The Google GCP-PCSE exam preparation guide gives candidates the information they need about the Professional Cloud Security Engineer exam. It includes an exam summary, sample questions, a practice test, the exam objectives, and guidance on interpreting those objectives so that candidates can gauge the types of questions that may be asked on the Google Cloud Platform - Professional Cloud Security Engineer (GCP-PCSE) exam.
All candidates are encouraged to review the GCP-PCSE objectives and sample questions provided in this preparation guide. The Google Professional Cloud Security Engineer certification is aimed at candidates who want to build a career in this professional domain and demonstrate their expertise. Use the practice exam listed in this guide to become familiar with the exam environment and to identify the knowledge areas that need more work before taking the actual Google Professional Cloud Security Engineer exam.
Google GCP-PCSE Exam Summary:
| Exam Name | Google Professional Cloud Security Engineer |
|---|---|
| Exam Code | GCP-PCSE |
| Exam Price | $200 USD |
| Duration | 120 minutes |
| Number of Questions | 50-60 |
| Passing Score | Pass / Fail (Approx 70%) |
| Recommended Training / Books | Google Cloud training, Google Cloud documentation, Google Cloud solutions |
| Schedule Exam | Google CertMetrics |
| Sample Questions | Google GCP-PCSE Sample Questions |
| Recommended Practice | Google Cloud Platform - Professional Cloud Security Engineer (GCP-PCSE) Practice Test |
Google Professional Cloud Security Engineer Syllabus:
| Section | Objectives |
|---|---|
| Configuring access (25% of the exam) | Managing Cloud Identity. Considerations include: configuring Google Cloud Directory Sync and implementing single sign-on (SSO) with a third-party identity provider; managing a super administrator account; automating the user lifecycle management process; administering user accounts and groups programmatically; configuring Workforce Identity Federation. |
| | Managing service accounts. Considerations include: securing and protecting service accounts (including default service accounts); identifying scenarios requiring service accounts; creating, disabling, and authorizing service accounts; securing, auditing, and mitigating the usage of service account keys; managing and creating short-lived credentials; configuring Workload Identity Federation; managing service account impersonation. |
| | Managing authentication. Considerations include: creating a password and session management policy for user accounts; setting up Security Assertion Markup Language (SAML) and OAuth; configuring and enforcing 2-step verification. |
| | Managing and implementing authorization controls. Considerations include: managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions; managing IAM and access control list (ACL) permissions; granting permissions to different types of identities using IAM conditions and IAM deny policies; defining access control at the organization, folder, project, and resource level using the principle of least privilege; configuring Access Context Manager; applying Policy Intelligence; managing permissions through groups; identifying use cases and configuring Privileged Access Manager. |
| | Defining the resource hierarchy. Considerations include: managing folders and projects at scale; managing pre-built or custom organization policies for the organization, folders, and projects; using the resource hierarchy for access control and permissions inheritance. |
| Securing communications and establishing boundary protection (22% of the exam) | Designing and configuring perimeter security. Considerations include: configuring network perimeter controls (e.g., Cloud Next Generation Firewall [Cloud NGFW] rules and policies, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service); setting up application layer inspection on Cloud NGFW (e.g., layer 7); differentiating between private and public IP addressing; configuring web application firewalls (e.g., Google Cloud Armor); deploying Secure Web Proxy; configuring Cloud DNS security settings; continually monitoring and restricting configured APIs. |
| | Configuring boundary segmentation. Considerations include: configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules; configuring network isolation and data encapsulation for N-tier applications; identifying use cases and configuring VPC Service Controls. |
| | Establishing private connectivity. Considerations include: designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts); designing and configuring private connectivity and encryption between data centers and a VPC network (e.g., HA VPN, Cloud Interconnect); establishing private connectivity between a VPC and Google APIs (Private Google Access, Private Google Access for on-premises hosts, restricted Google access, Private Service Connect); using Cloud NAT to enable outbound traffic. |
| Ensuring data protection (23% of the exam) | Protecting sensitive data and preventing data loss. Considerations include: configuring Sensitive Data Protection (SDP) (e.g., discovering and redacting personally identifiable information (PII), configuring pseudonymization and format-preserving encryption); restricting access to Google Cloud data services (e.g., BigQuery, Cloud Storage, and Cloud SQL datastores); securing secrets with Secret Manager; protecting and managing compute instance metadata. |
| | Managing encryption at rest, in transit, and in use. Considerations include: identifying use cases for Google default encryption, customer-managed encryption keys (CMEK), and Cloud External Key Manager (EKM); determining when to use software and hardware keys; creating and managing encryption keys for CMEK and EKM (e.g., key rotation and revocation, key import); applying encryption methods to various use cases; configuring object lifecycle policies for Cloud Storage; enabling Confidential Computing. |
| | Securing AI workloads. Considerations include: implementing security and privacy controls for AI/ML systems to protect against unintentional exploitation of data or models; determining security requirements for IaaS-hosted and PaaS-hosted training models. |
| Managing operations (19% of the exam) | Automating infrastructure and application security. Considerations include: automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline; configuring Binary Authorization to secure GKE clusters or Cloud Run; automating virtual machine and container image creation (e.g., hardening, maintenance, VM patch management); managing policy and drift detection at scale (e.g., cloud security posture management, custom organization policies, and custom modules for Security Health Analytics). |
| | Configuring logging, monitoring, and detection. Considerations include: configuring and analyzing network logs (Cloud Next Generation Firewall [Cloud NGFW], VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics); designing an effective logging strategy; logging, monitoring, responding to, and remediating security incidents; designing secure access to logs; exporting logs to external security systems; configuring and analyzing Google Cloud audit logs and data access logs; configuring log exports (log sinks and aggregated sinks); configuring and monitoring Security Command Center. |
| Supporting compliance requirements (11% of the exam) | Adhering to regulatory and industry standards requirements for the cloud. Considerations include: determining technical needs relative to compute, data, network, and storage; evaluating the shared responsibility model; configuring security controls within cloud environments to support compliance requirements (e.g., Assured Workloads, organizational policies, Access Transparency, Access Approval, regionalization of data and services); determining the Google Cloud environment in scope for regulatory compliance; mapping compliance requirements to Google Cloud services and security controls (e.g., network and access segmentation, audit log coverage). |