Book Image

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

By : Ankush Chowdhary, Prashant Kulkarni
Book Image

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

By: Ankush Chowdhary, Prashant Kulkarni

Overview of this book

Google Cloud security offers powerful controls to assist organizations in establishing secure and compliant cloud environments. With this book, you’ll gain in-depth knowledge of the Professional Cloud Security Engineer certification exam objectives, including Google Cloud security best practices, identity and access management (IAM), network security, data security, and security operations. The chapters go beyond the exam essentials, helping you explore advanced topics such as Google Cloud Security Command Center, the BeyondCorp Zero Trust architecture, and container security. With step-by-step explanations, practical examples, and practice exams to help you improve your skills for the exam, you'll be able to efficiently review and apply key concepts of the shared security responsibility model. Finally, you’ll get to grips with securing access, organizing cloud resources, network and data security, and logging and monitoring. By the end of this book, you'll be proficient in designing, developing, and operating security controls on Google Cloud and gain insights into emerging concepts for future exams.

Related Content you might be interested in

Current Title:

Small book image
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
Ankush Chowdhary | Prashant Kulkarni
Aug, 2023 | 496 pages
Small book image
Google Cloud Certified Professional Cloud Network Engineer Guide
Maurizio Ipsale | Mirko Gilioli
Jan, 2022 | 406 pages
Small book image
The Ultimate Guide to Building a Google Cloud Foundation
Patrick Haggerty
Aug, 2022 | 284 pages
Small book image
Professional Cloud Architect Google Cloud Certification Guide
Brian Gerrard | Konrad Clapa
Dec, 2021 | 664 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share your thoughts
Free Chapter
1
Chapter 1: About the GCP Professional Cloud Security Engineer Exam
Chapter 1: About the GCP Professional Cloud Security Engineer Exam
Benefits of being certified
Registering for the exam
Some useful tips on how to prepare
Summary
Further reading
2
Chapter 2: Google Cloud Security Concepts
Chapter 2: Google Cloud Security Concepts
Overview of Google Cloud security
Shared security responsibility
Security by design
Threat and vulnerability management
Summary
Further reading
3
Chapter 3: Trust and Compliance
Chapter 3: Trust and Compliance
Establishing and maintaining trust
Access Transparency and Access Approval
Security and privacy of data
Third-party risk assessments
Compliance in the cloud
Summary
Further reading
4
Chapter 4: Resource Management
Chapter 4: Resource Management
Overview of Google Cloud Resource Manager
Understanding resource hierarchy
Applying constraints using the Organization Policy Service
Asset management using Cloud Asset Inventory
Best practices and design considerations
Summary
Further reading
5
Chapter 5: Understanding Google Cloud Identity
Chapter 5: Understanding Google Cloud Identity
Overview of Cloud Identity
Securing your account
Directory management
Summary
Further reading
6
Chapter 6: Google Cloud Identity and Access Management
Chapter 6: Google Cloud Identity and Access Management
Overview of IAM
Service accounts
IAM policy bindings
Tag-based access control
Cloud Storage ACLs
IAM APIs
IAM logging
Summary
Further reading
7
Chapter 7: Virtual Private Cloud
Chapter 7: Virtual Private Cloud
Overview of VPC
Google Cloud regions and zones
VPC deployment models
Micro-segmentation
Cloud DNS
Load balancers
Hybrid connectivity options
Best practices and design considerations
Summary
Further reading
8
Chapter 8: Advanced Network Security
Chapter 8: Advanced Network Security
Private Google Access
Identity-Aware Proxy
Cloud NAT
Google Cloud Armor
Summary
Further reading
9
Chapter 9: Google Cloud Key Management Service
Chapter 9: Google Cloud Key Management Service
Overview of Cloud KMS
Encryption and key management in Cloud KMS
Key management options
Symmetric key encryption
Asymmetric key encryption
Importing a key (BYOK)
Key lifecycle management
Key IAM permissions
Cloud HSM
Cloud EKM
Cloud KMS best practices
Cloud KMS API
Cloud KMS logging
Summary
Further reading
10
Chapter 10: Cloud Data Loss Prevention
Chapter 10: Cloud Data Loss Prevention
Overview of Cloud DLP
DLP architecture options
Cloud DLP terminology
Creating a Cloud DLP inspection template
Best practices for inspecting sensitive data
Inspecting and de-identifying PII data
Tutorial: How to de-identify and tokenize sensitive data
DLP use cases
Best practices for Cloud DLP
Data exfiltration and VPC Service Controls
Best practices for VPC Service Controls
Summary
Further reading
11
Chapter 11: Secret Manager
Chapter 11: Secret Manager
Overview of Secret Manager
Managing secrets and versions
Accessing a secret
Secret replication policy
CMEKs for Secret Manager
Best practices for secret management
Secret Manager logs
Summary
Further reading
12
Chapter 12: Cloud Logging
Chapter 12: Cloud Logging
Introduction to Google Cloud logging
Log categories
Log management
Logging and auditing best practices
Summary
Further reading
13
Chapter 13: Image Hardening and CI/CD Security
Chapter 13: Image Hardening and CI/CD Security
Overview of image management
Custom images for Google Compute Engine
Image management pipeline
Controlling access to the images
Image lifecycle
Enforcing lifecycle policies
Securing a CI/CD pipeline
Best practices for CI/CD security
Shielded VMs
Confidential computing
Summary
Further reading
14
Chapter 14: Security Command Center
Chapter 14: Security Command Center
Overview of SCC
Core services
Cloud Asset Inventory
Detecting security misconfigurations and vulnerabilities
Threat detection
Continuous compliance monitoring
Automating a findings response
Summary
Further reading
15
Chapter 15: Container Security
Chapter 15: Container Security
Overview of containers
Container basics
What is Kubernetes?
Container security
GKE security features
Container security best practices
Summary
Further reading
16
Google Professional Cloud Security Engineer Exam – Mock Exam I
Google Professional Cloud Security Engineer Exam – Mock Exam I
17
Google Professional Cloud Security Engineer Exam – Mock Exam II
Google Professional Cloud Security Engineer Exam – Mock Exam II
Why subscribe?
18
Other Books You May Enjoy
Other Books You May Enjoy
Share your thoughts

CMEKs for Secret Manager

By default, secrets are encrypted with Google default encryption. However, some highly regulated customers require control of keys, so Secret Manager supports customer-managed encryption keys (CMEKs) (within Cloud KMS) for encrypting:

Note

However, if you disable or permanently destroy the CMEK, the secret encrypted with that key cannot be decrypted.

  • Secret payloads are encrypted by Google-managed keys before being written to persistent storage with no additional configuration required.
  • Secret Manager encrypts data with a unique data encryption key (DEK) before writing it to persistent storage in a specific location. The Secret Manager service owns a replica-specific key called a key encryption key (KEK), which is used to encrypt the DEK. This is commonly referred to as envelope encryption.
  • The CMEK is a symmetric key that you control within Cloud KMS when using CMEKs with Secret Manager. The CMEK must be stored in the same GCP region...
Previous Section
End of Section 6
Next Section