Professional Cloud Security Engineer
A Professional Cloud Security Engineer enables organizations to design and implement a secure infrastructure on Google Cloud Platform. Through an understanding of security best practices and industry security requirements, this individual designs, develops, and manages a secure infrastructure leveraging Google security technologies. The Cloud Security Professional should be proficient in all aspects of cloud security, including managing identity and access management, defining organizational structure and policies, using Google technologies to provide data protection, configuring network security defenses, collecting and analyzing Google Cloud Platform logs, and managing incident response, and should have an understanding of regulatory concerns.
The Professional Cloud Security Engineer exam assesses your ability to:
Configure access within a cloud solution environment
Configure network security
Ensure data protection
Manage operations within a cloud solution environment
Ensure compliance
About this certification exam
Length: 2 hours
Registration fee: $200 (plus tax where applicable)
Languages: English.
Exam format: Multiple choice and multiple select, taken in person at a test center.
Prerequisites: None
Recommended experience: 3+ years of industry experience including 1+ years designing and managing solutions using GCP.
1. Configuring access within a cloud solution environment
1.1 Configuring Cloud Identity. Considerations include:
Managing Cloud Identity
Configuring Google Cloud Directory Sync
Management of super administrator account
1.2 Managing user accounts. Considerations include:
Designing identity roles at the project and organization level
Automation of user lifecycle management process
API usage
1.3 Managing service accounts. Considerations include:
Auditing service accounts and keys
Automating the rotation of user-managed service account keys
Identification of scenarios requiring service accounts
Creating, authorizing, and securing service accounts
Securely managed API access management
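A check for the "Auditing service accounts and keys" and "Automating the rotation of user-managed service account keys" items above, added here as an example and not part of the exam material or of any Google tool. It reads the JSON that `gcloud iam service-accounts keys list --iam-account=<SA> --format=json` prints (the field names are the IAM API's ServiceAccountKey fields; the three key records, the project, the service account and the key IDs are constructed for this example), flags user-managed keys older than a rotation window or without an expiry, and emits the gcloud commands for the rotation. System-managed keys are skipped because Google rotates those.

```python
"""Audit a service account's keys for user-managed keys that are overdue
for rotation or have no expiry. Input shape: `gcloud iam service-accounts
keys list --iam-account=<SA> --format=json` (IAM API ServiceAccountKey:
name, keyType, keyAlgorithm, validAfterTime, validBeforeTime).
The key records below are constructed for this example."""
import json
from datetime import datetime, timedelta, timezone

SA_EMAIL = "ci-builder@demo-proj.iam.gserviceaccount.com"   # hypothetical
KEY_PREFIX = f"projects/demo-proj/serviceAccounts/{SA_EMAIL}/keys/"

SAMPLE_KEYS_JSON = json.dumps([
    {"name": KEY_PREFIX + "1a2b3c", "keyType": "USER_MANAGED",
     "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2019-01-10T08:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},   # gcloud default: never expires
    {"name": KEY_PREFIX + "4d5e6f", "keyType": "USER_MANAGED",
     "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2019-05-20T08:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},   # recent, but also never expires
    {"name": KEY_PREFIX + "7g8h9i", "keyType": "SYSTEM_MANAGED",
     "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2019-06-01T00:00:00Z",
     "validBeforeTime": "2019-06-15T00:00:00Z"},   # Google-rotated, out of scope
])

# Fixed "now" so the example is reproducible; a real run uses datetime.now(timezone.utc).
AUDIT_TIME = datetime(2019, 6, 30, tzinfo=timezone.utc)
NO_EXPIRY_YEAR = 9999


def parse_rfc3339(ts):
    """gcloud prints UTC timestamps with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(name):
    """Last path element of the resource name is the key ID gcloud expects."""
    return name.rsplit("/", 1)[1]


def load_sample_keys():
    return json.loads(SAMPLE_KEYS_JSON)


def audit_keys(keys, now=AUDIT_TIME, max_age_days=90):
    """Return {'stale': [key IDs], 'never_expires': [key IDs]}.
    Only USER_MANAGED keys are in scope: SYSTEM_MANAGED keys are rotated
    by Google and cannot be deleted or rotated by the customer."""
    findings = {"stale": [], "never_expires": []}
    for k in keys:
        if k["keyType"] != "USER_MANAGED":
            continue
        kid = key_id(k["name"])
        age = now - parse_rfc3339(k["validAfterTime"])
        if age > timedelta(days=max_age_days):
            findings["stale"].append(kid)
        if parse_rfc3339(k["validBeforeTime"]).year == NO_EXPIRY_YEAR:
            findings["never_expires"].append(kid)
    return findings


def rotation_plan(sa_email, findings):
    """gcloud commands for the rotation. Order matters: create the new key,
    roll it out to the workload, and only then delete the stale ones."""
    cmds = [f"gcloud iam service-accounts keys create new-key.json --iam-account={sa_email}"]
    cmds += [f"gcloud iam service-accounts keys delete {kid} --iam-account={sa_email}"
             for kid in findings["stale"]]
    return cmds


if __name__ == "__main__":
    result = audit_keys(load_sample_keys())
    print(result)
    print("\n".join(rotation_plan(SA_EMAIL, result)))
```

Run against real output by piping `gcloud iam service-accounts keys list --iam-account=<SA> --format=json` into `json.load` instead of `load_sample_keys()`; a key that is both stale and never-expiring appears in both lists.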
1.4 Managing authentication. Considerations include:
Creating a password policy for user accounts
Establishing Security Assertion Markup Language (SAML)
Configuring and enforcing two-factor authentication
1.5 Managing and implementing authorization controls. Considerations include:
Using resource hierarchy for access control
Privileged roles and separation of duties
Managing IAM permissions with primitive, predefined, and custom roles
Granting permissions to different types of identities
Understanding difference between Google Cloud Storage IAM and ACLs
1.6 Defining resource hierarchy. Considerations include:
Creating and managing organizations
Resource structures (orgs, folders, and projects)
Defining and managing organization constraints
Using resource hierarchy for access control and permissions inheritance
Trust and security boundaries within GCP projects
2. Configuring network security
2.1 Designing network security. Considerations include:
Security properties of a VPC network, VPC peering, shared VPC, and firewall rules
Network isolation and data encapsulation for N-tier application design
Use of DNSSEC
Private vs. public addressing
App-to-app security policy
2.2 Configuring network segmentation. Considerations include:
Network perimeter controls (firewall rules; IAP)
Load balancing (global, network, HTTP(S), SSL proxy, and TCP proxy load balancers)
2.3 Establishing private connectivity. Considerations include:
Private RFC 1918 connectivity between VPC networks and GCP projects (Shared VPC, VPC peering)
Private RFC 1918 connectivity between data centers and a VPC network (IPsec VPN and Cloud Interconnect)
Enabling private connectivity between a VPC and Google APIs (Private Google Access)
3. Ensuring data protection
3.1 Preventing data loss with the DLP API. Considerations include:
Identification and redaction of PII
Configuring tokenization
Configuring format-preserving substitution
Restricting access to DLP datasets
3.2 Managing encryption at rest. Considerations include:
Understanding use cases for default encryption, customer-managed encryption keys (CMEK), and customer-supplied encryption keys (CSEK)
Creating and managing encryption keys for CMEK and CSEK
Managing application secrets
Object lifecycle policies for Cloud Storage
Enclave computing
Envelope encryption
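For the "Envelope encryption", CMEK and "Managing application secrets" items above: a worked envelope-encryption round trip, including a key rotation. This is an added example, not Google's code or part of the exam material. Each object is encrypted under its own data encryption key (DEK); the DEK is wrapped by a key encryption key (KEK) that never leaves the key service; the wrapped DEK is stored next to the ciphertext, so rotating the KEK only re-wraps small DEKs and never re-encrypts the data. Assumptions: `FakeKms` stands in for a Cloud KMS CryptoKey (its `encrypt`/`decrypt` play the role of the `cryptoKeys.encrypt`/`cryptoKeys.decrypt` calls), and to stay free of third-party packages the AEAD is an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) rather than the AES-GCM you would use in production; the bucket path and secret value are constructed.

```python
"""Envelope encryption with a versioned KEK. Added example: FakeKms is a
stand-in for Cloud KMS and the AEAD is an HMAC-SHA256 keystream plus HMAC
tag standing in for AES-GCM, so that this runs with the standard library."""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key, nonce, n):
    """PRF(key, nonce || counter) blocks, truncated to n bytes."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def _subkeys(key):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def aead_encrypt(key, plaintext, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key, blob, aad=b""):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before decrypting
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class FakeKms:
    """Stand-in for a Cloud KMS CryptoKey: versioned KEKs that never leave
    this object. Callers only ever hold wrapped DEKs."""
    def __init__(self):
        self._versions = {1: secrets.token_bytes(32)}
        self.primary = 1

    def encrypt(self, dek):
        # Version prefix tells decrypt which KEK to use, as KMS ciphertext does.
        return self.primary.to_bytes(4, "big") + aead_encrypt(self._versions[self.primary], dek)

    def decrypt(self, wrapped):
        version = int.from_bytes(wrapped[:4], "big")
        return aead_decrypt(self._versions[version], wrapped[4:])

    def rotate(self):
        """New primary version; old versions stay usable for decryption."""
        self.primary += 1
        self._versions[self.primary] = secrets.token_bytes(32)


def seal(kms, plaintext, aad=b""):
    """Fresh DEK per object; data under the DEK, DEK under the KEK."""
    dek = secrets.token_bytes(32)
    return {"wrapped_dek": kms.encrypt(dek), "ciphertext": aead_encrypt(dek, plaintext, aad)}


def unseal(kms, envelope, aad=b""):
    dek = kms.decrypt(envelope["wrapped_dek"])
    return aead_decrypt(dek, envelope["ciphertext"], aad)


def rewrap(kms, envelope):
    """After KEK rotation: unwrap with the old version, wrap with the primary.
    The data ciphertext is untouched, which is the point of the envelope."""
    dek = kms.decrypt(envelope["wrapped_dek"])
    return {"wrapped_dek": kms.encrypt(dek), "ciphertext": envelope["ciphertext"]}


def rejected(kms, envelope, aad=b""):
    """True if unseal refuses the envelope (tag mismatch)."""
    try:
        unseal(kms, envelope, aad)
    except ValueError:
        return True
    return False


def demo(plaintext=b"db-password=s3cr3t"):
    aad = b"gs://demo-bucket/app.env"   # binds the ciphertext to its storage location
    kms = FakeKms()
    env = seal(kms, plaintext, aad)
    kms.rotate()
    env2 = rewrap(kms, env)
    ct = env2["ciphertext"]
    tampered = dict(env2, ciphertext=ct[:NONCE_LEN] + bytes([ct[NONCE_LEN] ^ 1]) + ct[NONCE_LEN + 1:])
    return {
        "old_version_still_decrypts": unseal(kms, env, aad) == plaintext,
        "rewrapped_decrypts": unseal(kms, env2, aad) == plaintext,
        "ciphertext_unchanged": env2["ciphertext"] == env["ciphertext"],
        "wrapped_dek_changed": env2["wrapped_dek"] != env["wrapped_dek"],
        "new_kek_version_used": env2["wrapped_dek"][:4] == (2).to_bytes(4, "big"),
        "tamper_rejected": rejected(kms, tampered, aad),
        "wrong_aad_rejected": rejected(kms, env2, b"gs://other-bucket/app.env"),
    }
```

Every value `demo()` returns is `True`: the envelope survives the KEK rotation without the data being re-encrypted, the wrapped DEK now references version 2, and a flipped ciphertext bit or a mismatched location (AAD) is refused before any plaintext is produced. With CMEK on Cloud Storage, GCS performs the seal/unseal steps and Cloud KMS holds the KEK; what you manage is the key's rotation schedule and the IAM policy on it.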
4. Managing operations within a cloud solution environment
4.1 Building and deploying infrastructure. Considerations include:
Backup and data loss strategy
Creating and automating an incident response plan
Log sinks, audit logs, and data access logs for near-real-time monitoring
Standby models
Automate security scanning for Common Vulnerabilities and Exposures (CVEs) through a CI/CD pipeline
Virtual machine image creation, hardening, and maintenance
Container image creation, hardening, maintenance, and patch management
4.2 Building and deploying applications. Considerations include:
Application logs near-real-time monitoring
Static code analysis
Automate security scanning through a CI/CD pipeline
4.3 Monitoring for security events. Considerations include:
Logging, monitoring, testing, and alerting for security incidents
Exporting logs to external security systems
Automated and manual analysis of access logs
Understanding capabilities of Cloud Security Scanner and Forseti
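For "Log sinks, audit logs, and data access logs for near-real-time monitoring" (4.1) and "Automated and manual analysis of access logs" (4.3): a small detector run over Cloud Audit Log entries as a log sink delivers them. This is an added example, not Google's code and not a feature of Cloud Security Scanner or Forseti. The four entries, the project, the principals and the IP addresses are constructed; the field names (`logName`, `protoPayload.methodName`, `authenticationInfo.principalEmail`, `serviceData.policyDelta.bindingDeltas`) follow the AuditLog schema. It flags grants of highly privileged roles, grants to `allUsers`/`allAuthenticatedUsers`, and creation of user-managed service account keys, and ignores the benign data-access read.

```python
"""Detections over Cloud Audit Log entries (LogEntry with an AuditLog
protoPayload), as exported by a log sink. Added example; the entries,
principals and IPs below are constructed."""
import json

ACTIVITY_LOG = "cloudaudit.googleapis.com%2Factivity"
DATA_ACCESS_LOG = "cloudaudit.googleapis.com%2Fdata_access"

HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                        "roles/iam.serviceAccountTokenCreator"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SA_KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"


def entry(log_type, service, method, principal, caller_ip, resource_name, **extra):
    """Build one LogEntry with the fields the detections read."""
    payload = {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service,
        "methodName": method,
        "resourceName": resource_name,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": caller_ip},
    }
    payload.update(extra)
    return {"logName": f"projects/demo-proj/logs/{log_type}",
            "timestamp": "2019-06-30T12:00:00Z",
            "protoPayload": payload}


def binding_delta(action, role, member):
    """serviceData.policyDelta as SetIamPolicy-style calls record it."""
    return {"serviceData": {"@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
                            "policyDelta": {"bindingDeltas": [
                                {"action": action, "role": role, "member": member}]}}}


SAMPLE_ENTRIES = [   # constructed
    entry(ACTIVITY_LOG, "cloudresourcemanager.googleapis.com", "SetIamPolicy",
          "alice@example.com", "203.0.113.10", "projects/demo-proj",
          **binding_delta("ADD", "roles/owner", "user:contractor@example.net")),
    entry(ACTIVITY_LOG, "storage.googleapis.com", "storage.setIamPermissions",
          "bob@example.com", "203.0.113.11", "projects/_/buckets/demo-exports",
          **binding_delta("ADD", "roles/storage.objectViewer", "allUsers")),
    entry(ACTIVITY_LOG, "iam.googleapis.com", SA_KEY_CREATE,
          "alice@example.com", "203.0.113.10",
          "projects/-/serviceAccounts/ci-builder@demo-proj.iam.gserviceaccount.com"),
    entry(DATA_ACCESS_LOG, "storage.googleapis.com", "storage.objects.get",
          "ci-builder@demo-proj.iam.gserviceaccount.com", "10.128.0.5",
          "projects/_/buckets/demo-exports/objects/report.csv"),
]


def binding_deltas(e):
    """Empty for entries that carry no IAM policy change."""
    return (e["protoPayload"].get("serviceData", {})
            .get("policyDelta", {}).get("bindingDeltas", []))


def detect(entries):
    """Return a list of (rule, principal, detail) findings."""
    findings = []
    for e in entries:
        p = e["protoPayload"]
        who = p["authenticationInfo"]["principalEmail"]
        for d in binding_deltas(e):
            if d["action"] != "ADD":       # removals are not escalations
                continue
            if d["role"] in HIGH_PRIVILEGE_ROLES:
                findings.append(("privileged-role-granted", who,
                                 f"{d['role']} -> {d['member']} on {p['resourceName']}"))
            if d["member"] in PUBLIC_MEMBERS:
                findings.append(("resource-made-public", who,
                                 f"{d['member']} got {d['role']} on {p['resourceName']}"))
        if p["methodName"] == SA_KEY_CREATE:
            findings.append(("user-managed-sa-key-created", who, p["resourceName"]))
    return findings


def to_ndjson(entries):
    return "\n".join(json.dumps(e) for e in entries)


def detect_from_export(lines):
    """Same detections over newline-delimited JSON, the form a sink writes."""
    return detect(json.loads(line) for line in lines if line.strip())


if __name__ == "__main__":
    for finding in detect_from_export(to_ndjson(SAMPLE_ENTRIES).splitlines()):
        print(*finding, sep=" | ")
```

The same three checks run unchanged whether the entries come from a Pub/Sub subscription on the sink or from a file a SIEM has already ingested; only the transport differs. Data access logs are off by default for most services and must be enabled per service for the fourth entry to exist at all.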
5. Ensuring compliance
5.1 Comprehension of regulatory concerns. Considerations include:
Evaluation of concerns relative to compute, data, and network
Security shared responsibility model
Security guarantees within cloud execution environments
Limiting compute and data for regulatory compliance
5.2 Comprehension of compute environment concerns. Considerations include:
Security guarantees and constraints for each compute environment (Compute Engine, Google Kubernetes Engine, App Engine)
Determining which compute environment is appropriate based on company compliance standards
QUESTION 1
Your team needs to make sure that a Compute Engine instance does not have access to the internet or to any Google APIs or services.
Which two settings must remain disabled to meet these requirements? (Choose two.)
A. Public IP
B. IP Forwarding
C. Private Google Access
D. Static routes
E. IAM Network User Role
Correct Answer: AC (with no external IP the instance has no path to the internet unless Cloud NAT or a proxy is added for it; Private Google Access is the subnet setting that lets an internal-only instance reach Google APIs and services, so it must stay off. IP forwarding lets the VM forward packets for other hosts, and static routes and the Compute Network User role are not what gives an instance internet or API access.)
QUESTION 2
Which two implied firewall rules are defined on a VPC network? (Choose two.)
A. A rule that allows all outbound connections
B. A rule that denies all inbound connections
C. A rule that blocks all inbound port 25 connections
D. A rule that blocks all outbound connections
E. A rule that allows all inbound port 80 connections
Correct Answer: AB
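The two implied rules from Question 2 and the perimeter controls of section 2.2 can be exercised with a small evaluator. This is an added example, not Google's code and not part of the exam material: the `Rule` class, the `evaluate` function and the sample rule set are constructed for illustration, and only the matching semantics are the documented Google Cloud behaviour (priority 0 to 65535 with the lowest number winning, the implied allow-all-egress and deny-all-ingress rules fixed at 65535 so that any rule you add overrides them, and deny beating allow when two rules tie on priority). The two CIDRs used in the sample rules are the documented IAP TCP-forwarding source range and the private.googleapis.com range; the tags and instance addresses are constructed.

```python
"""Evaluate one packet against a VPC firewall rule set including the two
implied rules. Added example; Rule, evaluate and SAMPLE_RULES are
constructed, the precedence semantics are Google Cloud's."""
import ipaddress
from dataclasses import dataclass, field

IMPLIED_PRIORITY = 65535          # fixed by the platform; cannot be changed or deleted
ANY = ["0.0.0.0/0", "::/0"]


@dataclass
class Rule:
    name: str
    direction: str                # "INGRESS" or "EGRESS"
    action: str                   # "allow" or "deny"
    priority: int = 1000          # gcloud's default when --priority is omitted
    protocols: dict = field(default_factory=lambda: {"all": None})   # {"tcp": {22, 443}}; None = all ports
    ranges: list = field(default_factory=lambda: list(ANY))          # source (ingress) / destination (egress)
    target_tags: frozenset = frozenset()                             # empty = every instance in the network


IMPLIED_RULES = [
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY),
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY),
]


def rule_matches(rule, direction, proto, port, remote_ip, tags):
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & tags):
        return False
    addr = ipaddress.ip_address(remote_ip)
    if not any(addr in ipaddress.ip_network(cidr) for cidr in rule.ranges):
        return False
    if "all" in rule.protocols:
        return True
    ports = rule.protocols.get(proto, False)
    if ports is False:            # protocol not listed in this rule
        return False
    return ports is None or port in ports


def evaluate(rules, direction, proto, port, remote_ip, tags=frozenset()):
    """Return (action, rule_name). The implied rules always match, so a
    decision always exists."""
    candidates = [r for r in list(rules) + IMPLIED_RULES
                  if rule_matches(r, direction, proto, port, remote_ip, frozenset(tags))]
    # Lowest priority number wins; on a tie, deny takes precedence over allow.
    best = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name


# Constructed rule set for a locked-down VPC.
# 35.235.240.0/20: IAP TCP forwarding source range (so SSH only via IAP).
# 199.36.153.8/30: private.googleapis.com, the only egress destination allowed.
SAMPLE_RULES = [
    Rule("allow-ssh-from-iap", "INGRESS", "allow", 1000,
         {"tcp": {22}}, ["35.235.240.0/20"], frozenset({"ssh"})),
    Rule("allow-web", "INGRESS", "allow", 1000,
         {"tcp": {80, 443}}, list(ANY), frozenset({"web"})),
    Rule("allow-egress-google-apis", "EGRESS", "allow", 1000,
         {"tcp": {443}}, ["199.36.153.8/30"]),
    # One step below 65535 is enough to override the implied allow-all egress.
    Rule("deny-all-egress", "EGRESS", "deny", 65534),
]


if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "INGRESS", "tcp", 22, "35.235.240.5", {"ssh"}))
    print(evaluate(SAMPLE_RULES, "INGRESS", "tcp", 22, "203.0.113.7", {"ssh"}))
    print(evaluate(SAMPLE_RULES, "EGRESS", "tcp", 443, "203.0.113.7"))
    print(evaluate([], "EGRESS", "udp", 53, "8.8.8.8"))
```

With an empty rule list the evaluator reproduces the two implied rules: every egress is allowed and every ingress is denied. The `deny-all-egress` rule at 65534 shows how a single explicit rule turns the default-open egress posture into an allow-list, and a same-priority allow/deny pair resolves to deny.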
QUESTION 3
A customer needs an alternative to storing their plain text secrets in their source-code management (SCM) system.
How should the customer achieve this using Google Cloud Platform?
A. Use Cloud Source Repositories, and store secrets in Cloud SQL.
B. Encrypt the secrets with a Customer-Managed Encryption Key (CMEK), and store them in Cloud Storage.
C. Run the Cloud Data Loss Prevention API to scan the secrets, and store them in Cloud SQL.
D. Deploy the SCM to a Compute Engine VM with local SSDs, and enable preemptible VMs.
Correct Answer: B
QUESTION 4
Your team wants to centrally manage GCP IAM permissions from their on-premises Active Directory Service.
Your team wants to manage permissions by AD group membership.
What should your team do to meet these requirements?
A. Set up Cloud Directory Sync to sync groups, and set IAM permissions on the groups.
B. Set up SAML 2.0 Single Sign-On (SSO), and assign IAM permissions to the groups.
C. Use the Cloud Identity and Access Management API to create groups and IAM permissions from Active Directory.
D. Use the Admin SDK to create groups and assign IAM permissions from Active Directory.
Correct Answer: A (Cloud Directory Sync mirrors the Active Directory groups into Cloud Identity, and IAM bindings are then granted to those groups; SAML 2.0 SSO handles sign-in only and does not create or synchronize groups.)
QUESTION 5
When creating a secure container image, which two items should you incorporate into the build if possible? (Choose two.)
A. Ensure that the app does not run as PID 1.
B. Package a single app as a container.
C. Remove any unnecessary tools not needed by the app.
D. Use public container images as a base image for the app.
E. Use many container image layers to hide sensitive information.
Correct Answer: BC