Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 5.0

Configuring access and security

ACE Practice Questions

Use this page to practise Configuring access and security questions for this certification. Focus on how the exam tests configuring access and security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

What this objective tests

ACE Configuring access and security — Key Topics

Questions on this objective test your ability to configure and manage access and security in scenario-based situations.

  • Core access and security concepts and how they apply in real-world cloud scenarios.
  • How to configure access and security correctly and verify the outcome.
  • Troubleshooting access and security issues by interpreting error output and system state.
  • Cloud best practices and access and security design trade-offs tested by this certification.

Common exam traps

Where candidates lose marks on Configuring access and security

  • ⚠ Selecting the most expensive service when a simpler managed option meets the requirement.
  • ⚠ Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • ⚠ Choosing a global service fix when the issue is region-specific.
  • ⚠ Overlooking cost implications of cross-region data transfer in architecture questions.

ACE Configuring access and security — Practice Questions

30 questions from this objective

Question 2 (easy, multiple choice)

A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?

Question 3 (medium, multiple choice)

A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?

Question 4 (medium, multiple choice)

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

Question 5 (hard, multiple choice)

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

Question 6 (medium, multiple choice)

A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?

Question 7 (medium, multiple choice)

A compliance team needs a log of every time a user or service account accessed data in a BigQuery dataset — specifically read operations. Which Cloud Audit Log type captures this?

Question 8 (hard, multiple choice)

A security team wants to prevent authorized users from copying BigQuery query results to a dataset in a different GCP project that is outside the team's security boundary — even if the user has valid IAM permissions. Which control enforces this?

Question 9 (medium, multiple choice)

A GKE Pod needs to call the Cloud Storage API. The team wants to avoid creating and managing service account key files. What is the recommended approach?

Question 10 (hard, multiple choice)

A public API receives global traffic but has been targeted by both volumetric DDoS attacks and SQL injection attempts in HTTP request parameters. Which single GCP service provides protection against both threats?

Question 11 (medium, multiple choice)

A team wants to grant a contractor the Storage Object Viewer role on a specific bucket path, but only during business hours (Monday–Friday, 9am–5pm local time). Which IAM feature supports these conditions?

Question 12 (medium, multiple choice)

A team wants to grant three developers access to view Cloud SQL instance details and connection strings, but not create, delete, or modify any Cloud SQL instances. Which predefined IAM role is the most appropriate?

Question 13 (hard, multiple choice)

A compliance requirement mandates that all VM-to-VM traffic within a GCP project must be encrypted in transit, even for internal VPC traffic. Which feature enforces this for Compute Engine?

Question 14 (medium, multiple choice)

An organization needs to ensure that only images from their approved Container Registry (gcr.io/approved-project) can be deployed on GKE clusters in their organization. Which GCP control enforces this?

Question 15 (medium, multiple choice)

A DevOps engineer creates a service account for a CI/CD pipeline. The pipeline needs to push container images to Artifact Registry. Which role grants the minimum required permission?

Question 16 (hard, multiple choice)

A security team discovers that a service account key was accidentally committed to a public GitHub repository 48 hours ago. What should be the immediate steps to remediate this incident?

Question 17 (medium, multiple choice)

A team's Cloud Storage bucket containing backups has been accidentally made publicly readable. A monitoring alert fires. What is the fastest way to remove public access?

Question 18 (medium, multiple choice)

A GKE cluster hosts both a public-facing web application and an internal data processing service. The data processing service should only accept traffic from the web application Pods, not from the internet. Which Kubernetes feature enforces this policy?

Question 19 (easy, multiple choice)

A developer accidentally grants the Owner role to a test service account on the production project. The team wants to remove only this specific IAM binding without affecting other members' access. Which gcloud command achieves this?

Question 20 (hard, multiple choice)

A regulated financial company must ensure that all GCP API calls made by employees are logged with full request and response payloads for audit purposes. Which combination of Cloud Audit Log types captures this?

Question 21 (medium, multiple choice)

A GCP project needs to allow outbound internet access from VMs that have only private IP addresses, without exposing those VMs to inbound internet traffic. Which GCP service provides this?

Question 22 (medium, multiple choice)

An internal web application running on GKE must be accessible only to employees who are authenticated with the company's Google Workspace account — without exposing it to the internet or using a VPN. Which GCP service provides identity-based access without a VPN?

Question 23 (medium, multiple choice)

A Compute Engine VM with only a private IP address needs to download software updates from the internet (apt-get update). What must be configured in the VPC to enable outbound internet access for private VMs?

Question 24 (hard, multiple choice)

A CI/CD pipeline running outside GCP (on GitHub Actions) needs to authenticate to GCP to push images to Artifact Registry, without storing any long-lived service account key files. Which authentication mechanism achieves this?

Question 25 (medium, multiple choice)

An application uses the S3-compatible API to interact with Cloud Storage. The team needs credentials compatible with HMAC-based S3 authentication. Which credential type does Cloud Storage support for this?

Question 26 (hard, multiple choice)

An organization policy at the organization level sets `constraints/compute.requireOsLogin` to enforced (true) on all projects. A specific project needs an exception — VMs there should not require OS Login. How can this exception be configured?

Question 27 (medium, multiple choice)

Two GCP projects, A and B, have VPC peering configured. Project A is peered with B, and Project B is peered with Project C. Can VMs in Project A reach VMs in Project C through Project B?

Question 28 (medium, multiple choice)

A security team wants to centrally identify misconfigured GCP resources across their organization — such as publicly accessible Cloud Storage buckets, unencrypted disks, and overly permissive firewall rules. Which GCP service provides these findings?

Question 29 (hard, multiple choice)

A regulated company requires a log of all actions taken by Google support engineers when they access customer GCP environments during support cases. Which Cloud Audit Log type captures this?

Question 30 (hard, multiple choice)

A healthcare company stores patient data in Cloud Storage. Compliance requires that even GCP (Google) cannot decrypt this data. The company manages encryption keys entirely on their own infrastructure. Which encryption option satisfies this?

Question 31 (medium, multiple choice)

A network security team wants to capture metadata about all TCP flows entering and leaving VMs in a specific subnet — source IP, destination IP, port, and bytes transferred — for security analysis. Which GCP feature collects this data?

More Configuring access and security questions available in the full practice test.

All ACE Objectives

  • 1. Setting up a cloud solution environment
  • 2. Planning and configuring a cloud solution
  • 3. Deploying and implementing a cloud solution
  • 4. Ensuring successful operation of a cloud solution
  • 5. Configuring access and security