book

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Name: Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
ISBN: 9781835468869

by Ankush Chowdhary, Prashant Kulkarni

August 2023

Intermediate to advanced

496 pages

11h 46m

English

Packt Publishing

Read now

Unlock full access

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
ForewordContributorsAbout the authorsAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughts
Chapter 1: About the GCP Professional Cloud Security Engineer Exam
Benefits of being certifiedRegistering for the examSome useful tips on how to prepareSummaryFurther reading
Chapter 2: Google Cloud Security Concepts
Overview of Google Cloud securityShared security responsibilityAddressing compliance on Google CloudSecurity by designOperational securityNetwork securityData securityServices and identityPhysical and hardware securityThreat and vulnerability managementSummaryFurther reading
Chapter 3: Trust and Compliance
Establishing and maintaining trustAccess Transparency and Access ApprovalAccess TransparencyEnabling Access TransparencyAccess ApprovalConfiguring Access ApprovalSecurity and privacy of dataThird-party risk assessmentsCompliance in the cloudCompliance reportsContinuous complianceSummaryFurther reading
Chapter 4: Resource Management
Overview of Google Cloud Resource ManagerUnderstanding resource hierarchyOrganizationFoldersProjectsApplying constraints using the Organization Policy ServiceOrganization policy constraintsPolicy inheritanceAsset management using Cloud Asset InventoryAsset searchAsset exportAsset monitoringAsset analyzerBest practices and design considerationsSummaryFurther reading
Chapter 5: Understanding Google Cloud Identity
Overview of Cloud IdentityCloud Identity domain setupSuper administrator best practicesSecuring your account2-step verificationUser security settingsSession length control for Google CloudSAML-based SSOAdditional security featuresDirectory managementGoogle Cloud Directory SyncGCDS features and capabilitiesHow does GCDS work?Using GCDS Configuration ManagerUser provisioning in Cloud IdentityAutomating user lifecycle management with Cloud Identity as the IdPAdministering user accounts and groups programmaticallySummaryFurther reading
Chapter 6: Google Cloud Identity and Access Management
Overview of IAMIAM roles and permissionsPolicy bindingService accountsCreating a service accountDisabling a service accountDeleting a service accountUndeleting a service accountService account keysKey rotationService account impersonationCross-project service account accessConfiguring Workload Identity Federation with OktaBest practices for monitoring service account activityService agentsIAM policy bindingsPolicy structurePolicy inheritance and resource hierarchyIAM ConditionsPolicy best practicesPolicy Intelligence for better permission managementTag-based access controlTag structureBest practices for tagsCloud Storage ACLsAccess Control Lists (ACLs)Uniform bucket-level accessIAM APIsIAM loggingLog nameService account logsSummaryFurther reading
Chapter 7: Virtual Private Cloud
Overview of VPCGoogle Cloud regions and zonesVPC deployment modelsVPC modesShared VPCVPC peeringMicro-segmentationSubnetsCustom routingFirewall rulesCloud DNSConfiguring Cloud DNS – create a public DNS zone for a domain nameDNSSECLoad balancersConfiguring external global HTTP(S) load balancersHybrid connectivity optionsBest practices and design considerationsVPC best practicesKey decisionsSummaryFurther reading
Chapter 8: Advanced Network Security
Private Google AccessDNS configurationRouting optionsFirewall rulesIdentity-Aware ProxyEnabling IAP for on-premisesUsing Cloud IAP for TCP forwardingCloud NATGoogle Cloud ArmorSecurity policiesNamed IP listsSummaryFurther reading

Chapter 9: Google Cloud Key Management Service
Overview of Cloud KMSCurrent Cloud KMS encryption offeringsEncryption and key management in Cloud KMSKey hierarchyEnvelope encryptionKey management optionsGoogle Cloud’s default encryptionCustomer-managed encryption keys (CMEKs)Customer-supplied encryption keySymmetric key encryptionCreating a symmetric keyEncrypting content with a symmetric keyDecrypting content with a symmetric keyAsymmetric key encryptionStep 1: Creating a key ringStep 2: Creating an asymmetric decryption keyStep 3: (Optional) Creating an asymmetric signing keyEncrypting data with an asymmetric keyDecrypting data with an asymmetric keyImporting a key (BYOK)Step 1: Creating a blank keyStep 2: Importing the key using an import jobStep 3: Verifying key encryption and decryptionKey lifecycle managementKey IAM permissionsCloud HSMHSM key hierarchyKey creation flow in HSMCryptographic operation flow in HSMCloud EKMThe architecture of Cloud EKMCloud KMS best practicesCloud KMS infrastructure decisionsApplication data encryptionIntegrated Google Cloud encryptionCMEKsImporting keys into Cloud KMSCloud KMS APICloud KMS loggingSummaryFurther reading
Chapter 10: Cloud Data Loss Prevention
Overview of Cloud DLPDLP architecture optionsContent methodsStorage methodsHybrid methodsCloud DLP terminologyDLP infoTypesData de-identificationCreating a Cloud DLP inspection templateDefining the templateConfiguring detectionBest practices for inspecting sensitive dataInspecting and de-identifying PII dataDe-identification transformationsTutorial: How to de-identify and tokenize sensitive dataStep 1: Creating a key ring and a keyStep 2: Creating a base64-encoded AES keyStep 3: Wrapping the AES key using the Cloud KMS keyStep 4: Sending a de-identify request to the Cloud DLP APIStep 5: Sending a de-identity request to the Cloud DLP APIStep 6: Sending a re-identify request to the Cloud DLP APIDLP use casesBest practices for Cloud DLPData exfiltration and VPC Service ControlsArchitecture of VPC Service ControlsAllowing access to protected resources within the VPC Service Controls perimeterConfiguring a VPC Service Controls perimeterBest practices for VPC Service ControlsSummaryFurther reading
Chapter 11: Secret Manager
Overview of Secret ManagerSecret Manager conceptsManaging secrets and versionsCreating a secretAdding a new secret versionDisabling a secretEnabling a secretAccessing a secretAccessing a binary secret versionAccessing secrets from your applicationSecret replication policyAutomaticUser-managed (user-selected)CMEKs for Secret ManagerBest practices for secret managementBest practices for developmentBest practices for deploymentSecret Manager logsSummaryFurther reading
Chapter 12: Cloud Logging
Introduction to Google Cloud loggingLog categoriesSecurity logsUser logsPlatform logsLog retentionLog managementLog producersLog consumersLog RouterLog sinks and exportsLog archiving and aggregationReal-time log analysis and streamingExporting logs for complianceLog complianceLogging and auditing best practicesSummaryFurther reading
Chapter 13: Image Hardening and CI/CD Security
Overview of image managementCustom images for Google Compute EngineManual bakingAutomated bakingImporting existing imagesEncrypting imagesImage management pipelineCreating a VM image using Packer and Cloud BuildStep 1: Creating an infrastructure for the image creationStep 2: Creating the Packer templateStep 3: Installing the Packer binaryStep 4: Creating the imageStep 5: Automating image creation with Cloud BuildControlling access to the imagesImage lifecycleImage familiesDeprecating an imageEnforcing lifecycle policiesSecuring a CI/CD pipelineCI/CD securityCI/CD security threatsHow to secure a CI/CD pipelineSource Composition Analysis (SCA)Static Application Security Testing (SAST)CI/CD IAM controlsContainer registry scanningContainer runtime securityBinary authorizationBest practices for CI/CD securityShielded VMsSecure BootVirtual Trusted Platform Module (vTPM)Integrity monitoringIAM authorizationOrganization policy constraints for Shielded VMsConfidential computingKey features of Google Cloud Confidential ComputingBenefits of Confidential ComputingSummaryFurther reading
Chapter 14: Security Command Center
Overview of SCCCore servicesCloud Asset InventoryListing assetsFiltering assetsExporting assets to BigQueryDetecting security misconfigurations and vulnerabilitiesSecurity Health AnalyticsVM ManagerRapid Vulnerability DetectionWeb Security ScannerThreat detectionEvent Threat DetectionContainer Threat DetectionVM Threat DetectionAnomaly detectionContinuous compliance monitoringCIS benchmarksAdditional standardsExporting SCC findingsOne-time exportsExporting data using the SCC APIContinuous exportsAutomating a findings responseSummaryFurther reading
Chapter 15: Container Security
Overview of containersContainer basicsWhat are containers?Advantages of containersWhat is Kubernetes?GKEContainer securityThreats and risks in containersGKE security featuresNamespacesAccess controlKubernetes RBACIAMSecretsAuditingLoggingNetwork PoliciesGKE private clustersService meshContainer image securityCluster Certificate Authority (CA)GKE Workload IdentityCenter for Internet Security (CIS) best practicesContainer security best practicesSummaryFurther reading
Google Professional Cloud Security Engineer Exam – Mock Exam I
Google Professional Cloud Security Engineer Exam – Mock Exam II
Why subscribe?
Other Books You May EnjoyShare your thoughts

Content preview from Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

13 Image Hardening and CI/CD Security

In this chapter, we will look at Google’s approach to Compute Engine image hardening and DevOps pipeline security. One of the most critical issues facing industries today is software supply chain attacks. To address this matter in the cloud, we need to be able to build secure infrastructure, monitor operations, and fix vulnerabilities. This is a very broad topic. We will only cover the topics required for the exam in this chapter.

In this chapter, we will cover the following topics:

Overview of image management
Custom images for Compute Engine
Image management pipeline
Controlling access to images
Image lifecycle
Enforcing lifecycle policies
Secure CI/CD pipeline
Best practices for a CI/CD pipeline
Shielded ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Official Google Cloud Certified Associate Cloud Engineer Study Guide

Dan Sullivan

Certified Cloud Security Professional (CCSP)

Michael J. Shannon

Google Cloud Platform (GCP) Professional Cloud Security Engineer Certification Companion: Learn and Apply Security Design Concepts to Ace the Exam

Dario Cabianca

Google Cloud Certified Associate Cloud Engineer Study Guide, 2nd Edition

Dan Sullivan

Publisher Resources

ISBN: 9781835468869

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

by Ankush Chowdhary, Prashant Kulkarni

13

Image Hardening and CI/CD Security

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.