
Google Cloud Security Engineer Cert: Study Approach

Study guide for the Google Cloud Professional Security Engineer exam: IAM, VPC security, Cloud KMS, SCC, DLP, compliance, and a 10-week prep strategy.


What does the Google Cloud Professional Security Engineer exam cover?

The Professional Cloud Security Engineer exam tests your ability to configure and manage GCP security controls, design secure infrastructure, manage identity and access, protect data, and respond to security events. It covers IAM, VPC security, Cloud KMS, Security Command Center, data loss prevention, network security, and compliance frameworks relevant to regulated industries.


The Google Cloud Professional Cloud Security Engineer certification is one of the more specialized credentials in the GCP portfolio, targeting cloud engineers whose primary responsibility is securing GCP infrastructure and data. As organizations run increasingly sensitive workloads on public cloud, demand for certified cloud security engineers has grown sharply. According to the 2025 (ISC)2 Cybersecurity Workforce Study, cloud security is the single most cited skills gap among enterprise security teams globally [1].

This guide covers all exam domains, the specific GCP services and features you must master, a study approach calibrated to the difficulty of this exam, and guidance on the fine distinctions between similar security controls that the exam uses to test nuanced understanding. Sources include Google's official security engineer exam guide [2], the Security Command Center documentation [3], NIST SP 800-53 [4], and Tutorials Dojo's security engineer practice exam analysis [5].

Exam Overview

Attribute | Detail
----------|-------
Exam cost | $200 USD
Exam duration | 120 minutes
Number of questions | 50-60 multiple-choice and multiple-select
Validity period | 2 years
Delivery | Remote proctored or test center
Prerequisites | None (Google recommends 3+ years of industry experience including 1+ year designing and managing solutions on Google Cloud)
Difficulty | High; ranks among the harder GCP professional exams

This exam is most accessible to candidates with a background in security engineering, network security, or identity management. Candidates from a pure development or infrastructure background should invest additional time in cloud security fundamentals before beginning the GCP-specific study phase.

Exam Domains

Domain | Title | Approximate weight
-------|-------|-------------------
1 | Configuring access within a cloud solution environment | 27%
2 | Configuring network security | 21%
3 | Ensuring data protection | 20%
4 | Managing operations | 22%
5 | Supporting compliance requirements | 10%

Domain 1: Configuring Access Within a Cloud Solution Environment (27%)

The highest-weighted domain covers Identity and Access Management in depth. This goes significantly beyond the IAM coverage in the ACE or PCA exams.

Resource Hierarchy and IAM Inheritance

GCP's resource hierarchy is Organization > Folder > Project > Resource. Allow policies set at one level are inherited by everything below it. Key rules:

  • A role granted at the organization level applies to every resource in every project in the organization; nothing at a lower level can remove an inherited allow binding
  • The effective allow policy for a resource is the union of its own policy and every ancestor's policy
  • Deny policies are evaluated before allow policies and win over any allow binding at any level; they can be attached to organizations, folders, and projects, and a deny rule can list exception principals that are exempt from it

Understanding IAM Deny policies is critical for this exam. Deny policies were introduced to allow explicit blocking of specific principals from specific permissions, overcoming the limitation that an allow policy lower in the hierarchy cannot take away a permission granted higher up.
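The inheritance and deny rules above, as an added example (not code from Google or from this guide): a short Python model that resolves one permission against a constructed organization/folder/project hierarchy. The role contents, principal names and the simplified deny-permission names are assumptions made for the illustration.

```python
"""Model of Google Cloud IAM evaluation across the resource hierarchy.

Added example, not code from Google or this page: a local simulation of
how an effective permission is resolved. Allow bindings inherit downward
and the effective allow set is the union of every ancestor's bindings;
deny policies are checked first, win over any allow binding at any level,
and may list exception principals. ROLE_PERMISSIONS is a constructed
subset of the real predefined roles; deny permission names are simplified.
"""
from dataclasses import dataclass, field

# Constructed subset: real role names, but only the permissions used here.
ROLE_PERMISSIONS = {
    "roles/viewer": {"storage.objects.get", "storage.buckets.get"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete"},
    "roles/owner": {"storage.objects.get", "storage.objects.create",
                    "storage.objects.delete", "iam.serviceAccountKeys.create"},
}


@dataclass
class DenyRule:
    principals: set                                  # e.g. {"group:devs@example.com"}
    permissions: set                                 # permissions to deny
    exceptions: set = field(default_factory=set)     # principals exempt from the rule


@dataclass
class Node:
    """An organization, folder or project with its own allow and deny policies."""
    name: str
    parent: "Node | None" = None
    allow: dict = field(default_factory=dict)        # principal -> set of roles
    deny: list = field(default_factory=list)         # list of DenyRule

    def ancestry(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


def principals_for(user: str, groups: set) -> set:
    """All principal identifiers a user appears as (direct plus group memberships)."""
    return {f"user:{user}"} | {f"group:{g}" for g in groups}


def check(node: Node, user: str, groups: set, permission: str) -> str:
    """Return 'DENIED', 'ALLOWED' or 'NO_BINDING' for one permission on node."""
    who = principals_for(user, groups)
    # 1. Deny policies on the resource or any ancestor are evaluated first and win.
    for n in node.ancestry():
        for rule in n.deny:
            if permission in rule.permissions and who & rule.principals \
                    and not who & rule.exceptions:
                return "DENIED"
    # 2. Otherwise the allow set is the union of all bindings up the hierarchy.
    for n in node.ancestry():
        for principal, roles in n.allow.items():
            if principal in who and any(permission in ROLE_PERMISSIONS.get(r, ()) for r in roles):
                return "ALLOWED"
    return "NO_BINDING"


# Constructed hierarchy: organization -> folder -> project.
org = Node("organizations/123456", allow={"group:sec-admins@example.com": {"roles/owner"}})
folder = Node("folders/prod", parent=org,
              allow={"group:devs@example.com": {"roles/viewer"}},
              deny=[DenyRule(principals={"group:devs@example.com"},
                             permissions={"storage.objects.delete"},
                             exceptions={"user:lead@example.com"})])
project = Node("projects/payments", parent=folder,
               allow={"user:dev@example.com": {"roles/storage.objectAdmin"},
                      "user:lead@example.com": {"roles/storage.objectAdmin"}})

if __name__ == "__main__":
    devs = {"devs@example.com"}
    print(check(project, "dev@example.com", devs, "storage.objects.get"))      # ALLOWED: viewer inherited from folder
    print(check(project, "dev@example.com", devs, "storage.objects.delete"))   # DENIED: folder deny beats project objectAdmin
    print(check(project, "lead@example.com", devs, "storage.objects.delete"))  # ALLOWED: listed as an exception principal
    print(check(project, "admin@example.com", {"sec-admins@example.com"},
                "iam.serviceAccountKeys.create"))                              # ALLOWED: owner at organization level
```

The second call is the case the exam tests: the developer holds roles/storage.objectAdmin directly on the project, yet the folder-level deny policy wins; the lead, listed as an exception principal, keeps the permission.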

Service Account Security

Service accounts are a frequent exam focus. Key concepts:

  • Service account impersonation: a human (or another service account) obtains short-lived credentials for a service account without downloading a key file; this requires roles/iam.serviceAccountTokenCreator (permission iam.serviceAccounts.getAccessToken) on the target account. Do not confuse it with iam.serviceAccounts.actAs (the Service Account User role), which lets a principal attach a service account to a resource such as a VM, Cloud Run service, or Cloud Build trigger
  • Workload Identity Federation: the recommended alternative to service account keys for external workloads (GitHub Actions, AWS Lambda, on-premises systems) connecting to GCP; the external identity provider's token is exchanged for a short-lived Google credential, so there is no long-lived key to manage
  • Service account key rotation: when user-managed keys are unavoidable, automate rotation and audit key age with Security Command Center's Security Health Analytics findings (unrotated and unused keys)
  • Constraining service account usage with organization policies: iam.disableServiceAccountCreation, iam.disableServiceAccountKeyCreation, and iam.disableServiceAccountKeyUpload

"Service account keys represent one of the most significant security risks in GCP environments. The Professional Security Engineer exam consistently tests candidates on how to eliminate key usage in favor of Workload Identity Federation and short-lived tokens." -- Google Cloud IAM documentation [6]

Groups and Directory Integration

  • Cloud Identity: Google's managed identity service for creating users and groups without requiring Google Workspace
  • Workforce Identity Federation: allows enterprise users from external identity providers (Okta, Azure AD, Active Directory via SAML/OIDC) to authenticate to GCP without creating Cloud Identity accounts
  • Google Groups for IAM: assigning roles to groups rather than individuals is both a security best practice and a scalability requirement; direct user bindings do not scale in large organizations

Organization Policy Constraints

Organization Policy Service allows defining constraints that restrict resource configuration across the organization:

Constraint | Effect
-----------|-------
compute.vmExternalIpAccess | Restricts which VMs can have external IP addresses
compute.requireShieldedVm | Requires all new VMs to use Shielded VM configuration
iam.disableServiceAccountKeyCreation | Prevents creation of user-managed service account keys
iam.allowedPolicyMemberDomains | Restricts IAM bindings to identities from specified Cloud Identity or Workspace customer IDs (domain restricted sharing; note it takes customer IDs, not domain names)
storage.publicAccessPrevention | Prevents Cloud Storage buckets and objects from being granted to allUsers or allAuthenticatedUsers
gcp.resourceLocations | Restricts which regions can be used for resource creation

Domain 2: Configuring Network Security (21%)

Network security architecture is the second-largest domain. It tests both conceptual design and specific configuration knowledge.

VPC Security Architecture

  • Shared VPC: centralizes network management in a host project while allowing service projects to use the shared network. Network admin roles stay in the host project; this prevents individual teams from misconfiguring firewall rules.
  • VPC Peering: connects two VPCs without a shared hub. Peering is non-transitive: if VPC A peers with VPC B and VPC B peers with VPC C, VPC A cannot reach VPC C through VPC B.
  • Private Google Access: allows VM instances without external IPs to reach Google APIs and services (BigQuery, Cloud Storage) over Google's internal network
  • Private Service Connect: exposes Google APIs and producer services (Google-managed or third-party) as endpoints with internal IP addresses inside your VPC; producer and consumer networks are not peered, so it avoids the overlapping-range and transitivity problems of the older VPC-peering-based private services access pattern

Firewall Rules and Policies

VPC firewall rules are stateful, defined per VPC network, and enforced at each VM (a rule applies to the instances selected by its target tags or target service accounts). Key concepts:

  • Rules are evaluated by priority (0 to 65535; lower number = higher priority); the highest-priority matching rule decides, and if two rules share a priority a deny beats an allow
  • Implied rules: every VPC has an implied allow-all egress rule and an implied deny-all ingress rule, both at priority 65535, so any explicit rule overrides them
  • Hierarchical firewall policies attach to organizations or folders; network firewall policies (global or regional) attach to a VPC network. The default evaluation order is organization policy, then folder policies, then the global network firewall policy, then regional network firewall policies, then VPC firewall rules, then the implied rules; a goto_next action (or no match) passes evaluation to the next level, and a deny higher up cannot be undone below
  • Firewall rule logging: enables per-rule logging of allowed or denied connections to Cloud Logging for security auditing
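To make the evaluation order concrete, here is an added Python simulation (not Google's code): it walks an ingress packet through the organization policy, the folder policy, the network firewall policy, the VPC rules and the implied rule, in the default order. The policies, addresses and ports are constructed; 35.235.240.0/20 is the published IAP TCP forwarding range.

```python
"""Simulation of Google Cloud firewall evaluation order for one VM.

Added example, not Google's code: models how an ingress packet is
checked against the hierarchical firewall policy at the organization,
then at the folder, then the network firewall policy, then VPC firewall
rules, and finally the implied deny-all ingress rule (the default order;
the network-policy and VPC-rule steps can be swapped per network).
Within a layer the lowest priority number that matches decides;
'goto_next' or no match hands evaluation to the next layer. Rule fields
are reduced to what the simulation needs; stateful return traffic is
out of scope.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                  # "allow", "deny" or "goto_next"
    protocol: str = "all"        # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()            # () means any port
    sources: tuple = ("0.0.0.0/0",)


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str
    port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol not in ("all", pkt.protocol):
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(cidr) for cidr in rule.sources)


def evaluate_layer(rules, pkt):
    """Highest-priority (lowest number) rule in one layer that matches, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule
    return None


IMPLIED_DENY_INGRESS = Rule(priority=65535, action="deny")


def evaluate_ingress(layers, pkt) -> tuple:
    """layers: ordered [(layer_name, rules)]. Returns (deciding_layer, action)."""
    for name, rules in layers:
        rule = evaluate_layer(rules, pkt)
        if rule is None or rule.action == "goto_next":
            continue                          # fall through to the next layer
        return name, rule.action
    return "implied", IMPLIED_DENY_INGRESS.action


# Constructed policies. The organization allows SSH only from the IAP TCP
# forwarding range and denies it from everywhere else; nothing below can undo that.
ORG_POLICY = [
    Rule(priority=90, action="allow", protocol="tcp", ports=(22,), sources=("35.235.240.0/20",)),
    Rule(priority=100, action="deny", protocol="tcp", ports=(22,)),
    Rule(priority=200, action="goto_next"),
]
FOLDER_POLICY = [
    Rule(priority=50, action="allow", protocol="tcp", ports=(443,)),
]
NETWORK_POLICY = [
    # Never takes effect for port 22: the org deny at priority 100 is evaluated first.
    Rule(priority=1000, action="allow", protocol="tcp", ports=(22,), sources=("10.0.0.0/8",)),
]
VPC_RULES = [
    Rule(priority=1000, action="allow", protocol="tcp", ports=(8080,), sources=("10.0.0.0/8",)),
]
LAYERS = [("org", ORG_POLICY), ("folder", FOLDER_POLICY),
          ("network", NETWORK_POLICY), ("vpc", VPC_RULES)]


def decide(src: str, protocol: str, port: int) -> tuple:
    return evaluate_ingress(LAYERS, Packet(src, protocol, port))


if __name__ == "__main__":
    for args in [("35.235.240.5", "tcp", 22), ("10.1.2.3", "tcp", 22),
                 ("203.0.113.9", "tcp", 443), ("10.2.3.4", "tcp", 8080),
                 ("198.51.100.7", "tcp", 8080)]:
        print(args, "->", decide(*args))
```

The instructive case is SSH from 10.1.2.3: the network firewall policy allows it, but the organization-level deny at priority 100 is evaluated first, so the lower layer never sees the packet. That is exactly what hierarchical policies are for, and also the usual cause of "my firewall rule does nothing" tickets.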

Cloud Armor

Cloud Armor is GCP's managed DDoS protection and Web Application Firewall (WAF) service:

  • Attaches as a security policy to backend services of the external Application Load Balancer (Layer 7); network edge security policies extend Layer 3/4 filtering to external passthrough Network Load Balancers and VMs with public IPs
  • Security policies contain ordered rules (lower priority number evaluated first) with allow, deny, redirect, throttle, or rate-based-ban actions, matched on IP ranges, geolocation, or custom CEL expressions
  • Pre-configured WAF rules derived from the OWASP ModSecurity Core Rule Set (SQL injection, XSS, LFI, RFI, RCE, protocol attacks) with adjustable sensitivity levels; start them in preview mode to measure false positives before enforcing
  • Adaptive Protection: machine learning-based DDoS detection that auto-generates mitigation rules during attacks
  • Bot Management: reCAPTCHA integration for distinguishing humans from automated traffic

Cloud Interconnect and VPN Security

  • Cloud VPN: encrypted IPsec tunnels over the public internet; HA VPN provides a 99.99% availability SLA with two interfaces; each tunnel carries up to 3 Gbps, so scale with multiple tunnels and ECMP
  • Cloud Interconnect: Dedicated Interconnect (your own cross-connect at a colocation facility) or Partner Interconnect (via a service provider); traffic does not traverse the public internet but is not encrypted by default
  • Encrypting Interconnect traffic: MACsec for Cloud Interconnect provides Layer 2 encryption on the link for Dedicated Interconnect; HA VPN over Cloud Interconnect adds IPsec on top of either type where the private link itself must carry only encrypted traffic

Domain 3: Ensuring Data Protection (20%)

Cloud Key Management Service (KMS)

Cloud KMS is Google's managed encryption key service. Key concepts:

  • Key ring: a container for keys in a specific location; cannot be deleted
  • CryptoKey: the encryption key; supports multiple key versions
  • Key rotation: automatic rotation generates new key version on a schedule; older versions continue to decrypt data encrypted with them but new data uses the latest version
  • CMEK (Customer-Managed Encryption Keys): a supported Google Cloud service encrypts your data with a Cloud KMS key you own; the service's service agent must hold roles/cloudkms.cryptoKeyEncrypterDecrypter on the key. Disabling the key version or revoking that binding makes the data unreadable to the service (crypto-shredding), which is the control the exam and regulators care about
  • CSEK (Customer-Supplied Encryption Keys): you supply the raw AES-256 key with each request; Google holds it only in memory to serve the request and never stores it; supported only by Cloud Storage and Compute Engine disks, and losing the key means losing the data
  • Cloud HSM: keys generated and held in FIPS 140-2 Level 3 validated HSMs, selected with protection level HSM at key creation; Cloud External Key Manager (EKM) goes further and keeps the key material outside Google entirely
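An added Python model of the key-version behaviour described above (not the Cloud KMS API and not Google's code): the key resource name is made up, and the cipher is an HMAC-based counter-mode keystream standing in for AES-GCM, so the code demonstrates version handling, not a production cipher.

```python
"""Key-version semantics of Cloud KMS, simulated locally.

Added example, not Google's code or the Cloud KMS API: a CryptoKey holds
numbered versions; encrypt always uses the primary version and stamps the
version number into the ciphertext; decrypt looks that version up, so
rotation never breaks old ciphertexts; disabling or destroying a version
makes everything encrypted under it unrecoverable, which is the control
behind "revoke the CMEK key". The cipher is a constructed HMAC-SHA256
counter-mode keystream standing in for AES-256-GCM: it illustrates key
handling only and carries no authentication tag.
"""
import hashlib
import hmac
import os
import struct


class KeyVersionUnavailable(Exception):
    """Raised when the version a ciphertext needs is disabled or destroyed."""


class CryptoKey:
    def __init__(self, name: str):
        self.name = name
        self.versions = {}        # version number -> [key bytes or None, state]
        self.primary = None
        self.rotate()             # a new key starts with version 1 as primary

    def rotate(self) -> int:
        """Create a new version and make it primary (manual or scheduled rotation)."""
        new = max(self.versions, default=0) + 1
        self.versions[new] = [os.urandom(32), "ENABLED"]
        self.primary = new
        return new

    def disable(self, version: int) -> None:
        self.versions[version][1] = "DISABLED"      # reversible in KMS

    def destroy(self, version: int) -> None:
        # KMS schedules destruction (24 hours to 120 days); here it is immediate.
        self.versions[version] = [None, "DESTROYED"]

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def encrypt(self, plaintext: bytes) -> bytes:
        key, state = self.versions[self.primary]
        if state != "ENABLED":
            raise KeyVersionUnavailable(f"primary version {self.primary} is {state}")
        nonce = os.urandom(12)
        stream = self._keystream(key, nonce, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
        # Version prefix lets decrypt find the right key after any number of rotations.
        return struct.pack(">I", self.primary) + nonce + ciphertext

    def decrypt(self, blob: bytes) -> bytes:
        version = struct.unpack(">I", blob[:4])[0]
        nonce, ciphertext = blob[4:16], blob[16:]
        key, state = self.versions[version]
        if state != "ENABLED":
            raise KeyVersionUnavailable(f"version {version} is {state}")
        stream = self._keystream(key, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream))


def can_decrypt(key: CryptoKey, blob: bytes) -> bool:
    """True if the key still has an enabled version for this ciphertext."""
    try:
        key.decrypt(blob)
        return True
    except KeyVersionUnavailable:
        return False


if __name__ == "__main__":
    key = CryptoKey("projects/p/locations/us/keyRings/kr/cryptoKeys/orders")   # made-up name
    old = key.encrypt(b"card-on-file record")
    key.rotate()                                           # version 2 becomes primary
    new = key.encrypt(b"new record")
    print(can_decrypt(key, old), can_decrypt(key, new))    # True True: old version still decrypts
    key.disable(1)                                         # revoke the version old data depends on
    print(can_decrypt(key, old), can_decrypt(key, new))    # False True: crypto-shredded
```

The sequence mirrors the CMEK revocation story: after rotation, old ciphertexts still open because decrypt reads the version prefix; once version 1 is disabled they do not, while version 2 data is untouched. In Cloud KMS destruction is scheduled rather than immediate, and a service holding CMEK-protected data loses access the next time it needs the key, not at the instant of revocation.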

Data Loss Prevention (Cloud DLP)

Cloud DLP (now branded Sensitive Data Protection; the exam still says DLP) identifies, classifies, and optionally transforms sensitive data:

  • 150+ built-in infoTypes such as CREDIT_CARD_NUMBER, US_SOCIAL_SECURITY_NUMBER, and EMAIL_ADDRESS, plus custom infoTypes (regex, dictionary, stored); every finding carries a likelihood from POSSIBLE to VERY_LIKELY that you can threshold on
  • Inspection: on-demand content inspection through the API, or storage inspection jobs over Cloud Storage, BigQuery, or Datastore
  • De-identification transformations: character masking, redaction, bucketing, date shifting, and pseudonymization with format-preserving encryption (FPE-FFX), deterministic encryption, or cryptographic hashing; the encryption-based ones are reversible by the key holder, masking and hashing are not
  • Re-identification risk analysis: k-anonymity, l-diversity, and related metrics over quasi-identifiers (ZIP code, birth date, gender) that could be combined to single out individuals even without direct PII
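The inspection and de-identification concepts above, as an added example (not the Cloud DLP API and not Google's infoType definitions): three regex-plus-validator detectors, a masking transformation, and a keyed deterministic tokenization. The HMAC tokenization is a stand-in for DLP's deterministic encryption (one-way here; DLP's is reversible with the key), the detector names reuse the real infoType names for readability, and the sample record is constructed.

```python
"""Inspection and de-identification in the style of Cloud DLP, run locally.

Added example, not the Cloud DLP API or its infoType definitions: three
detectors (credit card with Luhn check, US SSN with issuance-rule check,
email address) produce findings with a likelihood, followed by two
transformations: character masking (irreversible) and deterministic
tokenization keyed with HMAC (the same value always maps to the same
token, so joins still work, and only the key holder can link tokens back).
The sample record in __main__ is constructed.
"""
import base64
import hashlib
import hmac
import re


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum used by payment card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:            # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(ssn: str) -> bool:
    """SSA never issues area 000, 666 or 9xx, group 00, or serial 0000."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"


DETECTORS = {
    # (pattern, validator): a passing validator raises likelihood from POSSIBLE to VERY_LIKELY
    "CREDIT_CARD_NUMBER": (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),
                           lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    "US_SOCIAL_SECURITY_NUMBER": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    "EMAIL_ADDRESS": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), lambda s: True),
}


def inspect(text: str) -> list:
    """Findings as (infoType, quote, likelihood), like a DLP inspectContent response."""
    findings = []
    for info_type, (pattern, validate) in DETECTORS.items():
        for m in pattern.finditer(text):
            likelihood = "VERY_LIKELY" if validate(m.group()) else "POSSIBLE"
            findings.append((info_type, m.group(), likelihood))
    return findings


def mask(text: str, info_types, masking_char: str = "*", keep_last: int = 4) -> str:
    """Character masking: irreversible; keeps the last N characters for matching."""
    def repl(m):
        s = m.group()
        return masking_char * (len(s) - keep_last) + s[-keep_last:]
    for t in info_types:
        text = DETECTORS[t][0].sub(repl, text)
    return text


def tokenize(text: str, info_types, key: bytes) -> str:
    """Deterministic tokenization: HMAC under a secret key, truncated and encoded."""
    def repl(m):
        tag = hmac.new(key, m.group().encode(), hashlib.sha256).digest()[:9]
        return "TOKEN(" + base64.urlsafe_b64encode(tag).decode() + ")"
    for t in info_types:
        text = DETECTORS[t][0].sub(repl, text)
    return text


if __name__ == "__main__":
    # Constructed record; 4111 1111 1111 1111 is the standard Visa test number.
    record = "Card 4111 1111 1111 1111, SSN 078-05-1120, contact jane.doe@example.com"
    for finding in inspect(record):
        print(finding)
    print(mask(record, ["CREDIT_CARD_NUMBER", "US_SOCIAL_SECURITY_NUMBER"]))
    print(tokenize(record, ["EMAIL_ADDRESS"], key=b"secret-held-in-secret-manager"))
```

The likelihood split is the part worth internalising: a 16-digit string that fails Luhn is still reported, but as POSSIBLE, and a production job would typically act only on LIKELY and above. For tokenization, keep the HMAC key in Secret Manager or a KMS-wrapped secret; whoever holds it can re-link every token.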

"Data Loss Prevention is tested both as a standalone service and as a component of data governance pipelines. Candidates must understand when to use DLP in real-time (via the DLP API in application code) vs. batch inspection jobs against Cloud Storage or BigQuery." -- Tutorials Dojo Security Engineer exam analysis [5]

VPC Service Controls

VPC Service Controls create a service perimeter around Google Cloud APIs so that data in protected projects can only be reached from inside the perimeter, regardless of what IAM would otherwise allow [7]:

  • One access policy per organization holds all perimeters and access levels
  • Service perimeters group projects (and VPC networks) and list the restricted services; API calls from outside the perimeter to those services are blocked, and so are calls from inside to the same services in projects outside it, which is what stops exfiltration to an attacker-controlled project
  • Access levels (Access Context Manager) define conditions under which external access is permitted: source IP ranges, device policy, identity, geolocation
  • Ingress and egress rules allow specific principal, project, and service combinations to cross the boundary without widening an access level
  • Dry-run mode: records what would be blocked as policy-denied log entries without enforcing, essential for testing before enabling enforcement
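An added Python model of the perimeter decision (not Google's code or the Access Context Manager API): the projects, services, the corp_vpn access level and the request addresses are all constructed. It shows the three outcomes a perimeter produces and why dry-run mode is the safe first step.

```python
"""Local model of a VPC Service Controls perimeter decision.

Added example, not Google's code or the Access Context Manager API: a
perimeter lists its projects and restricted services; a request to a
restricted service in a perimeter project from outside the perimeter is
blocked unless an access level (source IP range and/or identity) matches;
requests from projects inside the perimeter pass; and in dry-run mode the
violation is recorded but the call is still allowed. Ingress/egress rules
and the egress (exfiltration) direction are not modelled.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessLevel:
    name: str
    ip_ranges: tuple = ()        # CIDRs; empty means any source IP
    members: tuple = ()          # principals; empty means any identity

    def satisfied_by(self, req) -> bool:
        ip_ok = not self.ip_ranges or any(
            ipaddress.ip_address(req.source_ip) in ipaddress.ip_network(r) for r in self.ip_ranges)
        member_ok = not self.members or req.principal in self.members
        return ip_ok and member_ok


@dataclass
class Request:
    principal: str
    source_ip: str
    source_project: Optional[str]    # None when the call comes from outside any perimeter project
    target_project: str
    service: str


@dataclass
class Perimeter:
    projects: set
    restricted_services: set
    access_levels: list = field(default_factory=list)
    dry_run: bool = False
    violations: list = field(default_factory=list)   # what enforcement would have blocked

    def evaluate(self, req: Request) -> str:
        """Return 'ALLOWED', 'BLOCKED' or 'DRY_RUN_VIOLATION'."""
        if req.target_project not in self.projects or req.service not in self.restricted_services:
            return "ALLOWED"                        # not protected by this perimeter
        if req.source_project in self.projects:
            return "ALLOWED"                        # inside -> inside; IAM still applies
        if any(level.satisfied_by(req) for level in self.access_levels):
            return "ALLOWED"                        # external caller matched an access level
        self.violations.append((req.principal, req.source_ip, req.service, req.target_project))
        return "DRY_RUN_VIOLATION" if self.dry_run else "BLOCKED"


def build_perimeter(dry_run: bool = False) -> Perimeter:
    """Constructed perimeter: two projects, two restricted services, one access level."""
    return Perimeter(
        projects={"projects/payments", "projects/analytics"},
        restricted_services={"storage.googleapis.com", "bigquery.googleapis.com"},
        access_levels=[AccessLevel("corp_vpn", ip_ranges=("198.51.100.0/24",),
                                   members=("user:ops@example.com",))],
        dry_run=dry_run,
    )


if __name__ == "__main__":
    p = build_perimeter()
    laptop = Request("user:dev@example.com", "203.0.113.5", None,
                     "projects/payments", "storage.googleapis.com")
    print(p.evaluate(laptop))                                                  # BLOCKED
    print(p.evaluate(Request("user:dev@example.com", "10.0.0.4", "projects/analytics",
                             "projects/payments", "bigquery.googleapis.com")))  # ALLOWED: inside -> inside
    print(p.evaluate(Request("user:ops@example.com", "198.51.100.7", None,
                             "projects/payments", "storage.googleapis.com")))   # ALLOWED: access level
    dry = build_perimeter(dry_run=True)
    print(dry.evaluate(laptop), dry.violations)                                # DRY_RUN_VIOLATION + record
```

Note that the developer with a valid IAM role is still blocked from the laptop: VPC Service Controls is evaluated independently of IAM, which is why a perimeter must be rolled out in dry-run mode and the recorded violations turned into access levels or ingress rules before enforcement.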

Domain 4: Managing Operations (22%)

Security Command Center (SCC)

Security Command Center is GCP's centralized security management platform:

  • Findings: security vulnerabilities and threats detected by SCC and integrated partners
  • Assets: inventory of all GCP resources with configuration details
  • Standard tier: no charge; Security Health Analytics (core misconfiguration detectors), Web Security Scanner custom scans, and basic anomaly detection
  • Premium tier: adds Event Threat Detection (ETD), Container Threat Detection, Virtual Machine Threat Detection, the full Security Health Analytics detector set, Web Security Scanner managed scans, and compliance reporting against CIS, PCI DSS, NIST, and ISO benchmarks
  • Event Threat Detection: near-real-time analysis of Cloud Logging for indicators of compromise (cryptomining, data exfiltration, brute force)

Audit Logging

Cloud Audit Logs are central to security operations on GCP:

  • Admin Activity logs: record API calls that modify configuration or metadata; always enabled, cannot be disabled, not charged
  • Data Access logs: record API calls that read configuration or read/write user data; disabled by default (BigQuery is the exception), enabled per service with optional exempted principals; high volume and billable
  • System Event logs: administrative actions Google performs on your resources (live migration, auto-restart); always enabled
  • Policy Denied logs: record requests denied by a security policy such as a VPC Service Controls perimeter; generated by default
  • Log retention: Admin Activity and System Event entries go to the _Required bucket (400 days, not configurable); everything else lands in _Default (30 days unless changed); configure log sinks to Cloud Storage, BigQuery, or a SIEM destination, and lock the destination bucket, for the longer retention compliance frameworks require
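Detection logic over audit-log exports, as an added example (not Google's code and not an Event Threat Detection rule): three constructed LogEntry records follow the Cloud Audit Logs field layout (logName suffix for the log type, protoPayload.methodName, authenticationInfo.principalEmail, and serviceData.policyDelta as the Resource Manager API records IAM changes). The corporate domain list and the privileged-role set are assumptions.

```python
"""Detection pass over Cloud Audit Log entries exported as JSON.

Added example, not Google's code or an Event Threat Detection rule: three
constructed LogEntry records (field names follow the Cloud Audit Logs
schema: logName, protoPayload.serviceName/methodName/authenticationInfo,
serviceData.policyDelta for IAM changes) are classified by log type and
checked against two rules security teams commonly run: creation of a
user-managed service account key, and an IAM binding that grants a
high-privilege role to a principal outside the corporate domain.
"""
import json

CORPORATE_DOMAINS = {"example.com"}                    # assumption for this example
HIGH_PRIVILEGE_ROLES = {"roles/owner", "roles/editor", "roles/iam.securityAdmin"}

# Constructed sample entries, abbreviated to the fields the rules use.
SAMPLE_LOG = [
    {"logName": "projects/payments/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "authenticationInfo": {"principalEmail": "dev@example.com"},
                      "resourceName": "projects/-/serviceAccounts/etl@payments.iam.gserviceaccount.com"}},
    {"logName": "projects/payments/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy",
                      "authenticationInfo": {"principalEmail": "admin@example.com"},
                      "resourceName": "projects/payments",
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner", "member": "user:someone@gmail.com"},
                          {"action": "ADD", "role": "roles/viewer", "member": "group:devs@example.com"}]}}}},
    {"logName": "projects/payments/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "authenticationInfo": {"principalEmail": "etl@payments.iam.gserviceaccount.com"},
                      "resourceName": "projects/_/buckets/cardholder-data/objects/batch-01.csv"}},
]

LOG_TYPES = {"activity": "ADMIN_ACTIVITY", "data_access": "DATA_ACCESS",
             "system_event": "SYSTEM_EVENT", "policy": "POLICY_DENIED"}


def log_type(entry: dict) -> str:
    """Classify by the URL-encoded logName suffix Cloud Logging uses."""
    suffix = entry["logName"].rsplit("%2F", 1)[-1]
    return LOG_TYPES.get(suffix, "UNKNOWN")


def member_domain(member: str) -> str:
    # member looks like "user:alice@example.com" or "serviceAccount:x@p.iam.gserviceaccount.com"
    return member.split(":", 1)[-1].rsplit("@", 1)[-1]


def detect(entry: dict) -> list:
    """Return (rule_name, detail) alerts for one entry; empty list when nothing fires."""
    p = entry["protoPayload"]
    actor = p["authenticationInfo"]["principalEmail"]
    alerts = []
    if p["methodName"].endswith("CreateServiceAccountKey"):
        alerts.append(("SA_KEY_CREATED", f"{actor} created a key for {p['resourceName']}"))
    if p["methodName"] == "SetIamPolicy":
        for delta in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            if delta["action"] == "ADD" and delta["role"] in HIGH_PRIVILEGE_ROLES \
                    and member_domain(delta["member"]) not in CORPORATE_DOMAINS:
                alerts.append(("EXTERNAL_PRIVILEGED_GRANT",
                               f"{actor} granted {delta['role']} to {delta['member']} on {p['resourceName']}"))
    return alerts


def scan(entries) -> list:
    """Run every rule over every entry; returns (log_type, rule, detail) tuples."""
    results = []
    for e in entries:
        for rule, detail in detect(e):
            results.append((log_type(e), rule, detail))
    return results


if __name__ == "__main__":
    for kind, rule, detail in scan(SAMPLE_LOG):
        print(json.dumps({"type": kind, "rule": rule, "detail": detail}))
```

The first two entries are Admin Activity logs, which a detection can rely on being present; the third is a Data Access read of an object and exists only because Data Access logging was turned on for Cloud Storage. To run the same rules continuously, point a log sink at Pub/Sub (or at Chronicle) and feed each message through `detect`. Note that the service-account grant branch treats any non-corporate domain, including gserviceaccount.com, as external; tune CORPORATE_DOMAINS for your own tenancy.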

Incident Response

The exam tests process knowledge alongside technical configuration:

  • Chronicle (now Google Security Operations): Google's cloud-native SIEM/SOAR for storing, normalizing (UDM), and running detections over security telemetry at scale; Cloud Audit Logs reach it through a log sink
  • Security posture (Security Command Center Premium and Enterprise): defines a posture of organization policies and Security Health Analytics detectors as a baseline and reports drift from it
  • Forensic investigation: use Cloud Audit Logs, VPC Flow Logs, and firewall rule logs to reconstruct attack timelines; snapshot the disks of suspect VMs before remediating so evidence survives

Domain 5: Supporting Compliance Requirements (10%)

Regulatory Frameworks and GCP Controls

Framework | Relevant GCP mechanisms
----------|------------------------
HIPAA | BAA with Google, CMEK, VPC Service Controls, audit logging
PCI DSS | Network segmentation, Cloud Armor WAF, encryption at rest/in transit, SCC Premium
FedRAMP | FedRAMP-authorized GCP services, region restrictions, Assured Workloads
SOC 2 | Audit logging, IAM least privilege, change management, monitoring
GDPR | Cloud DLP for PII, data residency via organization policies, right-to-erasure via BigQuery DML

Assured Workloads

Assured Workloads is Google's managed compliance framework for regulated industries:

  • Enforces data residency, personnel access restrictions, and supported services for compliance regimes
  • Control packages include FedRAMP Moderate, FedRAMP High, IL2, IL4, IL5, CJIS, ITAR, HIPAA, EU Regions and Support (with sovereignty controls), and Canada Protected B
  • Automatically applies organization policies and access restrictions; creates a workload folder with compliance controls enabled

Study Approach

This exam rewards depth over breadth. Unlike the ACE exam where covering all services matters, the Security Engineer exam goes deep on a smaller set of services.

Phase 1: Foundation (Weeks 1-3)

Start with general cloud security concepts if your background is not primarily security:

  • Study the Cloud Security Alliance (CSA) Cloud Controls Matrix [8] to understand how cloud security responsibilities split between provider and customer
  • Read NIST SP 800-53 control families relevant to cloud: AC (Access Control), AU (Audit), SC (System Communications), SI (System Integrity)
  • Complete Google Cloud Skills Boost "Security in Google Cloud" Specialization

Phase 2: GCP Security Services Deep Dive (Weeks 4-8)

Focus on the highest-weighted services:

Week | Focus area
-----|-----------
4 | IAM, Organization Policy, Service Accounts, Workforce Identity Federation
5 | VPC security, firewall policies, Cloud Armor, private connectivity
6 | Cloud KMS, CMEK, Cloud DLP, Secret Manager
7 | Security Command Center, Cloud Audit Logs, VPC Service Controls
8 | Compliance frameworks, Assured Workloads, Chronicle

Phase 3: Practice and Gaps (Weeks 9-10)

  • Complete Tutorials Dojo Professional Cloud Security Engineer practice exams
  • For every incorrect answer, locate the relevant GCP documentation page and read the full section
  • Pay special attention to questions about Organization Policy constraints; these require memorizing specific constraint names and their effects

References

[1] (ISC)2. "Cybersecurity Workforce Study 2025." isc2.org. Accessed May 2026.

[2] Google Cloud. "Professional Cloud Security Engineer Exam Guide." cloud.google.com/certification/cloud-security-engineer. Accessed May 2026.

[3] Google Cloud. "Security Command Center Documentation." cloud.google.com/security-command-center/docs. Accessed May 2026.

[4] NIST. "Special Publication 800-53 Rev. 5: Security and Privacy Controls." nvlpubs.nist.gov. Accessed May 2026.

[5] Tutorials Dojo. "Google Cloud Professional Security Engineer Practice Exams." tutorialsdojo.com. Accessed May 2026.

[6] Google Cloud. "IAM Documentation: Service Accounts." cloud.google.com/iam/docs/service-accounts. Accessed May 2026.

[7] Google Cloud. "VPC Service Controls Documentation." cloud.google.com/vpc-service-controls/docs. Accessed May 2026.

[8] Cloud Security Alliance. "Cloud Controls Matrix v4." cloudsecurityalliance.org. Accessed May 2026.