GCP Security Study Plan

This page is updated based on jassics/security-study-plan/gcp-security-study-plan

I am making this study plan irrespective of job role under the GCP Security category. It can be Cloud Security Analyst, Cloud Security Researcher, Cloud Security Engineer, Cloud Security Operations Expert, Cloud Security Manager, or Cloud Governance.

So, check how much you can cover and learn practically. The better you are at these concepts, the better a candidate you are for the job role. Also, I assume you have already checked and are comfortable with the Common Security Skills study plan.

ToC

  1. GCP Security Skills Learning and Checklist
  2. GCP Native Security Skills
  3. GCP Security Whitepapers
  4. Check Your GCP Pentesting Skills
  5. Check Your Knowledge Against Common Security Benchmarks and Frameworks
  6. GCP Security Videos and Courses
  7. GCP Security Interview Questions

GCP Security Skills Learning and Checklist

My only suggestion here is to ask the four questions below while learning each topic/concept:

  1. What is this? (For example: What is an instance group, where is it used, and why?)
  2. Why am I learning this specific service or concept now? Will it help me in my job role and in the future?
  3. How can I implement this? (Practical/hands-on knowledge always has an extra edge.)
  4. How will this make things secure, or how do I make it secure, depending on the topic or concept?

GCP Fundamentals

Duration: 2-3 weeks

I am listing only the topic names with a few pointers. How much you learn and how comfortable you get with each concept is up to you - feel free to go deeper for better candidacy and experience.

Week 1: IAM Deep Dive

A very important topic for any cloud role. Try to understand it practically, as much as your job demands.

  1. Start with the GCP IAM official docs
  2. Understand IAM roles and permissions - the second most important thing for excelling at IAM
  3. User, Group, Roles - understand when to use which, and don't forget to ask why this, why not that
  4. Custom role vs Google-managed role
  5. Cross-account IAM policy across different roles, services, accounts
  6. Understand the IAM policy from a security mindset - why this, why not this?
  7. Using IAM Securely

Week 2-3: Core Services

For any GCP service, follow this strategy:

  1. What does this service do?
  2. What business problem does it solve?
  3. Security best practices for that service (e.g. GCS security best practices, VPC security best practices)
  4. What permissions should each role/principal/service account have to maintain least privilege?
  5. How is it typically misused or misconfigured?
  6. Is multi-tier/multi-region required for this service?
  7. How can you achieve encryption at rest and in transit?
  8. Is logging required? If so, what data, and for how long?
  9. Are we monitoring it - and why or why not?
  10. Any service-specific security settings (e.g. bucket permissions for a specific GCS bucket)?

Key services to cover:

  1. GCS (Google Cloud Storage)
  2. GKE
  3. VPC (Virtual Private Cloud)
  4. Firewall rules and policies
  5. Load Balancer
  6. Cloud DNS
  7. Cloud CDN
  8. Google Cloud Armor
  9. Google Cloud Logging
  10. BigQuery
  11. API Gateway
  12. Certificate Manager
  13. Secret Manager
  14. Cloud Run
  15. Cloud Functions

GCP Native Security Skills

Duration: 4-6 weeks

What I mean here is:

  1. GCP core services related to security
  2. GCP security services hands-on knowledge

Week 4-6: Core Services Security

These are the core services:

  1. IAM - super important
  2. Compute Instances
  3. GCS (Storage Object)
  4. VPC - I feel it's the toughest one so far, apart from GKE
  5. Cloud SQL (RDS equivalent)
  6. Bigtable (NoSQL)
  7. API Gateway
  8. GKE
  9. Cloud Run
  10. Cloud Functions
  11. Cloud Composer
  12. BigQuery
  13. Datastore
  14. Dataproc
  15. Secret Manager
  16. Cloud Key Management

Week 7-9: Security Services Hands-On

GCP core security services you should know and try hands-on as much as possible:

  1. IAM Policy Analyzer
  2. IAM Organization Policies

GCP Security Whitepapers

Duration: 2 weeks

GCP has an excellent set of whitepapers on GCP Security - a few important ones are listed here.

Week 10-11: Reading & Analysis

  1. GCP Overview - an important starting point to understand GCP
  2. Introduction to GCP Security Whitepaper
  3. Google Cloud Security Foundation Guide
  4. GCP Well-Architected Security Pillar
  5. Risk Governance of Digital Transformation
  6. GCP Security Checklist
  7. Google Infrastructure Security Design Overview
  8. NIST Cybersecurity Framework in the GCP cloud
  9. NIST 800-144 Security and Privacy in Public Cloud Computing

Check Your GCP Pentesting Skills

Duration: 2-3 weeks

Week 12-14: Practical Labs

  1. GCPGoat - a damn vulnerable GCP infrastructure
  2. Try out the scenarios in CloudGoat
  3. GCP Pentest Lab
  4. GCP Pentesting on HackTricks

Check Your Knowledge Against Common Security Benchmarks and Frameworks

  1. CIS Benchmark for Google Cloud
  2. CSA Cloud Matrix and STAR Framework
  3. NIST CSF for GCP
  4. ISO 27017

GCP Security Videos and Courses

  1. GCP Cloud Security Features
  2. GCP Full Course from Intellipaat
  3. Google Cloud Security Fundamentals - Level 1
  4. Managing Security in Google Cloud

GCP Security Interview Questions

Practice with GCP Security interview questions, also kept up to date on GitHub - star it or fork it.

Practice next: this site's own GCP Security Overview, and the security-study-plan repo for the latest updates to this plan.