Google Cloud Security Engineer Exam Notes
12 Big Exam Topics
I took the Google Cloud Security Engineer exam yesterday and thought I’d share some notes for people studying for it. This isn’t groundbreaking stuff — the canonical exam guide provided by Google is still the best place to start. I also hold the Google Cloud Architect and Developer certifications. The Security exam covers a really wide area, and there’s definitely value in doing the Architect exam first to get a broad picture of all the services in Google Cloud. I finished the exam in 55 minutes, so 2 hours should be more than enough time. You’ll either know the material or you won’t.
I think I study for these exams a bit differently. I don’t watch any videos on ACG or Coursera or anywhere like that, I just read the docs and take notes, and take the official practice exam to gauge where I am. I find that this is the most effective way for me to learn the material, but as always, YMMV.
Here’s a non-exhaustive list of topics that you’ll need to know, roughly in order of importance:
- There’s no way around it: you’ve gotta know everything there is to know about Cloud Identity. Know your way around GCDS (Google Cloud Directory Sync), when to use GCDS, what it does, and what it doesn’t/can’t do. Understand the differences between IdP and SP, and how that relates to Identity, GCDS, and federated authentication and SSO with third-party apps.
- KMS Object Hierarchy and DEK vs KEK. You’ll need to know much more than D means Data and K means Key. Make sure you understand the KMS Object Hierarchy, and how each layer comes into play when dealing with regulatory compliance, and IAM permissioning.
- Google Cloud’s compliance certifications: know the ISOs, FedRAMP, SOC, and what each of them means. You’ll need to know what they are, not simply that they exist. It also wouldn’t hurt to spend a day or two reading the actual PCI DSS document in its full PDF glory. Some surprisingly specific concepts are referenced in the exam, such as PCI scope and some specific encryption requirements.
- Understand CSEK and CMEK. Again, you’ll need to know much more than S means Supplied and M means Managed. Know under which compliance frameworks each are required, and how that translates into encryption at rest vs. in transit, and how you’d use KMS and other services differently for each approach.
- Know how to set Organization Policy constraints, and understand how you’d actually make use of one in the real world. Knowing which constraints exist is a good start: https://cloud.google.com/resource-manager/docs/organization-policy/org-policy-constraints
- Like the Architect exam, you’ll need to know a bit about the outside world. Understand Forseti and Vault, when you’d use them, and how to incorporate them into a Google Cloud security posture. (hint: KMS doesn’t store secrets!)
- Understand the different load balancers, pass-through vs. proxy, what they do, and the security implications of each, particularly around SSL termination. This is where the Architect Cert will help.
- Know how each service replicates across regions and zones, how they are encrypted (expect a tie-in with CSEK/CMEK) and what the security implications are.
- Understand hybrid cloud security: how would you export logs to an on-premises SIEM system? When would you use Interconnect vs. VPN in a security context? When would you use VPC Peering vs. Shared VPC, and why?
- Firewalls. When to target rules by VM network tags vs. by service accounts, and how to secure complex environments.
- Data Loss Prevention is a critical tool for security, as well as regulatory compliance. Know the different components — infoTypes, detectors, etc — what transforms are available, and when to use each.
- Google Cloud Storage. Again, the Architect Cert comes in handy here. Know in detail the various lifecycle options, data retention and Bucket Lock, and how each approach may help satisfy various regulatory compliance requirements.
- Honorable mention: Stackdriver. Because it touches everything, you’ll need to understand it, and how you’d use it to satisfy the auditing, monitoring and logging requirements of various compliance frameworks. This exam doesn’t directly reference it that much because the fact that you already know it — and of course you do — is taken as a given.
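The KMS hierarchy and DEK/KEK points above are easier to hold onto once you have seen envelope encryption done end to end. The following is an added example of my own, not Google's code and not anything the exam asks you to write: it models a key ring holding a key with several versions (the KEK), wraps a per-object DEK under the primary version, and shows what rotation and version destruction do to existing data. The authenticated cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, used only as a stand-in for the AES-GCM that Cloud KMS actually provides; the class and resource names are illustrative.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based keystream (stand-in for AES-CTR).
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple:
    # Separate encryption and MAC keys so the two roles never share material.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class CryptoKey:
    """KMS-style key (the KEK). Versions hold the material; one version is primary."""
    name: str
    versions: list = field(default_factory=lambda: [os.urandom(32)])
    primary: int = 0

    def rotate(self) -> int:
        # New primary version; older versions stay usable for decryption until destroyed.
        self.versions.append(os.urandom(32))
        self.primary = len(self.versions) - 1
        return self.primary

    def destroy_version(self, version: int) -> None:
        # Crypto-shredding: anything still wrapped only by this version becomes unreadable.
        self.versions[version] = None

    def wrap(self, dek: bytes) -> tuple:
        return self.primary, aead_encrypt(self.versions[self.primary], dek)

    def unwrap(self, version: int, wrapped_dek: bytes) -> bytes:
        material = self.versions[version]
        if material is None:
            raise PermissionError(f"{self.name} version {version} is destroyed")
        return aead_decrypt(material, wrapped_dek)


@dataclass
class KeyRing:
    """Hierarchy: project -> location -> key ring -> key -> key version."""
    project: str
    location: str
    name: str
    keys: dict = field(default_factory=dict)

    def create_key(self, key_name: str) -> CryptoKey:
        path = f"projects/{self.project}/locations/{self.location}/keyRings/{self.name}/cryptoKeys/{key_name}"
        self.keys[key_name] = CryptoKey(path)
        return self.keys[key_name]


def envelope_encrypt(kek: CryptoKey, plaintext: bytes) -> dict:
    # One fresh DEK per object; only the *wrapped* DEK is stored alongside the data.
    dek = os.urandom(32)
    version, wrapped = kek.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": aead_encrypt(dek, plaintext)}


def envelope_decrypt(kek: CryptoKey, record: dict) -> bytes:
    dek = kek.unwrap(record["kek_version"], record["wrapped_dek"])
    return aead_decrypt(dek, record["ciphertext"])


def rewrap(kek: CryptoKey, record: dict) -> dict:
    # After KEK rotation: re-wrap the small DEK under the new primary; the bulk ciphertext is untouched.
    dek = kek.unwrap(record["kek_version"], record["wrapped_dek"])
    version, wrapped = kek.wrap(dek)
    return {**record, "kek_version": version, "wrapped_dek": wrapped}


if __name__ == "__main__":
    ring = KeyRing("demo-project", "us-east1", "main")  # constructed names
    kek = ring.create_key("pii-kek")
    rec = envelope_encrypt(kek, b"cardholder data")
    kek.rotate()
    rec = rewrap(kek, rec)
    kek.destroy_version(0)
    print(envelope_decrypt(kek, rec))
```

The part worth internalising for CMEK questions is that the KEK never leaves the KMS object: rotating it costs one small re-wrap per object, and destroying a version revokes access to everything wrapped only by it without touching the stored ciphertext.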
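For the Data Loss Prevention bullet, the vocabulary (infoTypes, detectors, likelihood, de-identification transforms) is clearer as a small working pipeline. This is an added example of my own, not Google's DLP code and not its API: a handful of assumed, deliberately simplified infoType detectors (a regex plus an optional validator such as the Luhn check for card numbers), an `inspect` step that returns findings with a likelihood, and a `deidentify` step offering redaction, replacement with the infoType name, character masking, and keyed deterministic tokenisation. The infoType names mirror the real DLP ones; the patterns and transform names are mine.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    info_type: str
    start: int
    end: int
    quote: str
    likelihood: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the validator that separates a real card number from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# infoType -> (pattern, optional validator). Assumed, simplified detectors;
# the real built-in DLP infoTypes are considerably more elaborate.
DETECTORS = {
    "EMAIL_ADDRESS": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    "CREDIT_CARD_NUMBER": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
                           lambda s: luhn_ok(re.sub(r"\D", "", s))),
    "US_SOCIAL_SECURITY_NUMBER": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
}


def inspect(text: str, info_types=None) -> list:
    """Run the selected detectors and return non-overlapping findings in text order."""
    raw = []
    for name, (pattern, validator) in DETECTORS.items():
        if info_types and name not in info_types:
            continue
        for m in pattern.finditer(text):
            if validator is None:
                raw.append(Finding(name, m.start(), m.end(), m.group(), "LIKELY"))
            elif validator(m.group()):  # validator-backed matches get a higher likelihood
                raw.append(Finding(name, m.start(), m.end(), m.group(), "VERY_LIKELY"))
    raw.sort(key=lambda f: (f.start, -(f.end - f.start)))
    findings, last_end = [], -1
    for f in raw:
        if f.start >= last_end:  # drop a match nested inside an earlier, longer one
            findings.append(f)
            last_end = f.end
    return findings


def _mask(value: str, keep_last: int = 4, ignore: str = " -") -> str:
    # CharacterMask-style: '#' everything except the last `keep_last` non-separator characters.
    out, kept = [], 0
    for ch in reversed(value):
        if ch in ignore:
            out.append(ch)
            continue
        out.append(ch if kept < keep_last else "#")
        kept += 1
    return "".join(reversed(out))


def deidentify(text: str, transform: str, key: Optional[bytes] = None) -> str:
    """Apply one transform to every finding, working right to left so offsets stay valid."""
    for f in reversed(inspect(text)):
        if transform == "redact":
            new = ""
        elif transform == "replace_with_info_type":
            new = f"[{f.info_type}]"
        elif transform == "mask":
            new = _mask(f.quote)
        elif transform == "crypto_hash":
            if key is None:
                raise ValueError("crypto_hash needs a key")
            # Keyed, deterministic token: the same value tokenises identically everywhere,
            # so joins still work, but without the key it cannot be reversed or precomputed.
            new = hmac.new(key, f.quote.encode(), hashlib.sha256).hexdigest()[:16]
        else:
            raise ValueError(f"unknown transform {transform}")
        text = text[: f.start] + new + text[f.end :]
    return text


if __name__ == "__main__":
    # Constructed sample text; the card number is the common Luhn-valid test value.
    sample = "Contact jane.doe@example.com, card 4111 1111 1111 1111, SSN 123-45-6789."
    for f in inspect(sample):
        print(f)
    print(deidentify(sample, "mask"))
```

Picking the transform is the exam-relevant decision: redaction and infoType replacement destroy the value, masking keeps a recognisable tail for support staff, and keyed tokenisation preserves joinability for analytics while keeping the raw value out of the dataset.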
Good luck to everyone taking this exam!