Associate Cloud Engineer · Domain 4 · 20% of exam

Configuring access and security

Drill 20 practice questions focused entirely on Configuring access and security for the Google Cloud ACE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.

Verified answer20 questions
Question 1 of 20

A critical firewall rule protecting your production VPC was unexpectedly deleted, causing a brief security exposure. Your security team asks you to identify exactly which user or service account deleted the firewall rule and when. Which Google Cloud audit log type should you examine to find this information?

Reviewed for accuracy · Report an issue
Question 2 of 20

During a security review, you discover that five developers were granted the basic role 'Editor' at the project level so they could deploy and manage Cloud Run services. Your security team wants you to follow the principle of least privilege while preserving the developers' ability to deploy and manage Cloud Run. What should you do?

Reviewed for accuracy · Report an issue
Question 3 of 20

A contractor needs temporary read access to a Compute Engine project only until the end of the current month. Your security team requires that the access automatically expire without any manual cleanup, and they want to avoid creating a custom role. What is the best way to grant this access?

Reviewed for accuracy · Report an issue
Question 4 of 20

Your organization has 12 projects. The security team has defined a custom IAM role with a specific set of permissions that they want to reuse and grant to principals in several of these projects. They want to manage a single definition of this custom role so that any future permission changes only need to be made once. Where should they create the custom role?

Reviewed for accuracy · Report an issue
Question 5 of 20

Your organization must ensure that no principal — regardless of any allow role they hold — can delete Cloud Storage buckets anywhere in the 'production' folder. Several project owners already have roles like roles/owner and roles/storage.admin that include the storage.buckets.delete permission. You want a solution that enforces this restriction centrally and takes precedence over existing allow grants. What should you do?

Reviewed for accuracy · Report an issue
Question 6 of 20

Your company has an organization with a folder named 'production' that contains 15 projects. The security team wants a new group, gcp-prod-auditors@example.com, to have read-only visibility across all resources in every current and future project under the 'production' folder. You want to minimize administrative effort while following the principle of least privilege. What should you do?

Reviewed for accuracy · Report an issue
Question 7 of 20

A data analyst on your team needs read-only access to objects in a single Cloud Storage bucket named 'finance-reports'. Your company follows the principle of least privilege. Other buckets in the same project contain sensitive data the analyst must not access. What is the best way to grant this access?

Reviewed for accuracy · Report an issue
Question 8 of 20

Your company hires and onboards new data analysts every month. Each analyst needs identical read access to a set of BigQuery datasets and Cloud Storage buckets across one project. The security team complains that manually granting IAM bindings to each new user is error-prone and hard to audit. What is the recommended approach to grant these permissions while minimizing administrative overhead?

Reviewed for accuracy · Report an issue
Question 9 of 20

A data analyst on your team needs to run queries in BigQuery and view existing datasets in a specific project, but must not be able to delete datasets, modify IAM policies, or create new datasets. Your company enforces the principle of least privilege. Which approach best satisfies this requirement?

Reviewed for accuracy · Report an issue
Question 10 of 20

A user was granted the Editor role at the organization level to help bootstrap several projects. The security team now wants this user to retain edit access only on the project called 'sandbox-dev' and lose edit access on all other current and future projects in the organization. What should you do?

Reviewed for accuracy · Report an issue
Question 11 of 20

Your organization has a folder named 'Production' that contains three projects. A new platform team needs to view resources across all three projects, and any project added to the 'Production' folder in the future should automatically grant the same access to this team. You want to follow Google-recommended practices and minimize ongoing administrative effort. What should you do?

Reviewed for accuracy · Report an issue
Question 12 of 20

A new financial auditor joins your company and needs to review the configuration and metadata of all resources across a single GCP project without being able to modify anything or read the actual data stored in Cloud Storage buckets or BigQuery tables. Following the principle of least privilege, how should you grant this access?

Reviewed for accuracy · Report an issue
Question 13 of 20

Your finance team runs a nightly batch job on a Compute Engine VM that uses a dedicated service account to export billing data and read cost information via the Cloud Billing API. The job currently fails with permission errors when calling the billing API. Following the principle of least privilege, what should you do to allow the service account to view billing account information?

Reviewed for accuracy · Report an issue
Question 14 of 20

A team runs a Python application inside a GKE Standard cluster. The app needs to write objects to a Cloud Storage bucket. Following Google-recommended security practices, how should you provide the app with credentials to authenticate to Cloud Storage without managing long-lived key files?

Reviewed for accuracy · Report an issue
Question 15 of 20

A Compute Engine VM was created with the default service account and the access scope set to 'Allow default access'. The application on the VM needs to write objects to a Cloud Storage bucket, but writes fail with a permission error even though the service account has been granted the Storage Object Admin IAM role at the project level. What is the most likely cause, and how should you fix it?

Reviewed for accuracy · Report an issue
Question 16 of 20

A developer needs an application running on their laptop to temporarily act as a service account named 'batch-runner@project.iam.gserviceaccount.com' to call BigQuery, without downloading a long-lived JSON key. Your security policy prohibits creating service-account keys. Which role must you grant the developer's user account on the service account so they can generate short-lived credentials for it?

Reviewed for accuracy · Report an issue
Question 17 of 20

A developer needs to create a Cloud Scheduler job that triggers a Cloud Function. The function runs as a dedicated service account named 'fn-runtime@project.iam.gserviceaccount.com'. The developer's account can create scheduler jobs but receives a permission error when configuring the job to authenticate as that service account. Following the principle of least privilege, what is the minimal IAM change to resolve the error?

Reviewed for accuracy · Report an issue
Question 18 of 20

Your security team must know exactly when your application's service account reads objects from a specific Cloud Storage bucket. You check Cloud Logging but see no records of these read operations, even though you can see who changed the bucket's IAM policy. What must you do to capture the read events?

Reviewed for accuracy · Report an issue
Question 19 of 20

Your security team reports that the IAM policy on a sensitive Cloud Storage bucket was modified last week, granting an unexpected user the Storage Object Viewer role. You need to determine which principal made the SetIamPolicy change and exactly when it occurred. Which Cloud Audit Log type should you query to find this information?

Reviewed for accuracy · Report an issue
Question 20 of 20

A developer reports that they cannot start a Compute Engine instance in the project, even though a teammate with a similar role can. You need to quickly determine exactly which IAM roles and permissions are granted to this specific user across the project and its inherited hierarchy, and understand why an operation is allowed or denied. Which Google Cloud tool should you use?

Reviewed for accuracy · Report an issue

More ACE practice

Keep going with the other Associate Cloud Engineer domains, or take a full timed mock exam.

← Back to ACE overview