    1. Private Google Access
      1. DNS configuration
      2. Routing options
      3. Firewall rules
    2. Identity-Aware Proxy
      1. Enabling IAP for on-premises
      2. Using Cloud IAP for TCP forwarding
    3. Cloud NAT
    4. Google Cloud Armor
      1. Security policies
      2. Named IP lists
    5. Summary
    6. Further reading
  15. Chapter 9: Google Cloud Key Management Service
    1. Overview of Cloud KMS
      1. Current Cloud KMS encryption offerings
    2. Encryption and key management in Cloud KMS
      1. Key hierarchy
      2. Envelope encryption
    3. Key management options
      1. Google Cloud’s default encryption
      2. Customer-managed encryption keys (CMEKs)
      3. Customer-supplied encryption key
    4. Symmetric key encryption
      1. Creating a symmetric key
      2. Encrypting content with a symmetric key
      3. Decrypting content with a symmetric key
    5. Asymmetric key encryption
      1. Step 1: Creating a key ring
      2. Step 2: Creating an asymmetric decryption key
      3. Step 3: (Optional) Creating an asymmetric signing key
      4. Encrypting data with an asymmetric key
      5. Decrypting data with an asymmetric key
    6. Importing a key (BYOK)
      1. Step 1: Creating a blank key
      2. Step 2: Importing the key using an import job
      3. Step 3: Verifying key encryption and decryption
    7. Key lifecycle management
    8. Key IAM permissions
    9. Cloud HSM
      1. HSM key hierarchy
      2. Key creation flow in HSM
      3. Cryptographic operation flow in HSM
    10. Cloud EKM
      1. The architecture of Cloud EKM
    11. Cloud KMS best practices
      1. Cloud KMS infrastructure decisions
      2. Application data encryption
      3. Integrated Google Cloud encryption
      4. CMEKs
      5. Importing keys into Cloud KMS
    12. Cloud KMS API
    13. Cloud KMS logging
    14. Summary
    15. Further reading
  16. Chapter 10: Cloud Data Loss Prevention
    1. Overview of Cloud DLP
    2. DLP architecture options
      1. Content methods
      2. Storage methods
      3. Hybrid methods
    3. Cloud DLP terminology
      1. DLP infoTypes
      2. Data de-identification
    4. Creating a Cloud DLP inspection template
      1. Defining the template
      2. Configuring detection
    5. Best practices for inspecting sensitive data
    6. Inspecting and de-identifying PII data
      1. De-identification transformations
    7. Tutorial: How to de-identify and tokenize sensitive data
      1. Step 1: Creating a key ring and a key
      2. Step 2: Creating a base64-encoded AES key
      3. Step 3: Wrapping the AES key using the Cloud KMS key
      4. Step 4: Sending a de-identify request to the Cloud DLP API
      5. Step 5: Sending a de-identity request to the Cloud DLP API
      6. Step 6: Sending a re-identify request to the Cloud DLP API
    8. DLP use cases
    9. Best practices for Cloud DLP
    10. Data exfiltration and VPC Service Controls
      1. Architecture of VPC Service Controls
      2. Allowing access to protected resources within the VPC Service Controls perimeter
      3. Configuring a VPC Service Controls perimeter
    11. Best practices for VPC Service Controls
    12. Summary
    13. Further reading
  17. Chapter 11: Secret Manager
    1. Overview of Secret Manager
      1. Secret Manager concepts
    2. Managing secrets and versions
      1. Creating a secret
      2. Adding a new secret version
      3. Disabling a secret
      4. Enabling a secret
    3. Accessing a secret
      1. Accessing a binary secret version
      2. Accessing secrets from your application
    4. Secret replication policy
      1. Automatic
      2. User-managed (user-selected)
    5. CMEKs for Secret Manager
    6. Best practices for secret management
      1. Best practices for development
      2. Best practices for deployment
    7. Secret Manager logs
    8. Summary
    9. Further reading
  18. Chapter 12: Cloud Logging
    1. Introduction to Google Cloud logging
    2. Log categories
      1. Security logs
      2. User logs
      3. Platform logs
      4. Log retention
    3. Log management
      1. Log producers
      2. Log consumers
      3. Log Router
      4. Log sinks and exports
      5. Log archiving and aggregation
      6. Real-time log analysis and streaming
      7. Exporting logs for compliance
      8. Log compliance
    4. Logging and auditing best practices
    5. Summary
    6. Further reading
  19. Chapter 13: Image Hardening and CI/CD Security
    1. Overview of image management
    2. Custom images for Google Compute Engine
      1. Manual baking
      2. Automated baking
      3. Importing existing images
      4. Encrypting images
    3. Image management pipeline
      1. Creating a VM image using Packer and Cloud Build
      2. Step 1: Creating an infrastructure for the image creation
      3. Step 2: Creating the Packer template
      4. Step 3: Installing the Packer binary
      5. Step 4: Creating the image
      6. Step 5: Automating image creation with Cloud Build
    4. Controlling access to the images
    5. Image lifecycle
      1. Image families
      2. Deprecating an image
    6. Enforcing lifecycle policies
    7. Securing a CI/CD pipeline
      1. CI/CD security
      2. CI/CD security threats
      3. How to secure a CI/CD pipeline
      4. Source Composition Analysis (SCA)
      5. Static Application Security Testing (SAST)
      6. CI/CD IAM controls
      7. Container registry scanning
      8. Container runtime security
      9. Binary authorization
    8. Best practices for CI/CD security
    9. Shielded VMs
      1. Secure Boot
      2. Virtual Trusted Platform Module (vTPM)
      3. Integrity monitoring
      4. IAM authorization
      5. Organization policy constraints for Shielded VMs
    10. Confidential computing
      1. Key features of Google Cloud Confidential Computing
      2. Benefits of Confidential Computing
    11. Summary
    12. Further reading
  20. Chapter 14: Security Command Center
    1. Overview of SCC
    2. Core services
    3. Cloud Asset Inventory
      1. Listing assets
      2. Filtering assets
      3. Exporting assets to BigQuery
    4. Detecting security misconfigurations and vulnerabilities
      1. Security Health Analytics
      2. VM Manager
      3. Rapid Vulnerability Detection
      4. Web Security Scanner
    5. Threat detection
      1. Event Threat Detection
      2. Container Threat Detection
      3. VM Threat Detection
      4. Anomaly detection
    6. Continuous compliance monitoring
      1. CIS benchmarks
      2. Additional standards
      3. Exporting SCC findings
      4. One-time exports
      5. Exporting data using the SCC API
      6. Continuous exports
    7. Automating a findings response
    8. Summary
    9. Further reading
  21. Chapter 15: Container Security
    1. Overview of containers
    2. Container basics
      1. What are containers?
      2. Advantages of containers
    3. What is Kubernetes?
      1. GKE
    4. Container security
      1. Threats and risks in containers
    5. GKE security features
      1. Namespaces
      2. Access control
      3. Kubernetes RBAC
      4. IAM
      5. Secrets
      6. Auditing
      7. Logging
      8. Network Policies
      9. GKE private clusters
      10. Service mesh
      11. Container image security
      12. Cluster Certificate Authority (CA)
      13. GKE Workload Identity
      14. Center for Internet Security (CIS) best practices
    6. Container security best practices
    7. Summary
    8. Further reading
  22. Google Professional Cloud Security Engineer Exam – Mock Exam I
  23. Google Professional Cloud Security Engineer Exam – Mock Exam II
    1. Why subscribe?
  24. Other Books You May Enjoy
    1. Share your thoughts

Product information

  • Title: Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
  • Author(s): Ankush Chowdhary, Prashant Kulkarni
  • Release date: August 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781835468869