Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide: Become an expert and get Google Cloud certified with this practitioner's guide 1800564929, 9781800564923

Master designing, developing, and operating secure infrastructures on Google Cloud. Key Features: Prepare for the certifica


English, 496 pages, 2023


Table of contents :
Cover
FM
Copyright
Foreword
Contributors
Table of Contents
Preface
Chapter 1: About the GCP Professional Cloud Security Engineer Exam
Benefits of being certified
Registering for the exam
Some useful tips on how to prepare
Summary
Further reading
Chapter 2: Google Cloud Security Concepts
Overview of Google Cloud security
Shared security responsibility
Addressing compliance on Google Cloud
Security by design
Operational security
Network security
Data security
Services and identity
Physical and hardware security
Threat and vulnerability management
Summary
Further reading
Chapter 3: Trust and Compliance
Establishing and maintaining trust
Access Transparency and Access Approval
Access Transparency
Enabling Access Transparency
Access Approval
Configuring Access Approval
Security and privacy of data
Third-party risk assessments
Compliance in the cloud
Compliance reports
Continuous compliance
Summary
Further reading
Chapter 4: Resource Management
Overview of Google Cloud Resource Manager
Understanding resource hierarchy
Organization
Folders
Projects
Applying constraints using the Organization Policy Service
Organization policy constraints
Policy inheritance
Asset management using Cloud Asset Inventory
Asset search
Asset export
Asset monitoring
Asset analyzer
Best practices and design considerations
Summary
Further reading
Chapter 5: Understanding Google Cloud Identity
Overview of Cloud Identity
Cloud Identity domain setup
Super administrator best practices
Securing your account
2-step verification
User security settings
Session length control for Google Cloud
SAML-based SSO
Additional security features
Directory management
Google Cloud Directory Sync
GCDS features and capabilities
How does GCDS work?
Using GCDS Configuration Manager
User provisioning in Cloud Identity
Automating user lifecycle management with Cloud Identity as the IdP
Administering user accounts and groups programmatically
Summary
Further reading
Chapter 6: Google Cloud Identity and Access Management
Overview of IAM
IAM roles and permissions
Policy binding
Service accounts
Creating a service account
Disabling a service account
Deleting a service account
Undeleting a service account
Service account keys
Key rotation
Service account impersonation
Cross-project service account access
Configuring Workload Identity Federation with Okta
Best practices for monitoring service account activity
Service agents
IAM policy bindings
Policy structure
Policy inheritance and resource hierarchy
IAM Conditions
Policy best practices
Policy Intelligence for better permission management
Tag-based access control
Tag structure
Best practices for tags
Cloud Storage ACLs
Access Control Lists (ACLs)
Uniform bucket-level access
IAM APIs
IAM logging
Log name
Service account logs
Summary
Further reading
Chapter 7: Virtual Private Cloud
Overview of VPC
Google Cloud regions and zones
VPC deployment models
VPC modes
Shared VPC
VPC peering
Micro-segmentation
Subnets
Custom routing
Firewall rules
Cloud DNS
Configuring Cloud DNS – create a public DNS zone for a domain name
DNSSEC
Load balancers
Configuring external global HTTP(S) load balancers
Hybrid connectivity options
Best practices and design considerations
VPC best practices
Key decisions
Summary
Further reading
Chapter 8: Advanced Network Security
Private Google Access
DNS configuration
Routing options
Firewall rules
Identity-Aware Proxy
Enabling IAP for on-premises
Using Cloud IAP for TCP forwarding
Cloud NAT
Google Cloud Armor
Security policies
Named IP lists
Summary
Further reading
Chapter 9: Google Cloud Key Management Service
Overview of Cloud KMS
Current Cloud KMS encryption offerings
Encryption and key management in Cloud KMS
Key hierarchy
Envelope encryption
Key management options
Google Cloud’s default encryption
Customer-managed encryption keys (CMEKs)
Customer-supplied encryption key
Symmetric key encryption
Creating a symmetric key
Encrypting content with a symmetric key
Decrypting content with a symmetric key
Asymmetric key encryption
Step 1: Creating a key ring
Step 2: Creating an asymmetric decryption key
Step 3: (Optional) Creating an asymmetric signing key
Encrypting data with an asymmetric key
Decrypting data with an asymmetric key
Importing a key (BYOK)
Step 1: Creating a blank key
Step 2: Importing the key using an import job
Step 3: Verifying key encryption and decryption
Key lifecycle management
Key IAM permissions
Cloud HSM
HSM key hierarchy
Key creation flow in HSM
Cryptographic operation flow in HSM
Cloud EKM
The architecture of Cloud EKM
Cloud KMS best practices
Cloud KMS infrastructure decisions
Application data encryption
Integrated Google Cloud encryption
CMEKs
Importing keys into Cloud KMS
Cloud KMS API
Cloud KMS logging
Summary
Further reading
Chapter 10: Cloud Data Loss Prevention
Overview of Cloud DLP
DLP architecture options
Content methods
Storage methods
Hybrid methods
Cloud DLP terminology
DLP infoTypes
Data de-identification
Creating a Cloud DLP inspection template
Defining the template
Configuring detection
Best practices for inspecting sensitive data
Inspecting and de-identifying PII data
De-identification transformations
Tutorial: How to de-identify and tokenize sensitive data
Step 1: Creating a key ring and a key
Step 2: Creating a base64-encoded AES key
Step 3: Wrapping the AES key using the Cloud KMS key
Step 4: Sending a de-identify request to the Cloud DLP API
Step 5: Sending a de-identity request to the Cloud DLP API
Step 6: Sending a re-identify request to the Cloud DLP API
DLP use cases
Best practices for Cloud DLP
Data exfiltration and VPC Service Controls
Architecture of VPC Service Controls
Allowing access to protected resources within the VPC Service Controls perimeter
Configuring a VPC Service Controls perimeter
Best practices for VPC Service Controls
Summary
Further reading
Chapter 11: Secret Manager
Overview of Secret Manager
Secret Manager concepts
Managing secrets and versions
Creating a secret
Adding a new secret version
Disabling a secret
Enabling a secret
Accessing a secret
Accessing a binary secret version
Accessing secrets from your application
Secret replication policy
Automatic
User-managed (user-selected)
CMEKs for Secret Manager
Best practices for secret management
Best practices for development
Best practices for deployment
Secret Manager logs
Summary
Further reading
Chapter 12: Cloud Logging
Introduction to Google Cloud logging
Log categories
Security logs
User logs
Platform logs
Log retention
Log management
Log producers
Log consumers
Log Router
Log sinks and exports
Log archiving and aggregation
Real-time log analysis and streaming
Exporting logs for compliance
Log compliance
Logging and auditing best practices
Summary
Further reading
Chapter 13: Image Hardening and CI/CD Security
Overview of image management
Custom images for Google Compute Engine
Manual baking
Automated baking
Importing existing images
Encrypting images
Image management pipeline
Creating a VM image using Packer and Cloud Build
Step 1: Creating an infrastructure for the image creation
Step 2: Creating the Packer template
Step 3: Installing the Packer binary
Step 4: Creating the image
Step 5: Automating image creation with Cloud Build
Controlling access to the images
Image lifecycle
Image families
Deprecating an image
Enforcing lifecycle policies
Securing a CI/CD pipeline
CI/CD security
CI/CD security threats
How to secure a CI/CD pipeline
Source Composition Analysis (SCA)
Static Application Security Testing (SAST)
CI/CD IAM controls
Container registry scanning
Container runtime security
Binary authorization
Best practices for CI/CD security
Shielded VMs
Secure Boot
Virtual Trusted Platform Module (vTPM)
Integrity monitoring
IAM authorization
Organization policy constraints for Shielded VMs
Confidential computing
Key features of Google Cloud Confidential Computing
Benefits of Confidential Computing
Summary
Further reading
Chapter 14: Security Command Center
Overview of SCC
Core services
Cloud Asset Inventory
Listing assets
Filtering assets
Exporting assets to BigQuery
Detecting security misconfigurations and vulnerabilities
Security Health Analytics
VM Manager
Rapid Vulnerability Detection
Web Security Scanner
Threat detection
Event Threat Detection
Container Threat Detection
VM Threat Detection
Anomaly detection
Continuous compliance monitoring
CIS benchmarks
Additional standards
Exporting SCC findings
One-time exports
Exporting data using the SCC API
Continuous exports
Automating a findings response
Summary
Further reading
Chapter 15: Container Security
Overview of containers
Container basics
What are containers?
Advantages of containers
What is Kubernetes?
GKE
Container security
Threats and risks in containers
GKE security features
Namespaces
Access control
Kubernetes RBAC
IAM
Secrets
Auditing
Logging
Network Policies
GKE private clusters
Service mesh
Container image security
Cluster Certificate Authority (CA)
GKE Workload Identity
Center for Internet Security (CIS) best practices
Container security best practices
Summary
Further reading
Google Professional Cloud Security Engineer Exam – Mock Exam I
Google Professional Cloud Security Engineer Exam – Mock Exam II
Index
Other Books You May Enjoy