Google Cloud Professional Cloud Security Engineer Study Guide
The Google Cloud Professional Cloud Security Engineer exam validates your ability to design, implement, and manage secure infrastructure, identity, data protection, and security operations on Google Cloud. It is a 2-hour exam covering IAM and access control, network boundary protection, data encryption, security operations and monitoring, and compliance enforcement. It targets security professionals and cloud engineers responsible for protecting Google Cloud workloads and demonstrating regulatory compliance.
Domain 1: Configuring Access
- Least privilege favors predefined roles (e.g., roles/storage.objectViewer) or custom roles over the basic (formerly primitive) Owner/Editor/Viewer roles, which span nearly every Google Cloud service and grant far more access than any single task needs.
- Custom IAM roles let you define an exact permission set; create one with 'gcloud iam roles create' using --project (or --organization) and a --file YAML definition listing includedPermissions.
- Workload Identity (GKE) lets a Kubernetes service account impersonate a Google service account via the GKE metadata server, issuing short-lived tokens automatically and eliminating downloaded JSON key files.
- Enabling GKE Workload Identity requires two steps: annotating the Kubernetes service account with the Google SA email and adding the IAM policy binding for roles/iam.workloadIdentityUser.
- Workload Identity Federation lets external identities (AWS, Azure, on-prem OIDC/SAML providers) impersonate Google service accounts without keys, extending keyless auth beyond GKE.
- IAM Conditions add context constraints to a binding (time windows, resource names, request attributes); a time-bound grant uses a --condition with a request.time expression for a temporary window.
- Context-Aware Access (BeyondCorp Enterprise) uses Access Context Manager access levels to require device posture, corporate IP ranges, or user identity before granting access, so network location alone is never sufficient.
- IAM Privileged Access Manager (PAM) provides just-in-time, time-bound, approval-gated elevation of privileged roles instead of standing access.
- roles/iam.serviceAccountTokenCreator lets a principal generate short-lived tokens by impersonating a service account; the --impersonate-service-account flag runs a gcloud command with those credentials.
- Grant IAM roles on a project with 'gcloud projects add-iam-policy-binding PROJECT --member=... --role=...'; add --condition with a timestamp expression for a time-bound binding.
- Create a service account with 'gcloud iam service-accounts create NAME'; prefer one minimally scoped SA per workload over shared or broadly privileged accounts.
- Policies set at the organization or folder node are inherited by all projects beneath them, making the hierarchy the place to enforce broad guardrails.
- The Organization Policy constraint constraints/compute.vmExternalIpAccess blocks assigning external IPs to VMs, reducing attack surface and supporting least-privilege networking.
- Reserve high-impact permissions (e.g., large committed-use purchases) for billing admins via scoped predefined roles plus IAM Conditions, keeping day-to-day principals minimally privileged.
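To see these access-control rules applied, here is an added example (not from the original guide) that audits a policy in the JSON shape returned by `gcloud projects get-iam-policy`, flagging basic roles, public principals, and time-bound bindings whose request.time condition has already lapsed. The policy document is a constructed sample; the member names and project id are placeholders.

```python
"""Audit an IAM policy in the JSON shape of `gcloud projects get-iam-policy`
for least-privilege problems: basic roles, public principals, and time-bound
bindings whose request.time condition has lapsed. SAMPLE_POLICY is constructed."""
import json
import re
from datetime import datetime, timezone

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Pulls the deadline out of a condition like
#   request.time < timestamp("2024-01-31T00:00:00Z")
EXPIRY_RE = re.compile(r'request\.time\s*<\s*timestamp\("([^"]+)"\)')

SAMPLE_POLICY = json.dumps({"version": 3, "etag": "BwXyz", "bindings": [
    {"role": "roles/editor", "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:app@sample-proj.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:bob@example.com"],
     "condition": {"title": "temporary elevation",
                   "expression": 'request.time < timestamp("2024-01-31T00:00:00Z")'}},
]})

def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_policy(policy_json, now_iso=None):
    """Return (severity, member, role, reason) tuples, one per problem found."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    for binding in json.loads(policy_json)["bindings"]:
        role = binding["role"]
        expression = binding.get("condition", {}).get("expression", "")
        match = EXPIRY_RE.search(expression)
        lapsed = bool(match) and _parse_ts(match.group(1)) < now
        for member in binding["members"]:
            if role in BASIC_ROLES:
                findings.append(("HIGH", member, role,
                                 "basic role; replace with a predefined or custom role"))
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", member, role, "public principal"))
            if lapsed:
                findings.append(("MEDIUM", member, role,
                                 "time-bound condition has expired; remove the binding"))
    return findings

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```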
Domain 2: Securing Communications and Boundary Protection
- VPC Service Controls draws a service perimeter around projects so API calls to supported services (BigQuery, Cloud Storage, etc.) stay inside it; requests from outside are denied even with valid IAM credentials, mitigating data exfiltration.
- Create a VPC Service Controls perimeter with --restricted-services, then extend it by updating the perimeter to add more projects; ingress/egress rules allow controlled cross-perimeter access.
- Cloud Armor is the managed WAF and DDoS mitigation service for the global external HTTP(S) Load Balancer, inspecting Layer 7 attributes and applying OWASP ModSecurity Core Rule Set rules against SQLi, XSS, and similar exploits.
- Attach a Cloud Armor policy with 'gcloud compute backend-services update BACKEND --security-policy=POLICY'; rate-limiting uses 'gcloud compute security-policies rules create' with --action=rate-based-ban and threshold flags.
- Private Google Access lets VMs with only internal IPs reach Google APIs and services over Google's network without a public route; enable it with 'gcloud compute networks subnets update SUBNET --enable-private-ip-google-access'.
- Private Service Connect gives granular, private endpoints to Google or third-party services, and pulling images from Artifact Registry over Private Google Access avoids public egress entirely.
- VPC firewall rules can use service accounts (or network tags) as source/target identifiers; SA-based rules follow workload identity and survive IP changes from autoscaling, unlike IP-based rules.
- Hierarchical firewall policies apply at the organization and folder levels, enforcing baseline allow/deny rules above per-VPC firewall rules.
- Allow SSH via IAP with an INGRESS rule: tcp:22 from the IAP source range 35.235.240.0/20 to a target tag, removing the need for external IPs or bastion hosts.
- Cloud VPN establishes IPsec tunnels over the public internet to encrypt hybrid connectivity; it is the standard choice when Dedicated Interconnect bandwidth or private circuits are not required.
- Place backends on internal IPs behind an external load balancer with Cloud Armor so only the load balancer is internet-facing and L7 protection sits at the edge.
- Cloud CDN in front of an external Application Load Balancer caches content at edge nodes, cutting egress cost and latency for read-heavy global traffic.
- Internal load balancing keeps intra-region traffic on internal IPs, avoiding internet egress charges for service-to-service communication.
- Google Cloud encrypts all traffic in transit between its data centers automatically; defense in depth combines perimeter controls (VPC SC), edge controls (Cloud Armor), and least-privilege firewalls.
Domain 3: Ensuring Data Protection
- All customer data is encrypted at rest by default with AES-256 using Google-managed keys, requiring no configuration; CMEK and CSEK/EKM are opt-in for greater key control.
- Cloud KMS lets you create, rotate, import, and destroy keys used as Customer-Managed Encryption Keys (CMEK) for Cloud Storage, BigQuery, Compute Engine, and more.
- Create KMS keys with 'gcloud kms keyrings create' then 'gcloud kms keys create --purpose=encryption'; key rings and keys are regional and cannot be deleted, only key versions destroyed.
- Set a bucket's CMEK with 'gcloud storage buckets create --default-encryption-key=FULL_KEY_RESOURCE_NAME', and first grant the Cloud Storage service agent roles/cloudkms.cryptoKeyEncrypterDecrypter on the key.
- Cloud HSM provides FIPS 140-2 Level 3 hardware-backed KMS keys; Cloud External Key Manager (EKM) keeps key material in a customer-controlled external key manager outside Google.
- Customer-Supplied Encryption Keys (CSEK) let you provide your own AES-256 key per request; Google holds it only transiently and never stores it, but you bear full key-management responsibility.
- Cloud DLP (Sensitive Data Protection) scans BigQuery, Cloud Storage, and Datastore to discover and classify 150+ sensitive data types (PII, PHI, payment data) and applies de-identification transformations.
- DLP de-identification techniques include masking, redaction, bucketing, tokenization, and format-preserving encryption, letting you process data without storing raw PII.
- Signed URLs grant time-limited access to a specific Cloud Storage object to anyone holding the URL, with no Google account or IAM permission required; the URL carries an expiration timestamp.
- Secret Manager stores API keys, passwords, and certificates with versioning, IAM-scoped access, and automatic encryption, enabling rotation without breaking applications.
- Object Versioning retains overwritten/deleted object generations, and Bucket Lock with a retention policy makes objects immutable (WORM) for a defined period to meet compliance.
- Object Lifecycle Management automatically transitions objects to colder classes (Nearline, Coldline, Archive) or deletes them by age; Archive is cheapest for data accessed less than once a year.
- Reduce BigQuery cost with partitioned and clustered tables plus partition-column filters; materialized views or scheduled result tables avoid repeated full scans.
- For global read-heavy assets, a multi-region or dual-region Standard bucket fronted by Cloud CDN best balances availability, latency, and egress cost.
Domain 4: Managing Operations
- Cloud Audit Logs has four streams: Admin Activity (always on, free), Data Access (opt-in, records reads/writes), System Event, and Policy Denied; all flow to Cloud Logging.
- A principal granting itself a highly privileged role (a setIamPolicy event) is a classic privilege-escalation indicator; alert on it via Cloud Monitoring or a SIEM and investigate immediately.
- For forensic readiness, enable Data Access logs and route them through a log sink to a locked-down bucket or BigQuery dataset in a separate security project so an attacker cannot tamper with evidence.
- Use bucket retention policies and Bucket Lock on the log-sink destination to make exported audit logs immutable and tamper-resistant.
- Security Command Center aggregates findings from Security Health Analytics, Web Security Scanner, Event Threat Detection, and Container Threat Detection into one risk dashboard.
- SCC Premium/Enterprise adds Event Threat Detection (log-based detection of malware, credential access, lateral movement) and compliance posture reporting against benchmarks like CIS.
- Artifact Analysis (Container Analysis) continuously scans Artifact Registry images for OS- and language-package CVEs, surfacing findings in SCC and feeding Binary Authorization attestations.
- For a compromised service account, disable the account and rotate (disable) its keys, then review audit logs for the account's recent activity to scope the incident.
- IAM Recommender uses policy insights and 90 days of usage data to recommend removing excess permissions, helping enforce least privilege over time.
- IAM Policy Troubleshooter explains why a principal does or does not have access, and Policy Analyzer answers which principals can access a given resource.
- Cost optimization for steady workloads uses Committed Use Discounts (CUDs); Spot VMs give the deepest discount for fault-tolerant, preemptible jobs.
- Managed instance groups with autoscaling track spiky demand cost-effectively; instance schedules (resource policies) stop/start VMs automatically on a schedule.
- Memorystore (Redis) offloads hot reads from Cloud SQL, and setting a Cloud Run minimum instance count during business hours removes cold-start latency cheaply.
- Cloud Billing budgets with threshold alerts warn before spend exceeds limits, while Cloud Billing reports and BigQuery billing export give detailed breakdowns by project, service, and label.
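The privilege-escalation indicator above (a principal granting itself a privileged role through SetIamPolicy) can be checked directly against exported audit logs. This is an added example, not from the original guide: it reads newline-delimited JSON as a log sink writes it and alerts on ADD binding deltas whose member is the caller. The log entries, principals, and project id are constructed samples.

```python
"""Flag a principal granting itself a privileged role in Cloud Audit Logs.
Input is newline-delimited JSON as written by a log sink, one Admin Activity
entry per line; SAMPLE_LOG is constructed, not from a real project."""
import json

PRIVILEGED_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.securityAdmin",
    "roles/iam.serviceAccountAdmin", "roles/iam.serviceAccountTokenCreator",
    "roles/resourcemanager.organizationAdmin",
}

def _entry(ts, caller, deltas):
    """Build one SetIamPolicy audit entry (only the fields the detector reads)."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "methodName": "SetIamPolicy", "resourceName": "projects/sample-proj",
        "authenticationInfo": {"principalEmail": caller},
        "serviceData": {"policyDelta": {"bindingDeltas": deltas}}}})

SAMPLE_LOG = "\n".join([
    _entry("2024-03-01T10:00:00Z", "alice@example.com",
           [{"action": "ADD", "role": "roles/owner", "member": "user:alice@example.com"}]),
    _entry("2024-03-01T10:05:00Z", "alice@example.com",
           [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "user:bob@example.com"}]),
    _entry("2024-03-01T10:07:00Z", "ci@sample-proj.iam.gserviceaccount.com",
           [{"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"},
            {"action": "ADD", "role": "roles/iam.serviceAccountTokenCreator",
             "member": "serviceAccount:ci@sample-proj.iam.gserviceaccount.com"}]),
])

def detect_self_grants(ndjson):
    """Return one alert per ADD delta whose member is the caller and whose role is privileged."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        caller = payload.get("authenticationInfo", {}).get("principalEmail", "")
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            # members carry a type prefix (user:, serviceAccount:, group:); compare the email
            member = delta.get("member", "").split(":", 1)[-1]
            if (delta.get("action") == "ADD" and member == caller
                    and delta.get("role") in PRIVILEGED_ROLES):
                alerts.append({"time": entry.get("timestamp"), "principal": caller,
                               "role": delta["role"], "resource": payload.get("resourceName")})
    return alerts
```

Running `detect_self_grants(SAMPLE_LOG)` returns two alerts (the Owner self-grant and the service account minting its own token-creator right); the viewer grant to another user is ignored.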
Domain 5: Supporting Compliance Requirements
- Organization Policy Service defines constraints inherited down the org/folder/project hierarchy to set guardrails on configuration; unlike IAM (who can act), it controls what configurations are allowed.
- The constraints/gcp.resourceLocations constraint with an allowedValues list of approved regions prevents creating resources outside those locations regardless of IAM permissions, enforcing data residency centrally.
- Set a resource-location policy via 'gcloud resource-manager org-policies set-policy' with a YAML policy listing allowed regions, applied at the org, folder, or project node.
- Enforce constraints/iam.disableServiceAccountKeyCreation to block downloadable SA keys org-wide, pushing teams toward Workload Identity and short-lived tokens.
- Custom Organization Policy constraints inspect resource fields at creation time (e.g., restrict allowed machineType on compute.googleapis.com/Instance) and deny non-conforming resources.
- Use a policy override at a project or folder node to exempt a specific constraint where a justified exception is needed, keeping the broader guardrail intact.
- Binary Authorization is deploy-time admission control for GKE and Cloud Run that allows only images with valid cryptographic attestations from trusted attestors, and it logs break-glass bypass events.
- Map your Google Cloud controls to frameworks like ISO 27001, SOC 2, and PCI DSS to produce auditable evidence; SCC compliance and posture reporting can generate benchmark-mapped reports.
- For long-term retention, export logs to a Cloud Storage bucket with a 7-year retention policy and Bucket Lock so records are immutable for the audit period.
- Enable Uniform bucket-level access on all buckets to disable per-object ACLs and enforce consistent IAM-based access control, a common compliance baseline.
- Provision projects through a landing-zone or blueprint approach using Terraform and the Cloud Foundation Toolkit so security guardrails are consistent and repeatable.
- Confidential VMs encrypt data in use via AMD SEV/Intel TDX memory encryption, protecting workloads even from the underlying host.
- Shielded VMs use Secure Boot, vTPM, and integrity monitoring to defend against rootkits and boot-level tampering, supporting integrity-assurance compliance requirements.
- Access Transparency logs Google personnel access to your data, and Access Approval requires your explicit authorization before such access occurs, satisfying strict regulatory oversight.
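To make the hierarchy inheritance and override behaviour concrete, here is an added example (not from the original guide) that folds organization, folder, and project policies for constraints/gcp.resourceLocations into one effective policy and answers whether a location is permitted. The policy dicts mirror the `spec` section of the YAML given to set-policy and are constructed samples; the merge rules encoded (a node replaces its parent unless inheritFromParent is true, reset returns to the unrestricted default, denied beats allowed) are the author's reading of the Organization Policy docs, and `in:` value groups are not expanded.

```python
"""Compute the effective constraints/gcp.resourceLocations policy for a project
by folding the organization, folder and project policies root-first. Merge rules
assumed for list constraints: a node's policy replaces its parent's unless
inheritFromParent is true, reset returns to the constraint default (no
restriction), and a denied value wins over an allowed one. The policy dicts are
constructed samples in the shape of the YAML `spec` used with set-policy."""

ORG = {"rules": [{"values": {"allowedValues": ["europe-west1", "europe-west4"]}}]}
# folder keeps the org list, adds a region and carves one out as denied
FOLDER = {"inheritFromParent": True,
          "rules": [{"values": {"allowedValues": ["europe-north1"],
                                "deniedValues": ["europe-west4"]}}]}
# justified exception at one project: override instead of inherit
PROJECT_EXCEPTION = {"rules": [{"values": {"allowedValues": ["us-central1"]}}]}
# `in:` value groups (e.g. in:eu-locations) are not expanded in this example

def effective_policy(chain):
    """chain is [org, folder, project] policies, None where a node sets none.
    Returns (allowed, denied, deny_all); an empty allowed set means no allow-list."""
    allowed, denied, deny_all = set(), set(), False
    for policy in chain:
        if policy is None:
            continue
        if policy.get("reset") or not policy.get("inheritFromParent"):
            allowed, denied, deny_all = set(), set(), False  # start fresh at this node
        if policy.get("reset"):
            continue
        for rule in policy.get("rules", []):
            deny_all = deny_all or bool(rule.get("denyAll"))
            values = rule.get("values", {})
            allowed |= set(values.get("allowedValues", []))
            denied |= set(values.get("deniedValues", []))
    return allowed, denied, deny_all

def location_allowed(chain, location):
    """Would a resource in `location` be permitted under the merged policy?"""
    allowed, denied, deny_all = effective_policy(chain)
    if deny_all or location in denied:
        return False
    return not allowed or location in allowed  # no allow-list: everything not denied

if __name__ == "__main__":
    for loc in ["europe-west1", "europe-west4", "us-central1"]:
        print(loc, location_allowed([ORG, FOLDER, None], loc),
             location_allowed([ORG, FOLDER, PROJECT_EXCEPTION], loc))
```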
Google Cloud Professional Cloud Security Engineer exam tips
- Distinguish IAM (who can do what) from Organization Policy (what configurations are allowed) and VPC Service Controls (which API data flows are permitted) - exam scenarios often hinge on choosing the right layer.
- When a question mentions service account keys, the preferred answer is almost always keyless: Workload Identity, Workload Identity Federation, or short-lived impersonated tokens, plus iam.disableServiceAccountKeyCreation.
- Read carefully for the requirement being optimized - least privilege, data exfiltration prevention, data residency, immutability, or cost - and match it to the one mechanism designed for that goal.
- Memorize key gcloud command shapes: add-iam-policy-binding with --condition, kms keyrings/keys create, subnets update --enable-private-ip-google-access, and backend-services update --security-policy.
- For data residency or location compliance, the answer is the gcp.resourceLocations Organization Policy constraint, not firewall rules or IAM - centralized, hierarchy-inherited enforcement is the differentiator.
Study guide FAQ
How many questions are on the exam and how long is it?
The Professional Cloud Security Engineer exam runs 120 minutes and contains roughly 50 to 60 multiple-choice and multiple-select questions. There is no detailed score breakdown; you receive a pass or fail result against a scaled passing bar.
What is the difference between CMEK, CSEK, and EKM?
CMEK uses keys you create and manage in Cloud KMS (optionally HSM-backed) while Google performs encryption. CSEK means you supply a raw AES-256 key per request that Google never stores. EKM (External Key Manager) keeps the key material entirely in a customer-controlled external key manager outside Google Cloud.
When should I use VPC Service Controls versus firewall rules?
Firewall rules control IP/port-level network traffic to and from VMs. VPC Service Controls creates a service perimeter at the API layer for managed services like Cloud Storage and BigQuery, blocking data exfiltration even by authenticated identities outside the perimeter. They solve different problems and are often used together.
How much real Google Cloud experience should I have before taking it?
Google recommends roughly three or more years of industry experience including one or more years designing and managing solutions on Google Cloud. Hands-on practice with IAM, VPC Service Controls, Cloud KMS, Security Command Center, and Organization Policy is far more valuable than memorization alone.