Google cloud professional security engineer study guide

Hil Liao
3 min read · Feb 23, 2021

I found the following links useful as the foundation of the study guide. Sign in with your company’s Google account to check if you have access.

Google Cloud Fundamentals: Core Infrastructure
Managing Security in Google Cloud Platform
Security Best Practices in Google Cloud
Mitigating Security Vulnerabilities on Google Cloud Platform
Google cloud practice exam questions

This is the 2nd time I’m taking the exam, and I found the renewal offer gave the flexibility of keeping the same expiry date if I take and pass the exam between the offer start date and the current certification’s expiry date. That’s almost 2 months in my case, since I got the email [Your Google Cloud certification will expire soon]. I’m listing the topics covered in the exam:

  1. The Google identity platform’s Admin SDK features, such as using the Directory API to create Google accounts. Remember that this is separate from Google Cloud’s Identity and Access Management (IAM) API, which binds IAM roles. It’s wrong to think, or to choose an option implying, that IAM roles are bound within the Cloud Identity platform. Likewise, Cloud IAM can’t create users or groups.
  2. Synchronizing from on-premises Active Directory to Google Cloud using Google Cloud Directory Sync versus using the Admin SDK to create users and groups. Research the common use cases and best practices.
  3. Learn the different techniques of the Cloud Data Loss Prevention API, such as generalization and bucketing, de-identifying sensitive data, and pseudonymization, especially format-preserving encryption, which is reversible so that those who need access to sensitive data can decrypt the tokens (configured with CryptoReplaceFfxFpeConfig).
  4. Know the differences between ISO 27017, ISO 27018, ISO 27001, ISO 27002, and other cloud security ISO standards.
  5. VPC Service Controls: service perimeters and perimeter bridges. Learn how to add projects and select data services to a service perimeter. Don’t add test projects to a production data service perimeter or perimeter bridge.
  6. Learn how to restrict access using firewall rules. Understand that there are 2 implied firewall rules. A lower priority number means higher priority. For example, to override a deny egress rule at priority 1000, create a firewall rule that allows egress to an IP range at priority 999. An ingress rule can have [source and destination service accounts] or [source tags and destination tags]. However, if the requirement states port 3306, choosing options without TCP:3306 would be foolish.
  7. Understand basic security IAM role bindings, such as that the Security Reviewer role is best bound at the organization level for IAM policy audits. The Security Admin role allows setting IAM policies.
  8. Learn which Google Cloud components Identity-Aware Proxy supports: Compute Engine backends behind HTTP(S) load balancing, GKE, Anthos Service Mesh, and App Engine. The purpose is to avoid a VPN and instead implement BeyondCorp, Google’s implementation of the zero trust model.
  9. Understand which load balancing is best for a typical web application’s security. Start from External HTTP(S) Load Balancing.
  10. Learn how to use Cloud Armor to configure SQL injection rules in a policy. Cloud Armor works with external HTTP(S) load balancing.
  11. Learn the applicable targets of Web Security Scanner and best practices, such as using an authenticated test user for POST requests in a test project without production data.
  12. Learn how to use process health in Cloud Monitoring to create alerts. If the question requires notifying users, make sure to choose an option that alerts the user on the condition. Options that only create log-based metrics would not satisfy it; you’d need to create an alert from the metric.
  13. Learn how to encrypt Cloud Storage data in a scenario where the customer allows the key encryption key to be stored in the cloud but mandates key lifecycle management (CMEK), versus one where the customer does not want to store the key in the cloud.
  14. Learn the process of envelope encryption.
  15. In a PCI DSS compliant environment, learn the common practice of reducing the audit scope by putting payment card data handling components in a dedicated project, while other e-commerce components such as user accounts or order-complete Pub/Sub subscriptions live in different projects.
  16. Learn security command center features such as listing assets at a point in time.
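To make item 6 concrete, here is an added example (not part of the original post) that models how VPC firewall rules are evaluated: lowest priority number wins, deny beats allow at equal priority, and the two implied rules at 65535 catch everything else. The rule names, the 10.10.0.0/24 database subnet and the policy itself are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class Rule:
    name: str
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow" or "deny"
    priority: int             # 0 (highest) .. 65535 (lowest)
    ranges: List[str]         # source ranges for ingress, destination ranges for egress
    protocol: str = "all"     # "tcp", "udp" or "all"
    ports: Optional[Set[int]] = None  # None: every port of the protocol


# The two implied rules present in every VPC network (they cannot be deleted).
IMPLIED = [
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ["0.0.0.0/0"]),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ["0.0.0.0/0"]),
]


def _matches(rule: Rule, direction: str, peer_ip: str, protocol: str, port: int) -> bool:
    if rule.direction != direction or rule.protocol not in ("all", protocol):
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return any(ip_address(peer_ip) in ip_network(r) for r in rule.ranges)


def evaluate(rules, direction, peer_ip, protocol, port) -> Tuple[str, str]:
    """Return (action, rule name) of the rule that decides the connection.
    Lower priority number is evaluated first; on an equal priority, deny
    beats allow; the implied rules at 65535 decide anything left unmatched."""
    ordered = sorted(rules + IMPLIED, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if _matches(rule, direction, peer_ip, protocol, port):
            return rule.action, rule.name
    raise RuntimeError("unreachable: the implied rules match every connection")


# Constructed policy from item 6: block all egress at 1000, then open only
# the database subnet on TCP 3306 at the higher-priority 999.
POLICY = [
    Rule("deny-all-egress", "EGRESS", "deny", 1000, ["0.0.0.0/0"]),
    Rule("allow-egress-mysql", "EGRESS", "allow", 999, ["10.10.0.0/24"], "tcp", {3306}),
]

print(evaluate(POLICY, "EGRESS", "10.10.0.5", "tcp", 3306))  # ('allow', 'allow-egress-mysql')
```

Swap the 999 for 1001 in the allow rule and the same call returns the deny rule, which is exactly the trap the exam option about priorities is testing.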
