Module 1: Configuring access within a cloud solution environment
1.1 Managing Cloud Identity. Considerations include:
- Configuring Google Cloud Directory Sync and third-party connectors
- Managing a super administrator account
- Automating the user lifecycle management process
- Administering user accounts and groups programmatically
1.2 Managing service accounts. Considerations include:
- Protecting and auditing service accounts and keys
- Automating the rotation of user-managed service account keys
- Identifying scenarios that require service accounts
- Creating, disabling, authorizing, and securing service accounts
- Managing and creating short-lived credentials
- Configuring workload identity federation
- Securing default service accounts
- Managing service account impersonation
1.3 Managing authentication. Considerations include:
- Creating a password and session management policy for user accounts
- Setting up Security Assertion Markup Language (SAML) and OAuth
- Configuring and enforcing two-factor authentication
1.4 Managing and implementing authorization controls. Considerations include:
- Managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions
- Granting permissions to different types of identities
- Managing IAM and access control list (ACL) permissions
- Designing identity roles at the organization, folder, project, and resource level
- Configuring Access Context Manager
- Applying Policy Intelligence for better permission management
- Managing permissions through groups
1.5 Defining resource hierarchy. Considerations include:
- Creating and managing organizations
- Managing organization policies for organization folders, projects, and resources
- Using resource hierarchy for access control and permissions inheritance
Module 2: Configuring perimeter and boundary security
2.1 Designing perimeter security. Considerations include:
- Configuring network perimeter controls (firewall rules, hierarchical firewalls, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service)
- Identifying differences between private and public addressing
- Configuring web application firewall (Google Cloud Armor)
- Configuring Cloud DNS security settings
2.2 Configuring boundary segmentation. Considerations include:
- Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules
- Configuring network isolation and data encapsulation for N-tier application design
- Configuring VPC Service Controls
2.3 Establishing private connectivity. Considerations include:
- Designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts)
- Designing and configuring private connectivity between data centers and VPC network (IPsec and Cloud Interconnect)
- Establishing private connectivity between VPC and Google APIs (Private Google Access, restricted Google access, Private Google Access for on-premises hosts, Private Service Connect)
- Using Cloud NAT to enable outbound traffic
Module 3: Ensuring data protection
3.1 Protecting sensitive data and preventing data loss. Considerations include:
- Inspecting and redacting personally identifiable information (PII)
- Configuring pseudonymization
- Configuring format-preserving substitution
- Restricting access to BigQuery, Cloud Storage, and Cloud SQL datastores
- Securing secrets with Secret Manager
- Protecting and managing compute instance metadata
3.2 Managing encryption at rest, in transit, and in use. Considerations include:
- Understanding use cases for Google default encryption, customer-managed encryption keys (CMEK), customer-supplied encryption keys (CSEK), Cloud External Key Manager (EKM), and Cloud HSM
- Creating and managing encryption keys for CMEK, CSEK, and EKM
- Applying Google’s encryption approach to use cases
- Configuring object lifecycle policies for Cloud Storage
- Enabling Confidential Computing
- Encryption in transit
Module 4: Managing operations within a cloud solution environment
4.1 Building and deploying secure infrastructure and applications. Considerations include:
- Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline
- Automating virtual machine image creation, hardening, maintenance, and patch management
- Automating container image creation, verification, hardening, maintenance, and patch management
- Automating policy as code and drift detection
4.2 Configuring logging, monitoring, and detection. Considerations include:
- Configuring and analyzing network logs (firewall rule logs, VPC flow logs, packet mirroring, Cloud Intrusion Detection System Cloud IDS)
- Designing an effective logging strategy
- Logging, monitoring, responding to, and remediating security incidents
- Exporting logs to external security systems
- Configuring and analyzing Google Cloud audit logs and data access logs
- Configuring log exports (log sinks and aggregated sinks)
- Configuring and monitoring Security Command Center (Security Health Analytics, Event Threat Detection, Container Threat Detection, Web Security Scanner)
Module 5: Supporting compliance requirements
5.1 Determining regulatory requirements for the cloud. Considerations include:
- Determining concerns relative to compute, data, and network
- Evaluating the security shared responsibility model (Access Transparency)
- Configuring security controls within cloud environments (regionalization of data and services)
- Limiting compute and data for regulatory compliance
- Determining the Google Cloud environment in scope for regulatory compliance
