Google Cloud IAM and Resource Hierarchy Security
Google Cloud security starts with the resource hierarchy: Organisation > Folder > Project > Resource. IAM allow policies are inherited downward, so a binding on a folder applies to every project and resource beneath it, and the effective policy on a resource is the union of its own bindings and all ancestor bindings; nothing at a lower level can subtract an inherited grant (that needs an IAM deny policy or a change to the hierarchy). Security design principle: grant least-privilege bindings at the lowest level where they are needed. Organisation policies: constraints set at organisation, folder, or project level and inherited by descendants; a descendant may set its own policy for the same constraint, which for boolean constraints replaces the parent's and for list constraints either merges with it (inheritFromParent) or replaces it. Key constraints: constraints/compute.disableSerialPortAccess, constraints/compute.requireOsLogin, constraints/iam.disableServiceAccountKeyCreation, constraints/iam.allowedPolicyMemberDomains (restricts the principals allowed in IAM policies to members of the listed Cloud Identity or Google Workspace customer IDs, of the form C0xxxxxxx; in effect this stops gmail.com and other external accounts, and allUsers, from being granted roles). Essential Contacts: designate contacts for security, legal, and technical notifications at organisation, folder, and project level. Cloud Asset Inventory: export and query all assets and their IAM policies across the organisation; use it for compliance audits and for finding which principals hold which privileges. Policy Troubleshooter: diagnoses why a principal does or does not have a permission by evaluating every applicable IAM policy in the hierarchy for that principal, resource, and permission.
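The inheritance walk and the two checks above, as an added example that is not part of the original notes and not Google's own code: a toy organisation > folder > project > bucket chain with constructed bindings, a Policy Troubleshooter-style lookup of which ancestor binding grants a permission, and an approximation of constraints/iam.allowedPolicyMemberDomains. The role-to-permission table is an abridged subset of the real roles, and the domain check keys on email domains rather than customer IDs (the real constraint uses customer IDs and allows the organisation's own service accounts; here any *.gserviceaccount.com principal is accepted as a simplification).

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed subset of real role -> permission mappings; enough for the walk below.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "storage.buckets.get"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete"},
    "roles/owner": {"storage.objects.get", "storage.objects.create",
                    "storage.objects.delete", "resourcemanager.projects.setIamPolicy"},
}


@dataclass
class Node:
    """One level of the hierarchy: organisation, folder, project or resource."""
    name: str
    parent: Node | None = None
    bindings: dict[str, set[str]] = field(default_factory=dict)  # role -> members

    def ancestry(self):
        """Yield this node and then each ancestor up to the organisation."""
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_bindings(resource: Node) -> dict[str, set[str]]:
    """Allow policies inherit downward: the effective policy is the union of the
    resource's own bindings and every ancestor's. Nothing lower down can remove
    an inherited grant (that is what deny policies are for)."""
    merged: dict[str, set[str]] = {}
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            merged.setdefault(role, set()).update(members)
    return merged


def troubleshoot(resource: Node, principal: str, permission: str) -> list[tuple[str, str]]:
    """Policy Troubleshooter-style answer: the (node, role) pairs in the hierarchy
    that give `principal` the `permission` on `resource`. Empty list means denied."""
    return [
        (node.name, role)
        for node in resource.ancestry()
        for role, members in node.bindings.items()
        if principal in members and permission in ROLE_PERMISSIONS.get(role, set())
    ]


def member_domain(member: str) -> str | None:
    """Domain of an IAM member string; None for allUsers / allAuthenticatedUsers."""
    _, _, ident = member.partition(":")
    return ident.rsplit("@", 1)[-1].lower() if ident else None


def domain_violations(resource: Node, allowed_domains: set[str]) -> list[tuple[str, str, str]]:
    """Approximation of constraints/iam.allowedPolicyMemberDomains over the whole
    ancestry: any public principal, or any member outside the allowed domains
    (service accounts excepted, as a simplification), is a violation."""
    out = []
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            for member in sorted(members):
                dom = member_domain(member)
                if dom is None or (dom not in allowed_domains
                                   and not dom.endswith(".gserviceaccount.com")):
                    out.append((node.name, role, member))
    return out


# Constructed hierarchy: organisation -> folder -> project -> bucket.
ORG = Node("organizations/123456789012",
           bindings={"roles/viewer": {"group:auditors@example.com"}})
FOLDER = Node("folders/prod", ORG,
              bindings={"roles/storage.objectAdmin": {"user:alice@example.com"}})
PROJECT = Node("projects/payments-prod", FOLDER,
               bindings={"roles/owner": {"user:bob@gmail.com"},
                         "roles/viewer": {"allUsers"}})
BUCKET = Node("projects/_/buckets/cardholder-data", PROJECT)

if __name__ == "__main__":
    print(troubleshoot(BUCKET, "user:alice@example.com", "storage.objects.delete"))
    print(domain_violations(BUCKET, {"example.com"}))
```

Running it shows that alice can delete objects in the bucket only because of the folder-level binding, that the auditors group cannot, and that the project carries two bindings the domain constraint would have refused: an owner grant to a gmail.com account and a viewer grant to allUsers.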
Data Protection and Encryption
Google Cloud encrypts all data at rest and in transit by default. Encryption hierarchy (envelope encryption): each chunk of data is encrypted with a Data Encryption Key (DEK); the DEK is stored next to the data, wrapped by a Key Encryption Key (KEK) held in Cloud KMS; reading the data means unwrapping the DEK with the KEK first. Google-managed keys: the KEK is created, rotated and held by Google. CMEK (Customer-Managed Encryption Keys): the KEK is a Cloud KMS key in your project, so you control its IAM, rotation and lifecycle. Disabling a key version stops every service that depends on it from decrypting until it is re-enabled; destroying it makes every DEK wrapped by it, and therefore the data, permanently unreadable (crypto-shredding); removing the service agent's cloudkms.cryptoKeyEncrypterDecrypter role has the same blocking effect for that one service. CSEK (Customer-Supplied Encryption Keys): you pass the raw AES-256 key with each API call; Google uses it in memory and retains only a hash of it, never the key. Supported only by Compute Engine disks and Cloud Storage objects; highest control, highest management burden, and a lost key is lost data. Cloud HSM: FIPS 140-2 Level 3 validated hardware security modules backing Cloud KMS keys created with the HSM protection level. Cloud EKM (External Key Manager): the KEK lives outside Google, in an on-premises HSM or a supported third-party key manager; Google never receives the key material and instead performs every wrap and unwrap of a DEK by calling out to the external manager, so revoking or losing the external key cuts off access immediately. This is the option for the most stringent data-sovereignty and regulatory requirements. Data classification with the DLP API (Cloud Data Loss Prevention, now Sensitive Data Protection): detects and classifies sensitive data (PII, payment card data, credentials) in text, images, and structured data, and de-identifies it by redacting, masking, or tokenising sensitive fields before the data is stored or shared.
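The DEK/KEK hierarchy and the disable-versus-destroy distinction, as an added example that is not from the original notes and not Cloud KMS code. `KeyManager` stands in for whatever holds the KEK (Cloud KMS for CMEK, Cloud HSM behind it, or an external manager for EKM): it only ever wraps and unwraps DEKs and never hands out the KEK. Because the standard library has no AES, the cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, a toy stand-in for AES-256-GCM; the key resource name and the sample object are constructed.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Derive separate confidentiality and integrity keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyManager:
    """Holder of the KEK. Only wrap/unwrap of DEKs crosses its boundary."""

    def __init__(self) -> None:
        self._keys: dict[str, list] = {}  # name -> [kek bytes or None, state]

    def create_key(self, name: str) -> str:
        self._keys[name] = [secrets.token_bytes(32), "ENABLED"]
        return name

    def set_state(self, name: str, state: str) -> None:
        entry = self._keys[name]
        if entry[1] == "DESTROYED":
            raise ValueError("destroyed key material cannot be restored")
        if state == "DESTROYED":
            entry[0] = None  # key material gone: every DEK wrapped by it is unrecoverable
        entry[1] = state

    def _usable(self, name: str) -> bytes:
        kek, state = self._keys[name]
        if state != "ENABLED":
            raise PermissionError(f"{name} is {state}")
        return kek

    def wrap(self, name: str, dek: bytes) -> bytes:
        return aead_encrypt(self._usable(name), dek)

    def unwrap(self, name: str, wrapped_dek: bytes) -> bytes:
        return aead_decrypt(self._usable(name), wrapped_dek)


class Bucket:
    """Storage service doing envelope encryption: a fresh DEK per object, kept
    only in wrapped form beside the ciphertext."""

    def __init__(self, kms: KeyManager, kek_name: str) -> None:
        self.kms, self.kek_name, self.objects = kms, kek_name, {}

    def put(self, name: str, data: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.objects[name] = (self.kms.wrap(self.kek_name, dek), aead_encrypt(dek, data))
        # the plaintext DEK goes out of scope here; only the wrapped copy persists

    def get(self, name: str) -> bytes:
        wrapped_dek, ct = self.objects[name]
        return aead_decrypt(self.kms.unwrap(self.kek_name, wrapped_dek), ct)


def lifecycle_demo() -> dict:
    """Disable the KEK (access stops, reversible), re-enable, then destroy (crypto-shredding)."""
    kms = KeyManager()
    kek = kms.create_key("projects/p/locations/us/keyRings/kr/cryptoKeys/cmek")
    bucket = Bucket(kms, kek)
    bucket.put("pan.csv", b"4111111111111111")  # constructed sample object
    result = {"before": bucket.get("pan.csv")}
    for state in ("DISABLED", "ENABLED", "DESTROYED"):
        kms.set_state(kek, state)
        try:
            result[state] = bucket.get("pan.csv")
        except PermissionError as exc:
            result[state] = str(exc)
    return result


if __name__ == "__main__":
    for state, outcome in lifecycle_demo().items():
        print(state, outcome)
```

The same structure explains the three options in the notes: with CMEK and EKM the `Bucket` never sees the KEK and every read is one `unwrap` call to the key holder, which is exactly the call that stops when the key is disabled, destroyed, or (for EKM) unreachable; with CSEK the caller would pass the KEK in with each request instead of naming it, and the service would keep nothing but its hash.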
Network Security and VPC Service Controls
PCSE network security: VPC Service Controls create a service perimeter around Google Cloud projects and the APIs they use; calls to BigQuery, Cloud Storage and other restricted services from outside the perimeter are rejected even with valid credentials and IAM roles, and data cannot be copied from a project inside the perimeter to a bucket or dataset outside it. This blocks exfiltration through stolen credentials or by an insider with legitimate access. Ingress and egress rules open deliberate holes in the perimeter, conditioned on access levels defined in Access Context Manager (source IP range, device posture, user identity); the same access levels are reused by Identity-Aware Proxy (IAP) for context-aware access to applications. Cloud Armor: DDoS protection and WAF at the Google network edge in front of external load balancers; a security policy is an ordered list of rules (IP allow/deny, geo-blocking, pre-configured OWASP CRS rules for SQL injection, XSS and similar, rate limiting with ban, custom rules in the CEL-based rules language) evaluated by priority and ending in a default rule. Cloud Armor Adaptive Protection: machine learning baselines the traffic to each backend, flags anomalous Layer 7 patterns during an attack and suggests a mitigating rule that can be applied manually or deployed automatically. Private Google Access: VMs with only internal IPs reach Google APIs over Google's network, with no public IP and no NAT. Private Service Connect: a private endpoint IP inside your VPC for Google APIs or for a producer's published service, with its own DNS name and firewall control; it complements Private Google Access where you want a dedicated, controllable endpoint rather than replacing it. Cloud NAT: managed outbound internet access for VMs without external IPs; it never accepts inbound connections.
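The perimeter semantics above, as an added example that is not from the original notes and not Google's enforcement code: a constructed perimeter around one project with two restricted services, one access level (corporate IP range plus a device-posture flag) and one ingress rule for a named user. `evaluate` assumes IAM would allow every request; the point is which of them the perimeter still refuses, including one made with a stolen service account key from outside Google Cloud.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    principal: str                 # "user:..." or "serviceAccount:..."
    source_ip: str
    source_project: str | None     # project of a calling VM or job; None from outside Google Cloud
    target_project: str
    service: str                   # e.g. "storage.googleapis.com"
    corp_device: bool = False      # device-posture signal (endpoint verification)


@dataclass
class AccessLevel:
    """Access Context Manager access level: every listed condition must hold."""
    name: str
    ip_subnets: list[str] = field(default_factory=list)
    members: set[str] = field(default_factory=set)
    require_corp_device: bool = False

    def satisfied_by(self, req: Request) -> bool:
        ip = ipaddress.ip_address(req.source_ip)
        if self.ip_subnets and not any(ip in ipaddress.ip_network(c) for c in self.ip_subnets):
            return False
        if self.members and req.principal not in self.members:
            return False
        return not self.require_corp_device or req.corp_device


@dataclass
class IngressRule:
    access_levels: list[str]   # any one satisfied is enough
    identities: set[str]
    services: set[str]         # {"*"} means every restricted service


@dataclass
class Perimeter:
    projects: set[str]
    restricted_services: set[str]
    ingress: list[IngressRule] = field(default_factory=list)


def evaluate(p: Perimeter, levels: dict[str, AccessLevel], req: Request) -> tuple[bool, str]:
    """Perimeter decision only; IAM is evaluated separately and assumed to allow."""
    if req.target_project not in p.projects or req.service not in p.restricted_services:
        return True, "outside perimeter scope; IAM alone decides"
    if req.source_project in p.projects:
        return True, "caller is inside the perimeter"
    for idx, rule in enumerate(p.ingress):
        if rule.services != {"*"} and req.service not in rule.services:
            continue
        if req.principal not in rule.identities:
            continue
        if any(levels[name].satisfied_by(req) for name in rule.access_levels):
            return True, f"ingress rule {idx} matched via access level"
    return False, "perimeter violation: blocked regardless of the caller's IAM grants"


# Constructed configuration (documentation address ranges, fictitious project and identities).
LEVELS = {"corp_network": AccessLevel("corp_network", ip_subnets=["203.0.113.0/24"],
                                      require_corp_device=True)}
PERIMETER = Perimeter(
    projects={"payments-prod"},
    restricted_services={"storage.googleapis.com", "bigquery.googleapis.com"},
    ingress=[IngressRule(access_levels=["corp_network"],
                         identities={"user:alice@example.com"}, services={"*"})],
)

SCENARIOS = {
    "alice_from_office": Request("user:alice@example.com", "203.0.113.10", None,
                                 "payments-prod", "storage.googleapis.com", corp_device=True),
    "alice_from_home": Request("user:alice@example.com", "198.51.100.7", None,
                               "payments-prod", "storage.googleapis.com", corp_device=True),
    "stolen_sa_key": Request("serviceAccount:etl@payments-prod.iam.gserviceaccount.com",
                             "198.51.100.7", None, "payments-prod", "bigquery.googleapis.com"),
    "in_perimeter_job": Request("serviceAccount:etl@payments-prod.iam.gserviceaccount.com",
                                "10.0.0.5", "payments-prod", "payments-prod",
                                "bigquery.googleapis.com"),
    "unrestricted_api": Request("user:alice@example.com", "198.51.100.7", None,
                                "payments-prod", "compute.googleapis.com"),
}


def decide_all() -> dict[str, bool]:
    return {name: evaluate(PERIMETER, LEVELS, req)[0] for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print(name, evaluate(PERIMETER, LEVELS, req))
```

Two results are the ones to remember for the exam and for design reviews: the service account key works from inside the perimeter and is useless from outside it, and an API that is not in the restricted list (here compute.googleapis.com) is not protected by the perimeter at all, which is why the restricted-services list should be as wide as the workload allows.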
Security Operations: Logging, Monitoring, and Chronicle
PCSE security operations. Cloud Audit Logs: Admin Activity logs (always on, cannot be disabled; record every API call that changes configuration or metadata; kept 400 days in the _Required bucket), Data Access logs (off by default for every service except BigQuery and must be enabled per service; record reads and writes of user data; high volume, 30-day default retention in the _Default bucket), System Event logs (actions Google Cloud takes on your resources, such as live migration), Policy Denied logs (requests denied by a security policy, in practice VPC Service Controls perimeter violations). Log routing: Cloud Logging sinks, with inclusion and exclusion filters, route entries to Cloud Storage (cheap long-term retention), BigQuery (SQL analysis), Pub/Sub (real-time streaming to an external SIEM), or another Logging bucket; aggregated sinks at organisation or folder level capture every child project, so attackers cannot escape them by working in a project they control. Chronicle (now Google Security Operations): petabyte-scale security telemetry ingestion with direct Cloud Logging ingestion; events are normalised into UDM (Unified Data Model), detections are written in YARA-L, and a new rule can be run retroactively against historical data. Security Command Center (SCC): unified security posture management; threat findings from Event Threat Detection (near-real-time detection from Cloud Logging of crypto mining, data exfiltration, anomalous IAM grants and privilege escalation), vulnerability findings from Security Health Analytics (misconfigurations such as public buckets, overly permissive IAM, default networks, unrotated keys), and Web Security Scanner (crawls deployed App Engine, GKE and Compute Engine web applications for OWASP Top 10 classes such as XSS and mixed content).
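Detection logic of the Event Threat Detection kind run over Admin Activity entries, as an added example that is not from the original notes and not Google's detectors: a Pub/Sub consumer on a log sink would receive entries in this JSON shape. The five sample entries are constructed (abridged Cloud Audit Logs fields, fictitious project and identities), the allowed domain is an assumption, and the rule names are my own; the method names and the protoPayload.serviceData.policyDelta.bindingDeltas path are the real ones for IAM policy changes.

```python
from __future__ import annotations
import json

ALLOWED_DOMAINS = {"example.com"}   # assumption: the organisation's Workspace domain
SENSITIVE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin",
                   "roles/resourcemanager.organizationAdmin"}

ACTIVITY_LOG = "projects/payments-prod/logs/cloudaudit.googleapis.com%2Factivity"

# Constructed Admin Activity entries (abridged Cloud Audit Logs shape; not real logs).
SAMPLE_ENTRIES = [json.dumps(e) for e in [
    {"logName": ACTIVITY_LOG, "protoPayload": {
        "methodName": "SetIamPolicy", "serviceName": "cloudresourcemanager.googleapis.com",
        "resourceName": "projects/payments-prod",
        "authenticationInfo": {"principalEmail": "bob@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"}]}}}},
    {"logName": ACTIVITY_LOG, "protoPayload": {
        "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
        "serviceName": "iam.googleapis.com",
        "resourceName": "projects/-/serviceAccounts/etl@payments-prod.iam.gserviceaccount.com",
        "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"logName": ACTIVITY_LOG, "protoPayload": {
        "methodName": "SetIamPolicy", "serviceName": "cloudresourcemanager.googleapis.com",
        "resourceName": "projects/payments-prod",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "serviceData": {"policyDelta": {"bindingDeltas": [
            {"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"}]}}}},
    {"logName": ACTIVITY_LOG, "protoPayload": {
        "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink",
        "serviceName": "logging.googleapis.com",
        "resourceName": "projects/payments-prod/sinks/to-siem",
        "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"logName": ACTIVITY_LOG, "protoPayload": {
        "methodName": "v1.compute.instances.insert", "serviceName": "compute.googleapis.com",
        "resourceName": "projects/payments-prod/zones/us-central1-a/instances/web-1",
        "authenticationInfo": {"principalEmail": "alice@example.com"}}},
]]


def member_domain(member: str) -> str | None:
    """Email domain of an IAM member ('user:', 'group:', 'serviceAccount:'); None for allUsers."""
    _, _, ident = member.partition(":")
    return ident.rsplit("@", 1)[-1].lower() if ident else None


def is_internal(member: str) -> bool:
    """Simplification: in-org domains plus any service account count as internal."""
    dom = member_domain(member)
    return dom is not None and (dom in ALLOWED_DOMAINS or dom.endswith(".gserviceaccount.com"))


def detect(entry: dict) -> list[dict]:
    """Zero or more findings for one Admin Activity entry."""
    pl = entry.get("protoPayload", {})
    base = {"actor": pl.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "target": pl.get("resourceName", ""), "method": pl.get("methodName", "")}
    findings = []
    if base["method"].endswith("SetIamPolicy"):
        deltas = pl.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") != "ADD":
                continue
            if not is_internal(d["member"]):
                findings.append({**base, "rule": "iam_grant_to_external_principal",
                                 "member": d["member"], "role": d["role"]})
            if d["role"] in SENSITIVE_ROLES:
                findings.append({**base, "rule": "iam_sensitive_role_granted",
                                 "member": d["member"], "role": d["role"]})
    elif base["method"].endswith("CreateServiceAccountKey"):
        findings.append({**base, "rule": "service_account_key_created"})
    elif base["method"].endswith("ConfigServiceV2.DeleteSink"):
        findings.append({**base, "rule": "log_sink_deleted"})  # defence evasion: SIEM feed cut
    return findings


def run(lines: list[str]) -> list[dict]:
    """Apply the detectors to newline-delimited JSON entries, as a Pub/Sub consumer would."""
    findings = []
    for line in lines:
        findings.extend(detect(json.loads(line)))
    return findings


if __name__ == "__main__":
    for f in run(SAMPLE_ENTRIES):
        print(f["rule"], f["actor"], "->", f.get("member", f["target"]))
```

The owner grant to a gmail.com account fires twice (external principal, sensitive role), the key creation and sink deletion fire once each, and the viewer grant to an in-org group and the instance creation produce nothing. The first two would also be blocked outright by the allowedPolicyMemberDomains and disableServiceAccountKeyCreation constraints from the first section; the detector is the compensating control for where those are not enforced, and the sink-deletion rule is why the sink should live at the organisation level rather than in the project the attacker controls.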