Google Cloud Professional Cloud Security Engineer
Validates ability to design and implement secure workloads and infrastructure on Google Cloud. Covers configuring access through Cloud Identity, service accounts, authentication, authorization controls, and resource hierarchy; securing communications and establishing boundary protection with perimeter security, boundary segmentation, and private connectivity; ensuring data protection through sensitive data handling, encryption management, and AI workload security; managing operations with security automation, logging, monitoring, and detection; and supporting compliance requirements with regulatory standards. 50-60 multiple-choice and multiple-select questions in 2 hours. Recommended 3+ years industry experience; 2-year validity.
Exam domains
- Configuring access (25%)
  - Managing Cloud Identity: configuring Google Cloud Directory Sync and third-party connectors; managing the super administrator account; automating user lifecycle management; administering user accounts and groups.
  - Managing service accounts: auditing service accounts and keys; configuring, using, and securing service accounts; identifying scenarios requiring service accounts; protecting against persistent credential exfiltration; managing and creating short-lived credentials; using attribute-based access control (workload identity federation, GKE Workload Identity).
  - Managing authentication: creating a password policy for user accounts; setting up Security Assertion Markup Language (SAML), OAuth, OIDC; configuring and enforcing two-factor authentication (2SV, FIDO security keys); configuring SAML and OIDC trust between Google Cloud and external identity providers.
  - Managing authorization and access controls: using the resource hierarchy (organization, folders, projects); designing IAM roles (basic, predefined, custom); granting roles to identities (users, groups, service accounts, Google Workspace groups, Cloud Identity domains); configuring Cloud Identity-Aware Proxy (IAP); configuring Access Context Manager; managing public services and resources; managing privileged access; permissions/Resource Manager IAM in BigQuery; deny policies.
  - Defining resource hierarchy: creating and managing organizations; resource policies for folders and projects; using organization policies, custom roles, asset inventory; building hierarchies that comply with policy requirements; using Identity-Aware Proxy (IAP) to control access to applications.
- Ensuring data protection (23%)
  - Protecting sensitive data and preventing data loss: Cloud Data Loss Prevention (DLP) inspection, classification, redaction, tokenization; managing encryption at rest and in transit; default encryption; customer-managed encryption keys (CMEK); customer-supplied encryption keys (CSEK); Cloud HSM; Cloud External Key Manager (EKM); key access justification; cryptographic key rotation; certificate manager.
  - Managing encryption at rest: Google-managed encryption keys; customer-managed encryption keys (CMEK) with Cloud KMS; customer-supplied encryption keys (CSEK); Cloud HSM; Cloud External Key Manager (EKM); preventing data exfiltration with VPC Service Controls; secret management with Secret Manager.
  - Planning for security and privacy in AI (AI workload security): model deployment, prompt injection, data poisoning, model theft, output filtering, governance of model use, fine-tuning safety, Vertex AI security best practices.
Sources
Questions are grounded in 50 references from official and authoritative materials.