What does the Google Cloud Professional Cloud Security Engineer exam cover?
The Google Cloud Professional Cloud Security Engineer exam covers configuring access within a cloud solution environment, managing operations, configuring network security, ensuring data protection, and managing operations security using GCP services like Cloud IAM, VPC Service Controls, Cloud Armor, Cloud KMS, and Security Command Center. The exam costs $200 USD.
The Google Cloud Professional Cloud Security Engineer (PCSE) certification validates expertise in designing and implementing secure workloads on GCP. Security engineers with this certification demonstrate the ability to configure access controls, network security, data protection, and threat detection at enterprise scale.
The PCSE is commonly pursued after the Associate Cloud Engineer or Professional Cloud Architect certifications by engineers who are specializing in cloud security.
Exam Overview
| Detail | Information |
|---|---|
| Certification | Professional Cloud Security Engineer |
| Provider | Google Cloud |
| Number of Questions | 50 |
| Time Limit | 2 hours |
| Passing Score | Not published |
| Cost | $200 USD |
| Prerequisites | None (ACE or PCA recommended) |
| Validity | 2 years |
The exam covers five domains:
- Configuring access within a cloud solution environment (27%)
- Securing communications and establishing boundary protection (21%)
- Ensuring data protection (20%)
- Managing operations within a cloud solution environment (22%)
- Supporting compliance requirements (10%)
"The PCSE exam is heavily weighted toward IAM and network security. If you deeply understand IAM policy evaluation (allow vs. deny, role inheritance, service account impersonation), VPC Service Controls, and the difference between Cloud Armor and VPC firewall rules, you have covered most of the highest-value exam domains. Security Command Center and DLP API are secondary focus areas." -- GCP Security Engineer community
Cloud IAM Deep Dive
IAM Policy Evaluation
IAM evaluates access using a hierarchy of policies. Understanding evaluation order is critical for the PCSE exam:
Policy evaluation logic:
Request to access resource
│
1. Check for DENY policies (organization policies, IAM deny)
If denied → DENY immediately
│
2. Check for ALLOW policies at each level:
Organization → Folder → Project → Resource
If allowed at any level → ALLOW (inherited downward)
│
3. If no explicit allow → DENY (implicit deny)
IAM deny policies: Added in 2022, deny policies take precedence over allow policies and support exception-based access patterns:
{
"name": "policies/cloudresourcemanager.googleapis.com/projects/PROJECT_ID/denypolicies/deny-external-access",
"rules": [
{
"denyRule": {
"deniedPrincipals": ["principalSet://goog/public:all"],
"deniedPermissions": ["bigquery.tables.getData"],
"exceptionPrincipals": ["serviceAccount:approved-sa@project.iam.gserviceaccount.com"]
}
}
]
}
Service Account Security
Service account best practices:
| Practice | Why |
|---|---|
| Use Workload Identity instead of keys | Keys are long-lived and can be compromised |
| Grant minimum necessary roles | Limit blast radius of compromise |
| Avoid using default service accounts | Default accounts have broad permissions |
| Enable service account key rotation | If keys must be used, rotate regularly |
| Audit service account usage | Cloud Audit Logs show SA authentication events |
Workload Identity Federation (recommended for GKE):
# Service account annotation for Workload Identity
apiVersion: v1
kind: ServiceAccount
metadata:
name: my-ksa
namespace: my-namespace
annotations:
iam.gke.io/gcp-service-account: my-gsa@PROJECT_ID.iam.gserviceaccount.com
Network Security
VPC Service Controls
VPC Service Controls create security perimeters around GCP APIs to prevent data exfiltration:
Without VPC Service Controls:
Compromised user credentials → access BigQuery from anywhere
Data → exfiltrated to unauthorized project or internet
With VPC Service Controls:
Perimeter enforced → access only from within perimeter
Data → cannot leave perimeter even with valid credentials
Perimeter configuration:
| Component | Description |
|---|---|
| Service perimeter | Boundary around protected resources |
| Restricted services | GCP APIs protected (BigQuery, Cloud Storage, etc.) |
| Access policies | Organization-level policy containing perimeters |
| Access levels | Conditions that grant perimeter access (IP, device, identity) |
| Ingress/Egress rules | Allow specific cross-perimeter communication |
Cloud Armor
Cloud Armor provides DDoS protection and WAF capabilities for external load balancers:
# Cloud Armor security policy (Terraform)
resource "google_compute_security_policy" "policy" {
name = "my-security-policy"
rule {
action = "deny(403)"
priority = "1000"
match {
expr {
expression = "evaluatePreconfiguredExpr('xss-stable')"
}
}
description = "XSS attack prevention"
}
rule {
action = "deny(403)"
priority = "2000"
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["192.0.2.0/24"]
}
}
description = "Block specific IP range"
}
rule {
action = "allow"
priority = "2147483647"
match {
versioned_expr = "SRC_IPS_V1"
config {
src_ip_ranges = ["*"]
}
}
description = "Default allow rule"
}
}
Data Protection
Encryption Options
| Option | Key Management | Use Case |
|---|---|---|
| Google-managed (default) | Google manages keys | Default encryption, no overhead |
| CMEK (Cloud KMS) | Customer manages keys in GCP | Audit key usage, revoke access |
| CSEK | Customer provides keys per-request | Maximum key control (limited services) |
| Cloud HSM | Hardware-protected keys | FIPS 140-2 Level 3 compliance |
Cloud Data Loss Prevention (DLP) API
DLP API discovers, classifies, and de-identifies sensitive data:
from google.cloud import dlp_v2
client = dlp_v2.DlpServiceClient()
# Inspect content for PII
response = client.inspect_content(
request={
"parent": f"projects/my-project",
"inspect_config": {
"info_types": [
{"name": "EMAIL_ADDRESS"},
{"name": "PHONE_NUMBER"},
{"name": "CREDIT_CARD_NUMBER"},
],
"min_likelihood": dlp_v2.Likelihood.POSSIBLE,
},
"item": {"value": "Call me at 555-1234 or email user@example.com"},
}
)
for finding in response.result.findings:
print(f"Found {finding.info_type.name} with likelihood {finding.likelihood}")
Security Command Center
Security Command Center (SCC) provides threat detection and security posture management:
Finding categories:
| Category | Examples | Severity |
|---|---|---|
| Vulnerabilities | Open firewall to 0.0.0.0/0, public bucket, unpatched OS | HIGH/CRITICAL |
| Threats | Cryptomining, data exfiltration attempts, brute force | CRITICAL |
| Misconfigurations | Over-privileged service accounts, default SA usage | MEDIUM |
| Observations | Audit log disabling, suspicious IAM activity | LOW |
Frequently Asked Questions
What is the difference between Cloud Armor and VPC firewall rules? VPC firewall rules filter traffic at the network layer (Layer 4) within your VPC — they control which source IPs and protocols can reach your instances. Cloud Armor is a Layer 7 WAF and DDoS protection service that integrates with external load balancers — it can inspect HTTP request content, apply WAF rules (OWASP ModSecurity Core Rule Set), rate limit requests, and mitigate DDoS attacks before traffic reaches your VPC. Both are used together: Cloud Armor at the perimeter, firewall rules within the VPC.
How does VPC Service Controls differ from IAM? IAM controls who can perform which actions on which resources, based on identity and permissions. VPC Service Controls add a network-level perimeter that restricts which network contexts (corporate network, specific VMs, specific access levels) can make API calls to protected services, even if the caller has valid IAM credentials. IAM is identity-based; VPC Service Controls is context-based. Both are often deployed together for defense in depth.
What compliance frameworks are tested on the PCSE exam? The exam tests general compliance concepts applicable to GCP rather than deep knowledge of specific frameworks. You should understand PCI DSS requirements for payment data (encryption, access controls, audit logging), HIPAA requirements for healthcare data (encryption, audit, access controls, BAA with Google), and GDPR concepts (data residency, right to erasure using CMEK key destruction). Google's compliance offerings (Assured Workloads, Access Transparency, Access Approvals) also appear.
References
- Google Cloud. (2025). Professional Cloud Security Engineer Certification. https://cloud.google.com/certification/cloud-security-engineer
- Google Cloud. (2025). VPC Service Controls Documentation. https://cloud.google.com/vpc-service-controls/docs
- Google Cloud. (2025). Cloud Armor Documentation. https://cloud.google.com/armor/docs
- Google Cloud. (2025). Security Command Center. https://cloud.google.com/security-command-center/docs
- Google Cloud. (2025). Data Loss Prevention API. https://cloud.google.com/dlp/docs
- Google Cloud. (2025). Cloud Key Management Service. https://cloud.google.com/kms/docs