GCP Professional Cloud Security Engineer Guide: Complete Exam Guide
The GCP Professional Cloud Security Engineer certification validates deep expertise in configuring and managing security on Google Cloud. It is a specialist credential — narrower than the Professional Cloud Architect, but going significantly deeper in its specific domain.
Cloud security has become a genuine specialism in its own right. The demand for engineers who understand IAM at scale, network security architecture, data encryption, and compliance frameworks is strong, and that demand has outpaced supply. Engineers who hold credible security credentials — especially backed by real security work — command a premium in the market.
This guide explains what the exam covers, who should pursue it, and how to prepare.
Who this exam is for#
The GCP Professional Cloud Security Engineer exam is designed for engineers who:
- Work in cloud security, security engineering, or DevSecOps roles on GCP
- Are responsible for IAM design, network security, data protection, or compliance on Google Cloud
- Have the GCP Associate Cloud Engineer as a base (or equivalent hands-on experience)
- Want to specialise in security after a foundation in general cloud engineering
This is not an entry-level security certification. It assumes you understand GCP fundamentals (deploy services, configure IAM, set up networking) and goes deeper into the security-specific configuration, architecture, and threat response aspects of those fundamentals.
If you are new to cloud security entirely, consider building GCP operational experience first — ideally completing the ACE — before tackling this exam.
Exam details#
Format: 50–60 questions (multiple choice and multiple select) in 2 hours; registration fee around $200; the credential is valid for 2 years.
Domains and weightings:
| Domain | Approximate weighting |
|---|---|
| Configure access within a cloud solution environment | 27% |
| Configure network security | 20% |
| Ensure data protection | 20% |
| Manage operations within a cloud solution environment | 22% |
| Ensure compliance | 11% |
Key topics by domain#
Configure access: IAM in depth#
Access configuration is the heaviest domain, which reflects how often cloud incidents trace back to over-broad permissions or leaked credentials rather than to a flaw in a service itself.
IAM fundamentals revisited at depth:
- Service accounts: Google-managed vs user-managed keys, key rotation, why downloaded key files are the most common way a service account is compromised (they are long-lived bearer credentials that end up in repositories and on laptops), and the alternatives that avoid keys entirely: the Compute Engine metadata server, Workload Identity on GKE, service account impersonation, and Workload Identity Federation
- IAM roles: the difference between basic (Owner/Editor/Viewer), predefined, and custom roles; when a custom role is justified and why basic roles should not appear in production policies
- IAM Conditions: attribute-based access control using resource attributes (type, name, tags) and request attributes (date/time, access level); conditional bindings require IAM policy version 3
- Workload Identity Federation: configuring a workload identity pool and provider so Google Cloud trusts an external identity provider (OIDC, SAML, AWS, Azure AD, GitHub Actions) and exchanges its tokens for short-lived Google credentials, with no long-lived key file
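The binding patterns above are easier to recognise in a real policy document than in a bullet list. The following is an added example (not from the page, and not Google code): it audits a project IAM allow policy for public principals, basic roles, service accounts holding basic roles, project-wide impersonation roles, and direct user grants. SAMPLE_POLICY is constructed data in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`; the severity ratings and the IMPERSONATION_ROLES set are my own judgement, not an official list.

```python
"""Audit a Cloud IAM allow policy for the binding patterns the access domain
tests. Added example, not Google's code; SAMPLE_POLICY is constructed data in
the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`."""
import json
from collections import Counter

SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "etag": "BwYYcYh2hXk=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci@proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:devs@example.com"]},
    {"role": "roles/compute.admin", "members": ["user:bob@example.com"],
     "condition": {"title": "business-hours",
                   "expression": "request.time.getHours('Europe/London') >= 9 && request.time.getHours('Europe/London') < 18"}},
    {"role": "roles/logging.viewer", "members": ["group:sec@example.com"]}
  ]
}
""")

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Granted at project level these let the principal act as *every* service
# account in the project: a privilege-escalation path, not a helper role.
# (Set chosen for this example; assess your own environment.)
IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                       "roles/iam.serviceAccountUser",
                       "roles/iam.serviceAccountKeyAdmin"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def audit_policy(policy: dict) -> list[dict]:
    """Return one finding per (role, member) problem, highest severity first."""
    findings = []

    def add(severity, issue, role, member, note):
        findings.append({"severity": severity, "issue": issue, "role": role,
                         "member": member, "note": note})

    for binding in policy.get("bindings", []):
        role = binding["role"]
        # A condition narrows a binding (and needs policy version 3); we record
        # it on the finding rather than suppressing the finding.
        conditional = "condition" in binding
        for member in binding.get("members", []):
            kind = member.split(":", 1)[0]      # user, group, serviceAccount, ...
            if member in PUBLIC_PRINCIPALS:
                add("HIGH", "public-principal", role, member,
                    "anyone on the internet holds this role")
            if role in BASIC_ROLES:
                add("MEDIUM" if role == "roles/viewer" else "HIGH", "basic-role",
                    role, member,
                    "basic roles span every service in the project; use predefined or custom roles")
                if kind == "serviceAccount":
                    add("HIGH", "sa-with-basic-role", role, member,
                        "any workload or leaked key for this account is a project-wide admin")
            if role in IMPERSONATION_ROLES:
                add("MEDIUM", "project-wide-impersonation", role, member,
                    "bind this role on the individual service account, not the project")
            if kind == "user":
                add("LOW", "direct-user-grant", role, member,
                    "grant through a group instead"
                    + (" (binding is conditional)" if conditional else ""))
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Count findings by issue type, for a quick triage summary."""
    return Counter(f["issue"] for f in findings)


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print(f"{f['severity']:6} {f['issue']:28} {f['role']:42} {f['member']}")
```

On the sample policy this reports seven findings: the Owner grant to a user and to a service account (the latter twice, once as a basic role and once as a service account holding one), the public objectViewer binding, the project-level Token Creator grant, and two direct user grants, one of them conditional.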
Organisation policies:
- Org policy constraints: restricting which regions resources can be deployed in, preventing public IPs on VMs, requiring OS Login
- Enforcing security baselines across the entire organisation
- Policy inheritance and the ability to override at lower levels
VPC Service Controls:
- Service perimeters: an access boundary around the Google APIs of a set of projects, so data cannot be read out to a project or identity outside the perimeter even by a principal who holds IAM permission on it
- Access levels (Access Context Manager): conditions on source IP range, region, device policy, and principal that can be attached to a perimeter or to an IAM binding
- Perimeter bridges and ingress/egress rules: allowing controlled communication between perimeters and with specific external projects or identities
- Dry-run mode and audit logging: testing a perimeter before enforcing it, and reading the VPC Service Controls violation entries that land in the Policy Denied audit log
Identity-Aware Proxy (IAP):
- Zero-trust application access without VPN
- How IAP enforces context-aware access
- Configuring IAP for App Engine, GKE, and Compute Engine backends
Configure network security#
Firewall rules and policies:
- Hierarchical firewall policies vs VPC firewall rules: organisation- and folder-level policies are evaluated before the VPC's own rules, a policy rule can use `goto_next` to defer to lower levels, and within a level the lower priority number wins
- Firewall rule logging: when and why to enable it (it is off by default, and without it you cannot see which rule admitted or dropped a flow)
- Firewall Insights: rule hit counts, shadowed rules (a rule that a higher-priority rule fully covers and that therefore never fires), and unused rules
- Network tags vs service accounts as firewall targets: a tag can be added to a VM by anyone with instance-level permission to set tags, whereas a VM's service account can only be changed on a stopped instance by a principal allowed to act as that account, so service-account targets are much harder to subvert
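To make the shadowed-rule and target-type points concrete, here is an added example (not from the page, not Google's Firewall Insights code) that analyses a set of VPC firewall rules offline. RULES is constructed data using a subset of the fields from `gcloud compute firewall-rules list --format=json`; it models ingress rules with `sourceRanges` only (sourceTags and sourceServiceAccounts are not handled), and treats hierarchical policies as out of scope.

```python
"""Offline analysis of VPC firewall rules: internet-exposed admin ports,
rules shadowed by a higher-priority rule, and tag-targeted rules. Added
example, not Google's code. RULES is constructed sample data (subset of the
JSON from `gcloud compute firewall-rules list --format=json`); ingress
rules with sourceRanges only. Lower `priority` number = evaluated first."""
import ipaddress

ADMIN_PORTS = {22, 3389}
ALL_PORTS = set(range(0, 65536))

RULES = [
    {"name": "allow-ssh-from-anywhere", "priority": 1000, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "targetTags": ["web"], "logConfig": {"enable": False}},
    {"name": "allow-bastion-ssh", "priority": 900, "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "targetServiceAccounts": ["bastion@proj.iam.gserviceaccount.com"],
     "logConfig": {"enable": True}},
    {"name": "allow-rfc1918-web", "priority": 1500, "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8", "172.16.0.0/12"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}], "logConfig": {"enable": True}},
    {"name": "allow-corp-https", "priority": 2000, "direction": "INGRESS",
     "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "targetTags": ["web"], "logConfig": {"enable": True}},
    {"name": "deny-all-ingress", "priority": 65534, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}], "logConfig": {"enable": True}},
]


def _ports(entry):
    """Port set for one allowed/denied entry; an entry without 'ports' means all."""
    ports = set()
    for spec in entry.get("ports") or ["0-65535"]:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _traffic(rule):
    """Map protocol -> port set for everything a rule matches."""
    out = {}
    for entry in rule.get("allowed") or rule.get("denied") or []:
        proto = entry["IPProtocol"].lower()
        out[proto] = out.get(proto, set()) | _ports(entry)
    return out


def _traffic_covered(a, b):
    ta = _traffic(a)
    return all(need <= (ta.get("all", set()) | ta.get(proto, set()))
               for proto, need in _traffic(b).items())


def _sources_covered(a, b):
    a_nets = [ipaddress.ip_network(r) for r in a.get("sourceRanges", [])]
    b_nets = [ipaddress.ip_network(r) for r in b.get("sourceRanges", [])]
    return bool(b_nets) and all(
        any(n.version == m.version and n.subnet_of(m) for m in a_nets) for n in b_nets)


def _targets_covered(a, b):
    """No targetTags/targetServiceAccounts means the rule applies to every instance."""
    ta = set(a.get("targetTags", [])) | set(a.get("targetServiceAccounts", []))
    tb = set(b.get("targetTags", [])) | set(b.get("targetServiceAccounts", []))
    return not ta or (bool(tb) and tb <= ta)


def shadows(a, b):
    """True if rule a is evaluated first and matches everything b would match,
    so b never fires whatever its action is."""
    return (a is not b and not a.get("disabled") and a["direction"] == b["direction"]
            and a["priority"] < b["priority"]
            and _sources_covered(a, b) and _targets_covered(a, b) and _traffic_covered(a, b))


def _is_public(rule):
    return any(ipaddress.ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))


def analyse(rules):
    """Return (rule name, severity, message) tuples."""
    findings = []
    for r in rules:
        if r["direction"] == "INGRESS" and "allowed" in r and _is_public(r):
            ports = set().union(*(_ports(e) for e in r["allowed"]))
            if ports & ADMIN_PORTS or ports == ALL_PORTS:
                findings.append((r["name"], "HIGH", "admin port or all ports allowed from 0.0.0.0/0"))
            if not r.get("logConfig", {}).get("enable"):
                findings.append((r["name"], "MEDIUM", "internet-facing allow rule without rule logging"))
        if r.get("targetTags"):
            findings.append((r["name"], "LOW", "targeted by network tag: anyone who can set tags "
                             "on a VM can opt it in; prefer targetServiceAccounts"))
        for other in rules:
            if shadows(other, r):
                findings.append((r["name"], "INFO", f"shadowed by higher-priority rule {other['name']}"))
    return findings


if __name__ == "__main__":
    for name, sev, msg in analyse(RULES):
        print(f"{sev:6} {name:24} {msg}")
```

On the sample set, `allow-corp-https` is reported as shadowed by `allow-rfc1918-web` (a superset of sources, all instances, and a superset of ports at a lower priority number), while the bastion rule is not shadowed by the internet-wide SSH rule because it is evaluated first.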
Private connectivity:
- Private Google Access: allowing VMs without external IPs to reach Google APIs
- Private Service Connect: private connectivity to Google APIs and third-party services
- VPC peering security considerations: transitive peering not supported, firewall rules still apply
- Shared VPC: centralising network management while maintaining IAM separation
Cloud Armor:
- DDoS protection (Layer 3/4 absorbed at Google's edge, Layer 7 through security policies attached to external load balancers) and WAF functionality
- Preconfigured WAF rules (ModSecurity Core Rule Set signatures for SQLi, XSS, LFI, RCE and similar) vs custom rules written in the Cloud Armor rules language
- Adaptive Protection: machine-learning detection of Layer 7 DDoS against a backend service, with suggested rules to mitigate it
Cloud NAT: Enabling outbound internet access from private VMs without exposing them to inbound traffic.
Ensure data protection#
Encryption at rest:
- Default encryption with Google-managed keys
- Customer-managed encryption keys (CMEK) via Cloud KMS: key rings, key versions, rotation periods
- Cloud HSM: FIPS 140-2 Level 3 validated hardware security module keys
- Cloud External Key Manager (EKM): holding keys outside GCP entirely
- CMEK key rotation: rotation (manual or on a schedule) creates a new primary key version that is used for new encrypt calls only; existing data stays encrypted under the older version, which Cloud KMS keeps available for decryption, so re-encrypting data is a separate rewrite step, and disabling or destroying an old version makes anything still encrypted under it unreadable
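The rotation semantics are where candidates most often go wrong, so here is an added example (not from the page, not Google code) that walks through envelope encryption with a versioned key-encryption key. The `KmsKey` class is a stand-in for a Cloud KMS CryptoKey written so the example runs with the standard library: real Cloud KMS uses AES-256-GCM and embeds the version in its ciphertext, whereas this toy uses an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, which is illustrative and not a substitute for a real AEAD.

```python
"""Envelope encryption with a versioned KEK, showing what CMEK rotation does
and does not do. Added example, not Google's code. KmsKey is a stand-in for a
Cloud KMS CryptoKey; the HMAC-based cipher is illustrative only so the example
runs with the standard library (real KMS: AES-256-GCM)."""
import hashlib
import hmac
import os
import struct


def _subkeys(key):
    """Separate encryption and MAC subkeys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _stream(key, nonce, n):
    """Keystream from HMAC-SHA256 in counter mode (illustrative PRF, not AES)."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    ek, mk = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _stream(ek, nonce, len(ct))))


class KmsKey:
    """Numbered key versions, one primary; ciphertext carries the version id."""
    def __init__(self):
        self.material = {1: os.urandom(32)}
        self.state = {1: "ENABLED"}
        self.primary = 1

    def rotate(self):
        """What a rotation schedule does: new primary version, old ones untouched."""
        v = max(self.material) + 1
        self.material[v], self.state[v], self.primary = os.urandom(32), "ENABLED", v
        return v

    def destroy(self, version):
        self.state[version] = "DESTROYED"

    def encrypt(self, plaintext):
        """Always uses the primary version, as kms.encrypt does."""
        return struct.pack(">I", self.primary) + seal(self.material[self.primary], plaintext)

    def decrypt(self, blob):
        """Version is read from the ciphertext; a disabled/destroyed version fails."""
        version = struct.unpack(">I", blob[:4])[0]
        if self.state[version] != "ENABLED":
            raise PermissionError(f"key version {version} is {self.state[version]}")
        return unseal(self.material[version], blob[4:])


def kek_version(obj):
    return struct.unpack(">I", obj["wrapped_dek"][:4])[0]


def encrypt_object(kek, data):
    """Per-object DEK wrapped by the KEK: the pattern services use with CMEK."""
    dek = os.urandom(32)
    return {"wrapped_dek": kek.encrypt(dek), "ciphertext": seal(dek, data)}


def decrypt_object(kek, obj):
    return unseal(kek.decrypt(obj["wrapped_dek"]), obj["ciphertext"])


def rewrap(kek, obj):
    """Re-encrypt only the wrapped DEK under the current primary; the bulk
    ciphertext is untouched. This is the step rotation does NOT do for you."""
    return {**obj, "wrapped_dek": kek.encrypt(kek.decrypt(obj["wrapped_dek"]))}


def rotation_walkthrough():
    kek = KmsKey()
    old = encrypt_object(kek, b"customer record 42")
    kek.rotate()
    result = {"old_still_readable": decrypt_object(kek, old) == b"customer record 42",
              "old_wrapped_under": kek_version(old),                      # still 1
              "new_wrapped_under": kek_version(encrypt_object(kek, b"x"))}  # now 2
    rewrapped = rewrap(kek, old)
    result["rewrapped_under"] = kek_version(rewrapped)
    kek.destroy(1)
    try:
        decrypt_object(kek, old)
        result["old_readable_after_destroy"] = True
    except PermissionError:
        result["old_readable_after_destroy"] = False
    result["rewrapped_readable_after_destroy"] = (
        decrypt_object(kek, rewrapped) == b"customer record 42")
    return result
```

The walkthrough shows the three facts the exam tests: after rotation the old object still decrypts (its DEK is wrapped under version 1, which is still enabled), new objects are wrapped under version 2, and once version 1 is destroyed only the object whose DEK was re-wrapped survives.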
Encryption in transit:
- TLS requirements for GCP services
- Certificate management with Certificate Manager
- mTLS (mutual TLS) for service-to-service authentication within GKE
Data Loss Prevention (Cloud DLP, now branded Sensitive Data Protection):
- Discovering and classifying sensitive data: PII, financial data, credentials in Cloud Storage, BigQuery, and Datastore
- Redaction, masking, and tokenisation of sensitive values
- Inspection modes: synchronous content inspection through the API, storage inspection jobs over Cloud Storage, BigQuery, and Datastore, and hybrid jobs for data that lives outside Google Cloud
- De-identification techniques and when to use each
Secret management:
- Secret Manager: storing and accessing application secrets with versioning and IAM on individual secrets; a rotation schedule only publishes a message to a Pub/Sub topic, and a subscriber you write (typically a Cloud Function) generates the new value and adds it as a new secret version, since Secret Manager does not rotate the value itself
- Comparison with environment variables and other approaches
Manage operations: security monitoring and response#
Cloud Audit Logs:
- Four log types: Admin Activity, Data Access, System Event, Policy Denied
- Which are on by default: Admin Activity and System Event logs are always written and cannot be disabled; Data Access logs are off by default except for BigQuery and must be enabled per service and per operation type (ADMIN_READ, DATA_READ, DATA_WRITE); Policy Denied logs are written by default but can be excluded
- Configuring Data Access logs without creating excessive log volume: enable only the services and operation types you need, use exempted principals, and filter at the sink
- Log retention: Admin Activity, System Event, and Access Transparency logs go to the _Required bucket (400 days, not configurable); everything else goes to _Default (30 days by default, configurable); for longer retention and offline analysis route logs with a sink to Cloud Storage, BigQuery, or Pub/Sub
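Exam questions on audit logs usually boil down to "which log type would show this event and what field would you look at". The following is an added example (not from the page, not Google code) that runs a handful of detection rules over sample Cloud Audit Log entries. LOG_LINES are constructed entries in Cloud Logging's LogEntry JSON shape with most fields trimmed; the `serviceData.policyDelta` layout for SetIamPolicy and the `metadata.violationReason` field for VPC Service Controls denials match entries I have worked with, but treat them as assumptions and confirm against your own logs. CORP_NET and TRUSTED_DOMAINS are example values.

```python
"""Detection logic over Cloud Audit Log entries, one rule per log type.
Added example, not Google's code. LOG_LINES are constructed LogEntry JSON
(fields trimmed); field layouts for policyDelta and VPC SC metadata are
assumptions to confirm against real entries."""
import json

CORP_NET = "10."                                   # assumed corporate source prefix
TRUSTED_DOMAINS = ("example.com", "proj.iam.gserviceaccount.com")   # assumed

LOG_LINES = [json.dumps(e) for e in [
    {"insertId": "1", "logName": "projects/proj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "iam.googleapis.com",
                      "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
                      "resourceName": "projects/-/serviceAccounts/ci@proj.iam.gserviceaccount.com",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.7"}}},
    {"insertId": "2", "logName": "projects/proj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com",
                      "methodName": "SetIamPolicy", "resourceName": "projects/proj",
                      "authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "10.1.2.3"},
                      "serviceData": {"policyDelta": {"bindingDeltas": [
                          {"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"},
                          {"action": "REMOVE", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}},
    {"insertId": "3", "logName": "projects/proj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.firewalls.insert",
                      "resourceName": "projects/proj/global/firewalls/allow-rdp",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "10.1.2.9"},
                      "request": {"sourceRanges": ["0.0.0.0/0"],
                                  "alloweds": [{"IPProtocol": "tcp", "ports": ["3389"]}]}}},
    {"insertId": "4", "logName": "projects/proj/logs/cloudaudit.googleapis.com%2Fpolicy",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/finance-exports/objects/q3.csv",
                      "authenticationInfo": {"principalEmail": "ci@proj.iam.gserviceaccount.com"},
                      "requestMetadata": {"callerIp": "198.51.100.9"},
                      "metadata": {"violationReason": "NO_MATCHING_ACCESS_LEVEL"}}},
    {"insertId": "5", "logName": "projects/proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "protoPayload": {"serviceName": "storage.googleapis.com",
                      "methodName": "storage.objects.get",
                      "resourceName": "projects/_/buckets/finance-exports/objects/q3.csv",
                      "authenticationInfo": {"principalEmail": "ci@proj.iam.gserviceaccount.com"},
                      "requestMetadata": {"callerIp": "198.51.100.9"}}},
    {"insertId": "6", "logName": "projects/proj/logs/cloudaudit.googleapis.com%2Factivity",
     "protoPayload": {"serviceName": "compute.googleapis.com",
                      "methodName": "v1.compute.instances.start",
                      "resourceName": "projects/proj/zones/europe-west2-a/instances/web-1",
                      "authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "10.1.2.9"}}},
]]


def log_type(entry):
    """activity | data_access | system_event | policy, from the URL-encoded logName."""
    return entry["logName"].rsplit("%2F", 1)[-1]


def detect(entry):
    """Return (severity, message) or None for one LogEntry dict."""
    p = entry["protoPayload"]
    method = p.get("methodName", "")
    who = p.get("authenticationInfo", {}).get("principalEmail", "?")
    ip = p.get("requestMetadata", {}).get("callerIp", "?")
    kind = log_type(entry)
    if method.endswith("CreateServiceAccountKey"):                      # Admin Activity
        return "HIGH", f"user-managed key created on {p['resourceName']} by {who} from {ip}"
    if method == "SetIamPolicy":                                        # Admin Activity
        for d in p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", []):
            outsider = not d["member"].endswith(TRUSTED_DOMAINS)
            if d["action"] == "ADD" and (d["role"] in ("roles/owner", "roles/editor") or outsider):
                return "HIGH", f"{who} granted {d['role']} to {d['member']} on {p['resourceName']}"
    if method.endswith(("firewalls.insert", "firewalls.patch")):        # Admin Activity
        if "0.0.0.0/0" in p.get("request", {}).get("sourceRanges", []):
            return "HIGH", f"{who} opened {p['resourceName']} to 0.0.0.0/0"
    if kind == "policy" and "violationReason" in p.get("metadata", {}):   # Policy Denied
        return "MEDIUM", (f"VPC Service Controls denied {method} for {who} from {ip}: "
                          f"{p['metadata']['violationReason']}")
    if kind == "data_access" and not ip.startswith(CORP_NET):           # Data Access
        return "LOW", f"{who} read {p['resourceName']} from outside the corporate range ({ip})"
    return None


def scan(lines):
    """Run detect() over newline-delimited JSON, keeping insertId for triage."""
    out = []
    for line in lines:
        entry = json.loads(line)
        hit = detect(entry)
        if hit:
            out.append((entry["insertId"], *hit))
    return out


if __name__ == "__main__":
    for insert_id, sev, msg in scan(LOG_LINES):
        print(f"{insert_id} {sev:6} {msg}")
```

Note that entries 4 and 5 describe the same object read: the Policy Denied entry exists because a VPC Service Controls perimeter blocked it, whereas the Data Access entry only exists if DATA_READ logging is enabled for Cloud Storage on that project.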
Security Command Center (SCC):
- Standard vs Premium (and Enterprise) tier: Standard gives a subset of Security Health Analytics misconfiguration findings and Web Security Scanner custom scans; Premium adds the threat detectors below, compliance reporting, and continuous export of findings; Enterprise adds multi-cloud coverage and case management
- Built-in detectors (Premium): Event Threat Detection over audit and VPC Flow logs, Container Threat Detection, Virtual Machine Threat Detection
- Security findings: how to triage, mute, mark inactive, and resolve them, and how finding state (active/inactive) differs from mute state
- SIEM integration: continuous export of findings to a Pub/Sub topic from Premium, or the built-in SIEM/SOAR integration in SCC Enterprise
Chronicle (now Google Security Operations):
- At awareness level for this exam: it is Google's own SIEM/SOAR platform, so the question is not Chronicle versus a SIEM but when to ingest Google Cloud logs and SCC findings into it rather than into a third-party SIEM
Security response patterns:
- Automating remediation with a Cloud Function triggered by a Pub/Sub notification from Security Command Center or a log-based alert (Eventarc is the newer trigger mechanism; EventBridge is the AWS equivalent, not a Google Cloud service), e.g. disabling a compromised service account key when a finding fires
- Forensic investigation of compromised VMs: snapshot the persistent disk before touching the instance, isolate it with a deny firewall rule rather than deleting it, and reconstruct the timeline from Admin Activity and Data Access logs
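An added example of the automated-remediation pattern (not from the page, not Google code): a Pub/Sub-triggered Cloud Function in the gen 1 background-function style receives a Security Command Center finding notification and disables the implicated service account key. The message follows SCC's Pub/Sub NotificationMessage layout (top-level `finding` and `resource`), but the category string in ACTIONABLE and the `serviceAccountKeyName` source property are assumptions for this sample; check both against the detector you actually rely on. The IAM side effect is injected as a callable so the decision logic runs and can be tested offline.

```python
"""Pub/Sub-triggered remediation of an SCC finding. Added example, not
Google's code. Message shape follows SCC's NotificationMessage; the finding
category and the `serviceAccountKeyName` property are ASSUMED for the
sample. The IAM call is injected so the logic runs offline."""
import base64
import json

# ASSUMED category string: map only categories you trust to an action.
ACTIONABLE = {"Initial Access: Leaked Service Account Credentials Used": "disable_key"}


def decide(finding):
    """Pure decision: an action dict, or None. Only ACTIVE findings of a known
    category with a well-formed key resource name are acted on."""
    if finding.get("state") != "ACTIVE":
        return None
    action = ACTIONABLE.get(finding.get("category"))
    if action is None:
        return None
    key = finding.get("sourceProperties", {}).get("serviceAccountKeyName", "")
    parts = key.split("/")       # projects/P/serviceAccounts/EMAIL/keys/ID
    if len(parts) != 6 or parts[0] != "projects" or parts[2] != "serviceAccounts" or parts[4] != "keys":
        return None
    return {"action": action, "key": key, "service_account": parts[3], "finding": finding["name"]}


def handle_pubsub(event, context=None, *, disable_key, audit):
    """Cloud Functions gen 1 entry point (bind disable_key/audit with
    functools.partial when deploying). `disable_key(key_name)` is the side
    effect, e.g. `gcloud iam service-accounts keys disable` or
    IAMClient.disable_service_account_key from google-cloud-iam; `audit` is a
    list that records every decision so a run is reviewable."""
    message = json.loads(base64.b64decode(event["data"]))
    decision = decide(message["finding"])
    if decision is None:
        return {"status": "ignored", "finding": message["finding"].get("name")}
    # Disabling an already-disabled key is a no-op, so Pub/Sub redelivery is safe.
    disable_key(decision["key"])
    audit.append(decision)
    return {"status": "remediated", **decision}


def _event(finding):
    """Constructed Pub/Sub event wrapping an SCC notification message."""
    msg = {"notificationConfigName": "organizations/123/notificationConfigs/remediate",
           "finding": finding, "resource": {"name": finding["resourceName"]}}
    return {"data": base64.b64encode(json.dumps(msg).encode()).decode()}


KEY = "projects/proj/serviceAccounts/ci@proj.iam.gserviceaccount.com/keys/0123abcd"
LEAKED_KEY_FINDING = {                       # constructed sample finding
    "name": "organizations/123/sources/456/findings/abc",
    "category": "Initial Access: Leaked Service Account Credentials Used",
    "state": "ACTIVE", "severity": "HIGH",
    "resourceName": "//iam.googleapis.com/projects/proj/serviceAccounts/ci@proj.iam.gserviceaccount.com",
    "sourceProperties": {"serviceAccountKeyName": KEY},
}
EVENTS = {
    "leaked": _event(LEAKED_KEY_FINDING),
    "already_closed": _event({**LEAKED_KEY_FINDING, "state": "INACTIVE"}),
    "other_category": _event({**LEAKED_KEY_FINDING, "category": "Malware: Bad Domain"}),
    "malformed_key": _event({**LEAKED_KEY_FINDING,
                             "sourceProperties": {"serviceAccountKeyName": "keys/0123abcd"}}),
}


def run_samples():
    """Process every constructed event with a recording stub; returns
    ({event name: status}, [keys that would have been disabled])."""
    disabled, audit = [], []
    results = {name: handle_pubsub(ev, disable_key=disabled.append, audit=audit)["status"]
               for name, ev in EVENTS.items()}
    return results, disabled


if __name__ == "__main__":
    print(run_samples())
```

Only the active, recognised, well-formed finding results in a disable call; the closed finding, the unrelated category, and the malformed key name are ignored, which is the behaviour you want before wiring the real IAM call in.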
Compliance#
Compliance frameworks on GCP:
- GCP’s compliance certifications and what they cover (ISO 27001, SOC 2, PCI DSS, HIPAA, GDPR)
- Shared responsibility model: what GCP is responsible for vs what the customer configures
- Assured Workloads: deploying workloads that meet specific compliance requirements (FedRAMP, IL4, IL5 for US government)
- Data residency: constraining resource deployment to specific regions using org policies
Cloud Asset Inventory:
- Searching and monitoring all GCP resources across projects
- Using Policy Analyzer to understand who has access to what
Preparation approach#
Security foundation first: If your background is in general cloud engineering, build specific hands-on experience in IAM, VPC Service Controls, Cloud KMS, and Cloud Logging before studying for this exam. Security concepts in GCP are deeply interconnected — understanding CMEK without understanding how Cloud KMS works will leave gaps.
Work through GCP security labs: Google Cloud Skills Boost has security-focused learning paths. The Security Engineer learning path provides hands-on exercises specifically covering the exam domains.
Understand the threat model behind each feature: Security exam questions often require you to understand why a security control exists, not just how to configure it. For each feature you study, ask: what attack or risk does this protect against? How would an attacker exploit the absence of this control?
Preparation time:
- Holds ACE, working in cloud security: 8–10 weeks
- Holds ACE, general cloud background but new to security focus: 3–4 months
- No GCP ACE equivalent: Get ACE experience first
Career value of this certification#
Cloud security is a growing specialism with genuine talent shortages. Engineers who can design secure GCP architectures — not just deploy secure services — are in demand at regulated industries (financial services, healthcare, government) and at organisations scaling their GCP environments.
The Professional Cloud Security Engineer, paired with real security engineering experience, positions you for:
- Cloud security engineer roles
- DevSecOps engineer positions
- Security architecture consulting
The salary premium for security specialisation in cloud engineering is real. See cloud security engineer salary for market context.
Summary#
- The GCP Security Engineer exam is a specialist credential requiring real GCP operational experience as a prerequisite
- Heaviest domain: IAM configuration (27%) — know service accounts, org policies, VPC Service Controls, and Workload Identity deeply
- Data protection covers CMEK, Cloud HSM, Cloud DLP, and Secret Manager in practical detail
- Compliance topics require understanding shared responsibility and GCP’s compliance posture frameworks
- 8–10 weeks is realistic for engineers already working in cloud security; longer for those new to the domain