Google Cloud Exam Syllabus

Professional Cloud Security Engineer syllabus, skills measured, and exam topics

A Cloud Security Engineer allows organizations to design and implement secure workloads and infrastructure on Google Cloud. Through an understanding of security best practices and industry requirements, this individual designs, develops, and manages a secure solution by

Skills measured by domain

Use the weighting table to decide where to spend the most study time.

Domain Weight
Section 1: Configuring access 25%
Section 2: Securing communications and establishing boundary protection 22%
Section 3: Ensuring data protection 23%
Section 4: Managing operations 19%
Section 5: Supporting compliance requirements 11%

Detailed outline

Scan each section as a working study checklist instead of one long wall of text.

Section 1: Configuring access (~25% of the exam)

  • 1.1 Managing Cloud Identity. Considerations include:
      • Configuring Google Cloud Directory Sync and implementing single sign-on (SSO) with a third-party identity provider.
      • Managing a super administrator account.
      • Automating the user lifecycle management process.
      • Administering user accounts and groups programmatically.
      • Configuring Workforce Identity Federation
  • 1.2 Managing service accounts. Considerations include:
      • Securing and protecting service accounts (including default service accounts).
      • Identifying scenarios requiring service accounts.
      • Creating, disabling, and authorizing service accounts.
      • Securing, auditing, and mitigating the usage of service account keys.

Section 2: Securing communications and establishing boundary protection (~22% of the exam)

  • 2.1 Designing and configuring perimeter security. Considerations include:
      • Configuring network perimeter controls (e.g., Cloud Next Generation Firewall [Cloud NGFW] rules and policies, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service).
      • Setting up application layer inspection on Cloud NGFW (e.g., layer 7).
      • Differentiating between private and public IP addressing.
      • Configuring web application firewalls (e.g., Google Cloud Armor).
      • Deploying Secure Web Proxy.
      • Configuring Cloud DNS security settings.
      • Continually monitoring and restricting configured APIs.
  • 2.2 Configuring boundary segmentation. Considerations include:

Section 3: Ensuring data protection (~23% of the exam)

  • 3.1 Protecting sensitive data and preventing data loss. Considerations include:
      • Configuring Sensitive Data Protection (SDP) (e.g., discovering and redacting personally identifiable information (PII), configuring pseudonymization and format preserving encryption).
      • Restricting access to Google Cloud data services (e.g., BigQuery, Cloud Storage, and Cloud SQL datastores).
      • Securing secrets with Secret Manager.
      • Protecting and managing compute instance metadata.
  • 3.2 Managing encryption at rest, in transit, and in use. Considerations include:
      • Identifying use cases for Google default encryption, customer-managed encryption keys (CMEK), and Cloud External Key Manager (EKM).
      • Determining when to use software and hardware keys

Section 4: Managing operations (~19% of the exam)

  • 4.1 Automating infrastructure and application security. Considerations include:
      • Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline.
      • Configuring Binary Authorization to secure GKE clusters or Cloud Run.
      • Automating virtual machine and container image creation (e.g., hardening, maintenance, VM patch management).
      • Managing policy and drift detection at scale (e.g., cloud security posture management, custom organization policies and custom modules for Security Health Analytics).
  • 4.2 Configuring logging, monitoring, and detection. Considerations include:
      • Configuring and analyzing network logs (Cloud Next Generation Firewall [Cloud NGFW], VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics).

Section 5: Supporting compliance requirements (~11% of the exam)

  • 5.1 Adhering to regulatory and industry standards requirements for the cloud. Considerations include:
      • Determining technical needs relative to compute, data, network, and storage.
      • Evaluating the shared responsibility model.
      • Configuring security controls within cloud environments to support compliance requirements (e.g., Assured Workloads, organizational policies, Access Transparency, Access Approval, regionalization of data and services).
      • Determining the Google Cloud environment in scope for regulatory compliance.
      • Mapping compliance requirements to Google Cloud services and security controls (e.g., network and access segmentation, audit log coverage).