Preparing for your

Professional
Cloud Security
Engineer Journey
Module 1: Configuring Access

Welcome to Module 1: Configuring Access.

 Proprietary + Confidential

Module 01 Planning Cymbal Bank’s cloud identity and access

management

agenda 02 Diagnostic questions

03 Review and study planning

In this module you’ll learn about defining a high level plan for an organization’s cloud
identity and access management, which corresponds to the first section of the
Professional Cloud Security Engineer Exam Guide.

We’ll start by discussing some different aspects of Cymbal Bank’s identity and access
management structure. Next, you’ll assess your skills in this section through 10
diagnostic questions.

Then, we’ll review these questions. Based on the areas you need to learn more
about, you’ll identify resources to include in your study plan.
 Proprietary + Confidential

Planning Cymbal
Bank’s cloud identity
and access
management

Let’s begin by exploring how a Professional Cloud Security Engineer would plan
Cymbal Bank’s cloud identity and access management.
Setting a secure
● Configuring Cloud Identity
identity and access ● Managing service accounts

foundation ● Managing authentication

● Managing and implementing
authorization controls
● Defining Resource Hierarchy

Cymbal Bank is extending its on-premises office and data center infrastructure to
connect into Google Cloud to support a hybrid cloud model. As a Professional Cloud
Security Engineer, you play an integral role in securing the cloud environment and the
data stored therein.

In the cloud, Cymbal Bank will leverage the shared responsibility model to secure its
virtual infrastructure, workloads, and data on top of the hardware and physical
infrastructure security provided by Google. You will help design their systems
incorporating security features provided by Google Cloud along with the
recommended approaches and best practices to ensure a layered defense in depth.

You will begin by helping them synchronize and federate their current identity
management system to Cloud Identity. This will let employees use the existing
Cymbal Bank authentication system to be granted access to Cymbal Bank’s Google
Cloud resources via their user or group identities.

You will also help Cymbal Bank define service account identities for their workloads
running both on-premises and in the cloud to provide access to protected resources
and data in Google Cloud. Those resources and data will be arranged in an
organization hierarchy that aligns with their access control requirements and helps
them achieve least privilege access control and separation of duties.
 Proprietary + Confidential

Synchronizing Cymbal Bank’s identities to Google Cloud

One-way synchronization of LDAP

or Active Directory (AD) identities
using Google Cloud Directory Sync Microsoft Active Google Cloud
(GCDS) Directory or LDAP Directory Sync

● AD users and groups Users and groups in Users and groups

in your Cloud
your existing Scheduled one-way sync
synchronized to Cloud Identity directory service Identity domain

by GCDS on daily schedule after

daily updates to AD system

Cymbal Bank will synchronize their on-premises Active Directory (AD) users and
groups to Cloud Identity (CI) using the Google Cloud directory sync tool. They will set
up a cron job to run the tool on a daily schedule right after the daily updates to the AD
system to ensure any changes to organization users, groups, and group
memberships are synchronized from the AD system into Google Cloud.

Cymbal Bank will then be able continue to use their existing Active Directory
authentication system for which they have a long-term contract. This system is
configured for multi-factor authentication.
 Proprietary + Confidential

Configuring Cymbal
Bank’s single sign-on
to Google Cloud
SAML2 single sign-on configuration
● Federate using SAML2 for Single
sign-on (SSO)
● Active Directory is the Identity
provider (IdP) and Google Cloud is
the service provider (SP)

Cymbal Bank will synchronize their on-premises Active Directory (AD) users and
groups to Cloud Identity (CI) using the Google Cloud directory sync tool and configure
CI to use the corporate AD as a SAML2 Identity provider (IdP) and Google Cloud as
Service provider (SP).

This will allow Google Cloud roles to be bound to their existing AD user and group
identities and they can continue to manage the users, groups, and group membership
as well as authentication for users and groups in AD.
 Proprietary + Confidential

Service accounts Identity IAM role Resource

provide service access
to Google Cloud
Service account InstanceAdmin role Compute Instances
Service accounts used as service identities for
workloads running in or outside Google Cloud
● Given access to resources like user and
group identities
● Authenticate with private keys
User/Group ServiceAccountUser Role Service Account
● Leverage Google key management for
most secure usage

Cymbal Bank will create separate service accounts for all their Google Cloud
workloads running in Compute Engine VMs and GKE containers as well as for any
on-premises workloads that require access to Google Cloud resources.

Cymbal Bank will primarily leverage Google key management (provisioning and
rotation) for these service accounts to reduce risk of key exposure by using features
such as GKE Workload identity and Workload Identity Federation.

They will prevent users creating service account keys with rare exceptions, use
automated rotation of such keys when they do, and carefully audit that usage. They
will also carefully control who has access to which service accounts and audit how
they are used to ensure alignment with security best practices.
 Proprietary + Confidential

Organization hierarchy helps example.com

organize access control and Folder A

policy for resources Folder B

Folders provide for flexible

hierarchy of Projects
project 1 project 2 project 3 project 4 project 5
● Organization policy and access
control can be bound at any level
and flow downwards

Compute Cloud App Cloud

Pub/Sub Bigtable BigQuery
Engine Storage Engine Storage

Cymbal Bank will create their Organization in Google Cloud with a Folder hierarchy
aligning with their departments, teams, products and shared services. They will utilize
separate projects for development, QA, and production environments.

Projects may or may not have standalone VPCs for workloads that require isolation,
and there will be a set of development, QA, and production shared VPC host projects
for cross-project communication.
 Proprietary + Confidential

Organization policy helps

Constraint

restrict to authorized usage + ∞

Organization policies composed of a set of

organizational policy constraints can be
Organization
bound at multiple levels of hierarchy Node

+
● Large number of optional constraint types
across various Google cloud services
● Policies may be configured for inheritance
down hierarchy or not
Resource 1 Resource 2 Resource 3 Resource 4

● With inheritance, ancestor policy + - + +∞

constraints can be overridden or merged

Cymbal Bank will utilize Organizational policy constraints in multiple policies bound at
different levels of the hierarchy to restrict activity across projects to approved and
expected services and processes.

They will set constraints on which services can be enabled in parts of the hierarchy as
well as which regions or zones can be used. They will also set constraints around
which identities from which domains can be granted access and how service
accounts can be used.
 Proprietary + Confidential

Bind roles to identities to

provide access to resources
Basic
Roles are collections of permissions which
align with the required access for an
abstract job function
● Facilitate least privilege access control
and separation of duties
Predefined
● Can be bound at organization, folder,
project, or resource level and
flows downwards

Custom

Cymbal Bank will primarily assign access by binding predefined roles to groups
aligning with the principles of least privilege and separation of duties. They will always
bind roles as low in the hierarchy as possible when the access is not required across
multiple resources or projects. They will also partition access to minimize the damage
any single actor can do.

Providing access primarily via groups rather than individuals minimizes maintenance
as individuals join or leave teams or the organization, and reduces effort and
complexity for auditing activity.
 Proprietary + Confidential

IAM conditions to control

Google Group
the where, when, how of
access to resources
IAM conditions can be added to role Resource
IAM Role
access
bindings to control from where, when,
and how the access can be used
● Allows for even better least privilege
access control IAM Conditions

Cymbal Bank will utilize IAM conditions when binding roles to identities to restrict from
which locations, agent types, and time frames access can be used. This will provide
further flexibility and granularity in least privilege access control.
 Proprietary + Confidential

Diagnostic questions

Now it’s your turn to assess your experience and skills related to this section with
some diagnostic questions. Remember, the purpose of these questions is to help you
better understand what is involved in this section of the exam guide and identify which
areas you’ll want to focus on in your study plan.
 Proprietary + Confidential

Please complete the

diagnostic questions now
● The diagnostic questions are available in
the workbook.

Please take 15 minutes to complete the diagnostic questions for this section.
 Proprietary + Confidential

Review and
study planning

Now let’s review how to use these diagnostic questions to help you identify what to
include in your study plan.
 Proprietary + Confidential

Your study plan:

Configuring access
1.1 Managing Cloud Identity

1.2 Managing service accounts

1.3 Managing authentication

1.4 Managing and implementing

authorization controls

1.5 Defining resource hierarchy

We’ll approach this review by looking at the key areas of this exam section and the
questions you just answered about each one. We’ll talk about where you can find out
more about each area in the learning path for this certification and/or where to find the
information in Google Cloud documentation.

As we go through each one, take notes on the specific courses (and modules!), skill
badges, and documentation pages you’ll want to emphasize in your study plan.
 Proprietary + Confidential

1.1 Managing Cloud Identity

Considerations include:
● Configuring Google Cloud Directory Sync and third-party connectors
● Managing a super administrator account
● Automating the user lifecycle management process
● Administering user accounts and groups programmatically
● Configuring Workforce Identity Federation

As Professional Cloud Security Engineer, you should be able to design and

implement and identity and access management scheme for the Google Cloud
resources of an organization. This includes managing users, groups, and group
membership, optionally synchronizing and federating to external identity management
systems and designing and leveraging an organizational hierarchy for policy and
access control.

Question 1 tested your knowledge of the process used to sync external identities to
Cloud Identity. Question 2 asked you to create dynamic groups in Cloud Identity.
 Proprietary + Confidential

1.1 Diagnostic Question 01 Discussion

Cymbal Bank has acquired a A. Run Microsoft System Center Configuration Manager (SCCM) on a
non-banking financial company Compute Engine instance. Leave the channel unencrypted because
(NBFC). This NBFC uses Active you are in a secure Google Cloud environment. Deploy Google Cloud
Directory as their central Directory Sync on the Compute Engine instance. Connect to the
directory on an on-premises on-premises Windows Server environment from the instance, and migrate users to Cloud Identity.
Windows Server. You have been B. Run Configuration Manager on a Compute Engine instance. Copy the resulting configuration file from
tasked with migrating all the this machine onto a new Compute Engine instance to keep the production environment separate from
NBFC users and employee the staging environment. Leave the channel unencrypted because you are in a secure Google Cloud
information to Cloud Identity. environment. Deploy Google Cloud Directory Sync on this new instance. Connect to the on-premises
Windows Server environment from the new instance, and migrate users to Cloud Identity.
C. Use Cloud VPN to connect the on-premises network to your Google Cloud environment. Select an
on-premises domain-joined Windows Server. On the domain-joined Windows Server, run Configuration
What should you do? Manager and Google Cloud Directory Sync. Use Cloud VPN’s encrypted channel to transfer users from
the on-premises Active Directory to Cloud Identity.
D. Select an on-premises domain-joined Windows Server. Run Configuration Manager on the
domain-joined Windows Server, and copy the resulting configuration file to a Compute Engine instance.
Run Google Cloud Directory Sync on the Compute Engine instance over the internet, and use Cloud
VPN to sync users from the on-premises Active Directory to Cloud Identity.

Feedback:
A. Incorrect. Active Directory uses unencrypted LDAP. When you use a Compute
Engine instance, the communication channel must be encrypted even if it is a trusted
Google Cloud environment. Use either LDAPs or Cloud VPN.

B. Incorrect. Active Directory uses unencrypted LDAP. When you use a Compute
Engine instance, the communication channel must be encrypted. Use either LDAPs or
Cloud VPN.

C. Correct! If you are in an on-premises environment, you can access Active Directory
using LDAP. Google Cloud Directory Sync to Cloud Identity communication will be
over an HTTPs channel using Cloud VPN.

D. Incorrect. Copying configuration files will not give desired results. Google Cloud
Directory Sync on a Compute Engine instance would also need this instance to be a
part of an on-premises Windows Active Directory server farm.

Where to look:
● https://cloud.google.com/architecture/identity/federating-gcp-with-active-direct
ory-synchronizing-user-accounts
● https://support.google.com/a/answer/6126578?hl=en#:~:text=Configuration%2
0Manager%20is%20a%20step,test%2C%20and%20run%20a%20synchroniza
tion
Content mapping:
● ILT course: Security in Google Cloud
○ M2 Securing Access to Google Cloud

● On-demand course: Managing Security in Google Cloud

○ M2 Securing Access to Google Cloud

Summary:
Google Cloud Directory Sync deployment requires a secure, isolated environment.
Because Active Directory uses LDAP, which is unencrypted, the safest choice is to
deploy on-premises. When running Google Cloud Directory Sync remotely or on
Google Cloud, ensure that the communication channel is encrypted. You can do this
by using Secure LDAP or Cloud VPN. Although this might add a layer of complexity to
the process, it ensures that your data transfers are secure. If the source servers
support GUI, you can run Configuration Manager to ease the process.
 Proprietary + Confidential

1.1 Diagnostic Question 02 Discussion

Cymbal Bank has certain default A. Leave all user permissions as-is in the
permissions and access for their analyst, small bank’s IAM. Use the Directory API in
finance, and teller teams. These teams are the Google Workspace Admin SDK to create
organized into groups that have a set of Google Groups. Use a Python script to
role-based IAM permissions assigned to allocate users to the Google Groups.
them. After a recent acquisition of a small B. Reset all user permissions in the small bank’s IAM. Use Cloud Identity to
bank, you find that the small bank directly create dynamic groups for each of the bank’s teams. Use the dynamic
assigns permissions to their employees in groups’ metadata field for team type to allocate users to their appropriate
IAM. You have been tasked with applying group with a Python script.
Cymbal Bank’s organizational structure to
C. Reset all user permissions in the small bank’s IAM. Use Cloud Identity to
the small bank. Employees will need
create the required Google Groups. Upgrade the Google Groups to
access to Google Cloud services.
Security Groups. Use a Python script to allocate users to the groups.
D. Reset all user permissions in the small bank’s IAM. Use the Directory API in
What should you do? the Google Workspace Admin SDK to create Google Groups. Use a Python
script to allocate users to the groups.

Feedback:
A. Incorrect. You need to reset permissions in IAM and create Dynamic Groups. Using
Google Groups from the Workspace Admin SDK Directory APIs allows access to
Google Drive and Docs, but not to Google Cloud resources. Dynamic groups allow
you to create and automatically manage users based on identity attributes.

B. Correct! Use Dynamic Groups to create groups based on Identity attributes, such
as department, and place the users in a flat hierarchy. Dynamic group metadata helps
build the structure to identify the users.

C. Incorrect. Upgrading to Security Groups helps create a protective access layer, but
does not fulfill your criterion to apply Cymbal Bank’s structure.

D. Incorrect. Using Google Groups from the Workspace Admin SDK Directory APIs
allows access to Google Drive and Docs, but not to Google Cloud resources.

Where to look:
● https://support.google.com/a/answer/10286834
● https://cloud.google.com/identity/docs/how-to/create-dynamic-groups
● https://support.google.com/a/answer/10427204

Content mapping:
● ILT course: Security in Google Cloud
○ M2 Securing Access to Google Cloud
 ● On-demand course: Managing Security in Google Cloud
○ M2 Securing Access to Google Cloud

Summary:
Cloud Identity supports creating groups and then placing users inside those groups.
Groups help with managing permissions, access controls, and organizational policies.
In Dynamic Groups, users are automatically managed and added based on Identity
attributes, such as department.
 Proprietary + Confidential

1.1 Managing Cloud Identity

Courses Documentation
Active Directory user account provisioning |
Identity and access management | Google
Cloud
Security in Google Cloud Managing Security in Google Cloud What is Configuration Manager? - Google
M2 Securing Access to Google Cloud M2 Securing Access to Google Cloud Workspace Admin Help
Manage membership automatically with
dynamic groups - Google Workspace Admin
Help
Creating and updating a dynamic group | Cloud
Identity
Create and manage groups using APIs - Google
Workspace Admin Help

Let’s take a moment to consider resources that can help you build your knowledge
and skills in this area.

The concepts in the diagnostic questions we just reviewed are covered in these
modules and in this documentation. Reviewing the documentation is highly
recommended. You’ll find this list in your workbook so you can take a note of what
you want to include later when you build your study plan. Based on your experience
with the diagnostic questions, you may want to include some or all of these.

● https://cloud.google.com/architecture/identity/federating-gcp-with-active-direct
ory-synchronizing-user-accounts
● https://support.google.com/a/answer/6126578?hl=en#:~:text=Configuration%2
0Manager%20is%20a%20step,test%2C%20and%20run%20a%20synchroniza
tion
● https://support.google.com/a/answer/10286834
● https://cloud.google.com/identity/docs/how-to/create-dynamic-groups
● https://support.google.com/a/answer/10427204
 Proprietary + Confidential

1.2 Managing service accounts

Considerations include:
● Securing and protecting service accounts (including
default service accounts)
● Identifying scenarios requiring service accounts
● Creating, disabling, and authorizing service accounts
● Securing, auditing and mitigating the usage of service
account keys
● Managing and creating short-lived credentials
● Configuring Workload Identity Federation
● Managing service account impersonation

A Professional Cloud Security Engineer should be familiar with Google Cloud service
accounts, the key details of their usage and maintenance, and best practices for using
them securely.

Question 3 tested your knowledge of applying Google-recommended practices to

create and manage service accounts. Question 4 asked you to define service account
usage policy based on organizational requirements.
 Proprietary + Confidential

1.2 Diagnostic Question 03 Discussion

Cymbal Bank leverages Google Cloud A. Create a service account with appropriate
storage services, an on-premises permissions. Authenticate the Spark Cluster
Apache Spark Cluster, and a web and the web application as direct requests
application hosted on a third-party and share the service account key.
cloud. The Spark cluster and web B. Create a service account with appropriate permissions. Have the Spark
application require limited access to Cluster and the web application authenticate as delegated requests, and
Cloud Storage buckets and a Cloud share the short-lived service account credential as a JWT.
SQL instance for only a few hours per
C. Create a service account with appropriate permissions. Authenticate the
day. You have been tasked with
Spark Cluster and the web application as a delegated request, and share the
sharing credentials while minimizing
service account key.
the risk that the credentials will be
compromised. D. Create a service account with appropriate permissions. Have the Spark
Cluster and the web application authenticate as a direct request, and share
the short-lived service account credentials as XML tokens.
What should you do?

Feedback:
A. Incorrect. Sharing a service account key creates unnecessary exposure, which
increases the possibility of spoofing and unauthorized impersonation. This also
violates the principle of least privilege.

B. Correct! Delegated requests allow a service account to authenticate into a chain of

services. Using short-lived service account credentials provides limited access to
trusted services.

C. Incorrect. Although a delegate request is the correct method, sharing a service

account key for long durations increases the risk exposure to unauthorized parties.

D. Incorrect. Although short-lived service account credentials are the most secure
option, delegated requests instead of direct requests should be used by applications.

Where to look:
https://cloud.google.com/iam/docs/create-short-lived-credentials-direct

Content mapping:
● ILT course: Security in Google Cloud
○ M3 Identity and Access Management (IAM)
○ M5 Securing Compute Engine: Techniques and Best Practices
○ M8 Securing Google Kubernetes Engine: Techniques and Best
Practices
 ● On-demand course: Managing Security in Google Cloud
○ M3 Identity and Access Management (IAM)

● On-demand course: Security Best Practices in Google Cloud

○ M1 Securing Compute Engine: Techniques and Best Practices
○ M4 Securing Google Kubernetes Engine: Techniques and Best
Practices

● Skill badge: Implement Cloud Security Fundamentals on Google Cloud

Summary:
Short-lived credentials help a service account share credentials to trusted requests
without compromising the access key and similar credentials. Credential types could
be self-signed JWT or blobs, OAuth 2.0 access tokens, or OpenID Connect ID
Tokens. Delegated requests help a service account authenticate to a chain of
services, with limited and separate permissions for each service.
 Proprietary + Confidential

1.2 Diagnostic Question 04 Discussion

Cymbal Bank recently discovered A. Navigate to Organizational policies in the
service account key misuse in one Google Cloud Console. Select your organization. Select
of the teams during a security iam.disableServiceAccountKeyCreation.
audit. As a precaution, going Customize the applied to property, and set Enforcement to ‘On’. Click Save. Repeat the
forward you do not want any team process for iam.disableCrossProjectServiceAccountUsage.
in your organization to generate
B. Run the gcloud resource-manager org-policies enable-enforce command with
new external service account keys.
the constraints iam.disableServiceAccountKeyCreation, and
You also want to restrict every new
iam.disableCrossProjectServiceAccountUsage and the Project IDs you want the
service account’s usage to its
constraints to apply to.
associated Project.
C. Navigate to Organizational policies in the Google Cloud Console. Select your organization.
Select iam.disableServiceAccountKeyCreation. Under Policy Enforcement, select
Merge with parent. Click Save. Repeat the process for
iam.disableCrossProjectServiceAccountLienRemoval.
D. Run the gcloud resource-manager org-policies allow command with the boolean
What should you do? constraints iam.disableServiceAccountKeyCreation and
iam.disableCrossProjectServiceAccountUsage with Organization ID.

Feedback:
A. Correct! Boolean constraints help you limit service account usage.
iam.disableServiceAccountKeyCreation will restrict the creation of new
external service account keys.
iam.disableCrossProjectServiceAccountUsage will prevent service
accounts from being attached to resources in other projects.

B. Incorrect. You use the enable-enforce command with individual boolean

constraints. You would also pass the organization ID, not the Project ID, to enforce
the constraint.

C. Incorrect. Policy Enforcement and Merge with parent are used to merge list
constraints to parent policies. For boolean constraints, first select the constraint, and
then under Applies to, click Customize. Set Enforcement to On.

D. Incorrect. The command org-policies allow is used to consume list

constraints, not boolean constraints. Run the command to select boolean constraints
individually with the Organization ID.

Where to look:
https://cloud.google.com/resource-manager/docs/organization-policy/restricting-servic
e-accounts

Content mapping:
 ● ILT course: Security in Google Cloud
○ M3 Identity and Access Management (IAM)
○ M5 Securing Compute Engine: Techniques and Best Practices
○ M8 Securing Google Kubernetes Engine: Techniques and Best
Practices

● On-demand course: Managing Security in Google Cloud

○ M3 Identity and Access Management (IAM)

● On-demand course: Security Best Practices in Google Cloud

○ M1 Securing Compute Engine: Techniques and Best Practices
○ M4 Securing Google Kubernetes Engine: Techniques and Best
Practices

● Skill badge: Implement Cloud Security Fundamentals on Google Cloud

Summary:
Service account usage policies can expose or limit the actions that service accounts
can take. At an organization level, it is important to limit the service account activities
because service accounts are prone to impersonation. Sharing between projects and
exposing their keys for a long time can compromise the key.
 Proprietary + Confidential

1.2 Managing service accounts

Courses Skill Badges Documentation

Security in Google Cloud Creating short-lived service account credentials
| IAM Documentation
● M3 Identity and Access Management
(IAM) Google Cloud Restricting service account usage | Resource
● M5 Securing Compute Engine: Manager Documentation | Google Cloud
Techniques and Best Practices Implement Cloud
● M8 Securing Kubernetes: Techniques Security Fundamentals
and Best Practices on Google Cloud
Managing Security in Google Cloud
● M3 Identity and Access Management
(IAM)
Security Best Practices in Google Cloud
● M1 Securing Compute Engine:
Techniques and Best Practices
● M4 Securing Google Kubernetes
Engine: Techniques and Best
Practices

Let’s take a moment to consider resources that can help you build your knowledge
and skills in this area.

The concepts in the diagnostic questions we just reviewed are covered in these
modules and in this documentation. Reviewing the documentation is highly
recommended. You’ll find this list in your workbook so you can take a note of what
you want to include later when you build your study plan. Based on your experience
with the diagnostic questions, you may want to include some or all of these.

● https://cloud.google.com/iam/docs/creating-short-lived-service-account-creden
tials#before_you_begin
● https://cloud.google.com/resource-manager/docs/organization-policy/restrictin
g-service-accounts
 Proprietary + Confidential

1.3 Managing authentication

Considerations include:
● Creating a password and session management policy for
user accounts
● Setting up Security Assertion Markup Language (SAML)
and OAuth
● Configuring and enforcing two-step verification

As a Professional Cloud Security Engineer, you should be able to define the

authentication process for an organization based on requirements. You should be
familiar with federated identity authentication and single-sign on with SAML and the
benefits and details of configuration for enforcing two step verification.

Question 5 tested your ability to enable SSO for Google Cloud using SAML
configuration. Question 6 tested your knowledge of the steps to create custom IAM
roles.
 Proprietary + Confidential

1.3 Diagnostic Question 05 Discussion

Cymbal Bank publishes its APIs A. Use openssl to generate public and
through Apigee. Cymbal Bank has private keys. Store the public key in an
recently acquired ABC Corp, which X.509 certificate, and encrypt using RSA or
uses a third-party identity provider. DSA for SAML. Sign in to the Google Admin console, and under Security,
You have been tasked with upload the certificate.
connecting ABC Corp’s identity B. Use openssl to generate a private key. Store the private key in an X.509
provider to Apigee for single sign-on certificate, and encrypt using AES or DES for SAML. Sign in to the Google
(SSO). You need to set up SSO so that Workspace Admin Console and upload the certificate.
Google is the service provider. You
C. Use openssl to generate public and private keys. Store the private key in an
also want to monitor and log high-risk
X.509 certificate, and encrypt using AES or DES for SAML. Sign in to the
activities. Which two choices would
Google Admin console, and under Security, upload the certificate.
you select to enable SSO?
D. Review Network mapping results, and assign SSO profiles to required users.
Which two choices would you
E. Review Network mapping results, and assign SAML profiles to required
select to enable SSO?
users.

Feedback:
A. Correct! The first step is to generate a set of public and private keys. The public
key is then stored in an X.509 certificate encrypted with RSA or DSA. Navigate to the
Google Admin console to upload the certificate. The generated private key will be
used to sign the SAML messages and responses.

B. Incorrect. AES and DES are symmetric encryptions and generate only private keys.
You need an asymmetric encryption to generate two keys: public and private. To
upload the certificate, you need to use the Google Admin console, not the Google
Workspace Admin Console.

C. Incorrect. AES and DES are symmetric encryptions and generate only private keys.
You need an asymmetric encryption to generate two keys: public and private. The
public key will be stored in an X.509 certificate. The private key will be used to sign
the SAML messages and responses. However, using the Google Admin console to
upload the certificate is the right choice.

D. Correct! Network maps and masks control the allocated IP address ranges and
redirections.

E. Incorrect. An SSO profile must be assigned to the selected users. SAML profiles
are assertions and policies to enable SSO profiles.

Where to look:
 ● https://cloud.google.com/apigee/docs/api-platform/system-administration/saml-
overview
● https://support.google.com/a/answer/60224
● https://support.google.com/a/answer/10723804
● https://support.google.com/a/answer/6369487

Content mapping:
● ILT course: Security in Google Cloud
○ M2 Securing Access to Google Cloud

● On-demand course: Managing Security in Google Cloud

○ M2 Securing Access to Google Cloud

Summary:
SAML allows third-party identity services to enable single sign-on to Google platforms
(Google being the service provider). Apigee uses SAML to enable single sign-on
capabilities that are managed through the Google Admin console and require you to
generate encrypted X.509 certificates storing public keys.
 Proprietary + Confidential

1.3 Diagnostic Question 06 Discussion

You are an administrator for Cymbal A. Open all Google Cloud projects that belong to
Bank’s Mobile Development Team. You Cymbal Bank’s Mobile Development team.
want to control how long different users Find each project’s Google Cloud session control
can access the Google Cloud console, setting, and configure a reauthentication policy that
the Cloud SDK, and any applications that requires reauthentication. Choose the reauthentication frequency from the
require user authorization for Google drop-down list.
Cloud scopes without having to B. In the Admin console, select Google Cloud session control and set a reauthentication
reauthenticate. More specifically, you policy that requires reauthentication. Choose the reauthentication frequency from
want users with elevated privileges the drop-down list.
(project owners and billing C. Create a custom role for project owners and billing administrators at the organization
administrators) to reauthenticate more level in the Google Cloud console. Add the reauthenticationRequired
frequently than regular users at the permission to this role. Assign this role to each project owner and billing
organization level. administrator.
D. Create a custom role for project owners and billing administrators at the organization
What should you do? level in the Google Cloud console. Add the reauthenticationRequired
permission to this role. Create a Google Group that contains all billing administrators
and project owners. Apply the custom role to the group.

Feedback:
A. Incorrect. Reauthentication policies are configured in the Admin console. The
question also asks to configure this at the organization, not project level.

B. Correct! Session control settings are configured in the Admin console. These
settings will be set at the organization level and will include all project owners and
billing administrators in the organization.

C. Incorrect. The reauthenticationRequired permissions do not exist. Your set

reauthentication policies are configured in the Admin console.

D. Incorrect. While applying roles to Google Groups is a best practice, the

reauthenticationRequired permission does not exist. Your set reauthentication policies
are configured in the Admin console.

Where to look:
● https://support.google.com/a/answer/9368756?hl=en

Summary:
As an administrator, you can control how long different users can access the Google
Cloud console and Cloud SDK without having to reauthenticate. For example, you
might want users with elevated privileges, like project owners, billing administrators,
or others with administrator roles, to reauthenticate more frequently than regular
users. If you set a session length, they’re prompted to sign in again to start a new
session.

The session length setting applies to:

● The Google Cloud console
● The gcloud command-line tool (Cloud SDK)
● Any applications (including third-party applications, or your own applications)
that require user authorization for Google Cloud scopes. To review the apps
requiring Google Cloud scopes in the Apps access control UI, see Control
which third-party & internal apps access Google Workspace data.
 Proprietary + Confidential

1.3 Managing authentication

Courses Documentation
SAML overview | Apigee X | Google Cloud
Set up single sign-on for managed Google
Accounts using third-party Identity providers -
Security in Google Cloud Managing Security in Google Cloud Google Workspace Admin Help
M3 Identity and Access M3 Identity and Access Assign SSO profile to organizational units or
Management (IAM) Management (IAM) groups - Google Workspace Admin Help
Network Mapping results - Google Workspace
Admin Help
Creating and managing custom roles | IAM
Documentation
Understanding IAM custom roles | IAM
Documentation | Google Cloud
Understanding roles | IAM Documentation

Let’s take a moment to consider resources that can help you build your knowledge
and skills in this area.

The concepts in the diagnostic questions we just reviewed are covered in these
modules and in this documentation. Reviewing the documentation is highly
recommended. You’ll find this list in your workbook so you can take a note of what
you want to include later when you build your study plan. Based on your experience
with the diagnostic questions, you may want to include some or all of these.

● https://cloud.google.com/apigee/docs/api-platform/system-administration/saml-
overview
● https://support.google.com/a/answer/60224
● https://support.google.com/a/answer/10723804
● https://support.google.com/a/answer/6369487
● https://cloud.google.com/iam/docs/creating-custom-roles
● https://cloud.google.com/iam/docs/understanding-custom-roles
● https://cloud.google.com/iam/docs/understanding-roles#billing-roles
 Proprietary + Confidential

Managing and implementing

1.4 authorization controls

Considerations include:
● Managing privileged roles and separation of duties with Identity and Access
Management (IAM) roles and permissions
● Managing IAM and access control list (ACL) permissions
● Granting permissions to different types of identities, including using IAM
conditions and IAM deny policies
● Designing identity roles at the organization, folder, project, and resource level
● Configuring Access Context Manager
● Applying Policy Intelligence for better permission management
● Managing permissions through groups

A Professional Cloud Security Engineer should be familiar with the authorization

model of Google Cloud. You should be familiar with the Google Cloud concept of
members (or identities or principals), roles, and permissions. You should be able to
leverage basic, predefined, and custom roles bound to identities at various levels of
the organization hierarchy to enforce least privilege access and separation of duties.
Additionally, you should understand supplementary access control capabilities such
as access levels in the Access Context Manager.

Question 7 tested your understanding of using roles at different levels of an

organizational hierarchy. Question 8 asked you to select basic, predefined, or custom
IAM roles for a specific scenario.
 Proprietary + Confidential

1.4 Diagnostic Question 07 Discussion

Cymbal Bank’s organizational hierarchy divides the A. Assign the Project Editor role in
Organization into departments. The Engineering each individual project to the
Department has a ‘product team’ folder. This folder contains technical product manager. Assign
folders for each of the bank’s products. Each product folder the Project Editor role in each individual project to the web developer.
contains one Google Cloud Project, but more may be added.
B. Assign the Project Owner role in each individual project to the
Each project contains an App Engine deployment.
technical product manager. Assign the App Engine Deployer role in
each individual project to the web developer.
Cymbal Bank has hired a new technical product manager
and a new web developer. The technical product manager C. Assign the Project Editor role at the Engineering Department folder
must be able to interact with and manage all services in level to the technical product manager. Assign the App Engine
projects that roll up to the Engineering Department folder. Deployer role at the specific product’s folder level to the web
The web developer needs read-only access to App Engine developer.
configurations and settings for a specific product. D. Assign the Project Editor role at the Engineering Department folder
level to the technical product manager. Create a Custom Role in the
product folder that the web developer needs access to. Add the
How should you provision the new employees’ roles into appengine.versions.create and appengine.versions.delete permissions
your hierarchy following principles of least privilege? to that role, and assign it to the web developer.

Feedback:
A. Incorrect. Binding the technical product manager on each project separately will
provide the required access, but is not the most efficient approach. This also doesn’t
address the possibility of new folders (and new projects) that can be added in the
future. Providing the web developer with Editor access on the required Project will
allow them unnecessary access to other Google Cloud services.

B. Incorrect. Assigning Owner roles in all projects to the technical product manager
will provide them with more access than necessary. The web developer should be
assigned the predefined ‘App Engine Deployer’ role, but only for the appropriate
folder.

C. Correct! Because the technical product manager must be able to work with
services across all projects, you should provide permissions at the Department folder
level. The web developer should only be able to administer App Engine deployments
in their product folder.

D. Incorrect. Although the correct permissions are assigned to the technical product
manager, the web developer is provided permissions that are overly permissive.
Custom roles are also not required because the App Engine Deployer role gives the
web developer all the required permissions.

Where to look:
● https://cloud.google.com/resource-manager/docs/access-control-proj
 ● https://cloud.google.com/resource-manager/docs/access-control-org
● https://cloud.google.com/resource-manager/docs/access-control-folders

Content mapping:
● ILT course: Security in Google Cloud
○ M3 Identity and Access Management (IAM)

● On-demand course: Managing Security in Google Cloud

○ M3 Identity and Access Management (IAM)

Summary:
Folders help create layers of hierarchy and access control between Organization and
Projects. Use Folders to create an inheritance of roles and permissions. Provide
access at the Project level when the target role needs to work with limited resources.
Provide access at the Folder level when the target role needs to work with multiple
roles, permissions, and projects.
 Proprietary + Confidential

1.4 Diagnostic Question 08 Discussion

Cymbal Bank’s organizational hierarchy divides the A. Create custom roles for all three user types at the
Organization into departments. The Engineering “analytics” folder level. For the team lead, provide
Department has a ‘product team’ folder. This folder all appengine.* and cloudsql.* permissions.
contains folders for each of the bank’s products. For the developer, provide appengine.applications.* and
One folder titled “analytics” contains a Google appengine.instances.* permissions. For the code reviewer, provide the
Cloud Project that contains an App Engine appengine.instances.* permissions.
deployment and a Cloud SQL instance.
B. Assign the basic ‘App Engine Admin’ and ‘Cloud SQL Admin” roles to the team lead.
Assign the ‘App Engine Admin’ role to the developer. Assign the ‘App Engine Code
A team needs specific access to this project. The
Viewer’ role to the code reviewer. Assign all these permissions at the analytics project
team lead needs full administrative access to App
level.
Engine and Cloud SQL. A developer must be able to
configure and manage all aspects of App Engine C. Create custom roles for all three user types at the project level. For the team lead,
deployments. There is also a code reviewer who provide all appengine.* and cloudsql.* permissions. For the developer, provide
may periodically review the deployed App Engine appengine.applications.* and appengine.instances.* permissions. For the code reviewer,
source code without making any changes. provide the appengine.instances.* permissions.
D. Assign the basic ‘Editor’ role to the team lead. Create a custom role for the developer.
What types of permissions would you Provide all appengine.* permissions to the developer. Provide the predefined ‘App
provide to each of these users? Engine Code Viewer’ role to the code reviewer. Assign all these permissions at the
“analytics” folder level.

Feedback:
A. Incorrect. Custom roles are not required in this scenario. The team lead, developer,
and code reviewer can all be assigned predefined roles to match their job functions.
Permissions also need to be set at the project, not folder, level.

B. Correct! The team lead needs full access to the App Engine and Cloud SQL
services. The developer needs to administer App Engine deployments. The ‘App
Engine Code Viewer’ role allows the code reviewer to access deployed source code.

C. Incorrect. Although the permissions are set at the project level, there is no
requirement for custom roles. Also, the developer would need more than
appengine.applications.* and appengine.instances.* for full administrative access to
the tool.

D. Incorrect. The basic ‘Editor’ role is too coarse-grained for the team lead. The
Developer needs the predefined role of ‘App Engine Admin’. You can assign the ‘App
Engine Code Viewer’ for the code reviewer; a custom role is not required.
Permissions also need to be set at the project, not folder, level.

Where to look:
● https://cloud.google.com/iam/docs/understanding-roles
● https://cloud.google.com/iam/docs/understanding-roles#app-engine-roles

Content mapping:
 ● ILT course: Security in Google Cloud
○ M3 Identity and Access Management (IAM)

● On-demand course: Managing Security in Google Cloud

○ M3 Identity and Access Management (IAM)

● Skill badge: Implement Cloud Security Fundamentals on Google Cloud

Summary:
IAM roles are of 3 types: basic, predefined, and custom. Basic roles of ‘Owner,’
‘Editor,’ and ‘Viewer’ provide a large set of broad permissions that existed before IAM.
Most often, basic roles are not recommended because of the large number of
permissions they contain. Predefined roles limit the permissions and access that a
role has and are defined separately for each Google Cloud resource. Create custom
roles when the predefined roles provide more permission than required.
 Proprietary + Confidential

Managing and implementing

1.4 authorization controls

Courses Skill Badges Documentation

Security in Google Cloud Access control for projects with IAM | Resource
Manager Documentation | Google Cloud
M3 Identity and Access
Management (IAM) Google Cloud Access control for organizations with IAM |
Resource Manager Documentation | Google
Implement Cloud Cloud
Security Fundamentals
Managing Security in Google Cloud on Google Cloud Access control for folders with IAM | Resource
Manager Documentation | Google Cloud
M3 Identity and Access
Management (IAM) Understanding roles | IAM Documentation

Let’s take a moment to consider resources that can help you build your knowledge
and skills in this area.

The concepts in the diagnostic questions we just reviewed are covered in these
modules and in this documentation. Reviewing the documentation is highly
recommended. You’ll find this list in your workbook so you can take a note of what
you want to include later when you build your study plan. Based on your experience
with the diagnostic questions, you may want to include some or all of these.

● https://cloud.google.com/resource-manager/docs/access-control-proj
● https://cloud.google.com/resource-manager/docs/access-control-org
● https://cloud.google.com/resource-manager/docs/access-control-folders
● https://cloud.google.com/iam/docs/understanding-roles
● https://cloud.google.com/iam/docs/understanding-roles#app-engine-roles
 Proprietary + Confidential

1.5 Defining resource hierarchy

Considerations include:
● Creating and managing organizations at scale
● Managing organization policies for organization
folders, projects, and resources
● Using resource hierarchy for access control and
permissions inheritance

As a Professional Cloud Security Engineer, you are expected to help design and
implement the organizational hierarchy. You will leverage this hierarchy to set trust
and security boundaries via access control and organizational policy constraints
bound at various levels of the hierarchy.

Question 9 asked you to create a resource hierarchy that aligns with a given
organizational structure and access control requirements. Question 10 tested your
knowledge of designing a hierarchy and policies to control access to Google Cloud
resources.
 Proprietary + Confidential

1.5 Diagnostic Question 09 Discussion

Cymbal Bank is divided into separate A. Create an Organization node. Under the
departments. Each department is divided Organization node, create Department
into teams. Each team works on a distinct folders. Under each Department, create
product that requires Google Cloud Product folders. Under each Product, create Teams folders. In the Teams
resources for development. folder, add Projects.
B. Create an Organization node. Under the Organization node, create
Department folders. Under each Department, create Product folders. Add
Projects to the Product folders.
How would you design a Google C. Create an Organization node. Under the Organization node, create
Cloud organization hierarchy to best Department folders. Under each Department, create Teams folders. Add
match Cymbal Bank’s organization Projects to the Teams folders.
structure and needs?
D. Create an Organization node. Under the Organization node, create
Department folders. Under each Department, create a Teams folder. Under
each Team, create Product folders. Add Projects to the Product folders.

Feedback:
A. Incorrect. This hierarchy would place Teams under Product. Teams should be
above products.

B. Incorrect. This hierarchy is missing the Teams layer.

C. Incorrect. Creating Projects directly inside Teams would make it difficult to

distinguish teams and their roles in different Projects. Teams should have Product
folders with Projects inside them.

D. Correct! Departments have teams, which work on products. This hierarchy best fits
Cymbal Bank’s organization structure.

Where to look:
https://cloud.google.com/resource-manager/docs/organization-policy/understanding-hi
erarchy

Content mapping:
● ILT course: Security in Google Cloud
○ M3 Identity and Access Management (IAM)

● On-demand course: Managing Security in Google Cloud

○ M3 Identity and Access Management (IAM)
Summary:
Organization hierarchy helps build an inheritance of policies and permissions.
Although Projects can be placed directly in an Organization, creating layers of folders
in between helps with managing different permissions for different access. You can
also use folders to derive an inheritance of policies and permissions.
 Proprietary + Confidential

1.5 Diagnostic Question 10 Discussion

Cymbal Bank has a team of A. Deny Serial Port Access and Service Account Creation at the
developers and administrators Organization level. Create an ‘admin’ folder and set enforced: false for
working on different sets of constraints/compute.disableSerialPortAccess. Create a new
‘dev’ folder inside the ‘admin’ folder, and set enforced: false for
Google Cloud resources. The
constraints/iam.disableServiceAccountCreation. Give developers access to the ‘dev’ folder, and
Bank’s administrators should be
administrators access to the ‘admin’ folder.
able to access the serial ports on
B. Deny Serial Port Access and Service Account Creation at the organization level. Create a ‘dev’ folder and
Compute Engine Instances and
set enforced: false for constraints/compute.disableSerialPortAccess. Create a new ‘admin’ folder inside
create service accounts.
the ‘dev’ folder, and set enforced: false for constraints/iam.disableServiceAccountCreation. Give
Developers should only be able to developers access to the ‘dev’ folder, and administrators access to the ‘admin’ folder.
access serial ports.
C. Deny Serial Port Access and Service Account Creation at the organization level. Create a ‘dev’ folder and
set enforced: true for constraints/compute.disableSerialPortAccess and enforced: true for
constraints/iam.disableServiceAccountCreation. Create a new ‘admin’ folder inside the ‘dev’ folder, and
How would you design the set enforced: false for constraints/iam.disableServiceAccountCreation. Give developers access to the ‘dev’
organization hierarchy to provide folder, and administrators access to the ‘admin’ folder.
the required access?
D. Allow Serial Port Access and Service Account Creation at the organization level. Create a ‘dev’ folder and
set enforced: true for constraints/iam.disableServiceAccountCreation. Create another ‘admin’ folder that
inherits from the parent inside the organization node. Give developers access to the ‘dev’ folder, and
administrators access to the ‘admin’ folder.

Feedback:
A. Incorrect. Although this hierarchy allows serial port access in the ‘admin’ folder, it
will not allow Admins to create service accounts. This hierarchy incorrectly lets
Developers create service accounts.

B. Correct! These organizational constraints will prevent all users from accessing
serial ports on Compute Engine instances and creating service accounts. You can
override these constraints in a new folder by setting the common constraint for serial
port access. Creating another folder inside a parent folder will allow you to inherit the
constraint and will allow you to add additional constraints to create a service account.
Admins and developers are added appropriately.

C. Incorrect. This hierarchy disables serial port access for developers and service
account creation for admins. Hierarchies should be defined cleanly and with the
fewest contradictions to avoid confusion.

D. Incorrect. Allowing Serial Port Access and Service Account Creation at the
organization level defeats the problem statement, which specifies that only the bank’s
Administrators should be able to access the serial ports on Compute Engine
Instances and create service accounts. You should ‘DENY’ the permissions at the
organization level and enable them at the folder or Project level.

Where to look:
● https://cloud.google.com/resource-manager/docs/creating-managing-organizat
 ● ion
● https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organiz
ations

Content mapping:
● ILT course: Security in Google Cloud
○ M3 Identity and Access Management (IAM)

● On-demand course: Managing Security in Google Cloud

○ M3 Identity and Access Management (IAM)

Summary:
Organization hierarchies allow you to place lists and boolean constraints. These
constraints can be inherited into folders and subsequently into sub-folders and
Projects.
 Proprietary + Confidential

1.5 Defining resource hierarchy

Courses Documentation
Understanding hierarchy evaluation | Resource
Manager Documentation | Google Cloud
Creating and managing organizations |
Security in Google Cloud Managing Security in Google Cloud Resource Manager Documentation | Google
M3 Identity and Access M3 Identity and Access Cloud
Management (IAM) Management (IAM) Best practices for enterprise organizations |
Documentation | Google Cloud

Let’s take a moment to consider resources that can help you build your knowledge
and skills in this area.

The concepts in the diagnostic questions we just reviewed are covered in these
modules and in this documentation. Reviewing the documentation is highly
recommended. You’ll find this list in your workbook so you can take a note of what
you want to include later when you build your study plan. Based on your experience
with the diagnostic questions, you may want to include some or all of these.

● https://cloud.google.com/resource-manager/docs/organization-policy/understa
nding-hierarchy
● https://cloud.google.com/resource-manager/docs/creating-managing-organizat
ion
● https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organiz
ations
Knowledge Check 1
Which tool will Cymbal Bank use to synchronize their
identities from their on-premise identity management system
to Google Cloud?

A. Active Directory

B. Service Accounts

C. Google Cloud Directory Sync

D. Cloud Identity
Knowledge Check 1
Which tool will Cymbal Bank use to synchronize their
identities from their on-premise identity management system
to Google Cloud?

A. Active Directory

B. Service Accounts

C. Google Cloud Directory Sync

D. Cloud Identity

Answer: C. Google Cloud Directory Sync

Rationale:
A. Incorrect. Active Directory is an identity management system and is used by
Cymbal Bank for their identity management. Active Directory can’t be used to
synchronize those identities to Google Cloud.

B. Incorrect. Service Accounts are service identities in Google Cloud and can’t be
used to synchronize user and group identities to Google Cloud.

*C. Correct. Cymbal Bank will use Google Cloud Directory Sync to synchronize
identities from their on-premises Active Directory system to Google Cloud.

D. Incorrect. Cloud Identity is Google’s identity management system and can’t be

used to synchronize external identities to Google Cloud, although it can receive
imported identities.
Knowledge Check 2
Which feature of Google Cloud will Cymbal Bank use to
control the source locations and times that authorized
identities will be able to access resources?

A. IAM Conditions

B. IAM Roles

C. Service Accounts

D. Identity-aware Proxy
Knowledge Check 2
Which feature of Google Cloud will Cymbal Bank use to
control the source locations and times that authorized
identities will be able to access resources?

A. IAM Conditions

B. IAM Roles

C. Service Accounts

D. Identity-aware Proxy

Answer: A. IAM Conditions

Rationale:
*A. Correct. IAM Conditions let Cymbal Bank control when or from where authorized
identities can access resources.

B. Incorrect. IAM Roles are necessary to authorize identities to access resources, but
can’t be used alone to control when or from where the authorized identities can
access the resources.

C. Incorrect. Service Accounts are service identities in Google Cloud, and can’t be
used to control when or from where authorized identities can access resources.

D. Incorrect. Identity-aware Proxy is a service that can be used to provide

authentication and authorization for access to resources.