This post breaks down the core topics and visuals that will help you master GCP security and compliance—while keeping your infrastructure both safe and audit-ready.
🛡️ 3.1: Designing for Security
GCP provides robust tools for implementing identity and access management, policy enforcement, encryption, and secure remote access. Expect the exam to test you on how these pieces work together to enforce the principle of least privilege, separation of duties, and defense in depth.
🔧 GCP Resource Hierarchy & IAM Inheritance
GCP Resource Hierarchy
├── Organization Node
│ ├── Folders
│ │ └── Projects
│ │ └── Resources (VMs, Buckets, Databases)
└── IAM Policies (Inherited by all levels unless overridden)
├── Organization Level
├── Folder Level
└── Project Level
graph TD
A[Organization Node] --> B[Folders]
B --> C[Projects]
C --> D[Resources - VMs Buckets Databases]
subgraph Authentication - Cloud Identity
AA[User and Group Management]
AB[Single Sign On]
AC[Two Step Verification]
end
subgraph Authorization - IAM
E[IAM Policy]
F[Organization Policy]
end
A --> E
A --> F
B --> E
B --> F
C --> E
C --> F
D --> E
E --> G[IAM Policy Inheritance unless Overridden]
F --> H[Org Policy Inheritance with Restrictions]
👉 Key concept: IAM is for authorization, while Cloud Identity handles authentication.
🧩 IAM Roles: Primitive, Predefined, and Custom
flowchart LR
A[IAM Roles] --> B[Primitive Roles]
A --> C[Predefined Roles]
A --> D[Custom Roles]
subgraph Primitive Roles
B --> E[Owner Editor Viewer]
B --> F[Overly Permissive]
B --> G[Should Be Avoided]
end
subgraph Predefined Roles
C --> H[Fine Grained Access Control]
C --> I[Examples like Storage Object Viewer Compute Admin]
C --> J[Aligned with Least Privilege Principle]
C --> K[Recommended Default Choice]
end
subgraph Custom Roles
D --> L[User Defined Permission Sets]
D --> M[Use When Predefined Roles Are Insufficient]
D --> N[Scoped at Project or Organization Level]
end
O[IAM Policy] --> P[Grants Role to Member]
Choose predefined roles whenever possible—they align with least privilege and are service-specific. Use custom roles only when necessary, and avoid primitive roles for production environments.
🔒 Separation of Duties (SoD)
flowchart LR
subgraph Developer Persona
A[Developer Identity] --> B{Needs to Deploy Code}
B -- Yes --> C[Grant Compute Developer Role in Dev Project]
B -- No --> D[Grant Compute Viewer Role in Dev Project]
E[No Admin or Editor Role in Production Project]
end
subgraph Security Admin Persona
F[Security Admin Identity] --> G[Grant IAM Policy Admin Role]
H[Grant Org Policy Admin Role]
I[Should Not Have Resource Modification Permissions]
end
subgraph Billing Admin Persona
J[Billing Admin Identity] --> K[Grant Billing Admin Role]
L[No Permissions to Deploy Compute Resources]
end
subgraph Service Account for Deployment
M[Deployment Service Account] --> N[Grant Only Needed Roles Like Compute Admin and Storage Writer]
O[Avoid Granting Broad Roles Like Editor or Owner]
end
Separation of duties minimizes risk by ensuring no single entity has full control. Roles should be carefully assigned per persona or service account, following the principle of least privilege.
🔐 Authentication in GCP
flowchart LR A[Authentication Methods] --> B[Google Accounts for Users] A --> C[Service Accounts for Apps] A --> D[Groups for Access Management] A --> E[Cloud Identity Provider] E --> F[Password Authentication] E --> G[Two Step Verification] E --> H[Single Sign On Integration] E --> I[Hardware Keys like Titan Key]
Know the difference:
- Cloud Identity manages users and groups.
- Use 2SV and SSO to harden access.
- Service accounts should have minimal permissions for automation.
🛡️ Security Controls Overview
flowchart LR A[Security Controls] --> B[Audit Logging with Cloud Audit Logs] A --> C[VPC Service Controls] A --> D[Organization Policies] A --> E[IAM Conditions - Context Aware Access] A --> F[VPC Firewall Rules] A --> G[Identity Aware Proxy - IAP]
Expect questions around which tools to use for:
- Perimeter protection: VPC Service Controls
- Access restrictions: IAM Conditions, Context-Aware Access
- Application-level security: IAP
- Policy enforcement: Org Policies
🔐 Data Encryption in GCP
flowchart LR A[Data Security] --> B[Encryption in Transit] B --> C[TLS Protocols] B --> D[IPsec Tunnels - VPN and Interconnect] A --> E[Encryption at Rest] E --> F[Google Managed Keys] E --> G[Customer Managed Keys - CMEK] E --> H[Customer Supplied Keys - CSEK] A --> I[Encryption in Use - Confidential VMs]
Understand encryption layers:
- In transit: Default with TLS/IPsec
- At rest: Default with Google-managed keys, CMEK/CSEK for more control
- In use: Use Confidential VMs for sensitive workloads
🧪 Secret Management
flowchart LR A[Secret Management] --> B[Use Secret Manager Service] A --> C[Avoid Hardcoding Secrets] A --> D[Rotate Secrets Frequently] A --> E[Apply IAM for Access Control]
Secret Manager is the go-to service for managing credentials and sensitive configs. Ensure strict IAM control and enable versioning and rotation policies.
🔐 Remote Access and Network Hardening
flowchart LR A[Remote Access] --> B[Use OS Login with Cloud Identity] A --> C[Secure Tunnels via Cloud VPN] A --> D[Private Connectivity via Cloud Interconnect] A --> E[Use Identity Aware Proxy for App Access] A --> F[Avoid External IPs on Compute Instances]
GCP promotes zero trust:
- Prefer OS Login over SSH keys.
- Use VPN or Interconnect for hybrid networks.
- Secure web access with IAP.
- Disable external IPs where possible.
📜 3.2: Designing for Compliance
Compliance in GCP involves mapping legal, regulatory, and business requirements to technical controls, logging, and policies. As a cloud architect, you’re responsible for ensuring customer configurations meet these obligations.
🧭 Compliance Requirements Map
flowchart LR A[Compliance Types] --> B[Legal Examples HIPAA GDPR CCPA] A --> C[Commercial Examples PCI DSS] A --> D[Industry Certifications SOC 2 ISO 27001] B --> E[Data Residency] B --> F[Consent and Privacy Management] C --> G[Sensitive Data Controls] D --> H[Audit Readiness] E --> I[Region Selection for Resources] E --> J[Cloud Storage Location Constraints] G --> K[Cloud DLP for Sensitive Data] G --> L[Encryption with Customer Managed Keys] H --> M[Cloud Audit Logs Admin and Data Access] M --> N[Long Term Retention in Storage or BigQuery] A --> O[Shared Responsibility Model]
Understand that compliance is shared:
- Google secures the infrastructure.
- You configure services and apply controls like CMEK, Cloud DLP, and Audit Logs.
🛡️ GCP Controls for Compliance
flowchart LR A[GCP Controls for Compliance] --> B[Organization Policy Service] A --> C[Cloud Audit Logs for Admin and Data Access] A --> D[VPC Service Controls] A --> E[Cloud Armor Web Application Firewall] A --> F[Context Aware Access for Granular Permissions] A --> G[Cloud DLP for Sensitive Data Detection] A --> H[Secret Manager for Secure Secret Storage] A --> I[IAM for Role Based Access Control] A --> J[Encryption at Rest and In Transit] A --> K[Security Command Center for Compliance Visibility]
Know which GCP tools map to which compliance requirements:
- Cloud DLP: Data classification and protection
- Cloud Armor: Protect web workloads
- Security Command Center: Security insights and misconfiguration detection
⚙️ Designing for Compliance (Decision Flow)
flowchart LR
A[Identify Applicable Compliance Requirements] --> B{Data Residency Required}
B -- Yes --> C[Deploy Resources in Required Regions]
B -- No --> D[Select Optimal Regions]
A --> E{PII Data Handling Required}
E -- Yes --> F[Use Cloud DLP for Sensitive Data]
E --> G[Apply Tokenization or Anonymization]
A --> H{Specific Security Controls Required}
H --> I[Use VPC Service Controls]
H --> J[Apply Required Encryption Standards]
H --> K[Configure Cloud Armor Web Firewall]
A --> L{Audit Logging and Retention Required}
L --> M[Enable Data Access Logs]
L --> N[Store Logs in Cloud Storage or BigQuery]
A --> O[Map Compliance to GCP Configurations]
O --> P[Document Implementation and Evidence]
This flow represents how architects translate compliance frameworks into GCP service configurations, logging practices, and documentation for auditors.
🧾 Audit Logging for Compliance
flowchart LR A[Compliance Audit Requirements] --> B[Enable Cloud Audit Logs] B --> C[Admin Activity Logs Always On] B --> D[Data Access Logs Must Be Enabled] A --> E[Set Up Log Sinks] E --> F[Cloud Storage for Long Term Retention] E --> G[BigQuery for Audit Analysis] A --> H[Set Required Retention Periods] A --> I[Review and Monitor Logs Regularly] I --> J[Create Alerts for Suspicious Behavior]
Audit logs are the backbone of GCP compliance. Key points:
- Enable Data Access Logs—they’re not on by default.
- Use log sinks for retention and analysis.
- Alerting is essential for incident response.
🔄 Shared Responsibility for Compliance
flowchart LR A[Shared Responsibility for Compliance] --> B[Google Cloud Responsibilities] A --> F[Customer Responsibilities] B --> C[Physical Security of Data Centers] B --> D[Platform Security and Updates] B --> E[Global Certifications like SOC 2 PCI ISO] F --> G[Configure GCP Services Securely] F --> H[Manage IAM and Access Policies] F --> I[Encrypt and Protect Customer Data] F --> J[Use GCP Tools to Meet Regulations] F --> K[Monitor and Audit Environments]
This diagram reinforces the critical idea: Google secures the platform; you secure your implementation. Know this model well—it’s guaranteed to show up in real-world scenarios and on the exam.
✅ Final Thoughts
GCP gives you a powerful security toolkit, but it’s your job to configure it right.
Section 3 of the PCA exam focuses on:
- Identity and access control
- Policy inheritance and enforcement
- Encryption best practices
- Regulatory mapping and auditability
Master the tools. Understand the architecture. Think like an auditor and a security engineer. You’ll be ready.