Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Configuring Access and Security

Practice ACE Configuring Access and Security questions with full explanations on every answer.

100 questions

All ACE Configuring Access and Security questions (100)

1

An engineer needs to grant an external auditor read-only access to a subset of Cloud Storage buckets in a project. The auditor's identity is a Google account. Which IAM approach should the engineer use?

2

A security team wants to ensure that all Compute Engine instances in a project automatically use a custom service account with minimal permissions. What must the engineer do when creating new instances?

3

An engineer created a firewall rule to allow inbound HTTP traffic on port 80 from the internet to instances with the tag 'web-server'. However, after applying the rule, a test instance with the tag 'web-server' is still not reachable on port 80. What is a likely cause?

4

A company wants to use Cloud NAT to allow private instances in a VPC to send outbound traffic to the internet and to receive inbound responses. Which two resources must be configured to set up Cloud NAT?

5

An engineer needs to view the current IAM policy for a project in JSON format. Which gcloud command should they use?

6

A developer created a service account with the roles/storage.admin role and wants to use it from a Compute Engine instance without downloading a key file. What is the best practice?

7

Which Google Cloud service provides a managed, scalable, and secure way to store API keys, passwords, and certificates?

8

A company has a VPC with a subnet that has Private Google Access enabled. They want their Compute Engine instances to access Google APIs and services through internal IP addresses. Which additional configuration is required?

9

An organization needs to audit all data access (read/write) to a Cloud Storage bucket for compliance. Which type of audit log should they enable?

10

A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They want to allow traffic from instances in subnet-a to reach a specific instance in subnet-b only on TCP port 443. What is the most specific firewall rule to achieve this?

11

An engineer wants to create a Google-managed SSL certificate for a domain and attach it to an HTTPS load balancer. Which gcloud command should they use to create the certificate?

12

A team needs to create a new service account and grant it the roles/storage.objectViewer role on a project. Which two gcloud commands are required?

13

A company wants to ensure that a Compute Engine instance can access only a specific Cloud Storage bucket and no other resources in the project. Which TWO steps should the engineer take? (Select 2 correct answers)

14

Which THREE configurations are required to enable Private Google Access for Compute Engine instances in a custom VPC subnet? (Select 3 correct answers)

15

Which TWO of the following are valid ways to grant IAM roles to a service account for accessing a Cloud Storage bucket? (Select 2 correct answers)

16

An engineer needs to grant a user the ability to create and manage service accounts in a project, but not delete them. Which predefined IAM role should be assigned?

17

You want to allow HTTP traffic from the internet to a set of Compute Engine instances tagged 'web-server'. Which gcloud command creates the appropriate firewall rule?

18

A security team wants to audit all Data Access attempts in a project for a specific Cloud Storage bucket, including who accessed which object and when. Which configuration is required?

19

You need to create a service account for a Compute Engine instance to allow it to access Cloud Storage objects. The service account should have minimal permissions. What is the recommended approach?

20

An organization has multiple projects under a folder. They want to grant a network admin the ability to create firewall rules in all projects in the folder. Which IAM policy binding achieves this with least privilege?

21

You are configuring a Cloud NAT to allow private Compute Engine instances to access the internet for updates. What other resource is required to set up Cloud NAT?

22

To meet compliance requirements, a company must encrypt all data at rest in Cloud SQL using customer-managed encryption keys (CMEK). What is required to enable CMEK on a Cloud SQL instance?

23

An engineer created a VPC with a subnet in us-central1 and enabled Private Google Access on that subnet. Compute Engine instances in that subnet can reach Google APIs and services using internal IPs. However, the instances cannot reach external IP addresses on the internet. What should the engineer configure to allow internet access while minimizing cost and management overhead?

24

An organization uses Secret Manager to store database credentials. A new application runs on Compute Engine and needs to access a secret. The application uses the default Compute Engine service account. What is the most secure way to grant access to the secret?

25

A company has a Google Cloud organization with multiple folders and projects. The security team wants to audit all actions that create or modify IAM policies across the entire organization. Which type of audit log should they examine?

26

You need to create a Google-managed SSL certificate for an external HTTPS load balancer. The domain is 'www.example.com'. Which command creates the certificate?

27

An engineer needs to view the current IAM policy for a project in JSON format to analyze bindings. Which command should be used?

28

An organization wants to enforce that all Compute Engine instances in a project use customer-managed encryption keys (CMEK) for their boot disks. Which TWO steps should the security team take?

29

A company wants to allow developers to create and manage secrets in Secret Manager, but prevent them from viewing secret values. Which TWO predefined roles should be combined to achieve this?

30

An engineer needs to audit all Data Access logs for a project to detect unauthorized access to sensitive data. The engineer must ensure that logs are retained for 5 years and are immutable. Which THREE steps should the engineer take?

31

A DevOps engineer needs to grant a service account the ability to pull images from a specific Container Registry repository in project 'my-project'. The service account is in project 'other-project'. Which command should the engineer use?

32

An organization uses Organization Policies to restrict the use of certain IAM roles. The security team wants to audit all modifications to IAM policies across the organization, including at the project level. Which log type should be enabled and analyzed?

33

A company wants to automate the rotation of encryption keys for Cloud Storage buckets every 30 days. Which key type should be used?

34

A security engineer needs to ensure that Compute Engine instances in a VPC can only communicate with each other on port 443 and cannot receive traffic from the internet. The VPC has a default network with default firewall rules. What should the engineer do?

35

An organization wants to use Cloud NAT to allow private Compute Engine instances to access the internet for updates. They have a VPC with a custom subnet and a Cloud Router configured. However, instances cannot reach the internet. What is the most likely cause?

36

You need to grant a user the ability to view audit logs for a project but not modify any resources. Which predefined IAM role should you assign?

37

A company has a Cloud SQL instance with CMEK enabled. The Cloud KMS key used for encryption is accidentally disabled. What is the impact on the Cloud SQL instance?

38

An engineer wants to create a Google-managed SSL certificate for an HTTPS load balancer. Which command should they use?

39

You need to view the current IAM policy for a project named 'my-project' in JSON format. Which command should you use?

40

An organization has a hierarchy: Organization -> Folder A -> Project 1. An IAM policy at the organization level grants roles/editor to user@example.com. A policy at Folder A denies roles/editor to the same user. What is the effective role for the user in Project 1?

41

A developer wants to create a service account for an application running on Compute Engine. The application needs to access Cloud Storage. What is the best practice for granting this access?

42

An engineer creates a firewall rule allowing ingress on port 8080 from source range 10.0.0.0/8 with priority 1000. Another rule denies ingress on port 8080 from source range 10.0.0.0/24 with priority 500. What is the effective behavior for traffic from 10.0.0.1?

43

Which of the following is required to enable Private Google Access on a subnet?

44

A security team wants to ensure that all new projects in an organization automatically have Data Access audit logs enabled for all services. What is the most efficient way to achieve this?

45

A developer wants to store a database password securely and make it accessible to a Compute Engine instance. Which Google Cloud service should be used?

46

An engineer needs to allow a set of Compute Engine instances (with tag 'web-server') to receive traffic on port 443 from the internet. The VPC has a default network with default firewall rules. Which TWO actions should the engineer take? (Choose TWO)

47

A company wants to implement a least-privilege security model for a service account that needs to read secrets from Secret Manager and publish messages to Pub/Sub. Which TWO IAM roles should be granted? (Choose TWO)

48

A security engineer wants to audit all attempts to access a specific Cloud Storage bucket, including successful and failed read requests. Which THREE steps should they take? (Choose THREE)

49

An engineer needs to grant an external auditor read-only access to view IAM policies on a GCP project. The auditor should not have access to any other resources. Which IAM role should be assigned?

50

A security team wants to ensure that all Compute Engine instances in a project are created with a specific custom service account attached. What is the most effective way to enforce this?

51

You need to allow inbound HTTP traffic to a set of Compute Engine instances that have the tag 'web-server'. All other inbound traffic should be denied. Which firewall rule configuration should you create?

52

A company is using Cloud NAT to allow private Compute Engine instances to access the internet. They notice that traffic from some instances is not being NATed. What is the most likely cause?

53

You are creating a new service account for an application that needs to read from a Cloud Storage bucket and write to Cloud Pub/Sub. What is the most secure way to grant these permissions?

54

You want to view the current IAM policy for a project in JSON format using the gcloud command-line tool. Which command should you run?

55

An organization wants to enforce encryption at rest for all data in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have created a Cloud KMS key ring and key. What additional step is required when creating a new bucket to use CMEK?

56

You need to allow a Compute Engine instance to securely access a Cloud Storage bucket without managing service account keys. The instance already has a service account attached. What is the best practice to grant access?

57

An engineer needs to enable Private Google Access for a subnet to allow instances without external IPs to access Google APIs and services. Which flag should be used when creating or updating the subnet?

58

You need to add an IAM binding for a user to a project using the gcloud command. Which command should you use?

59

A company uses Cloud SQL with Customer-Managed Encryption Keys (CMEK). The security team wants to rotate the encryption key. What is the impact on the Cloud SQL instance?

60

You need to store a database password securely in Google Cloud. The password will be used by a Compute Engine instance. Which service should you use?

61

A company needs to audit all actions that modify a Cloud Storage bucket. Which TWO steps should they take to enable this? (Choose 2 answers.)

62

An organization is designing a VPC with multiple subnets. They want instances in a private subnet to access the internet for updates. They also need to allow SSH access from a bastion host. Which THREE components must they configure? (Choose 3 answers.)

63

A developer wants to automate the creation of a service account and assign it a role using the gcloud command-line tool. Which TWO commands are needed? (Choose 2 answers.)

64

An engineer needs to grant a service account the ability to impersonate another service account when making API calls. Which IAM role should be assigned to the impersonating service account?

65

A security team wants to enable audit logging for all Data Access (ADMIN_READ, DATA_READ, DATA_WRITE) on a specific Google Cloud project. They plan to use gcloud commands to configure this. What is the correct approach?

66

Which command creates a Google-managed SSL certificate for the domain 'example.com'?

67

An engineer needs to allow HTTP traffic from the internet to a set of Compute Engine instances that have the network tag 'web-server'. The instances are in a VPC with a default firewall rule that denies all ingress. Which command creates the required firewall rule?

68

A company wants to use Customer-Managed Encryption Keys (CMEK) for encrypting data in a Cloud Storage bucket. They have created a key in Cloud KMS. Which step is required when creating the bucket to use CMEK?

69

A developer created a service account for an application running on a Compute Engine instance. The instance was started without specifying the service account. What must the developer do to make the application use the service account?

70

Which IAM role should be granted to a user to allow them to create and manage secrets in Secret Manager?

71

A company has multiple VPC networks in their project. They want Compute Engine instances in one VPC to communicate with instances in another VPC using internal IP addresses. Which feature should they use?

72

An engineer is configuring a Cloud NAT to allow private Compute Engine instances to access the internet. After creating the Cloud Router and NAT gateway, the instances still cannot connect to the internet. What is the most likely missing configuration?

73

Which command is used to view the current IAM policy for a Google Cloud project in JSON format?

74

An organization requires that all Compute Engine instances be created with a specific service account. Which organization policy can enforce this?

75

A developer needs to store a database password in Secret Manager and then allow a Compute Engine instance to access it. The instance uses the default Compute Engine service account. Which role should be granted to the service account?

76

A company needs to enable Private Google Access for a subnet in a VPC so that Compute Engine instances without external IPs can access Google APIs and services. Which two steps are required? (Choose TWO.)

77

A security engineer wants to audit all actions that modify VPC firewall rules in their project. They need to enable the appropriate audit logs. Which three steps should they take? (Choose THREE.)

78

An engineer wants to create a VPC with a custom subnet mode and then create a subnet with Private Google Access enabled. Which two commands should they use? (Choose TWO.)

79

An engineer needs to create a firewall rule that allows incoming HTTPS traffic only from a specific IP range to instances tagged 'web-server'. Which command should they use?

80

What is the primary benefit of using a Google-managed SSL certificate for an HTTPS Load Balancer?

81

An organization wants to enable Data Access audit logs for all Cloud Storage buckets in a project. Which step is necessary?

82

A developer wants to allow a Compute Engine instance to access Cloud Storage without using a service account key file. What is the recommended approach?

83

A security engineer needs to ensure that all VMs in a subnet use Private Google Access to reach Google APIs without external IP addresses. What must be enabled?

84

Which IAM role should be granted to a service account to allow it to access a secret stored in Secret Manager?

85

An organization has a folder hierarchy with multiple projects. They want to grant a support team the ability to view all IAM policies across the entire folder. What is the most efficient way?

86

A company wants to use Customer-Managed Encryption Keys (CMEK) for a Cloud SQL instance. What must be done first?

87

What is the purpose of creating a Cloud NAT gateway?

88

An engineer wants to view the current IAM policy for a project in JSON format. Which command should they use?

89

A company has multiple firewall rules. Rule A (priority 1000) allows TCP 80 from 0.0.0.0/0. Rule B (priority 500) denies TCP 80 from 10.0.0.0/8. An instance with IP 10.0.0.1 tries to connect to TCP 80. What happens?

90

A DevOps team needs to grant a CI/CD service account the ability to create secrets in Secret Manager. Which role should be assigned?

91

A company needs to allow a group of external auditors to view Cloud Audit Logs for a project but not modify any resources. Which two steps should be taken? (Choose 2)

92

An engineer needs to create a service account and grant it the ability to impersonate other service accounts. Which two permissions are required? (Choose 2)

93

A security team wants to restrict access to a Cloud Storage bucket so that only objects encrypted with a specific CMEK key can be uploaded. Which three actions are needed? (Choose 3)

94

An engineer needs to grant a service account the ability to start and stop Compute Engine instances in a specific project. The service account should not have permissions to delete instances or modify other resources. Which IAM role should be assigned?

95

A company has an organization with multiple folders and projects. They want to audit all IAM policy changes across the entire organization. Which approach meets the requirement with minimal effort?

96

An engineer wants to allow HTTP traffic from the internet to a set of Compute Engine instances that have the network tag 'web-server'. Which firewall rule should they create?

97

A company is migrating a legacy application to Compute Engine. The application requires access to a Cloud Storage bucket for storing logs. The application runs on a VM with a service account attached. Which TWO steps should the engineer take to grant the application access to the bucket?

98

An organization has a VPC with several subnets. They want Compute Engine instances in one subnet to have outbound internet access for updates but not be reachable from the internet. The instances have no external IP addresses. Which THREE components must be configured?

99

A security engineer needs to ensure that all secrets stored in Secret Manager are encrypted with a customer-managed encryption key (CMEK). Which TWO actions are required?

100

An engineer wants to view the current IAM policy for a project. Which TWO commands will accomplish this?

Frequently asked questions

What does the Configuring Access and Security domain cover on the ACE exam?

The Configuring Access and Security domain covers the key concepts tested in this area of the ACE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all ACE domains — no account required.

How many Configuring Access and Security questions are in the ACE question bank?

The Courseiva ACE question bank contains 100 questions in the Configuring Access and Security domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Configuring Access and Security for ACE?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Configuring Access and Security questions for ACE?

Yes — the session launcher on this page draws questions exclusively from the Configuring Access and Security domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
