Security in Google Cloud

(3 days)


This training course gives you a broad study of security controls and techniques in Google Cloud. Through lectures, demonstrations, and hands-on labs, you’ll explore and deploy the components of a secure Google Cloud solution, using services like Cloud Identity, Identity and Access Management (IAM), Cloud Load Balancing, Cloud IDS, Web Security Scanner, BeyondCorp Enterprise, Cloud DNS, and much more.

Course Objectives

  • Identify the foundations of Google Cloud security.
  • Manage administration identities with Google Cloud.
  • Implement user administration with Identity and Access Management (IAM).
  • Configure Virtual Private Clouds (VPCs) for isolation, security, and logging.
  • Apply techniques and best practices for securely managing Compute Engine.
  • Apply techniques and best practices for securely managing Google Cloud data.
  • Apply techniques and best practices for securing Google Cloud applications.
  • Apply techniques and best practices for securing Google Kubernetes Engine (GKE) resources.
  • Manage protection against distributed denial of service attacks (DDoS).
  • Manage content-related vulnerabilities.
  • Implement Google Cloud monitoring, logging, auditing, and scanning solutions.


This class is intended for the following job roles:

  • Cloud information security analysts, architects, and engineers
  • Information security/cybersecurity specialists
  • Cloud infrastructure architects


To get the most out of this course, participants should have:

  • Prior completion of Google Cloud Platform Fundamentals: Core Infrastructure or equivalent experience.
  • Prior completion of Networking in Google Cloud or equivalent experience.
  • Knowledge of foundational concepts in information security, through experience or through online training such as SANS’s SEC301: Introduction to Cyber Security.
  • Basic proficiency with command-line tools and Linux operating system environments.
  • Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment.
  • Reading comprehension of code in Python or JavaScript.
  • Basic understanding of Kubernetes terminology (preferred but not required).

Course Outline


Module 1: Foundations of Google Cloud Security

  • Explain Google Cloud’s shared security responsibility model.
  • Describe Google Cloud’s approach to security.
  • Recognize the kinds of threats mitigated by Google and by Google Cloud.
  • Identify Google Cloud’s commitments to regulatory compliance.

Module 2: Securing Access to Google Cloud

  • Describe what Cloud Identity is and what it does.
  • Explain how Google Cloud Directory Sync securely syncs users and permissions between your on-premises LDAP or AD server and the cloud.
  • Explore and apply best practices for managing groups, permissions, domains and admins with Cloud Identity.
  • Demo: Defining Users with Cloud Identity Console

Module 3: Identity and Access Management (IAM)

  • Identify IAM Objects that can be used to organize resources in Google Cloud.
  • Explain the management-related features of Google Cloud projects.
  • Define IAM policies, including organization policies.
  • Implement access control with Cloud IAM.
  • Provide access to Google Cloud resources using predefined and custom IAM roles.
  • Lab: Configuring IAM

Module 4: Configuring Virtual Private Cloud for Isolation and Security

  • Describe the function of VPC networks.
  • Recognize and implement best practices for configuring VPC firewalls (both ingress and egress rules).
  • Secure projects with VPC Service Controls.
  • Apply SSL policies to load balancers.
  • Enable VPC flow logging and then use Cloud Logging to access logs.
  • Deploy Cloud IDS and view threat details in the Cloud Console.
  • Lab: Configuring VPC Firewalls
  • Lab: Configuring and Using VPC Flow Logs in Cloud Logging
  • Demo: Securing Projects with VPC Service Controls
  • Lab: Getting Started with Cloud IDS

Module 5: Securing Compute Engine: Techniques and Best Practices

  • Create and manage service accounts for Compute Engine instances (default and customer-defined).
  • Detail IAM roles and scopes for VMs.
  • Explore and apply best practices for Compute Engine instances.
  • Explain the function of the Organization Policy service.
  • Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes

Module 6: Securing Cloud Data: Techniques and Best Practices

  • Use IAM permissions and roles to secure cloud resources.
  • Create and wrap encryption keys using the Google Compute Engine RSA public key certificate.
  • Encrypt persistent disks and attach them to Compute Engine instances.
  • Manage keys and encrypted data using Cloud Key Management Service (Cloud KMS) and Cloud HSM.
  • Create BigQuery authorized views.
  • Recognize and implement best practices for configuring storage options.
  • Lab: Using Customer-Supplied Encryption Keys with Cloud Storage
  • Lab: Using Customer-Managed Encryption Keys with Cloud Storage and Cloud KMS
  • Lab: Creating a BigQuery Authorized View

Module 7: Security Applications: Techniques and Best Practices

  • Recall various types of application security vulnerabilities.
  • Detect vulnerabilities in App Engine applications using Web Security Scanner.
  • Secure Compute Engine Applications using BeyondCorp Enterprise.
  • Secure application credentials using Secret Manager.
  • Identify the threats of OAuth and Identity Phishing.
  • Lab: Using Web Security Scanner to Find Vulnerabilities in an App Engine Application
  • Lab: Securing Compute Engine Applications with BeyondCorp Enterprise
  • Lab: Configuring and Using Credentials with Secret Manager

Module 8: Securing Google Kubernetes: Techniques and Best Practices

  • Explain the differences between Kubernetes service accounts and Google service accounts.
  • Recognize and implement best practices for securely configuring GKE.
  • Explain logging and monitoring options in Google Kubernetes Engine.

Module 9: Protecting against Distributed Denial of Service Attacks (DDoS)

  • Identify the four layers of DDoS Mitigation.
  • Identify methods Google Cloud uses to mitigate the risk of DDoS for its customers.
  • Use Google Cloud Armor to blocklist an IP address and restrict access to an HTTP Load Balancer.
  • Lab: Configuring Traffic Blocklisting with Google Cloud Armor

Module 10: Content-Related Vulnerabilities: Techniques and Best Practices

  • Discuss the threat of ransomware.
  • Explain ransomware mitigations strategies (backups, IAM, Cloud Data Loss Prevention API).
  • Highlight common threats to content (data misuse, privacy violations, sensitive/restricted/unacceptable content).
  • Identify solutions for threats to content (classification, scanning, redacting).
  • Detect and redact sensitive data using the Cloud DLP API.
  • Lab: Redacting Sensitive Data with the DLP API

Module 11: Monitoring, Logging, Auditing, and Scanning

  • Explain and use the Security Command Center.
  • Apply Cloud Monitoring and Cloud Logging to a project.
  • Apply Cloud Audit Logs to a project.
  • Identify methods for automating security in Google Cloud environments.
  • Lab: Configuring and Using Cloud Monitoring and Cloud Logging
  • Lab: Configuring and Viewing Cloud Audit Logs