Last week I sat the brand new Google Cloud Professional Security Engineer BETA exam. I didn't book too far in advance (about 2 weeks) as I had created the only course on the market for the current GA exam and all I needed was a quick review before going into the exam. FYI, I created my very first course with Linux Academy (now acloud.guru) when the first BETA came out.
My high level thoughts on this exam are as follows:
- Yet another impressive refresh to a Google Cloud exam and of high quality
- A REALLY hard test of skills on how to secure the Google Cloud environment.
- Quite a few new topics and a deep dive into those topics.
(Full disclosure, I create GCP courses at https://training.anonit.com which are focused on teaching in-depth theory and practical hands-on skills, rather than solely concentrating on exams)
I didn't spend a lot of time preparing as I quickly reviewed my last course and went over some of the new topics by digging into the documentation. Many of the newer services were covered by my Professional Cloud Architect course, yet there was still so much granular information that I later realized was needed.
The exam itself was 4 hours long, with 110 questions, and the question quality was incredibly good. The questions were pretty straightforward, yet were incredibly difficult and I had to read each one a couple of times to make sure I understood it.
After answering the 110 questions, I was prompted to review the questions along with those I had marked. Although I had finished with an hour left, my brain was numb due to the level of difficulty of each question. Thank God, I only had marked a few questions for review, and so it was easy for me to quickly rifle through them.
Again, with all my reviews, I want to be really careful here re. NDA. What I will do is give a list of things I think you should know - without revealing anything about question content.
- Be really familiar with hybrid connectivity options, how each one connects, and when to use each - Interconnect, VPN and Peering - KNOW IT WELL
- VPCs - This is a huge topic. Know how to secure VPCs and Shared VPCs by locking them down using firewall rules, VPC peering, Cloud NAT as well as understanding private connectivity between services. Also understand when to use private.googleapis.com vs restricted.googleapis.com. To add to the mix, know VPC Flow Logs and their use case along with packet mirroring.
- Cloud Storage - Classes, Securing access, Lifecycle Policies, and Versioning - KNOW IT WELL
- All the different ways to lock down secrets... know which to use and when
- VPC service controls - service perimeter, perimeter bridge, dry run - KNOW THIS EXTREMELY WELL!
- IAM - Domain restriction
- Resource Manager - know the hierarchy well and know where to anchor organizational policies to satisfy the flow of permissions
- Organizational Policies - know the exact permissions and the syntax
- DLP - redact and throw away keys, de-identification, pseudonymization, hashing
- Compliance - PII, FIPS, HIPAA, PCI-DSS (know how to architect around PCI-DSS with tokenization) Also know which services are PCI compliant.
- Identity - This comes up A LOT, covering Active Directory, Cloud Identity and how GCDS works between the two. Know which side to set permissions on when it comes to creating accounts and setting passwords as well as MFA and which mechanism uses it (AD or Cloud Identity)
- SSO, SAML, LDAP - This was another topic under identity that came up a lot. Know when to use each and how it fits into Cloud Identity
- Know how to secure CI/CD Pipeline - Using container registry, cloud build, binary authorization (with attestation), as well as using secrets in the pipeline
- KMS, EKM, CSEK, CMEK, Default encryption (How to use and when to use)
- DEK, KEK and asymmetric and symmetric keys
- Web Security Scanner and Security Command Center - know these at a high level
- GFE - Google Front End - high level understanding about what it does and how it integrates with other services
- Cloud Armor - Know how it integrates with other services and what it can protect as it comes up a lot
- Load Balancers - Know which to use for different scenarios as well as how organizational policies can affect them
- Cloud DNS and DNSSEC - know when to use DNSSEC and how it protects
- Logging - This is a HUGE topic that comes up a lot in many different ways - Audit logs, admin logs, Access Transparency logs, and how to use a SIEM to identify security threats.
- BigQuery - know the best way to assign permissions when divvying access to different groups
- VM Security - Shielded VMs (secure boot, trusted module)
- Billing - know how to set it up and using a sink with its permissions
- When to use Dataflow
- Compute Services - know when to use each (Compute Engine, GKE, App Engine, Cloud Run, Cloud Functions)
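The DLP and PCI-DSS items above name several de-identification techniques (redaction, hashing, pseudonymization, "redact and throw away keys", and tokenization) without showing the difference between them. The following is an added, self-contained Python demo written for this review; it is not Cloud DLP code or anything from the course, and its three regex detectors and sample text are constructed stand-ins (Cloud DLP ships far richer infoType detectors). It shows why an unkeyed hash of a low-entropy field is weak, how a keyed pseudonym stays joinable but becomes permanent once the key is destroyed, and how a token vault keeps the PAN out of downstream systems' scope.

```python
"""De-identification patterns from the topic list, as a stand-alone demo.

Added example, not Google's DLP API. Everything below (detectors, sample
text, class names) is constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# Constructed sample text; every value in it is made up.
SAMPLE_TEXT = (
    "Customer Jane Doe, jane.doe@example.com, SSN 123-45-6789, "
    "card 4111111111111111, called about her invoice."
)

# Minimal detectors standing in for DLP infoTypes. Note there is no
# PERSON_NAME detector here, so "Jane Doe" survives every transform below.
INFO_TYPES = {
    "EMAIL_ADDRESS": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "US_SOCIAL_SECURITY_NUMBER": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CREDIT_CARD_NUMBER": re.compile(r"\b\d{16}\b"),
}


def redact(text: str) -> str:
    """Redaction: replace each finding with its infoType name. Irreversible."""
    for name, pattern in INFO_TYPES.items():
        text = pattern.sub(f"[{name}]", text)
    return text


def crypto_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, so equal values still join across
    tables, but an SSN or card number has so little entropy that the digest
    can be brute-forced back to the plaintext. Prefer a keyed hash."""
    return hashlib.sha256(value.encode()).hexdigest()


class KeyedPseudonymizer:
    """HMAC-SHA256 pseudonyms: deterministic under one key, unlinkable without it.

    Re-identification needs the key plus the lookup table built under it;
    destroy() models "redact and throw away the key" (crypto-shredding).
    """

    def __init__(self) -> None:
        self._key: Optional[bytes] = secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def pseudonymize(self, value: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed; no new pseudonyms can be issued")
        token = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # The digest itself cannot be inverted; only the table makes it reversible.
        return self._lookup.get(token) if self._key is not None else None

    def destroy(self) -> None:
        """Drop key and table: pseudonyms already issued become permanent."""
        self._key = None
        self._lookup.clear()


class TokenVault:
    """PCI-DSS style tokenization: the PAN lives only in the vault and the
    rest of the estate stores a random surrogate, shrinking cardholder-data scope."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Random token; only the last four digits are kept, for display.
        token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]


def deidentify(text: str, pseud: KeyedPseudonymizer, vault: TokenVault) -> str:
    """Per-infoType transformation, the way a DLP deidentify config maps
    each infoType to a different primitive."""
    text = INFO_TYPES["CREDIT_CARD_NUMBER"].sub(lambda m: vault.tokenize(m.group()), text)
    text = INFO_TYPES["EMAIL_ADDRESS"].sub(lambda m: pseud.pseudonymize(m.group()), text)
    text = INFO_TYPES["US_SOCIAL_SECURITY_NUMBER"].sub("[US_SOCIAL_SECURITY_NUMBER]", text)
    return text


if __name__ == "__main__":
    pseudonymizer, vault = KeyedPseudonymizer(), TokenVault()
    print(redact(SAMPLE_TEXT))
    out = deidentify(SAMPLE_TEXT, pseudonymizer, vault)
    print(out)
    pseudonymizer.destroy()  # after this the email pseudonym in `out` is permanent
```

The design point the exam topics hint at: redaction and key destruction are one-way, hashing without a key is only as strong as the input's entropy, and a keyed pseudonym or vault token lets analytics and billing systems keep working on data that no longer contains the identifier.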
Main Product Coverage - Learn These
- IAM
- Resource Manager
- IAP
- VPC
- VPC peering
- VPC Service Controls
- Shared VPC (service and host VPC)
- VPC Flow Logs
- Direct Connect
- Partner connect
- Carrier Peering
- VPN
- FIPS, HIPAA, PCI-DSS
- PII
- DLP
- KMS, EKM, CSEK, CMEK, Default encryption
- GCDS
- Active Directory (high level)
- SSO, SAML, LDAP, MFA
- Firewall rules
- Cloud NAT
- Cloud Armor
- GFE
- Encryption at rest and in transit
- Load balancers
- KMS
- HSM
- Web Security Scanner
- SCC - Security command center
- Secret management
- DNSSEC
- Cloud DNS
- Kubernetes security
- Shielded VMs
- Cloud Logging
- BigQuery
- Billing
- Confidential VMs
- Cloud Identity
- Recommender
- Cloud storage
- App engine
- Cloud run
- Cloud functions
- Bigtable
- Private service connect
- Pub/Sub
- Dataflow
- Splunk - SIEM
- Next-generation firewall
- Prometheus
- Jenkins
All in all, this was a very well done, yet very difficult exam and should be taken seriously as Google has stepped up the difficulty level a lot! With some study and practice, I have no doubt that this exam can be aced.
I really enjoyed this exam despite its difficulty, and it will really make a Google Cloud security expert shine through.
BTW, if you're looking for a course for this beta exam for when it goes into general availability, mine will be complete for when this exam is released with all the topics needed to know and is currently available in pre-release at https://training.antonit.com/p/google-cloud-professional-cloud-security-engineer
Please follow me for updates, and share this post anywhere you think someone might benefit.
Health and Performance Coach for Executive Men. Over 6 years of coaching experience and over 400 lives transformed.
3 years ago: Well done
Senior Security Architect | CISSP | CCSP | OSCP | GPEN | GSEC | CCZT | CISA | CEH | CRISC | Azure | M365 | AWS | GCP | NSE 7 | Associate C|CISO | Helping Companies adopt Zero Trust Architecture
3 years ago: Antoni Tzavelas! Thanks for sharing!
GCP 13x certified | youtube/AwesomeGCP | tech architect, tutor, investor | Google Developer Expert | Go
3 years ago: Very useful and detailed review. Thank you. Added this to the GitHub repo - noticed that it's been more than a year and a half since somebody has written a good article like this on the PCSE. Thanks, Antoni.