Notes from my beta Google Cloud Professional Security Engineer Certification Exam

sathish vj
Feb 27 · 7 min read

Update on March 29th, 2019: Results are out and I passed! I’m now a …

And now, back to the original programme …

I wrote the beta Google Cloud Security Engineer certification exam. I think I did fairly ok, but I won’t be convinced that I passed until I see the result. Checking my answers post the exam, I definitely got a few wrong, but will I pass despite those? Have I made way more errors than I thought? I’ll just have to wait and see.

The exam was easier compared to the Network Engineer — but then, according to me, the Network Engineer exam was the toughest of the six so far. On the Security exam, many of the questions were straightforward. I sometimes doubted if they could be that straightforward and I re-read the questions a few times to ensure that I wasn’t missing some catch. Nope, they actually were fairly direct. Then again, not all of it was easy.

In the other GCP exams, I was often able to come to a logical conclusion based on the use case. You look to eliminate a few obviously wrong options, then search the question for further clues on what the requirement in the use case is to arrive at the answer. Here though, sometimes, the questions were a little too straightforward — the kind that you have to mug up for. Imagine if somebody questioned you on capitals of countries. There is no use case there, no logic. It’s just straight up by-hearting. There were at least 10 questions like that.

On a personal note of judgement, I wasn’t very appreciative of the Security exam. The Networking exam was challenging and I felt it takes a certain amount of merit to pass that. The bar for the Security exam was lower. If somebody came in with a GCP Networking Certification, I would consider them at a higher level in their area than one who had the GCP Security Certification in their own area. I feel this exam needs to be different; not just needlessly difficult but more relevant with use cases and questions that you have to reason through given all the security tools in the GCP ecosystem.

Let me also mention one exam question I got annoyed with. And if the exam creators are seeing this, please fix it. There was a similar one on the networking exam too. It’s a question about firewall rule priority. Here’s a made-up similar one. A default rule is created with priority 1000. To overrule this with another, a) set a higher priority or b) set a lower priority. It’s impossible to answer this question with confidence because effective priority and numerical priority value are inversely related (a lower number means the rule is evaluated first). One could interpret it either way. The options would be clearer as a) set a priority value of 999 or b) set a priority value of 1001.
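To make the inverse relation concrete, here is an added Go model of VPC firewall rule precedence. It is not code from the original post or from Google; the rule names, priorities and the reduced protocol/port matching are constructed for the example. The tie-break (deny wins over allow when two matching rules share a priority value) follows the documented GCP behaviour.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule holds the fields of a VPC firewall rule that decide precedence.
// Priority is the numeric value 0-65535: the LOWER the number, the
// HIGHER the effective priority, which is exactly what the exam
// question's wording leaves ambiguous.
type Rule struct {
	Name     string
	Priority int
	Allow    bool   // true = allow, false = deny
	Protocol string // matching reduced to protocol + port for the example
	Port     int
}

// Effective returns the rule that decides a packet, or nil when no rule
// matches. Rules are ordered by ascending priority value; ties go to
// the deny rule, as GCP documents for rules of equal priority.
func Effective(rules []Rule, protocol string, port int) *Rule {
	var matched []Rule
	for _, r := range rules {
		if r.Protocol == protocol && r.Port == port {
			matched = append(matched, r)
		}
	}
	if len(matched) == 0 {
		return nil
	}
	sort.SliceStable(matched, func(i, j int) bool {
		if matched[i].Priority != matched[j].Priority {
			return matched[i].Priority < matched[j].Priority
		}
		return !matched[i].Allow && matched[j].Allow // deny first on a tie
	})
	return &matched[0]
}

// Allowed answers "does this ingress packet get through?" and names the
// deciding rule. With no match, the implied ingress deny applies.
func Allowed(rules []Rule, protocol string, port int) (bool, string) {
	r := Effective(rules, protocol, port)
	if r == nil {
		return false, "implied-deny-ingress"
	}
	return r.Allow, r.Name
}

func main() {
	// Constructed rules: the "default" allow at 1000 and two candidate overrides.
	base := Rule{Name: "default-allow-ssh", Priority: 1000, Allow: true, Protocol: "tcp", Port: 22}
	higherNumber := Rule{Name: "deny-ssh-1001", Priority: 1001, Allow: false, Protocol: "tcp", Port: 22}
	lowerNumber := Rule{Name: "deny-ssh-999", Priority: 999, Allow: false, Protocol: "tcp", Port: 22}

	fmt.Println(Allowed([]Rule{base, higherNumber}, "tcp", 22)) // still allowed: 1001 loses to 1000
	fmt.Println(Allowed([]Rule{base, lowerNumber}, "tcp", 22))  // denied: 999 beats 1000
}
```

Run it and the 1001 rule never takes effect while the 999 rule does, which is why the question should ask for a priority value rather than a "higher" or "lower" priority.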

Preparation

For preparation, I did the Coursera GCP Security Specialization. But I didn’t delve into it too much. For other exams I’d watched the related Coursera videos at least a couple of times. But not this time. This time I went mostly for documentation. The Linux Academy GCP Security course is currently free btw. And while it is free, you might as well take it. I watched about one or two videos on that but then abandoned it. There’s no denying that they are competitively good compared to the Coursera ones, but once you’ve done one of those, the relative benefit of the other is only trivially incremental. Moreover, my experience with the Networking exam changed my approach. As I’d mentioned in my notes on that exam, I was underprepared. I learnt way more in the exam than prior to it. Duh. After the exam I was strongly motivated to learn more about GCP networking, and learn I did, primarily from the documentation. Similarly, I was really keen to learn about GCP Security (not just for the certification) and I found greater depth and breadth in the documentation.

If you are preparing for the Networking or Security certification, my suggestion is that you prepare for both together. A large part of Security is also about Networking and therefore there is considerable overlap. Between the two, the Security exam is easier, so you might want to take that first.

Questions

Onwards to the questions I got. Unfortunately, because many of the questions were straightforward, I have less to give you from this exam as mentioning them might be revealing them. So I apply my own Data Loss Prevention API on the questions I can remember and am redacting anything that is Question Identifiable Information. I got 113 questions for 4 hours. Because of time spent switching between questions and general network delays, plan to be in there for about 4.5 hours if you are taking the beta. That by itself is going to wear you down and make you lose focus. A regular exam is more reasonable at 2 hours and about 50 questions.

IAM — questions covering Folders, Organizations, IAM Permissions, Organizational Constraints, Google Groups.

IAM — managing users can be via GSuite or Cloud Identity. There were questions on GSuite and I wasn’t expecting those. I haven’t done the GSuite course, but I wonder now if there would have been value in skimming those topics.

Networking — shared VPC, VPN, VPC peering, interconnect, Private Google Access. Here, you are better off doing the full Networking specialization. There is significant overlap.

DLP — Some were straightforward and some were of that by-hearting type. So, if you find lists of items related to this, spend some time on them.

DLP — what are the various ways to de-identify data? How can you completely redact them and never get it back? And how can you get it back? What are the various algorithms you can use?

DLP — using custom dictionaries and regex. Creating custom infoTypes.
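The three DLP items above (irreversible vs. reversible de-identification, and custom regex/dictionary infoTypes) come together in this added Go example. It is not code from the original post and does not call the Cloud DLP API; the detectors, the HMAC key and the sample message are constructed here. Redact, mask and crypto-hash are one-way; tokenisation is reversible only through the vault the de-identifier keeps, which is the distinction the questions probe.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Detector is a custom infoType: a name plus the regular expression that
// finds it. Dictionary infoTypes are compiled down to a regex as well.
type Detector struct {
	Name  string
	Regex *regexp.Regexp
}

// RegexInfoType builds a detector from a pattern (constructed for this example).
func RegexInfoType(name, pattern string) Detector {
	return Detector{Name: name, Regex: regexp.MustCompile(pattern)}
}

// DictionaryInfoType matches any of the listed terms as whole words,
// the way a custom dictionary would.
func DictionaryInfoType(name string, terms []string) Detector {
	quoted := make([]string, len(terms))
	for i, t := range terms {
		quoted[i] = regexp.QuoteMeta(t)
	}
	return Detector{Name: name, Regex: regexp.MustCompile(`\b(?:` + strings.Join(quoted, "|") + `)\b`)}
}

// Transform selects the de-identification method. Redact, Mask and
// CryptoHash cannot be undone; Tokenize can, via the vault.
type Transform int

const (
	Redact Transform = iota
	Mask
	CryptoHash
	Tokenize
)

// Deidentifier applies one transform across all detectors.
type Deidentifier struct {
	detectors []Detector
	hmacKey   []byte            // key for CryptoHash (constructed, not a real secret)
	vault     map[string]string // token -> original, populated only by Tokenize
	counter   int
}

func NewDeidentifier(hmacKey []byte, detectors ...Detector) *Deidentifier {
	return &Deidentifier{detectors: detectors, hmacKey: hmacKey, vault: map[string]string{}}
}

// Apply rewrites every finding in text according to tr.
func (d *Deidentifier) Apply(text string, tr Transform) string {
	for _, det := range d.detectors {
		text = det.Regex.ReplaceAllStringFunc(text, func(m string) string {
			switch tr {
			case Redact:
				return "[" + det.Name + "]"
			case Mask: // partial mask: keep the last 4 characters
				if len(m) <= 4 {
					return strings.Repeat("#", len(m))
				}
				return strings.Repeat("#", len(m)-4) + m[len(m)-4:]
			case CryptoHash: // keyed hash: stable for joins, not reversible
				mac := hmac.New(sha256.New, d.hmacKey)
				mac.Write([]byte(m))
				return det.Name + ":" + hex.EncodeToString(mac.Sum(nil))[:16]
			default: // Tokenize: surrogate that the vault can map back
				d.counter++
				tok := fmt.Sprintf("TOKEN_%s_%d", det.Name, d.counter)
				d.vault[tok] = m
				return tok
			}
		})
	}
	return text
}

// Reidentify restores originals for tokens this Deidentifier issued.
func (d *Deidentifier) Reidentify(text string) string {
	for tok, orig := range d.vault {
		text = strings.ReplaceAll(text, tok, orig)
	}
	return text
}

func main() {
	d := NewDeidentifier([]byte("constructed-hmac-key"),
		RegexInfoType("EMAIL", `[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`),
		DictionaryInfoType("PROJECT_CODENAME", []string{"Falcon", "Osprey"}))
	msg := "Contact jane@example.com about project Falcon" // constructed sample
	for _, tr := range []Transform{Redact, Mask, CryptoHash, Tokenize} {
		fmt.Println(d.Apply(msg, tr))
	}
	fmt.Println(d.Reidentify(d.Apply(msg, Tokenize)))
}
```

The vault is the reversible path, so whoever can read it can re-identify everything; in the real service that is the role the surrogate key or wrapped key plays, and protecting it is what makes tokenisation different from redaction.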

DLP — how to manage data when in BigQuery and on Cloud Storage.

PCI DSS — What solutions are compliant with PCI and what requires additional work?

DNSSEC — how to protect your domain to the extent possible?

GCDS — How do you sync users, groups, third party tools, etc. There were mentions of LDAP and Active Directory, but you don’t need to really know them.

SIEM — how to connect, export, etc.

KMS — An important topic that is covered well in the courses. Do the exercises to really get the hang of what’s happening. One of the Qwiklabs exercises on working with Cloud Storage and KMS was what really made me understand some parts of this.

KMS — know all about the process of how DEKs, KEKs, Key Rings, etc. are used within GCP. Where are they stored? Where are they retrieved from when used? There was some post on how keys are managed even above that. It isn’t relevant for the exam, but it was good reading.
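The DEK/KEK flow is easier to picture in code, so here is an added Go example of envelope encryption. It is not code from the post or from Google, and `FakeKMS` is a stand-in for Cloud KMS constructed for the example: it holds the key-encryption keys and only ever exposes wrap/unwrap, while the data-encryption key is generated and used locally. The envelope stored beside the data carries the wrapped DEK and the KEK name, never the plain DEK, and `Rewrap` shows why rotating a KEK does not require re-encrypting the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aeadSeal encrypts with AES-256-GCM under key and prepends the random nonce.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal and fails on any tampering.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// FakeKMS stands in for Cloud KMS: KEKs live here and never leave.
type FakeKMS struct{ keks map[string][]byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{keks: map[string][]byte{}} }

func (k *FakeKMS) CreateKey(name string) error {
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		return err
	}
	k.keks[name] = kek
	return nil
}

// Wrap and Unwrap are the only operations callers get; the KEK name is
// bound as associated data so a wrapped DEK cannot be replayed under another key.
func (k *FakeKMS) Wrap(kekName string, dek []byte) ([]byte, error) {
	kek, ok := k.keks[kekName]
	if !ok {
		return nil, errors.New("unknown key: " + kekName)
	}
	return aeadSeal(kek, dek, []byte(kekName))
}

func (k *FakeKMS) Unwrap(kekName string, wrapped []byte) ([]byte, error) {
	kek, ok := k.keks[kekName]
	if !ok {
		return nil, errors.New("unknown key: " + kekName)
	}
	return aeadOpen(kek, wrapped, []byte(kekName))
}

// Envelope is what is stored next to the data: wrapped DEK plus KEK name.
type Envelope struct {
	KEKName    string
	WrappedDEK []byte
	Ciphertext []byte
}

func EnvelopeEncrypt(kms *FakeKMS, kekName string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32) // fresh DEK per object, used only locally
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, plaintext, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := kms.Wrap(kekName, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{KEKName: kekName, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func EnvelopeDecrypt(kms *FakeKMS, env *Envelope) ([]byte, error) {
	dek, err := kms.Unwrap(env.KEKName, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, env.Ciphertext, nil)
}

// Rewrap moves the envelope to a new KEK without touching the data ciphertext.
func Rewrap(kms *FakeKMS, env *Envelope, newKEK string) error {
	dek, err := kms.Unwrap(env.KEKName, env.WrappedDEK)
	if err != nil {
		return err
	}
	wrapped, err := kms.Wrap(newKEK, dek)
	if err != nil {
		return err
	}
	env.KEKName, env.WrappedDEK = newKEK, wrapped
	return nil
}

func main() {
	kms := NewFakeKMS()
	_ = kms.CreateKey("kek-v1")
	env, _ := EnvelopeEncrypt(kms, "kek-v1", []byte("customer record")) // constructed sample
	_ = kms.CreateKey("kek-v2")
	_ = Rewrap(kms, env, "kek-v2")
	pt, err := EnvelopeDecrypt(kms, env)
	fmt.Printf("%s %v\n", pt, err)
}
```

The exam point this illustrates: the KEK never leaves KMS, the DEK exists in plaintext only while the data is being processed, and a KEK rotation is a rewrap of the small envelope rather than a re-encryption of the large object.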

KMS — Google managed keys, CMEK, CSEK, Application Security with keys.

Compliance — Know what these are about at a high level: GDPR, HIPAA, COPPA, FIPS 104, PCI-DSS.

Cloud Build — what are the best practices on ensuring secure builds and safe images?

Cloud Build — what base images do you start off with when you do your build? How do you ensure those are safe?

Cloud Security Scanner — where do you use this? What kind of situations is it used in? What kinds of issues does it catch? What are the downsides of using it?

Firewalls — when is it better to use firewall rules as opposed to other options? Priority values on rules. What are the default rules?

GKE — Aliases and GKE with private access.

Shared Responsibility Model — know what you are responsible for beyond what Google takes care of.

Stackdriver — there was something about capturing and viewing logs. Can’t remember where or what that was.

Forseti — under what circumstances is Forseti an appropriate choice? What are the various components of Forseti and when are they used?

My Certification

Notes from the beta Professional Cloud Security Engineer Exam

Notes from each of my exams

For those appearing for the various certification exams, here is a list of sanitized notes (no direct question, only general topics) about the exam.

Overall notes across all GCP certification exams

Notes from the Professional Cloud Architect exam

Notes from the beta Professional Cloud Developer exam

Notes from the Professional Data Engineer exam

Notes from the Associate Cloud Engineer exam

Notes from the beta Professional Cloud Network Engineer Exam

A collection of other people’s notes and other exam details for all exams: https://github.com/ddneves/awesome-gcp-certifications

Official Links

Main Link — https://cloud.google.com/certification/cloud-security-engineer

Topics Outline — https://cloud.google.com/certification/guides/cloud-security-engineer/

Practice Exam — https://cloud.google.com/certification/practice-exam/cloud-security-engineer

Free Qwiklabs Codes to Practice

I’ve collected here a bunch of free Qwiklabs codes which are awesome to get lots of hands-on practice. Use them well.

Wish you the very best with your GCP certifications. You can reach out to me at LinkedIn and Twitter, especially for training for the certifications, short term consulting on GCP, and anything related to GoLang.