Google Cloud Certified Professional Cloud Security Engineer Fundamentals — Quiz 1
Security in the cloud isn't just a checkbox — it's a layered strategy that protects your data, infrastructure, and users from threats both external and internal. As a Google Cloud Security Engineer, you'll need to understand how services like IAM, VPC, KMS, and Cloud Armor work together to create a defense-in-depth posture. This guide walks through the core concepts you'll encounter in Quiz 1.
Networking Security: VPC, Firewall, and Shared VPC
Virtual Private Cloud (VPC)
A VPC is your private, isolated network within Google Cloud. Think of it like a walled office building — you control who enters, who can move between floors, and what exits the building.

Primary benefits of VPC:
Firewall Rules
Firewall rules act as security guards at the door — they decide what traffic is allowed in or out of your VPC based on IP ranges, ports, and protocols.

```yaml
# Example: Allow HTTPS traffic to web servers
name: allow-https
direction: INGRESS
priority: 1000
targetTags: ["web-server"]
allow:
  - protocol: tcp
    ports: ["443"]
sourceRanges: ["0.0.0.0/0"]
```

Key concepts:
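To make the rule semantics concrete, here is an added example (not code from the original guide) that evaluates inbound packets against a small constructed rule set the way the VPC firewall does: rules are consulted from the lowest priority number upward, a deny rule beats an allow rule at equal priority, target tags scope a rule to matching instances, and anything no rule matches falls through to the implied deny-ingress rule. The rule names, tag, and IP ranges are constructed for the demonstration.

```python
import ipaddress

# Constructed rule set, in the same shape as the YAML rule in this guide.
# Lower "priority" numbers win, and GCP's implied rules sit at priority
# 65535: allow all egress, deny all ingress.
RULES = [
    {"name": "allow-https", "direction": "INGRESS", "priority": 1000,
     "targetTags": ["web-server"],
     "allow": [{"protocol": "tcp", "ports": ["443"]}],
     "sourceRanges": ["0.0.0.0/0"]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "priority": 900,
     "targetTags": ["web-server"],
     "allow": [{"protocol": "tcp", "ports": ["22"]}],
     "sourceRanges": ["10.0.1.0/24"]},
    {"name": "deny-ssh-from-internet", "direction": "INGRESS", "priority": 1000,
     "targetTags": ["web-server"],
     "deny": [{"protocol": "tcp", "ports": ["22"]}],
     "sourceRanges": ["0.0.0.0/0"]},
]


def _port_matches(port_specs, port):
    """No ports listed means every port of that protocol; "1000-2000" is a range."""
    if not port_specs:
        return True
    for spec in port_specs:
        low, _, high = spec.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _entry_matches(entries, protocol, port):
    return any(
        e["protocol"] in ("all", protocol) and _port_matches(e.get("ports", []), port)
        for e in entries
    )


def evaluate_ingress(rules, instance_tags, source_ip, protocol, port):
    """Decide one inbound packet the way the VPC firewall would.

    Returns (action, rule_name). Rules are scanned from highest priority
    (lowest number) to lowest; at equal priority a deny rule beats an allow
    rule; if nothing matches, the implied deny-ingress rule applies.
    """
    src = ipaddress.ip_address(source_ip)
    candidates = sorted(
        (r for r in rules if r["direction"] == "INGRESS"),
        key=lambda r: (r["priority"], 0 if "deny" in r else 1),
    )
    for rule in candidates:
        tags = rule.get("targetTags")
        if tags and not set(tags) & set(instance_tags):
            continue  # rule targets other instances
        if not any(src in ipaddress.ip_network(n) for n in rule["sourceRanges"]):
            continue  # source outside every listed range
        action = "deny" if "deny" in rule else "allow"
        if _entry_matches(rule[action], protocol, port):
            return action, rule["name"]
    return "deny", "implied-deny-ingress"


if __name__ == "__main__":
    for ip, port in [("203.0.113.5", 443), ("203.0.113.5", 22),
                     ("10.0.1.7", 22), ("10.0.1.7", 8080)]:
        print(ip, port, evaluate_ingress(RULES, ["web-server"], ip, "tcp", port))
```

The two SSH rules are the instructive part: the bastion rule at priority 900 wins for sources in 10.0.1.0/24, while for any other source the priority-1000 deny is evaluated before the equally ranked allow-https rule, so SSH from the internet is refused even though a broad 0.0.0.0/0 allow exists at the same priority.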
Shared VPC
Shared VPC lets a host project share its VPC network with service projects. This is ideal for organizations that want centralized network control while allowing teams to deploy resources independently.

| Feature | Regular VPC | Shared VPC |
|---|---|---|
| Network ownership | Per project | Centralized host project |
| Use case | Single team | Multi-team organizations |
| Firewall management | Per project | Centralized |
VPC Service Controls
VPC Service Controls create a security perimeter around Google Cloud APIs (like Cloud Storage or BigQuery) to prevent data exfiltration — the unauthorized transfer of data outside your organization. Even if credentials are stolen, data cannot leave the defined perimeter.

Identity and Access Management (IAM)
Principle of Least Privilege
The principle of least privilege means granting users and services *only* the permissions they need to do their job — nothing more. If a service only reads from a bucket, it should never have write or delete permissions.

IAM Roles
| Role Type | Description | Example |
|---|---|---|
| Basic | Broad permissions (avoid in prod) | roles/editor |
| Predefined | Service-specific, curated | roles/storage.objectViewer |
| Custom | You define exact permissions | Only storage.objects.get |
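The role table above reads as a lookup; the decision it drives is mechanical enough to script. The following is an added example, not code from the original guide, that works over a constructed and deliberately abbreviated role-to-permission catalog (the real predefined roles, and roles/editor above all, carry far more permissions than listed): given the permissions a workload actually needs, it picks the predefined role with the least excess, refuses to recommend a basic role, and points at a custom role when no predefined role fits exactly. A second helper flags basic-role bindings in a constructed IAM policy shaped like `gcloud projects get-iam-policy` output.

```python
# Constructed, abbreviated catalog of role -> permissions. Real predefined
# roles (and especially roles/editor) carry far more permissions than shown;
# the shape is what matters for the comparison below.
ROLE_CATALOG = {
    "roles/storage.objectViewer": {
        "storage.objects.get", "storage.objects.list"},
    "roles/storage.objectCreator": {
        "storage.objects.create"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
        "storage.objects.getIamPolicy", "storage.objects.setIamPolicy"},
    "roles/editor": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
        "compute.instances.delete", "compute.instances.setMetadata"},
}
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def recommend_role(required, catalog=ROLE_CATALOG):
    """Pick the predefined role with the fewest permissions beyond `required`.

    Basic roles are never recommended. When the best fit still carries
    excess permissions, `custom_role` lists the exact set a custom role
    would need; when the fit is exact, `custom_role` is empty.
    """
    required = set(required)
    covering = [
        (name, perms - required)
        for name, perms in catalog.items()
        if required <= perms and name not in BASIC_ROLES
    ]
    if not covering:
        return {"role": None, "excess": [], "custom_role": sorted(required)}
    name, excess = min(covering, key=lambda item: (len(item[1]), item[0]))
    return {
        "role": name,
        "excess": sorted(excess),
        "custom_role": sorted(required) if excess else [],
    }


def flag_basic_role_bindings(policy):
    """Return (member, role) pairs where a basic role is granted; these are
    the bindings a least-privilege review looks at first."""
    return [
        (member, binding["role"])
        for binding in policy["bindings"]
        if binding["role"] in BASIC_ROLES
        for member in binding["members"]
    ]


# Constructed IAM policy in the shape returned by `gcloud projects get-iam-policy`.
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:app@my-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@my-proj.iam.gserviceaccount.com"]},
]}

if __name__ == "__main__":
    print(recommend_role({"storage.objects.get"}))
    print(recommend_role({"storage.objects.get", "storage.objects.create"}))
    print(flag_basic_role_bindings(SAMPLE_POLICY))
```

A service that only needs `storage.objects.get` lands on roles/storage.objectViewer with one excess permission (`storage.objects.list`), which is the point at which the custom-role row of the table applies; a service that needs both get and create is pushed up to roles/storage.objectAdmin with five extra permissions, and the catalog never hands out roles/editor even though it would cover the request.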
Service Accounts
A service account is an identity for applications and VMs — not humans. Best practices:

Organization Policy
Organization Policies enforce guardrails at scale — for example, restricting which regions resources can be deployed in, or preventing public IPs on VMs. These apply across your entire organization hierarchy.

Encryption and Key Management
Encryption In Transit and At Rest
Google Cloud encrypts data at rest by default using AES-256. For data in transit, use HTTPS/TLS (SSL) to protect data moving between clients and servers or between services.

Cloud KMS (Key Management Service)
Cloud KMS lets you create, manage, rotate, and destroy cryptographic keys centrally. You can use:

Secret Manager
Secret Manager stores sensitive configuration values like API keys, passwords, and certificates — not encryption keys. Think of KMS as the locksmith and Secret Manager as the safe.

```shell
# Store a secret (the -n keeps a trailing newline out of the secret value;
# reading from "-" takes the payload from stdin rather than a file on disk)
echo -n "my-db-password" | gcloud secrets create db-password --data-file=-
```

Access a secret in code (Python):

```python
from google.cloud import secretmanager

# The client authenticates with Application Default Credentials; the caller
# needs roles/secretmanager.secretAccessor on the secret, nothing broader.
client = secretmanager.SecretManagerServiceClient()

# "latest" resolves to the newest enabled version of the secret.
response = client.access_secret_version(
    name="projects/my-proj/secrets/db-password/versions/latest"
)

# payload.data is bytes; decode it before use, and avoid logging the value.
print(response.payload.data.decode("UTF-8"))
```