Configuring access and security
Drill 20 practice questions focused entirely on Configuring access and security for the Google Cloud ACE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A critical firewall rule protecting your production VPC was unexpectedly deleted, causing a brief security exposure. Your security team asks you to identify exactly which user or service account deleted the firewall rule and when. Which Google Cloud audit log type should you examine to find this information?
During a security review, you discover that five developers were granted the basic role 'Editor' at the project level so they could deploy and manage Cloud Run services. Your security team wants you to follow the principle of least privilege while preserving the developers' ability to deploy and manage Cloud Run. What should you do?
A contractor needs temporary read access to a Compute Engine project only until the end of the current month. Your security team requires that the access automatically expire without any manual cleanup, and they want to avoid creating a custom role. What is the best way to grant this access?
Your organization has 12 projects. The security team has defined a custom IAM role with a specific set of permissions that they want to reuse and grant to principals in several of these projects. They want to manage a single definition of this custom role so that any future permission changes only need to be made once. Where should they create the custom role?
Your organization must ensure that no principal — regardless of any allow role they hold — can delete Cloud Storage buckets anywhere in the 'production' folder. Several project owners already have roles like roles/owner and roles/storage.admin that include the storage.buckets.delete permission. You want a solution that enforces this restriction centrally and takes precedence over existing allow grants. What should you do?
Your company has an organization with a folder named 'production' that contains 15 projects. The security team wants a new group, gcp-prod-auditors@example.com, to have read-only visibility across all resources in every current and future project under the 'production' folder. You want to minimize administrative effort while following the principle of least privilege. What should you do?
A data analyst on your team needs read-only access to objects in a single Cloud Storage bucket named 'finance-reports'. Your company follows the principle of least privilege. Other buckets in the same project contain sensitive data the analyst must not access. What is the best way to grant this access?
Your company hires and onboards new data analysts every month. Each analyst needs identical read access to a set of BigQuery datasets and Cloud Storage buckets across one project. The security team complains that manually granting IAM bindings to each new user is error-prone and hard to audit. What is the recommended approach to grant these permissions while minimizing administrative overhead?
A data analyst on your team needs to run queries in BigQuery and view existing datasets in a specific project, but must not be able to delete datasets, modify IAM policies, or create new datasets. Your company enforces the principle of least privilege. Which approach best satisfies this requirement?
A user was granted the Editor role at the organization level to help bootstrap several projects. The security team now wants this user to retain edit access only on the project called 'sandbox-dev' and lose edit access on all other current and future projects in the organization. What should you do?
Your organization has a folder named 'Production' that contains three projects. A new platform team needs to view resources across all three projects, and any project added to the 'Production' folder in the future should automatically grant the same access to this team. You want to follow Google-recommended practices and minimize ongoing administrative effort. What should you do?
A new financial auditor joins your company and needs to review the configuration and metadata of all resources across a single GCP project without being able to modify anything or read the actual data stored in Cloud Storage buckets or BigQuery tables. Following the principle of least privilege, how should you grant this access?
Your finance team runs a nightly batch job on a Compute Engine VM that uses a dedicated service account to export billing data and read cost information via the Cloud Billing API. The job currently fails with permission errors when calling the billing API. Following the principle of least privilege, what should you do to allow the service account to view billing account information?
A team runs a Python application inside a GKE Standard cluster. The app needs to write objects to a Cloud Storage bucket. Following Google-recommended security practices, how should you provide the app with credentials to authenticate to Cloud Storage without managing long-lived key files?
A Compute Engine VM was created with the default service account and the access scope set to 'Allow default access'. The application on the VM needs to write objects to a Cloud Storage bucket, but writes fail with a permission error even though the service account has been granted the Storage Object Admin IAM role at the project level. What is the most likely cause, and how should you fix it?
A developer needs an application running on their laptop to temporarily act as a service account named 'batch-runner@project.iam.gserviceaccount.com' to call BigQuery, without downloading a long-lived JSON key. Your security policy prohibits creating service-account keys. Which role must you grant the developer's user account on the service account so they can generate short-lived credentials for it?
A developer needs to create a Cloud Scheduler job that triggers a Cloud Function. The function runs as a dedicated service account named 'fn-runtime@project.iam.gserviceaccount.com'. The developer's account can create scheduler jobs but receives a permission error when configuring the job to authenticate as that service account. Following the principle of least privilege, what is the minimal IAM change to resolve the error?
Your security team must know exactly when your application's service account reads objects from a specific Cloud Storage bucket. You check Cloud Logging but see no records of these read operations, even though you can see who changed the bucket's IAM policy. What must you do to capture the read events?
Your security team reports that the IAM policy on a sensitive Cloud Storage bucket was modified last week, granting an unexpected user the Storage Object Viewer role. You need to determine which principal made the SetIamPolicy change and exactly when it occurred. Which Cloud Audit Log type should you query to find this information?
A developer reports that they cannot start a Compute Engine instance in the project, even though a teammate with a similar role can. You need to quickly determine exactly which IAM roles and permissions are granted to this specific user across the project and its inherited hierarchy, and understand why an operation is allowed or denied. Which Google Cloud tool should you use?
More ACE practice
Keep going with the other Associate Cloud Engineer domains, or take a full timed mock exam.
← Back to ACE overview