Practice ACE Configuring Access and Security questions with full explanations on every answer.
1. An engineer needs to grant an external auditor read-only access to a subset of Cloud Storage buckets in a project. The auditor's identity is a Google account. Which IAM approach should the engineer use?
2. A security team wants to ensure that all Compute Engine instances in a project automatically use a custom service account with minimal permissions. What must the engineer do when creating new instances?
3. An engineer created a firewall rule to allow inbound HTTP traffic on port 80 from the internet to instances with the tag 'web-server'. However, after applying the rule, a test instance with the tag 'web-server' is still not reachable on port 80. What is a likely cause?
4. A company wants to use Cloud NAT to allow private instances in a VPC to send outbound traffic to the internet and to receive inbound responses. Which two resources must be configured to set up Cloud NAT?
5. An engineer needs to view the current IAM policy for a project in JSON format. Which gcloud command should they use?
6. A developer created a service account with the roles/storage.admin role and wants to use it from a Compute Engine instance without downloading a key file. What is the best practice?
7. Which Google Cloud service provides a managed, scalable, and secure way to store API keys, passwords, and certificates?
8. A company has a VPC with a subnet that has Private Google Access enabled. They want their Compute Engine instances to access Google APIs and services through internal IP addresses. Which additional configuration is required?
9. An organization needs to audit all data access (read/write) to a Cloud Storage bucket for compliance. Which type of audit log should they enable?
10. A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They want to allow traffic from instances in subnet-a to reach a specific instance in subnet-b only on TCP port 443. What is the most specific firewall rule to achieve this?
11. An engineer wants to create a Google-managed SSL certificate for a domain and attach it to an HTTPS load balancer. Which gcloud command should they use to create the certificate?
12. A team needs to create a new service account and grant it the roles/storage.objectViewer role on a project. Which two gcloud commands are required?
13. A company wants to ensure that a Compute Engine instance can access only a specific Cloud Storage bucket and no other resources in the project. Which TWO steps should the engineer take? (Select 2 correct answers)
14. Which THREE configurations are required to enable Private Google Access for Compute Engine instances in a custom VPC subnet? (Select 3 correct answers)
15. Which TWO of the following are valid ways to grant IAM roles to a service account for accessing a Cloud Storage bucket? (Select 2 correct answers)
16. An engineer needs to grant a user the ability to create and manage service accounts in a project, but not delete them. Which predefined IAM role should be assigned?
17. You want to allow HTTP traffic from the internet to a set of Compute Engine instances tagged 'web-server'. Which gcloud command creates the appropriate firewall rule?
18. A security team wants to audit all Data Access attempts in a project for a specific Cloud Storage bucket, including who accessed which object and when. Which configuration is required?
19. You need to create a service account for a Compute Engine instance to allow it to access Cloud Storage objects. The service account should have minimal permissions. What is the recommended approach?
20. An organization has multiple projects under a folder. They want to grant a network admin the ability to create firewall rules in all projects in the folder. Which IAM policy binding achieves this with least privilege?
21. You are configuring a Cloud NAT to allow private Compute Engine instances to access the internet for updates. What other resource is required to set up Cloud NAT?
22. To meet compliance requirements, a company must encrypt all data at rest in Cloud SQL using customer-managed encryption keys (CMEK). What is required to enable CMEK on a Cloud SQL instance?
23. An engineer created a VPC with a subnet in us-central1 and enabled Private Google Access on that subnet. Compute Engine instances in that subnet can reach Google APIs and services using internal IPs. However, the instances cannot reach external IP addresses on the internet. What should the engineer configure to allow internet access while minimizing cost and management overhead?
24. An organization uses Secret Manager to store database credentials. A new application runs on Compute Engine and needs to access a secret. The application uses the default Compute Engine service account. What is the most secure way to grant access to the secret?
25. A company has a Google Cloud organization with multiple folders and projects. The security team wants to audit all actions that create or modify IAM policies across the entire organization. Which type of audit log should they examine?
26. You need to create a Google-managed SSL certificate for an external HTTPS load balancer. The domain is 'www.example.com'. Which command creates the certificate?
27. An engineer needs to view the current IAM policy for a project in JSON format to analyze bindings. Which command should be used?
28. An organization wants to enforce that all Compute Engine instances in a project use customer-managed encryption keys (CMEK) for their boot disks. Which TWO steps should the security team take?
29. A company wants to allow developers to create and manage secrets in Secret Manager, but prevent them from viewing secret values. Which TWO predefined roles should be combined to achieve this?
30. An engineer needs to audit all Data Access logs for a project to detect unauthorized access to sensitive data. The engineer must ensure that logs are retained for 5 years and are immutable. Which THREE steps should the engineer take?
31. A DevOps engineer needs to grant a service account the ability to pull images from a specific Container Registry repository in project 'my-project'. The service account is in project 'other-project'. Which command should the engineer use?
32. An organization uses Organization Policies to restrict the use of certain IAM roles. The security team wants to audit all modifications to IAM policies across the organization, including at the project level. Which log type should be enabled and analyzed?
33. A company wants to automate the rotation of encryption keys for Cloud Storage buckets every 30 days. Which key type should be used?
34. A security engineer needs to ensure that Compute Engine instances in a VPC can only communicate with each other on port 443 and cannot receive traffic from the internet. The VPC has a default network with default firewall rules. What should the engineer do?
35. An organization wants to use Cloud NAT to allow private Compute Engine instances to access the internet for updates. They have a VPC with a custom subnet and a Cloud Router configured. However, instances cannot reach the internet. What is the most likely cause?
36. You need to grant a user the ability to view audit logs for a project but not modify any resources. Which predefined IAM role should you assign?
37. A company has a Cloud SQL instance with CMEK enabled. The Cloud KMS key used for encryption is accidentally disabled. What is the impact on the Cloud SQL instance?
38. An engineer wants to create a Google-managed SSL certificate for an HTTPS load balancer. Which command should they use?
39. You need to view the current IAM policy for a project named 'my-project' in JSON format. Which command should you use?
40. An organization has a hierarchy: Organization -> Folder A -> Project 1. An IAM policy at the organization level grants roles/editor to user@example.com. A policy at Folder A denies roles/editor to the same user. What is the effective role for the user in Project 1?
41. A developer wants to create a service account for an application running on Compute Engine. The application needs to access Cloud Storage. What is the best practice for granting this access?
42. An engineer creates a firewall rule allowing ingress on port 8080 from source range 10.0.0.0/8 with priority 1000. Another rule denies ingress on port 8080 from source range 10.0.0.0/24 with priority 500. What is the effective behavior for traffic from 10.0.0.1?
43. Which of the following is required to enable Private Google Access on a subnet?
44. A security team wants to ensure that all new projects in an organization automatically have Data Access audit logs enabled for all services. What is the most efficient way to achieve this?
45. A developer wants to store a database password securely and make it accessible to a Compute Engine instance. Which Google Cloud service should be used?
46. An engineer needs to allow a set of Compute Engine instances (with tag 'web-server') to receive traffic on port 443 from the internet. The VPC has a default network with default firewall rules. Which TWO actions should the engineer take? (Choose TWO)
47. A company wants to implement a least-privilege security model for a service account that needs to read secrets from Secret Manager and publish messages to Pub/Sub. Which TWO IAM roles should be granted? (Choose TWO)
48. A security engineer wants to audit all attempts to access a specific Cloud Storage bucket, including successful and failed read requests. Which THREE steps should they take? (Choose THREE)
49. An engineer needs to grant an external auditor read-only access to view IAM policies on a GCP project. The auditor should not have access to any other resources. Which IAM role should be assigned?
50. A security team wants to ensure that all Compute Engine instances in a project are created with a specific custom service account attached. What is the most effective way to enforce this?
51. You need to allow inbound HTTP traffic to a set of Compute Engine instances that have the tag 'web-server'. All other inbound traffic should be denied. Which firewall rule configuration should you create?
52. A company is using Cloud NAT to allow private Compute Engine instances to access the internet. They notice that traffic from some instances is not being NATed. What is the most likely cause?
53. You are creating a new service account for an application that needs to read from a Cloud Storage bucket and write to Cloud Pub/Sub. What is the most secure way to grant these permissions?
54. You want to view the current IAM policy for a project in JSON format using the gcloud command-line tool. Which command should you run?
55. An organization wants to enforce encryption at rest for all data in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have created a Cloud KMS key ring and key. What additional step is required when creating a new bucket to use CMEK?
56. You need to allow a Compute Engine instance to securely access a Cloud Storage bucket without managing service account keys. The instance already has a service account attached. What is the best practice to grant access?
57. An engineer needs to enable Private Google Access for a subnet to allow instances without external IPs to access Google APIs and services. Which flag should be used when creating or updating the subnet?
58. You need to add an IAM binding for a user to a project using the gcloud command. Which command should you use?
59. A company uses Cloud SQL with Customer-Managed Encryption Keys (CMEK). The security team wants to rotate the encryption key. What is the impact on the Cloud SQL instance?
60. You need to store a database password securely in Google Cloud. The password will be used by a Compute Engine instance. Which service should you use?
61. A company needs to audit all actions that modify a Cloud Storage bucket. Which TWO steps should they take to enable this? (Choose 2 answers.)
62. An organization is designing a VPC with multiple subnets. They want instances in a private subnet to access the internet for updates. They also need to allow SSH access from a bastion host. Which THREE components must they configure? (Choose 3 answers.)
63. A developer wants to automate the creation of a service account and assign it a role using the gcloud command-line tool. Which TWO commands are needed? (Choose 2 answers.)
64. An engineer needs to grant a service account the ability to impersonate another service account when making API calls. Which IAM role should be assigned to the impersonating service account?
65. A security team wants to enable audit logging for all Data Access (ADMIN_READ, DATA_READ, DATA_WRITE) on a specific Google Cloud project. They plan to use gcloud commands to configure this. What is the correct approach?
66. Which command creates a Google-managed SSL certificate for the domain 'example.com'?
67. An engineer needs to allow HTTP traffic from the internet to a set of Compute Engine instances that have the network tag 'web-server'. The instances are in a VPC with a default firewall rule that denies all ingress. Which command creates the required firewall rule?
68. A company wants to use Customer-Managed Encryption Keys (CMEK) for encrypting data in a Cloud Storage bucket. They have created a key in Cloud KMS. Which step is required when creating the bucket to use CMEK?
69. A developer created a service account for an application running on a Compute Engine instance. The instance was started without specifying the service account. What must the developer do to make the application use the service account?
70. Which IAM role should be granted to a user to allow them to create and manage secrets in Secret Manager?
71. A company has multiple VPC networks in their project. They want Compute Engine instances in one VPC to communicate with instances in another VPC using internal IP addresses. Which feature should they use?
72. An engineer is configuring a Cloud NAT to allow private Compute Engine instances to access the internet. After creating the Cloud Router and NAT gateway, the instances still cannot connect to the internet. What is the most likely missing configuration?
73. Which command is used to view the current IAM policy for a Google Cloud project in JSON format?
74. An organization requires that all Compute Engine instances be created with a specific service account. Which organization policy can enforce this?
75. A developer needs to store a database password in Secret Manager and then allow a Compute Engine instance to access it. The instance uses the default Compute Engine service account. Which role should be granted to the service account?
76. A company needs to enable Private Google Access for a subnet in a VPC so that Compute Engine instances without external IPs can access Google APIs and services. Which two steps are required? (Choose TWO.)
77. A security engineer wants to audit all actions that modify VPC firewall rules in their project. They need to enable the appropriate audit logs. Which three steps should they take? (Choose THREE.)
78. An engineer wants to create a VPC with a custom subnet mode and then create a subnet with Private Google Access enabled. Which two commands should they use? (Choose TWO.)
79. An engineer needs to create a firewall rule that allows incoming HTTPS traffic only from a specific IP range to instances tagged 'web-server'. Which command should they use?
80. What is the primary benefit of using a Google-managed SSL certificate for an HTTPS Load Balancer?
81. An organization wants to enable Data Access audit logs for all Cloud Storage buckets in a project. Which step is necessary?
82. A developer wants to allow a Compute Engine instance to access Cloud Storage without using a service account key file. What is the recommended approach?
83. A security engineer needs to ensure that all VMs in a subnet use Private Google Access to reach Google APIs without external IP addresses. What must be enabled?
84. Which IAM role should be granted to a service account to allow it to access a secret stored in Secret Manager?
85. An organization has a folder hierarchy with multiple projects. They want to grant a support team the ability to view all IAM policies across the entire folder. What is the most efficient way?
86. A company wants to use Customer-Managed Encryption Keys (CMEK) for a Cloud SQL instance. What must be done first?
87. What is the purpose of creating a Cloud NAT gateway?
88. An engineer wants to view the current IAM policy for a project in JSON format. Which command should they use?
89. A company has multiple firewall rules. Rule A (priority 1000) allows TCP 80 from 0.0.0.0/0. Rule B (priority 500) denies TCP 80 from 10.0.0.0/8. An instance with IP 10.0.0.1 tries to connect to TCP 80. What happens?
90. A DevOps team needs to grant a CI/CD service account the ability to create secrets in Secret Manager. Which role should be assigned?
91. A company needs to allow a group of external auditors to view Cloud Audit Logs for a project but not modify any resources. Which two steps should be taken? (Choose 2)
92. An engineer needs to create a service account and grant it the ability to impersonate other service accounts. Which two permissions are required? (Choose 2)
93. A security team wants to restrict access to a Cloud Storage bucket so that only objects encrypted with a specific CMEK key can be uploaded. Which three actions are needed? (Choose 3)
94. An engineer needs to grant a service account the ability to start and stop Compute Engine instances in a specific project. The service account should not have permissions to delete instances or modify other resources. Which IAM role should be assigned?
95. A company has an organization with multiple folders and projects. They want to audit all IAM policy changes across the entire organization. Which approach meets the requirement with minimal effort?
96. An engineer wants to allow HTTP traffic from the internet to a set of Compute Engine instances that have the network tag 'web-server'. Which firewall rule should they create?
97. A company is migrating a legacy application to Compute Engine. The application requires access to a Cloud Storage bucket for storing logs. The application runs on a VM with a service account attached. Which TWO steps should the engineer take to grant the application access to the bucket?
98. An organization has a VPC with several subnets. They want Compute Engine instances in one subnet to have outbound internet access for updates but not be reachable from the internet. The instances have no external IP addresses. Which THREE components must be configured?
99. A security engineer needs to ensure that all secrets stored in Secret Manager are encrypted with a customer-managed encryption key (CMEK). Which TWO actions are required?
100. An engineer wants to view the current IAM policy for a project. Which TWO commands will accomplish this?
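Several of the firewall questions above (3, 42, 51, 89) turn on the same three facts about VPC firewall evaluation: the rule with the lowest priority number wins, a rule that targets network tags is simply not applied to an instance without that tag, and whatever no rule matches falls through to the implied deny-all-ingress rule at priority 65535 (at equal priority, Google Cloud applies a deny rule before an allow rule). The simulator below is an added example written for this page, not code from Google or from the question bank; the rule sets `RULES_Q89`, `RULES_Q42` and `RULE_WEB` are constructed to mirror those question stems so the outcome can be checked mechanically.

```python
"""Simulate VPC firewall evaluation for one ingress packet to one instance.

Added example (not from the original page). Models the documented
Google Cloud semantics: lowest priority number wins, deny beats allow at
equal priority, tag-targeted rules apply only to tagged instances, and the
implied ingress rule (priority 65535) denies anything left unmatched.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

IMPLIED_INGRESS_PRIORITY = 65535  # implied "deny all ingress" rule


@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int                         # 0..65535, lower number = evaluated first
    action: str                           # "allow" or "deny"
    protocol: str                         # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()        # empty = every port of the protocol
    source_ranges: tuple = ("0.0.0.0/0",)
    target_tags: frozenset = frozenset()  # empty = rule applies to all instances

    def matches(self, src_ip: str, protocol: str, port: int, instance_tags: frozenset) -> bool:
        if self.target_tags and not (self.target_tags & instance_tags):
            return False  # rule is never applied to an instance it does not target
        if self.protocol not in ("all", protocol):
            return False
        if self.ports and port not in self.ports:
            return False
        ip = ip_address(src_ip)
        return any(ip in ip_network(r) for r in self.source_ranges)


def evaluate_ingress(rules, src_ip, protocol, port, instance_tags=frozenset()):
    """Return (decision, rule_name) for an ingress packet to an instance."""
    # Lower number first; among rules with the same priority, deny before allow.
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule.matches(src_ip, protocol, port, frozenset(instance_tags)):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"  # priority 65535 fallthrough


# Constructed rule sets mirroring the question stems above.
RULES_Q89 = (
    FirewallRule("rule-a", 1000, "allow", "tcp", frozenset({80}), ("0.0.0.0/0",)),
    FirewallRule("rule-b", 500, "deny", "tcp", frozenset({80}), ("10.0.0.0/8",)),
)
RULES_Q42 = (
    FirewallRule("allow-8080", 1000, "allow", "tcp", frozenset({8080}), ("10.0.0.0/8",)),
    FirewallRule("deny-8080", 500, "deny", "tcp", frozenset({8080}), ("10.0.0.0/24",)),
)
RULE_WEB = (
    FirewallRule("allow-http-web", 1000, "allow", "tcp", frozenset({80}),
                 ("0.0.0.0/0",), frozenset({"web-server"})),
)


if __name__ == "__main__":
    print(evaluate_ingress(RULES_Q89, "10.0.0.1", "tcp", 80))       # ('deny', 'rule-b')
    print(evaluate_ingress(RULES_Q42, "10.0.1.1", "tcp", 8080))     # ('allow', 'allow-8080')
    print(evaluate_ingress(RULE_WEB, "203.0.113.5", "tcp", 80))     # implied deny: no tag
    print(evaluate_ingress(RULE_WEB, "203.0.113.5", "tcp", 80, {"web-server"}))
```

Use this as a thinking aid rather than a replacement for the real thing: it ignores egress, ICMP type filtering, service-account targeting and hierarchical firewall policies, all of which the live evaluation also consults.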
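The IAM questions (5, 12, 27, 39, 54, 58, 63, 65, 73, 88, 100) all operate on the same object: the project policy document that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns and `gcloud projects set-iam-policy PROJECT_ID policy.json` accepts. The following added example (written for this page, not Google's or the question bank's code) works on that JSON shape offline: it lists a principal's roles, flags public members and basic roles for a least-privilege review, reproduces the idempotent merge that `add-iam-policy-binding` performs, and adds the `auditConfigs` entry that turns on Data Access logs (ADMIN_READ, DATA_READ, DATA_WRITE) for `allServices`, which is the edit question 65 is asking about. `SAMPLE_POLICY`, the project name `my-project` and the principals are constructed.

```python
"""Inspect and edit a project IAM policy in the JSON shape used by
`gcloud projects get-iam-policy` / `set-iam-policy`.

Added example (not from the original page). The policy content below is
constructed; the structure (version, etag, bindings[], auditConfigs[]) is
the real one.
"""
import copy

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
DATA_ACCESS_LOG_TYPES = ("ADMIN_READ", "DATA_READ", "DATA_WRITE")

APP_SA = "serviceAccount:app@my-project.iam.gserviceaccount.com"  # constructed

SAMPLE_POLICY = {  # constructed sample for a hypothetical project
    "version": 1,
    "etag": "BwXyz123",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/editor", "members": [APP_SA]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "auditConfigs": [
        {"service": "storage.googleapis.com", "auditLogConfigs": [{"logType": "DATA_READ"}]}
    ],
}


def roles_for_member(policy, member):
    """Every role bound to `member` at this level (inherited grants are not in the policy)."""
    return sorted(b["role"] for b in policy.get("bindings", []) if member in b.get("members", []))


def least_privilege_findings(policy):
    """Flag public grants and basic (primitive) roles, the first things an auditor checks."""
    findings = []
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            if m in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC: {m} has {b['role']}")
            elif b["role"] in BASIC_ROLES:
                findings.append(f"BASIC_ROLE: {m} has {b['role']}")
    return findings


def add_binding(policy, role, member):
    """What `gcloud projects add-iam-policy-binding` does: idempotent merge, returns a new policy."""
    new = copy.deepcopy(policy)
    for b in new.setdefault("bindings", []):
        if b["role"] == role:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def enable_data_access_logs(policy, service="allServices"):
    """Add the three Data Access log types for `service` to policy.auditConfigs.

    Admin Activity logs are always on and need no configuration; Data Access
    logs are off by default for most services and are enabled through this
    section of the policy (get-iam-policy, edit, set-iam-policy)."""
    new = copy.deepcopy(policy)
    configs = new.setdefault("auditConfigs", [])
    entry = next((c for c in configs if c["service"] == service), None)
    if entry is None:
        entry = {"service": service, "auditLogConfigs": []}
        configs.append(entry)
    present = {c["logType"] for c in entry["auditLogConfigs"]}
    for log_type in DATA_ACCESS_LOG_TYPES:
        if log_type not in present:
            entry["auditLogConfigs"].append({"logType": log_type})
    return new


if __name__ == "__main__":
    for finding in least_privilege_findings(SAMPLE_POLICY):
        print(finding)
    hardened = enable_data_access_logs(add_binding(SAMPLE_POLICY, "roles/secretmanager.secretAccessor", APP_SA))
    print(roles_for_member(hardened, APP_SA))
```

Because `set-iam-policy` replaces the whole document, keep the `etag` from the `get` call in what you write back; the API rejects the write if the policy changed in between, which is the guard against two operators overwriting each other.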
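Questions 9, 18, 25, 30, 32, 48, 61, 77 and 95 ask which audit log to enable and examine; what they do not show is what the entries look like once they arrive. The added example below (written for this page, not Google's or the question bank's code) runs simple detections over constructed Cloud Audit Log entries in the exported LogEntry shape: `logName` ends in `cloudaudit.googleapis.com%2Factivity` for Admin Activity logs and `%2Fdata_access` for Data Access logs, and `protoPayload` carries `serviceName`, `methodName`, `resourceName`, the caller in `authenticationInfo.principalEmail`, and a non-zero `status.code` on failed calls. The three detectors cover IAM policy rewrites, firewall rule changes, and reads of one bucket including denied attempts. The project `my-project`, the bucket `finance-reports` and all principals are constructed; note that the Data Access entries only exist if Data Access logging was enabled for Cloud Storage beforehand.

```python
"""Detection logic over Cloud Audit Log entries.

Added example (not from the original page). The entries are constructed;
the field layout follows the LogEntry / AuditLog format Cloud Logging
exports for Admin Activity and Data Access logs.
"""
from urllib.parse import unquote


def _entry(kind, service, method, resource, principal, code=0):
    """Build one constructed LogEntry. `kind` is 'activity' or 'data_access'."""
    payload = {
        "serviceName": service,
        "methodName": method,
        "resourceName": resource,
        "authenticationInfo": {"principalEmail": principal},
    }
    if code:  # successful calls carry no status.code; failures carry the gRPC code
        payload["status"] = {"code": code}
    return {"logName": f"projects/my-project/logs/cloudaudit.googleapis.com%2F{kind}",
            "protoPayload": payload}


SAMPLE_ENTRIES = [  # constructed
    _entry("activity", "cloudresourcemanager.googleapis.com", "SetIamPolicy",
           "projects/my-project", "admin@example.com"),
    _entry("activity", "compute.googleapis.com", "v1.compute.firewalls.patch",
           "projects/my-project/global/firewalls/allow-http", "netadmin@example.com"),
    _entry("activity", "compute.googleapis.com", "v1.compute.instances.insert",
           "projects/my-project/zones/us-central1-a/instances/web-1", "dev@example.com"),
    _entry("activity", "storage.googleapis.com", "storage.setIamPermissions",
           "projects/_/buckets/finance-reports", "admin@example.com"),
    _entry("data_access", "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/finance-reports/objects/q1.csv", "auditor@example.com"),
    _entry("data_access", "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/finance-reports/objects/q2.csv", "intruder@example.org", code=7),
    _entry("data_access", "storage.googleapis.com", "storage.objects.get",
           "projects/_/buckets/app-logs/objects/x.log", "app@my-project.iam.gserviceaccount.com"),
]


def log_type(entry):
    """'activity', 'data_access' or 'system_event', decoded from the logName suffix."""
    return unquote(entry["logName"]).rsplit("/", 1)[-1]


def _principal(entry):
    return entry["protoPayload"]["authenticationInfo"]["principalEmail"]


def _succeeded(entry):
    return entry["protoPayload"].get("status", {}).get("code", 0) == 0


def iam_policy_changes(entries):
    """Admin Activity entries that rewrote an IAM policy on any resource."""
    out = []
    for e in entries:
        method = e["protoPayload"]["methodName"].lower()
        if log_type(e) == "activity" and method.endswith(("setiampolicy", "setiampermissions")):
            out.append((_principal(e), e["protoPayload"]["resourceName"]))
    return out


def firewall_changes(entries):
    """Admin Activity entries that created, modified or deleted a VPC firewall rule."""
    return [(_principal(e), e["protoPayload"]["methodName"], e["protoPayload"]["resourceName"])
            for e in entries
            if log_type(e) == "activity"
            and e["protoPayload"]["methodName"].startswith("v1.compute.firewalls.")]


def bucket_access(entries, bucket):
    """Data Access entries touching objects in `bucket`, with a success flag per call."""
    prefix = f"projects/_/buckets/{bucket}/"
    return [(_principal(e), e["protoPayload"]["methodName"], _succeeded(e))
            for e in entries
            if log_type(e) == "data_access"
            and e["protoPayload"]["serviceName"] == "storage.googleapis.com"
            and e["protoPayload"]["resourceName"].startswith(prefix)]


if __name__ == "__main__":
    print(iam_policy_changes(SAMPLE_ENTRIES))
    print(firewall_changes(SAMPLE_ENTRIES))
    print(bucket_access(SAMPLE_ENTRIES, "finance-reports"))
```

The denied read from `intruder@example.org` is the case that motivates enabling Data Access logs rather than relying on Admin Activity logs alone: a failed `storage.objects.get` never modifies anything, so it appears only in the `data_access` stream.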
The Configuring Access and Security domain covers the key concepts tested in this area of the ACE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all ACE domains — no account required.
The Courseiva ACE question bank contains 100 questions in the Configuring Access and Security domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.