Professional Cloud Security Engineer
Passed: January 17, 2025
Exam Overview:
Post-Exam Reflections
Impressions:
It was difficult.
The questions were fundamentally based on documentation, but they were definitely more applied than the practice exam.
I don't think there were many questions similar to those in the (Indian) practice sets.
Many questions required logical reasoning and using test-taking techniques for multiple-choice questions.
There also seemed to be many questions related to network architecture and general cloud architecture.
Objective Notes:
- Number of questions: 40, which was fewer than expected and added to the pressure.
- Time: I finished my first pass in about 70 of the 120 minutes, which left enough time to review every question.
Topic Trends:
**Cryptomining Detection:**
- Google Cloud publishes best practices for detecting and preventing cryptocurrency mining on compute resources: watch for abnormal CPU utilization and outbound traffic (for example to known mining pools), keep autoscaling and quotas bounded so a compromised project cannot consume unlimited resources, and tighten IAM (least privilege, no exported service account keys).
- Security Command Center's Event Threat Detection raises cryptomining findings on its own, from hash matches on known mining binaries and from connections to known mining domains and IPs; exporting those findings to Pub/Sub is the usual way to automate a response.
- Reference: [Best practices for cryptomining detection on Google Cloud](https://cloud.google.com/security-command-center/docs/cryptomining-detection-best-practices?hl=en)
---
**Time-based IAM Control:**
- Cloud Scheduler fires an HTTP request on a cron-style schedule, so it can invoke a Cloud Run service or Cloud Functions function that grants a role at the start of a window and another that revokes it at the end. That is the pattern behind "access permissions only during specific hours".
- Key Points:
  - Cloud Scheduler's retry settings (retry count, backoff, maximum retry duration) decide what happens when the invocation fails; without them a missed revoke job silently leaves the grant in place.
  - The function changes the IAM policy programmatically (read-modify-write: getIamPolicy, edit the bindings, setIamPolicy with the etag). Adding the binding with an IAM Condition such as `request.time < timestamp("2025-01-17T14:30:00Z")` makes the grant expire on its own even if the revoke job never runs.
  - A recurring business-hours window can be expressed purely in an IAM Condition, for example `request.time.getHours("Asia/Tokyo") >= 9 && request.time.getHours("Asia/Tokyo") < 18`, with no scheduler at all.
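The grant/revoke logic the scheduled function would run, as an added example that is not code from the original notes or from Google. It works on the policy document as a plain dict in the shape of a getIamPolicy response; SAMPLE_POLICY, the member, role and etag values are constructed placeholders, and the real function would fetch and write the policy with the Resource Manager API around these calls.

```python
"""Time-boxed IAM grant/revoke as pure policy manipulation.

Added example (not from the original notes or from Google). A Cloud Scheduler
job invokes a Cloud Run service / Cloud Functions function that fetches the
project policy with getIamPolicy, applies one of the functions below, and
writes the result back with setIamPolicy. SAMPLE_POLICY is a constructed
policy in the shape of a getIamPolicy response; member, role and etag values
are placeholders (assumptions), not a real project's policy.
"""
import copy
import re
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXplaceholderEtag=",  # sent back unchanged so a concurrent edit is rejected
    "bindings": [
        {"role": "roles/viewer", "members": ["user:alice@example.com"]},
    ],
}

# Expiry inside an IAM Condition of the form request.time < timestamp("...")
_EXPIRY_RE = re.compile(r'request\.time < timestamp\("([^"]+)"\)')


def _rfc3339(dt: datetime) -> str:
    """Format an aware datetime the way IAM Conditions expect (UTC, trailing Z)."""
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def has_role(policy: dict, member: str, role: str) -> bool:
    return any(b["role"] == role and member in b["members"] for b in policy["bindings"])


def grant_temporary_role(policy: dict, member: str, role: str, expires_at: datetime,
                         title: str = "scheduled-temporary-access") -> dict:
    """Return a copy of policy with a conditional binding that expires at expires_at.

    The condition makes the grant self-revoking, so a failed or missed revoke
    job cannot leave the access in place. Conditional bindings are only
    accepted when the policy version is 3, so the version is bumped here.
    """
    new = copy.deepcopy(policy)
    new["version"] = 3
    new["bindings"].append({
        "role": role,
        "members": [member],
        "condition": {
            "title": title,
            "description": "Granted by scheduled job; expires automatically",
            "expression": f'request.time < timestamp("{_rfc3339(expires_at)}")',
        },
    })
    return new


def revoke_role(policy: dict, member: str, role: str) -> dict:
    """Return a copy of policy with member removed from every binding for role."""
    new = copy.deepcopy(policy)
    kept = []
    for binding in new["bindings"]:
        if binding["role"] == role and member in binding["members"]:
            binding["members"] = [m for m in binding["members"] if m != member]
        if binding["members"]:  # drop bindings that became empty
            kept.append(binding)
    new["bindings"] = kept
    return new


def prune_expired(policy: dict, now: datetime) -> Tuple[dict, List[dict]]:
    """Housekeeping pass: drop conditional bindings whose expiry is already past.

    IAM no longer honours an expired condition, but the dead binding still
    clutters the policy and audit views, so a scheduled job sweeps them out.
    """
    new = copy.deepcopy(policy)
    kept, removed = [], []
    for binding in new["bindings"]:
        match = _EXPIRY_RE.search(binding.get("condition", {}).get("expression", ""))
        if match and datetime.fromisoformat(match.group(1).replace("Z", "+00:00")) <= now:
            removed.append(binding)
        else:
            kept.append(binding)
    new["bindings"] = kept
    return new, removed


def demo() -> dict:
    """Worked scenario: 8-hour grant issued at 06:30Z, then revoke and sweep."""
    now = datetime(2025, 1, 17, 6, 30, tzinfo=timezone.utc)
    member, role = "user:bob@example.com", "roles/compute.admin"
    granted = grant_temporary_role(SAMPLE_POLICY, member, role, now + timedelta(hours=8))
    revoked = revoke_role(granted, member, role)
    _, removed_early = prune_expired(granted, now + timedelta(hours=1))
    swept, removed_late = prune_expired(granted, now + timedelta(hours=9))
    return {
        "version": granted["version"],
        "expression": granted["bindings"][-1]["condition"]["expression"],
        "granted": has_role(granted, member, role),
        "original_untouched": has_role(SAMPLE_POLICY, member, role),
        "after_revoke": has_role(revoked, member, role),
        "pruned_early": len(removed_early),
        "pruned_late": len(removed_late),
        "after_sweep": has_role(swept, member, role),
    }


if __name__ == "__main__":
    print(demo())
```

Two details matter in production: always send the etag you read back with setIamPolicy so two scheduled jobs cannot overwrite each other, and keep the revoke job even with the condition in place, since the condition is the safety net, not the primary control.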
---
**External Key Management Questions:**
- Identifying regional or project causes of failures:
  - Beyond the external key itself, location matters: a Cloud KMS key is created in one location (a region, dual-region, multi-region or global), and a resource can only be protected by a key in a compatible location, e.g. a regional disk or bucket needs a key in that same region. Cloud EKM keys follow the same rule, so a "wrong region" key is a common reason a CMEK-protected resource fails to create. Project mismatches surface as the service agent of the consuming project lacking the Cloud KMS CryptoKey Encrypter/Decrypter role on the key.
  - Reference: [Cloud KMS Locations documentation](https://cloud.google.com/kms/docs/locations?hl=en)
- DLP (Sensitive Data Protection) de-identification methods:
  - Cryptographic hashing (CryptoHashConfig) is a one-way, keyed transformation (HMAC-SHA-256 with a 32- or 64-byte key): the same input with the same key always yields the same surrogate, so records can still be joined, but there is no inverse function to recover the original. The key must stay secret, ideally supplied KMS-wrapped rather than inline, because a hash of a low-entropy field such as a phone number or employee ID can be reversed by simply enumerating the candidates if the key is known.
  - Note: deterministic encryption (CryptoDeterministicConfig, AES-SIV) also produces the same output for the same input, but is reversible through a re-identify call with the same key; format-preserving encryption (CryptoReplaceFfxFpeConfig) is likewise reversible and keeps the input's character set and length. Pick hashing when nobody ever needs the original back, encryption when a re-identification path is required.
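To make the "one-way but not unguessable" point concrete, here is an added example that models CryptoHashConfig locally with HMAC-SHA-256; it is not code from the original notes or from the Sensitive Data Protection API. The employee IDs, records and the 4-digit identifier domain are constructed, and the key-length rule is enforced as an assumption mirroring the API's documented constraint.

```python
"""Keyed vs unkeyed hashing for de-identification.

Added example (not from the original notes or the Sensitive Data Protection
API). It models locally what CryptoHashConfig does, HMAC-SHA-256 under a
caller-supplied 32- or 64-byte key, to show which property "one-way" gives
you and which it does not. Records and the identifier domain are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Constructed: a 4-digit employee ID is a tiny input space (10,000 values).
SAMPLE_RECORDS = [
    {"employee_id": "4821", "dept": "finance"},
    {"employee_id": "0042", "dept": "security"},
    {"employee_id": "4821", "dept": "finance"},  # same person, second row
]


def keyed_surrogate(value: str, key: bytes) -> str:
    """One-way keyed surrogate: same key + same input -> same output (joinable),
    but without the key nobody can test guesses against the surrogate."""
    if len(key) not in (32, 64):  # assumption: same size rule the DLP API applies
        raise ValueError("key must be 32 or 64 bytes")
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256: one-way in theory, trivially enumerable on a small domain."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize(records: List[dict], key: bytes) -> List[dict]:
    """Replace employee_id with its keyed surrogate; rows of one person still match."""
    return [dict(r, employee_id=keyed_surrogate(r["employee_id"], key)) for r in records]


def brute_force(target: str, candidates: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """Re-identification attempt: hash every candidate (with the key, if held)
    and compare against the surrogate. Succeeds whenever the attacker can
    compute the same function the de-identifier used."""
    for candidate in candidates:
        digest = keyed_surrogate(candidate, key) if key is not None else unkeyed_hash(candidate)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


def all_employee_ids() -> Iterable[str]:
    return (f"{i:04d}" for i in range(10_000))


def demo() -> dict:
    key = secrets.token_bytes(32)        # production: a KMS-wrapped key, never inline
    wrong_key = secrets.token_bytes(32)  # what an attacker without the key has to guess
    rows = pseudonymize(SAMPLE_RECORDS, key)
    return {
        "joinable": rows[0]["employee_id"] == rows[2]["employee_id"],
        "distinct": rows[0]["employee_id"] != rows[1]["employee_id"],
        # unkeyed SHA-256 of a 4-digit ID falls to 10,000 guesses
        "unkeyed_recovered": brute_force(unkeyed_hash("4821"), all_employee_ids()),
        # the key holder can still confirm guesses: "non-reversible" != "unlinkable"
        "keyed_recovered_with_key": brute_force(rows[0]["employee_id"], all_employee_ids(), key),
        # without the key, enumeration of the whole domain finds nothing
        "keyed_recovered_wrong_key": brute_force(rows[0]["employee_id"], all_employee_ids(), wrong_key),
    }


if __name__ == "__main__":
    print(demo())
```

The last two results are the exam-relevant nuance: hashing removes the decrypt path, but whoever holds the key (or an unkeyed digest of a small domain) can still link a surrogate back to a guessed value, so key custody decides whether the output is really de-identified.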
---
**Container Registry (Artifact Registry) Features:**
- Artifact Registry, the successor to the now-deprecated Container Registry, stores container images and other package formats (Maven, npm, Python, Go, OS packages). Vulnerability scanning and the resulting metadata come from Artifact Analysis.
- Key Points:
  - Artifact Analysis scans images on push and records a vulnerability occurrence per image digest, updating them as new vulnerability data is published; each occurrence carries the effective severity and whether a fixed package version exists.
  - Scan results are visible in the Artifact Registry console and through the Container Analysis API, and new occurrences are published to the `container-analysis-occurrences-v1` Pub/Sub topic, which is the integration point for Cloud Monitoring alerts or forwarding into Security Command Center or a SIEM. Binary Authorization then turns the result into a gate: deployments require an attestation that the pipeline only creates when the scan passed.
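A deploy gate over scan results, as an added example that is not code from the original notes or from Google's tooling. The occurrences are constructed in the shape of Artifact Analysis DISCOVERY and VULNERABILITY occurrences (only the fields named in the docstring are used); the project, repository, note names and digests are placeholders. In a pipeline the real occurrences would be listed for the image digest with the Container Analysis API, and only an "allowed" result would lead to creating the attestation a Binary Authorization policy requires.

```python
"""Deploy gate over Artifact Analysis vulnerability occurrences.

Added example (not from the original notes or from Google's tooling). The
occurrences below are constructed in the shape of Artifact Analysis
occurrences; fields used: kind, resourceUri, noteName,
discovery.analysisStatus, vulnerability.effectiveSeverity,
vulnerability.fixAvailable, vulnerability.packageIssue. Project, repository,
note names and digests are placeholders.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List

IMAGE = "us-docker.pkg.dev/example-project/app-repo/web@sha256:" + "a" * 64
OTHER_IMAGE = "us-docker.pkg.dev/example-project/app-repo/worker@sha256:" + "b" * 64
UNSCANNED_IMAGE = "us-docker.pkg.dev/example-project/app-repo/new@sha256:" + "c" * 64

SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _vuln(name, image, note, severity, fix_available, pkg, affected, fixed):
    return {
        "name": f"projects/example-project/occurrences/{name}",
        "kind": "VULNERABILITY",
        "resourceUri": f"https://{image}",
        "noteName": f"projects/example-provider/notes/{note}",
        "vulnerability": {
            "effectiveSeverity": severity,
            "fixAvailable": fix_available,
            "packageIssue": [{"affectedPackage": pkg,
                              "affectedVersion": {"name": affected},
                              "fixedVersion": {"name": fixed}}],
        },
    }


def _discovery(name, image, status):
    return {"name": f"projects/example-project/occurrences/{name}", "kind": "DISCOVERY",
            "resourceUri": f"https://{image}", "discovery": {"analysisStatus": status}}


# Constructed scan results: two scanned images, one with no finished scan.
SAMPLE_OCCURRENCES = [
    _discovery("disc-1", IMAGE, "FINISHED_SUCCESS"),
    _discovery("disc-2", OTHER_IMAGE, "FINISHED_SUCCESS"),
    _discovery("disc-3", UNSCANNED_IMAGE, "SCANNING"),
    _vuln("occ-1", IMAGE, "VULN-A", "CRITICAL", True, "libssl", "1.0", "1.1"),
    _vuln("occ-2", IMAGE, "VULN-B", "HIGH", False, "zlib", "1.2", ""),
    _vuln("occ-3", IMAGE, "VULN-C", "MEDIUM", True, "curl", "7.0", "7.1"),
    _vuln("occ-4", OTHER_IMAGE, "VULN-D", "CRITICAL", True, "busybox", "1.3", "1.4"),
]


@dataclass
class GateResult:
    image: str
    allowed: bool
    blocking: List[str] = field(default_factory=list)  # note ids (or scan state) that failed the gate
    counts: Counter = field(default_factory=Counter)   # findings per severity


def evaluate_image(occurrences, image, block_at="HIGH", block_only_if_fixable=True) -> GateResult:
    """Decide whether image may deploy.

    Fails closed when no finished DISCOVERY occurrence exists (unscanned is
    not the same as clean). A finding blocks when its severity is at or above
    block_at and, if block_only_if_fixable is set, a fixed version exists;
    unfixable findings are counted but do not block, so the gate does not
    become a permanent outage for vulnerabilities nobody can patch yet.
    """
    mine = [o for o in occurrences if o.get("resourceUri", "").endswith(image)]
    result = GateResult(image=image, allowed=False)
    scanned = any(o.get("kind") == "DISCOVERY"
                  and o["discovery"].get("analysisStatus") == "FINISHED_SUCCESS" for o in mine)
    if not scanned:
        result.blocking.append("scan-not-finished")
        return result
    threshold = SEVERITY_RANK[block_at]
    for occ in mine:
        if occ.get("kind") != "VULNERABILITY":
            continue
        vuln = occ["vulnerability"]
        severity = vuln.get("effectiveSeverity", "MINIMAL")
        result.counts[severity] += 1
        fixable = bool(vuln.get("fixAvailable"))
        if SEVERITY_RANK.get(severity, 0) >= threshold and (fixable or not block_only_if_fixable):
            result.blocking.append(occ["noteName"].rsplit("/", 1)[-1])
    result.allowed = not result.blocking
    return result


if __name__ == "__main__":
    for img in (IMAGE, OTHER_IMAGE, UNSCANNED_IMAGE):
        print(evaluate_image(SAMPLE_OCCURRENCES, img))
```

The fail-closed branch is the part most pipelines forget: an image pushed seconds before the deploy step has no vulnerability occurrences yet, and a gate that equates "no findings" with "clean" waves it through.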
---
**Cloud Security Command Center (SCC) Use Cases:**
- SCC is an integrated platform for visualizing the security posture of your Google Cloud environment and managing risks.
- Use Cases:
- **Vulnerability Detection:** Discover and remediate resource misconfigurations, publicly exposed credentials, and known risks.
- **Threat Detection and Mitigation:** Detect and respond to active threats like malware, cryptomining, container runtime attacks, and DDoS attacks.
- **Posture and Policy Management:** Define and deploy security postures, and monitor and fix configuration drifts.
- **Data Management:** Meet data residency requirements by choosing, at activation time, the location (e.g. the EU) in which Security Command Center stores and processes its own findings and configuration; the choice cannot be changed afterwards.
- **Integration:** Connect with external security systems through exports to BigQuery and Pub/Sub.
- Reference: [Security Command Center overview](https://cloud.google.com/security-command-center/docs/security-command-center-overview)
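The Pub/Sub export mentioned under "Integration" is also how the cryptomining response from the first topic above gets automated, so one added example covers both: a triage routine over SCC notification messages plus the "unusual CPU usage" signal. This is not code from the original notes or from Google. The messages are constructed in the shape of an SCC NotificationMessage with a `finding` object; the category strings are the ones Event Threat Detection uses for cryptomining and anomalous IAM grants, while the organization, source, project and instance names and the CPU series are placeholders.

```python
"""Triage Security Command Center findings exported to Pub/Sub.

Added example (not from the original notes or from Google). An SCC
notification config pushes each matching finding to a Pub/Sub topic as a JSON
NotificationMessage carrying a `finding` object. SAMPLE_MESSAGES are
constructed payloads in that shape; organization, source, project and
instance names are placeholders. The CPU helper models the "unusual CPU
usage" signal over a constructed sample series.
"""
import json
from dataclasses import dataclass
from typing import List, Sequence

CRYPTOMINING_CATEGORIES = {
    "Execution: Cryptocurrency Mining Hash Match",
    "Execution: Cryptocurrency Mining YARA Rule",
    "Malware: Cryptomining Bad Domain",
    "Malware: Cryptomining Bad IP",
}
ESCALATE_SEVERITIES = {"HIGH", "CRITICAL"}


def _message(finding_id, category, state, severity, instance):
    return json.dumps({
        "notificationConfigName": "organizations/000000000000/notificationConfigs/triage",
        "finding": {
            "name": f"organizations/000000000000/sources/111/findings/{finding_id}",
            "category": category,
            "state": state,
            "severity": severity,
            "resourceName": "//compute.googleapis.com/projects/example-project/"
                            f"zones/us-central1-a/instances/{instance}",
            "eventTime": "2025-01-17T06:30:00Z",
        },
    })


SAMPLE_MESSAGES = [
    _message("f-1", "Execution: Cryptocurrency Mining Hash Match", "ACTIVE", "HIGH", "web-1"),
    _message("f-2", "Persistence: IAM Anomalous Grant", "ACTIVE", "HIGH", "bastion-1"),
    _message("f-3", "Malware: Cryptomining Bad IP", "INACTIVE", "HIGH", "web-2"),
    _message("f-4", "Execution: Cryptocurrency Mining YARA Rule", "ACTIVE", "LOW", "batch-3"),
]


@dataclass(frozen=True)
class TriageDecision:
    finding: str
    resource: str
    action: str  # "isolate" | "ticket" | "ignore"
    reason: str


def triage_finding(raw_message: str) -> TriageDecision:
    finding = json.loads(raw_message)["finding"]
    name, resource = finding["name"], finding.get("resourceName", "")
    category, severity = finding.get("category", ""), finding.get("severity", "")
    if finding.get("state") != "ACTIVE":
        return TriageDecision(name, resource, "ignore", "finding is not active")
    if category in CRYPTOMINING_CATEGORIES:
        if severity in ESCALATE_SEVERITIES:
            # isolate = apply the quarantine network tag, snapshot the disk, then ticket
            return TriageDecision(name, resource, "isolate", f"active cryptomining: {category}")
        return TriageDecision(name, resource, "ticket", f"cryptomining at {severity}: {category}")
    if severity in ESCALATE_SEVERITIES:
        return TriageDecision(name, resource, "ticket", f"active {severity} finding: {category}")
    return TriageDecision(name, resource, "ignore", f"below escalation threshold ({severity})")


def triage(messages: Sequence[str]) -> List[TriageDecision]:
    return [triage_finding(m) for m in messages]


def sustained_high_cpu(samples: Sequence[float], threshold: float = 0.9, window: int = 6) -> bool:
    """True when `window` consecutive utilization samples (0.0-1.0) exceed
    threshold, the shape a Cloud Monitoring alert on instance CPU utilization
    is built to catch; short spikes do not count."""
    run = 0
    for sample in samples:
        run = run + 1 if sample > threshold else 0
        if run >= window:
            return True
    return False


# Constructed 1-minute samples: a normal web VM vs one pegged by a miner.
NORMAL_VM = [0.12, 0.35, 0.95, 0.91, 0.20, 0.18, 0.22, 0.15]
MINING_VM = [0.98, 0.99, 0.97, 0.99, 0.98, 0.99, 0.99, 0.98]

if __name__ == "__main__":
    for decision in triage(SAMPLE_MESSAGES):
        print(decision)
    print("normal:", sustained_high_cpu(NORMAL_VM), "miner:", sustained_high_cpu(MINING_VM))
```

Checking `state` first matters: SCC re-sends findings when they transition to INACTIVE or are muted, and a responder that isolates on every message will quarantine a host that was already cleaned.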
---
**Example from Practice Exam:**
- **Question:** A retail company is migrating its e-commerce site, including its point-of-sale (POS) application, to Google Cloud. Which compliance standard must they adhere to?
  - A. FedRAMP High
  - B. HIPAA
  - C. SOX
  - D. PCI DSS (Correct Answer)
- Why: a POS application processes cardholder data, which puts it in scope for PCI DSS. FedRAMP applies to US federal government systems, HIPAA to protected health information, and SOX to financial reporting controls of US public companies.
- Other topics that appeared:
- Security Command Center
- Cloud NGFW
- Shielded VM, Confidential VM, Binary Authorization
- Cloud Certificate Authority Service
Exam Information (January 17, 2025)
Exam Name: Google Cloud Certified - Professional Cloud Security Engineer (Japanese)
Date & Time: January 17, 2025, 15:30
Location: 4F Kita 7-jo Yoshiya Building, Kita 7-jo Nishi 5-chome, Kita-ku
Items to bring:
- Government-issued driver's license
- Credit card
Study Strategy
- Master whizlabs.com
  - 1st round complete: Jan 14, 2025
  - 2nd round complete: Jan 17, 2025
- Take the official practice exam
  - 91%: Jan 14, 2025
- Read as many web articles as possible
- Familiarize myself with the Google Cloud console.
Weak Areas
New Topics Encountered:
- What is Assured Workloads?
- Defining an SSL policy
- Connecting to Google APIs
- Workload Identity Federation
- Firewall rule priority: lower number wins, default priority is 1000 (range 0 to 65535); the implied rules (allow all egress, deny all ingress) sit at 65535 so any explicit rule overrides them.
- VPC Flow Logs are enabled per subnet (sampling rate, aggregation interval and metadata are set there); newer VPC Flow Logs configurations can also target a whole VPC network, which avoids enabling every subnet one by one.
Memos for Creating Practice Questions with Prompts
Tips for Generating Applied Questions
December 14, 2024
Improving Practice Exams:
- Copy the official practice exam and save it as a text file.
- Upload it to GPTs and clean up the formatting.
- Set a system prompt in Gemini (Studio) and progressively improve the questions.
Improving Foundational Questions:
- Generate a set of basic questions based on the exam guide using GPTs.
- Set a system prompt in Gemini (Studio) and progressively develop them into more applied, scenario-based questions.