Professional Cloud Security Engineer Exam Prep Workshop
DreamsPlus offers a comprehensive exam preparatory workshop for cloud engineers aiming to achieve the Professional Cloud Security Engineer certification from Google. Our expert trainers will provide in-depth guidance on the latest cloud security concepts and best practices, ensuring you are well-prepared for the exam. Through our Cloud Security Engineer Training, you’ll gain a thorough understanding of essential topics and hands-on experience to boost your confidence. We offer a range of Cloud Security Engineer courses designed to equip you with the skills and knowledge needed to excel and secure your certification with confidence.
Prepare for Google Certification with Confidence
At DreamsPlus, we understand that achieving Google certification requires more than just studying; it involves a strategic approach to mastering the material. Our expert-led programs provide you with a robust framework to prepare for certifications such as the Professional Cloud Developer, Cloud Security Engineer, and other Google Cloud certifications. We combine up-to-date content, practical exercises, and expert guidance to ensure you’re well-prepared and confident when you sit for your exam.
Professional Cloud Security Engineer
Section 1: Configuring access (~27% of the exam)
1.1 Managing Cloud Identity. Considerations include:
- Configuring Workforce Identity Federation
- Automating the user lifecycle management process
- Managing a super administrator account
- Administering user accounts and groups programmatically
- Setting up Google Cloud Directory Sync and third-party connectors
1.2 Managing service accounts. Considerations include:
- Safeguarding and maintaining service accounts, including default service accounts
- Recognising situations that call for service accounts
- Setting up, enabling, and approving service accounts
- Safeguarding, auditing, and reducing the use of service account keys
- Managing and generating temporary credentials
- Configuring Workload Identity Federation
- Controlling service account impersonation
1.3 Managing authentication. Considerations include:
- Configuring and implementing two-step verification
- Establishing a password and session management policy for user accounts
- Configuring Security Assertion Markup Language (SAML) and OAuth
1.4 Managing and implementing authorization controls. Considerations include:
- Separating responsibilities and controlling privileged roles using Identity and Access Management (IAM) roles and permissions
- Handling IAM and access control list (ACL) permissions
- Giving permissions to various identity types via IAM deny policies and IAM conditions
- Creating identity roles at the level of the organisation, folder, project, and resource
- Setting up Access Context Manager
- Using Policy Intelligence for enhanced permission management
- Managing permissions via groups
1.5 Defining resource hierarchy. Considerations include:
- Establishing and overseeing large-scale organisations
- Managing policies for projects, resources, and organisation folders
- Utilising the resource hierarchy for permission inheritance and access control
Section 2: Securing communications and establishing boundary protection (~21% of the exam)
2.1 Designing and configuring perimeter security. Considerations include:
- Setting up network perimeter controls (firewall rules, hierarchical firewall policies, load balancers, Identity-Aware Proxy (IAP), and Certificate Authority Service)
- Distinguishing between IP addresses that are private and public
- Setting up a web application firewall (Google Cloud Armor)
- Setting up Cloud DNS security settings
- Implementing Secure Web Proxy
- Continuously monitoring and restricting enabled APIs
2.2 Configuring boundary segmentation. Considerations include:
- Setting up firewall rules, VPC peering, shared VPCs, and security features of a VPC network
- Setting up network isolation and data encapsulation for N-tier applications
- Setting up VPC service controls
2.3 Establishing private connectivity. Considerations include:
- Creating and setting up private connectivity for Google Cloud projects (Private Google Access for on-premises hosts, VPC peering, and shared VPC networks)
- Creating and setting up private connections (HA-VPN, IPsec, MACsec, and Cloud Interconnect) between data centres and VPC networks
- Setting up Restricted Google Access, Private Service Connect, Private Google Access, and Private Google Access for on-premises hosts to establish private connectivity between a VPC and Google APIs
- Enabling outgoing traffic via Cloud NAT
Section 3: Ensuring data protection (~20% of the exam)
3.1 Protecting sensitive data and preventing data loss. Considerations include:
- Protecting and managing compute instance metadata
- Ensuring continuous discovery of sensitive data (structured and unstructured)
- Configuring pseudonymization
- Configuring format-preserving encryption
- Limiting access to BigQuery, Cloud Storage, and Cloud SQL datastores
- Securing secrets with Secret Manager
3.2 Managing encryption at rest, in transit, and in use. Considerations include:
- Determining the use cases for Cloud HSM, Cloud External Key Manager (EKM), customer-managed encryption keys (CMEK), and Google default encryption
- Creating and managing CMEK and EKM encryption keys
- Implementing use cases for Google's encryption technique
- Setting up object lifecycle rules for Cloud Storage
- Enabling Data Privacy Protection
3.3 Planning for security and privacy in AI. Considerations include:
- Setting up security measures for AI/ML systems (such as guarding against inadvertent data or model exploitation)
- Establishing security specifications for training models hosted on PaaS and IaaS platforms
Section 4: Managing operations (~22% of the exam)
4.1 Automating infrastructure and application security. Considerations include:
- Automating security scanning in a continuous integration and delivery (CI/CD) pipeline to find Common Vulnerabilities and Exposures (CVEs)
- Setting up Binary Authorization to protect Cloud Run or GKE clusters
- Automating patch management, maintenance, hardening, and virtual machine image building
- Automating patch management, maintenance, hardening, verification, and container image creation
- Scaling up policy management and drift detection (custom organisation policies and custom Security Health Analytics modules)
4.2 Configuring logging, monitoring, and detection. Considerations include:
- Setting up and examining network logs (Firewall Rules Logging, VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics)
- Creating a strategy for efficient logging
- Recording, tracking, addressing, and resolving security incidents
- Creating a secure log-accessible environment
- Exporting logs to external security systems
- Setting up and reviewing Google Cloud audit logs and data access logs
- Setting up log exports (log sinks and aggregated sinks)
- Setting up and overseeing Security Command Center
Section 5: Supporting compliance requirements (~10% of the exam)
5.1 Determining regulatory requirements for the cloud. Considerations include:
- Identifying compute, data, network, and storage concerns
- Assessing the shared responsibility model
- Setting up security settings in cloud environments to meet compliance needs (data and service regionalisation)
- Determining which Google Cloud environment is in scope for regulatory compliance
- Limiting computation and data for regulatory compliance (Assured Workloads, organisational policies, Access Transparency, Access Approval)