Google Cloud Platform (GCP) Professional Cloud Security Engineer Certification Companion: Learn and Apply Security Design Concepts to Ace the Exam (Certification Study Companion Series)
By Dario Cabianca
- Publisher: Apress
- Language: English
- Edition: 1
Table of Contents
About the Author
About the Technical Reviewer
Acknowledgments
Foreword
Introduction
Chapter 1: Exam Overview
Exam Content
Exam Subject Areas
Exam Format
Supplementary Study Materials
Sign Up for a Free Tier
Register for the Exam
Schedule the Exam
Rescheduling and Cancellation Policy
Exam Results
Retake Policy
Summary
Chapter 2: Configuring Access
Introduction to Information Security Principles
Least Privilege
Defense in Depth
Separation of Duties
Minimize the Attack Surface
Limiting the Blast Radius
Managing Cloud Identity
Understanding Identities, Principals, and Accounts
Federating Cloud Identity
Configuring Google Cloud Directory Sync (GCDS)
Managing a Super Administrator Account
Configuring an Organization Resource
Protecting Your Organization Super Admin Account
Automating the User Lifecycle Management Process
Administering User Accounts and Groups Programmatically
Cloud Identity Automated Provisioning
Third-Party Just-in-Time (JIT) Provisioning
Managing Service Accounts
Understanding Service Accounts
Creating Service Accounts
Authorizing Service Accounts
Securing and Protecting Service Accounts
Protecting Against Credential Leakage
Protecting Against Privilege Escalation
Supporting Non-repudiation
Disabling Service Accounts
Managing Service Account Impersonation
Impersonating a Service Account with the gcloud-Wide Flag
Impersonating a Service Account with Short-Lived Access Tokens
Impersonating a Service Account with a Configuration File
Attaching a Service Account to a Resource in the Same Project
Attaching a Service Account to a Resource in a Different Project
Auditing Service Accounts
Auditing Logs for Service Account Creation
Auditing Logs for Service Account Impersonation
Auditing Logs for Service Account Authorization
Auditing Logs for Service Account Attached to a VM
Automating the Rotation of User-Managed Service Account Keys
Identifying Scenarios That Require Service Accounts
Configuring Workload Identity Federation
Securing Default Service Accounts
Managing Authentication
Creating a Password and Session Management Policy for User Accounts
Opening User Security Settings
Configuring Password Reset
Configuring Session Length
Setting Up Security Assertion Markup Language (SAML) and OAuth
SAML
How It Works
Configuration in GCP
Use Cases
OAuth
How It Works
Configuration in GCP
Use Cases
Configuring and Enforcing Two-Factor Authentication
Notify Users of 2-Step Verification Deployment
Allow Users to Turn on 2-Step Verification
Tell Your Users to Enroll in 2-Step Verification
Track Users’ Enrollment
Enforce 2-Step Verification (Optional)
Managing and Implementing Authorization
Managing Privileged Roles and Separation of Duties with Identity and Access Management (IAM) Roles and Permissions
Granting Permissions to Different Types of Identities
Viewing IAM Allow Policy for Your Project, Folder, or Organization
Granting or Revoking a Single Role
Granting or Revoking Multiple Roles
Denying Permissions with IAM Deny Policies
Understanding Required IAM Roles
Selecting Permissions to Deny
Selecting Principals
Selecting an Attachment Point
Creating IAM Deny Policies
Viewing IAM Deny Policies
Updating IAM Deny Policies
Deleting IAM Deny Policies
Managing IAM and Access Control List (ACL) Permissions
Configuring Access Context Manager
Applying Policy Intelligence for Better Permission Management
Analyzing Access
Analyzing Organization Policies
Troubleshooting Access Issues
Understanding Service Account Usage and Permissions
Managing Permissions Through Groups
Defining Resource Hierarchy
Introducing Organization Policies
Creating and Managing Organizations
Understanding Super Admin and IAM Organization Administrator Roles
Managing Organization Policies for Organization, Folders, Projects, and Resources
Using Resource Hierarchy for Access Control and Permission Inheritance
Summary
Chapter 3: Configuring Perimeter and Boundary Security
Designing Perimeter Security
Configuring Network Perimeter Controls
Configuring Firewall Rules
Target Network Tags and Service Accounts
Syntax for Creating Firewall Rules
Priority
Example
Protocols and Ports
Direction
Example
Firewall Rules Logs
Firewall Rule Summary
Configuring Hierarchical Firewall Rules
Configuring Load Balancers
Configuring Certificate Authority Service
Creating a CA Pool
Creating a Root CA
Creating a Certificate
Identifying Differences Between Private and Public Addressing
Configuring Web Application Firewall (Google Cloud Armor)
Security Policies
Adaptive Protection
Web Application Firewall (WAF) Rules
Configure Custom Rules Language Attributes
Attaching Security Policies to Backend Services
Example
Configuring Cloud DNS Security Settings
Managing Zones and Records
Creating Public Zones
Creating Private Zones
Creating Forwarding Zones
Creating Peering Zones
Managing Records
Configuring Boundary Segmentation
Configuring Security Properties of a VPC Network, VPC Peering, Shared VPC, and Firewall Rules
Configuring VPC Peering
Creating a Shared VPC and Sharing Subnets with Other Projects
Host and Service Project Concepts
Shared VPC Deep Dive
Assigning Roles to Principals
Creating the Shared VPC
Creating the Service Projects
Enabling Compute API for Service and Host Projects
Enabling Host Project
Attaching Service Projects
Assigning Individual Subnet-Level Roles to Service Project Admins
Using a Shared VPC
Listing Usable Subnets
Creating VMs
Verifying VM Connectivity
Deleting VMs
Configuring Network Isolation and Data Encapsulation for N-Tier Application Design
Configuring VPC Service Controls
Creating and Configuring Access Levels and Service Perimeters
Understanding Service Perimeters
Understanding Access Levels
Service Perimeter Deep Dive
Enabling Access Context Manager and Cloud Resource Manager APIs
Creating an Access Policy for the Organization
Creating an Access Level
Creating a Perimeter
Testing the Perimeter
Deleting the Buckets
VPC Accessible Services
Establishing Private Connectivity
Designing and Configuring Private Connectivity Between Data Centers and a VPC Network
IPsec
High Availability VPN (Dynamic Routing)
How It Works
Cloud Interconnect
Dedicated Interconnect Connections and VLAN Attachments
Prerequisites
How It Works
VLAN Attachments
Partner Interconnect Connections and VLAN Attachments
Prerequisites
How It Works
VLAN Attachments
Establishing Private Connectivity Between VPC and Google APIs
Configuring Private Google Access (PGA)
Configuring Private Service Connect (PSC)
Using Cloud NAT (Network Address Translation) to Enable Outbound Traffic
Architecture
Creating a Cloud NAT Instance
Addressing and Port Allocations
Static Port Allocation
Dynamic Port Allocation
Customizing Timeouts
Summary
Chapter 4: Ensuring Data Protection
Protecting Sensitive Data and Preventing Data Loss
Understanding Data De-identification Process
Configuring Sensitive Data Protection Go Client Libraries
Inspecting and Redacting Personally Identifiable Information (PII) from Text
Inspecting and Redacting Personally Identifiable Information (PII) from Images
Configuring Tokenization (Pseudonymization)
Configuring Format-Preserving Encryption (FPE)
De-identifying and Re-identifying Personally Identifiable Information (PII) with Format-Preserving Encryption
Restricting Column Access to BigQuery Datasets
Column-Level Access Control Deep Dive
Securing Secrets with Secret Manager
Creating a Secret
Accessing a Secret
Best Practices: How Do I Keep My Secrets Secret?
Managing Encryption at Rest, in Transit, and in Use
Understanding Encryption Use Cases
Fit for Purpose
Understanding Use Cases for Google Default Encryption
Understanding Use Cases for Customer-Managed Encryption Keys (CMEK)
Understanding Use Cases for Customer-Supplied Encryption Keys (CSEK)
Understanding Use Cases for Cloud External Key Manager (EKM)
Understanding Use Cases for Cloud Hardware Security Module (HSM)
Creating and Managing Encryption Keys for CMEK, CSEK, and EKM
Using Symmetric Encryption Keys for CMEK
Using Asymmetric Encryption Keys for CMEK
Using Encryption Keys with CSEK
Using Key Encryption Keys (KEKs) with Cloud EKM
Configuring Object Lifecycle Policies for Cloud Storage
Understanding Google Cloud Storage Classes
Understanding Object Lifecycle Policies
Enforcing Object Lifecycle Policies
Delete Older Object Versions
Change an Object’s Storage Class
Remove the Lifecycle Configuration
Enabling Encryption in Transit
Enabling Confidential Computing
Confidential VMs
AMD SEV
AMD SEV-SNP
Confidential GKE Nodes
Confidential Dataflow
Confidential Dataproc
Confidential Space
Planning for Security and Privacy in AI
Implementing Security Controls for AI/ML Systems (e.g., Protecting Against Unintentional Exploitation of Data or Models)
Summary
Chapter 5: Managing Security Operations
Automating Infrastructure and Application Security
Automating Security Scanning for Common Vulnerabilities and Exposures (CVEs) Through a Continuous Integration and Delivery (CI/CD) Pipeline
Google Kubernetes Engine (GKE)
Container Registry Vulnerability Scanning
Third-Party Tools
Deep Dive Using On-Demand Scanning in Your Cloud Build Pipeline
Configuring Binary Authorization to Secure GKE Clusters or Cloud Run
Binary Authorization Deep Dive
Automating Virtual Machine Image Creation, Hardening, Maintenance, and Patch Management
Understanding Images
Choosing a Boot Image
Creating Customized Images
Manual Baking
Automatic Baking
Importing Existing Images
Encrypting Images
Image Lifecycle
Sharing Images Between Projects
Using Shielded VMs
Automating Container Image Creation, Verification, Hardening, Maintenance, and Patch Management
Automating Container Image Scan and Verification
Hardening Container Images
Managing Policy and Drift Detection at Scale
Custom Organization Policies
Custom Modules for Security Health Analytics
Configuring Logging, Monitoring, and Detection
Understanding Cloud Logging
Understanding Log Categories
Configuring and Analyzing Network Logs
Firewall Rules Logging
VPC Flow Logs
Packet Mirroring
Designing an Effective Logging Strategy
Define Purpose and Objectives
Understand Log Types and Sources
Decide Logging Architecture Pattern
Understand Data Residency Requirements
Determine Granularity and Retention
Enforce Access Control
Set Up Granular Alerting
Assess Cost
Test and Iterate
Logging, Monitoring, Responding to, and Remediating Security Incidents
Designing Secure Access to Logs
Control Access to Logs with a RACI Matrix
Consider Using Data Access Audit Logs
Protect Your Audit Logs with Customer-Managed Encryption Keys
Set Your Log Bucket Retention Period
Set Your Log Bucket Region
Use VPC Service Controls
Exporting Logs to External Security Systems
Configuring Log Exports (Log Sinks and Aggregated Sinks)
Single Project with Multiple Buckets
Separate Projects
Aggregating Logs
Creating a Log Bucket to Store Aggregated Logs
Creating a Sink at the Organization Level to Route Logs to the New Bucket
Configuring Read Access to the New Bucket
Searching Logs
Troubleshooting Log Sinks
Configuring and Monitoring Security Command Center
Activation Levels
Service Tiers
Built-In Services
Detectors
Summary
Chapter 6: Supporting Compliance Requirements
Determining Regulatory Requirements for the Cloud
Determining Concerns Relative to Compute, Data, Network, and Storage
Compute Concerns
Data Concerns
Network Concerns
Storage Concerns
Evaluating the Shared Responsibility Model
Understanding the Model
Customer Responsibilities
Google Cloud Responsibilities
Evaluating the Model
Additional Remarks
Configuring Security Controls Within Cloud Environments to Support Compliance Requirements (Regionalization of Data and Services)
Understanding Compliance Obligations
Addressing Compliance Needs
Deploying Assured Workloads
Leveraging Security Blueprints
Configuring Security Command Center
Understanding Regionalization of Data and Services
Restricting Compute and Data for Regulatory Compliance (Assured Workloads, Organization Policies, Access Transparency, Access Approval)
Google Cloud and Regulatory Compliance
Restricting Compute Access
Restricting Data Access
Monitoring and Auditing
Building Trust and Transparency
Enabling Access Transparency
Enabling Access Approval
Determining the Google Cloud Environment in Scope for Regulatory Compliance
Understanding Regulatory Requirements
Identifying Relevant Google Cloud Services
Data Classification and Inventory
Network Configuration and Security
Access Control and Identity Management
Audit Logs and Monitoring
Appendix: Google Cloud Policy Summary
Index