
This training course gives you a broad study of security controls and techniques in Google Cloud. Through lectures, demonstrations, and labs, you explore and deploy the components of a secure Google Cloud solution. You use services including Cloud Identity, Identity and Access Management (IAM), Cloud Load Balancing, Cloud IDS, Web Security Scanner, BeyondCorp Enterprise, and Cloud DNS.


  • Prior completion of Google Cloud Fundamentals: Core Infrastructure (GCF-CI) or equivalent experience
  • Prior completion of Networking in Google Cloud Platform (NGCP) or equivalent experience
  • Knowledge of foundational concepts in information security, through experience or through online training such as SANS’s SEC301: Introduction to Cyber Security
  • Basic proficiency with command-line tools and Linux operating system environments
  • Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment
  • Reading comprehension of code in Python or JavaScript
  • Basic understanding of Kubernetes terminology (preferred but not required)


This class is intended for the following job roles:

  • Cloud information security analysts, architects, and engineers
  • Information security or cybersecurity specialists
  • Cloud infrastructure architects


Module 1: Foundations of Google Cloud Security

  • The approach of Google Cloud to security
  • The shared security responsibility model
  • Threats mitigated by Google and Google Cloud
  • Access transparency

Module 2: Securing Access to Google Cloud

  • Cloud Identity
  • Google Cloud Directory Sync
  • Managed Microsoft AD
  • Google authentication versus SAML-based SSO
  • Identity Platform
  • Authentication best practices

Module 3: Identity and Access Management (IAM)

  • Resource Manager
  • IAM roles
  • Service accounts
  • IAM and Organization policies
  • Workload identity federation
  • Policy Intelligence
  • Lab: Configuring IAM

Module 4: Configuring Virtual Private Cloud for Isolation and Security

  • VPC firewalls
  • Load balancing and SSL policies
  • Cloud Interconnect
  • VPC Network Peering
  • VPC Service Controls
  • Access Context Manager
  • VPC Flow Logs
  • Cloud IDS
  • Labs:
    • Configuring VPC firewalls
    • Configuring and Using VPC Flow Logs in Cloud Logging
    • Demo: Securing Projects with VPC Service Controls
    • Getting Started with Cloud IDS

Module 5: Securing Compute Engine: Techniques and Best Practices

  • Service accounts, IAM roles, and API scopes
  • Managing VM logins
  • Organization policy controls
  • Shielded VMs and Confidential VMs
  • Certificate Authority Service
  • Compute Engine best practices
  • Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes

Module 6: Securing Cloud Data: Techniques and Best Practices

  • Cloud Storage IAM permissions and ACLs
  • Auditing cloud data
  • Signed URLs and policy documents
  • Encrypting with customer-managed encryption keys (CMEK) and customer-supplied encryption keys (CSEK)
  • Cloud HSM
  • BigQuery IAM roles and authorized views
  • Storage best practices
  • Lab: Using Customer-Supplied Encryption Keys with Cloud Storage
  • Lab: Using Customer-Managed Encryption Keys with Cloud Storage and Cloud KMS
  • Lab: Creating a BigQuery Authorized View

Module 7: Securing Applications: Techniques and Best Practices

  • Types of application security vulnerabilities
  • Web Security Scanner
  • Threat: Identity and OAuth phishing
  • Identity-Aware Proxy
  • Secret Manager
  • Lab: Identify Application Vulnerabilities with Security Command Center
  • Lab: Securing Compute Engine Applications with BeyondCorp Enterprise
  • Lab: Configuring and Using Credentials with Secret Manager

Module 8: Securing Google Kubernetes Engine: Techniques and Best Practices

  • Types of application security vulnerabilities
  • Web Security Scanner
  • Threat: Identity and OAuth phishing
  • Identity-Aware Proxy
  • Secret Manager

Module 9: Protecting against Distributed Denial of Service Attacks (DDoS)

  • How DDoS attacks work
  • Google Cloud mitigations
  • Types of complementary partner products
  • Lab: Configuring Traffic Blocklisting with Google Cloud Armor

Module 10: Content-Related Vulnerabilities: Techniques and Best Practices

  • Threat: Ransomware
  • Ransomware mitigations
  • Threats: data misuse, privacy violations, sensitive content
  • Content-related mitigation
  • Redacting Sensitive Data with the DLP API
  • Lab: Redacting Sensitive Data with DLP API

Module 11: Monitoring, Logging, Auditing, and Scanning

  • Security Command Center
  • Cloud Monitoring and Cloud Logging
  • Cloud Audit Logs
  • Cloud security automation
  • Lab: Configuring and Using Cloud Monitoring and Cloud Logging
  • Lab: Configuring and Viewing Cloud Audit Logs

Additional information


3 days

Guaranteed to run