Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Configuring Access and Security practice sets

Google ACE Configuring Access and Security • Complete Question Bank

Google ACE Configuring Access and Security — All Questions With Answers

Complete Google ACE Configuring Access and Security question bank — all 0 questions with answers and detailed explanations.

100
Questions
Free
No signup
Certifications/Google ACE/Practice Test/Configuring Access and Security/All Questions
Question 1mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to grant an external auditor read-only access to a subset of Cloud Storage buckets in a project. The auditor's identity is a Google account. Which IAM approach should the engineer use?

Question 2mediummultiple choice
Read the full Configuring Access and Security explanation →

A security team wants to ensure that all Compute Engine instances in a project automatically use a custom service account with minimal permissions. What must the engineer do when creating new instances?

Question 3hardmultiple choice
Read the full Configuring Access and Security explanation →

An engineer created a firewall rule to allow inbound HTTP traffic on port 80 from the internet to instances with the tag 'web-server'. However, after applying the rule, a test instance with the tag 'web-server' is still not reachable on port 80. What is a likely cause?

Question 4mediummultiple choice
Read the full NAT/PAT explanation →

A company wants to use Cloud NAT to allow private instances in a VPC to send outbound traffic to the internet and to receive inbound responses. Which two resources must be configured to set up Cloud NAT?

Question 5easymultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to view the current IAM policy for a project in JSON format. Which gcloud command should they use?

Question 6hardmultiple choice
Read the full Configuring Access and Security explanation →

A developer created a service account with the roles/storage.admin role and wants to use it from a Compute Engine instance without downloading a key file. What is the best practice?

Question 7easymultiple choice
Read the full Configuring Access and Security explanation →

Which Google Cloud service provides a managed, scalable, and secure way to store API keys, passwords, and certificates?

Question 8mediummultiple choice
Review the full subnetting walkthrough →

A company has a VPC with a subnet that has Private Google Access enabled. They want their Compute Engine instances to access Google APIs and services through internal IP addresses. Which additional configuration is required?

Question 9mediummultiple choice
Read the full Configuring Access and Security explanation →

An organization needs to audit all data access (read/write) to a Cloud Storage bucket for compliance. Which type of audit log should they enable?

Question 10hardmultiple choice
Review the full subnetting walkthrough →

A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They want to allow traffic from instances in subnet-a to reach a specific instance in subnet-b only on TCP port 443. What is the most specific firewall rule to achieve this?

Question 11easymultiple choice
Read the full Configuring Access and Security explanation →

An engineer wants to create a Google-managed SSL certificate for a domain and attach it to an HTTPS load balancer. Which gcloud command should they use to create the certificate?

Question 12mediummultiple choice
Read the full Configuring Access and Security explanation →

A team needs to create a new service account and grant it the roles/storage.objectViewer role on a project. Which two gcloud commands are required?

Question 13mediummulti select
Read the full Configuring Access and Security explanation →

A company wants to ensure that a Compute Engine instance can access only a specific Cloud Storage bucket and no other resources in the project. Which TWO steps should the engineer take? (Select 2 correct answers)

Question 14hardmulti select
Review the full subnetting walkthrough →

Which THREE configurations are required to enable Private Google Access for Compute Engine instances in a custom VPC subnet? (Select 3 correct answers)

Question 15easymulti select
Read the full Configuring Access and Security explanation →

Which TWO of the following are valid ways to grant IAM roles to a service account for accessing a Cloud Storage bucket? (Select 2 correct answers)

Question 16easymultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to grant a user the ability to create and manage service accounts in a project, but not delete them. Which predefined IAM role should be assigned?

Question 17easymultiple choice
Read the full Configuring Access and Security explanation →

You want to allow HTTP traffic from the internet to a set of Compute Engine instances tagged 'web-server'. Which gcloud command creates the appropriate firewall rule?

Question 18mediummultiple choice
Read the full Configuring Access and Security explanation →

A security team wants to audit all Data Access attempts in a project for a specific Cloud Storage bucket, including who accessed which object and when. Which configuration is required?

Question 19mediummultiple choice
Read the full Configuring Access and Security explanation →

You need to create a service account for a Compute Engine instance to allow it to access Cloud Storage objects. The service account should have minimal permissions. What is the recommended approach?

Question 20mediummultiple choice
Read the full Configuring Access and Security explanation →

An organization has multiple projects under a folder. They want to grant a network admin the ability to create firewall rules in all projects in the folder. Which IAM policy binding achieves this with least privilege?

Question 21mediummultiple choice
Read the full NAT/PAT explanation →

You are configuring a Cloud NAT to allow private Compute Engine instances to access the internet for updates. What other resource is required to set up Cloud NAT?

Question 22mediummultiple choice
Read the full Configuring Access and Security explanation →

To meet compliance requirements, a company must encrypt all data at rest in Cloud SQL using customer-managed encryption keys (CMEK). What is required to enable CMEK on a Cloud SQL instance?

Question 23hardmultiple choice
Review the full subnetting walkthrough →

An engineer created a VPC with a subnet in us-central1 and enabled Private Google Access on that subnet. Compute Engine instances in that subnet can reach Google APIs and services using internal IPs. However, the instances cannot reach external IP addresses on the internet. What should the engineer configure to allow internet access while minimizing cost and management overhead?

Question 24hardmultiple choice
Read the full Configuring Access and Security explanation →

An organization uses Secret Manager to store database credentials. A new application runs on Compute Engine and needs to access a secret. The application uses the default compute engine service account. What is the most secure way to grant access to the secret?

Question 25hardmultiple choice
Read the full Configuring Access and Security explanation →

A company has a Google Cloud organization with multiple folders and projects. The security team wants to audit all actions that create or modify IAM policies across the entire organization. Which type of audit log should they examine?

Question 26easymultiple choice
Read the full Configuring Access and Security explanation →

You need to create a Google-managed SSL certificate for an external HTTPS load balancer. The domain is 'www.example.com'. Which command creates the certificate?

Question 27mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to view the current IAM policy for a project in JSON format to analyze bindings. Which command should be used?

Question 28mediummulti select
Read the full Configuring Access and Security explanation →

An organization wants to enforce that all Compute Engine instances in a project use customer-managed encryption keys (CMEK) for their boot disks. Which TWO steps should the security team take?

Question 29hardmulti select
Read the full Configuring Access and Security explanation →

A company wants to allow developers to create and manage secrets in Secret Manager, but prevent them from viewing secret values. Which TWO predefined roles should be combined to achieve this?

Question 30hardmulti select
Read the full Configuring Access and Security explanation →

An engineer needs to audit all Data Access logs for a project to detect unauthorized access to sensitive data. The engineer must ensure that logs are retained for 5 years and are immutable. Which THREE steps should the engineer take?

Question 31mediummultiple choice
Read the full Configuring Access and Security explanation →

A DevOps engineer needs to grant a service account the ability to pull images from a specific Container Registry repository in project 'my-project'. The service account is in project 'other-project'. Which command should the engineer use?

Question 32hardmultiple choice
Read the full Configuring Access and Security explanation →

An organization uses Organization Policies to restrict the use of certain IAM roles. The security team wants to audit all modifications to IAM policies across the organization, including at the project level. Which log type should be enabled and analyzed?

Question 33easymultiple choice
Read the full Configuring Access and Security explanation →

A company wants to automate the rotation of encryption keys for Cloud Storage buckets every 30 days. Which key type should be used?

Question 34mediummultiple choice
Read the full Configuring Access and Security explanation →

A security engineer needs to ensure that Compute Engine instances in a VPC can only communicate with each other on port 443 and cannot receive traffic from the internet. The VPC has a default network with default firewall rules. What should the engineer do?

Question 35hardmultiple choice
Read the full NAT/PAT explanation →

An organization wants to use Cloud NAT to allow private Compute Engine instances to access the internet for updates. They have a VPC with a custom subnet and a Cloud Router configured. However, instances cannot reach the internet. What is the most likely cause?

Question 36easymultiple choice
Read the full Configuring Access and Security explanation →

You need to grant a user the ability to view audit logs for a project but not modify any resources. Which predefined IAM role should you assign?

Question 37mediummultiple choice
Read the full Configuring Access and Security explanation →

A company has a Cloud SQL instance with CMEK enabled. The Cloud KMS key used for encryption is accidentally disabled. What is the impact on the Cloud SQL instance?

Question 38mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer wants to create a Google-managed SSL certificate for an HTTPS load balancer. Which command should they use?

Question 39easymultiple choice
Read the full Configuring Access and Security explanation →

You need to view the current IAM policy for a project named 'my-project' in JSON format. Which command should you use?

Question 40hardmultiple choice
Read the full Configuring Access and Security explanation →

An organization has a hierarchy: Organization -> Folder A -> Project 1. An IAM policy at the organization level grants roles/editor to user@example.com. A policy at Folder A denies roles/editor to the same user. What is the effective role for the user in Project 1?

Question 41mediummultiple choice
Read the full Configuring Access and Security explanation →

A developer wants to create a service account for an application running on Compute Engine. The application needs to access Cloud Storage. What is the best practice for granting this access?

Question 42mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer creates a firewall rule allowing ingress on port 8080 from source range 10.0.0.0/8 with priority 1000. Another rule denies ingress on port 8080 from source range 10.0.0.0/24 with priority 500. What is the effective behavior for traffic from 10.0.0.1?

Question 43easymultiple choice
Review the full subnetting walkthrough →

Which of the following is required to enable Private Google Access on a subnet?

Question 44hardmultiple choice
Read the full Configuring Access and Security explanation →

A security team wants to ensure that all new projects in an organization automatically have Data Access audit logs enabled for all services. What is the most efficient way to achieve this?

Question 45easymultiple choice
Read the full Configuring Access and Security explanation →

A developer wants to store a database password securely and make it accessible to a Compute Engine instance. Which Google Cloud service should be used?

Question 46mediummulti select
Read the full Configuring Access and Security explanation →

An engineer needs to allow a set of Compute Engine instances (with tag 'web-server') to receive traffic on port 443 from the internet. The VPC has a default network with default firewall rules. Which TWO actions should the engineer take? (Choose TWO)

Question 47hardmulti select
Read the full Configuring Access and Security explanation →

A company wants to implement a least-privilege security model for a service account that needs to read secrets from Secret Manager and publish messages to Pub/Sub. Which TWO IAM roles should be granted? (Choose TWO)

Question 48mediummulti select
Read the full Configuring Access and Security explanation →

A security engineer wants to audit all attempts to access a specific Cloud Storage bucket, including successful and failed read requests. Which THREE steps should they take? (Choose THREE)

Question 49mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to grant an external auditor read-only access to view IAM policies on a GCP project. The auditor should not have access to any other resources. Which IAM role should be assigned?

Question 50mediummultiple choice
Read the full Configuring Access and Security explanation →

A security team wants to ensure that all Compute Engine instances in a project are created with a specific custom service account attached. What is the most effective way to enforce this?

Question 51easymultiple choice
Read the full Configuring Access and Security explanation →

You need to allow inbound HTTP traffic to a set of Compute Engine instances that have the tag 'web-server'. All other inbound traffic should be denied. Which firewall rule configuration should you create?

Question 52hardmultiple choice
Read the full NAT/PAT explanation →

A company is using Cloud NAT to allow private Compute Engine instances to access the internet. They notice that traffic from some instances is not being NATed. What is the most likely cause?

Question 53mediummultiple choice
Read the full Configuring Access and Security explanation →

You are creating a new service account for an application that needs to read from a Cloud Storage bucket and write to Cloud Pub/Sub. What is the most secure way to grant these permissions?

Question 54easymultiple choice
Read the full Configuring Access and Security explanation →

You want to view the current IAM policy for a project in JSON format using the gcloud command-line tool. Which command should you run?

Question 55hardmultiple choice
Read the full Configuring Access and Security explanation →

An organization wants to enforce encryption at rest for all data in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have created a Cloud KMS key ring and key. What additional step is required when creating a new bucket to use CMEK?

Question 56mediummultiple choice
Read the full Configuring Access and Security explanation →

You need to allow a Compute Engine instance to securely access a Cloud Storage bucket without managing service account keys. The instance already has a service account attached. What is the best practice to grant access?

Question 57mediummultiple choice
Review the full subnetting walkthrough →

An engineer needs to enable Private Google Access for a subnet to allow instances without external IPs to access Google APIs and services. Which flag should be used when creating or updating the subnet?

Question 58easymultiple choice
Read the full Configuring Access and Security explanation →

You need to add an IAM binding for a user to a project using the gcloud command. Which command should you use?

Question 59hardmultiple choice
Read the full Configuring Access and Security explanation →

A company uses Cloud SQL with Customer-Managed Encryption Keys (CMEK). The security team wants to rotate the encryption key. What is the impact on the Cloud SQL instance?

Question 60easymultiple choice
Read the full Configuring Access and Security explanation →

You need to store a database password securely in Google Cloud. The password will be used by a Compute Engine instance. Which service should you use?

Question 61mediummulti select
Read the full Configuring Access and Security explanation →

A company needs to audit all actions that modify a Cloud Storage bucket. Which TWO steps should they take to enable this? (Choose 2 answers.)

Question 62hardmulti select
Review the full subnetting walkthrough →

An organization is designing a VPC with multiple subnets. They want instances in a private subnet to access the internet for updates. They also need to allow SSH access from a bastion host. Which THREE components must they configure? (Choose 3 answers.)

Question 63mediummulti select
Read the full Configuring Access and Security explanation →

A developer wants to automate the creation of a service account and assign it a role using the gcloud command-line tool. Which TWO commands are needed? (Choose 2 answers.)

Question 64mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to grant a service account the ability to impersonate another service account when making API calls. Which IAM role should be assigned to the impersonating service account?

Question 65hardmultiple choice
Read the full Configuring Access and Security explanation →

A security team wants to enable audit logging for all Data Access (ADMIN_READ, DATA_READ, DATA_WRITE) on a specific Google Cloud project. They plan to use gcloud commands to configure this. What is the correct approach?

Question 66easymultiple choice
Read the full Configuring Access and Security explanation →

Which command creates a Google-managed SSL certificate for the domain 'example.com'?

Question 67mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to allow HTTP traffic from the internet to a set of Compute Engine instances that have the network tag 'web-server'. The instances are in a VPC with a default firewall rule that denies all ingress. Which command creates the required firewall rule?

Question 68mediummultiple choice
Read the full Configuring Access and Security explanation →

A company wants to use Customer-Managed Encryption Keys (CMEK) for encrypting data in a Cloud Storage bucket. They have created a key in Cloud KMS. Which step is required when creating the bucket to use CMEK?

Question 69hardmultiple choice
Read the full Configuring Access and Security explanation →

A developer created a service account for an application running on a Compute Engine instance. The instance was started without specifying the service account. What must the developer do to make the application use the service account?

Question 70easymultiple choice
Read the full Configuring Access and Security explanation →

Which IAM role should be granted to a user to allow them to create and manage secrets in Secret Manager?

Question 71mediummultiple choice
Read the full Configuring Access and Security explanation →

A company has multiple VPC networks in their project. They want Compute Engine instances in one VPC to communicate with instances in another VPC using internal IP addresses. Which feature should they use?

Question 72hardmultiple choice
Read the full NAT/PAT explanation →

An engineer is configuring a Cloud NAT to allow private Compute Engine instances to access the internet. After creating the Cloud Router and NAT gateway, the instances still cannot connect to the internet. What is the most likely missing configuration?

Question 73easymultiple choice
Read the full Configuring Access and Security explanation →

Which command is used to view the current IAM policy for a Google Cloud project in JSON format?

Question 74mediummultiple choice
Read the full Configuring Access and Security explanation →

An organization requires that all Compute Engine instances be created with a specific service account. Which organization policy can enforce this?

Question 75mediummultiple choice
Read the full Configuring Access and Security explanation →

A developer needs to store a database password in Secret Manager and then allow a Compute Engine instance to access it. The instance uses the default compute engine service account. Which role should be granted to the service account?

Question 76mediummulti select
Review the full subnetting walkthrough →

A company needs to enable Private Google Access for a subnet in a VPC so that Compute Engine instances without external IPs can access Google APIs and services. Which two steps are required? (Choose TWO.)

Question 77hardmulti select
Read the full Configuring Access and Security explanation →

A security engineer wants to audit all actions that modify VPC firewall rules in their project. They need to enable the appropriate audit logs. Which three steps should they take? (Choose THREE.)

Question 78mediummulti select
Review the full subnetting walkthrough →

An engineer wants to create a VPC with a custom subnet mode and then create a subnet with Private Google Access enabled. Which two commands should they use? (Choose TWO.)

Question 79mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to create a firewall rule that allows incoming HTTPS traffic only from a specific IP range to instances tagged 'web-server'. Which command should they use?

Question 80easymultiple choice
Read the full Configuring Access and Security explanation →

What is the primary benefit of using a Google-managed SSL certificate for an HTTPS Load Balancer?

Question 81hardmultiple choice
Read the full Configuring Access and Security explanation →

An organization wants to enable Data Access audit logs for all Cloud Storage buckets in a project. Which step is necessary?

Question 82mediummultiple choice
Read the full Configuring Access and Security explanation →

A developer wants to allow a Compute Engine instance to access Cloud Storage without using a service account key file. What is the recommended approach?

Question 83mediummultiple choice
Review the full subnetting walkthrough →

A security engineer needs to ensure that all VMs in a subnet use Private Google Access to reach Google APIs without external IP addresses. What must be enabled?

Question 84easymultiple choice
Read the full Configuring Access and Security explanation →

Which IAM role should be granted to a service account to allow it to access a secret stored in Secret Manager?

Question 85hardmultiple choice
Read the full Configuring Access and Security explanation →

An organization has a folder hierarchy with multiple projects. They want to grant a support team the ability to view all IAM policies across the entire folder. What is the most efficient way?

Question 86mediummultiple choice
Read the full Configuring Access and Security explanation →

A company wants to use Customer-Managed Encryption Keys (CMEK) for a Cloud SQL instance. What must be done first?

Question 87easymultiple choice
Read the full NAT/PAT explanation →

What is the purpose of creating a Cloud NAT gateway?

Question 88mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer wants to view the current IAM policy for a project in JSON format. Which command should they use?

Question 89hardmultiple choice
Read the full Configuring Access and Security explanation →

A company has multiple firewall rules. Rule A (priority 1000) allows TCP 80 from 0.0.0.0/0. Rule B (priority 500) denies TCP 80 from 10.0.0.0/8. An instance with IP 10.0.0.1 tries to connect to TCP 80. What happens?

Question 90mediummultiple choice
Read the full Configuring Access and Security explanation →

A DevOps team needs to grant a CI/CD service account the ability to create secrets in Secret Manager. Which role should be assigned?

Question 91mediummulti select
Read the full Configuring Access and Security explanation →

A company needs to allow a group of external auditors to view Cloud Audit Logs for a project but not modify any resources. Which two steps should be taken? (Choose 2)

Question 92hardmulti select
Read the full Configuring Access and Security explanation →

An engineer needs to create a service account and grant it the ability to impersonate other service accounts. Which two permissions are required? (Choose 2)

Question 93mediummulti select
Read the full Configuring Access and Security explanation →

A security team wants to restrict access to a Cloud Storage bucket so that only objects encrypted with a specific CMEK key can be uploaded. Which three actions are needed? (Choose 3)

Question 94mediummultiple choice
Read the full Configuring Access and Security explanation →

An engineer needs to grant a service account the ability to start and stop Compute Engine instances in a specific project. The service account should not have permissions to delete instances or modify other resources. Which IAM role should be assigned?

Question 95hardmultiple choice
Read the full Configuring Access and Security explanation →

A company has an organization with multiple folders and projects. They want to audit all IAM policy changes across the entire organization. Which approach meets the requirement with minimal effort?

Question 96easymultiple choice
Read the full Configuring Access and Security explanation →

An engineer wants to allow HTTP traffic from the internet to a set of Compute Engine instances that have the network tag 'web-server'. Which firewall rule should they create?

Question 97mediummulti select
Read the full Configuring Access and Security explanation →

A company is migrating a legacy application to Compute Engine. The application requires access to a Cloud Storage bucket for storing logs. The application runs on a VM with a service account attached. Which TWO steps should the engineer take to grant the application access to the bucket?

Question 98hardmulti select
Review the full subnetting walkthrough →

An organization has a VPC with several subnets. They want Compute Engine instances in one subnet to have outbound internet access for updates but not be reachable from the internet. The instances have no external IP addresses. Which THREE components must be configured?

Question 99mediummulti select
Read the full Configuring Access and Security explanation →

A security engineer needs to ensure that all secrets stored in Secret Manager are encrypted with a customer-managed encryption key (CMEK). Which TWO actions are required?

Question 100easymulti select
Read the full Configuring Access and Security explanation →

An engineer wants to view the current IAM policy for a project. Which TWO commands will accomplish this?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

Google ACE Practice Test 1 — 25 Questions→Google ACE Practice Test 2 — 25 Questions→Google ACE Practice Test 3 — 25 Questions→Google ACE Practice Test 4 — 25 Questions→Google ACE Practice Test 5 — 25 Questions→Google ACE Practice Exam 1 — 20 Questions→Google ACE Practice Exam 2 — 20 Questions→Google ACE Practice Exam 3 — 20 Questions→Google ACE Practice Exam 4 — 20 Questions→Free Google ACE Practice Test 1 — 30 Questions→Free Google ACE Practice Test 2 — 30 Questions→Free Google ACE Practice Test 3 — 30 Questions→Google ACE Practice Questions 1 — 50 Questions→Google ACE Practice Questions 2 — 50 Questions→Google ACE Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Configuring Access and SecurityPlanning and Configuring a Cloud SolutionEnsuring Successful Operation of a Cloud SolutionDeploying and Implementing a Cloud SolutionSetting Up a Cloud Solution Environment

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Configuring Access and Security setsAll Configuring Access and Security questionsGoogle ACE Practice Hub