© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Google ACE Configuring access and security — All Questions With Answers

Complete Google ACE Configuring access and security question bank — 98 questions with answers and detailed explanations. Free, no signup required.
Question 1 (easy, multiple choice)

A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?

Question 2 (medium, multiple choice)

A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?

Question 3 (medium, multiple choice)

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

Question 4 (hard, multiple choice)

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

Question 5 (medium, multiple choice)

A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?

Question 6 (medium, multiple choice)

A compliance team needs a log of every time a user or service account accessed data in a BigQuery dataset — specifically read operations. Which Cloud Audit Log type captures this?

Question 7 (hard, multiple choice)

A security team wants to prevent authorized users from copying BigQuery query results to a dataset in a different GCP project that is outside the team's security boundary — even if the user has valid IAM permissions. Which control enforces this?

Question 8 (medium, multiple choice)

A GKE Pod needs to call the Cloud Storage API. The team wants to avoid creating and managing service account key files. What is the recommended approach?

Question 9 (hard, multiple choice)

A public API receives global traffic but has been targeted by both volumetric DDoS attacks and SQL injection attempts in HTTP request parameters. Which single GCP service provides protection against both threats?

Question 10 (medium, multiple choice)

A team wants to grant a contractor the Storage Object Viewer role on a specific bucket path, but only during business hours (Monday–Friday, 9am–5pm local time). Which IAM feature supports these conditions?

Question 11 (medium, multiple choice)

A team wants to grant three developers access to view Cloud SQL instance details and connection strings, but not create, delete, or modify any Cloud SQL instances. Which predefined IAM role is the most appropriate?

Question 12 (hard, multiple choice)

A compliance requirement mandates that all VM-to-VM traffic within a GCP project must be encrypted in transit, even for internal VPC traffic. Which feature enforces this for Compute Engine?

Question 13 (medium, multiple choice)

An organization needs to ensure that only images from their approved Container Registry (gcr.io/approved-project) can be deployed on GKE clusters in their organization. Which GCP control enforces this?

Question 14 (medium, multiple choice)

A DevOps engineer creates a service account for a CI/CD pipeline. The pipeline needs to push container images to Artifact Registry. Which role grants the minimum required permission?

Question 15 (hard, multiple choice)

A security team discovers that a service account key was accidentally committed to a public GitHub repository 48 hours ago. What should be the immediate steps to remediate this incident?

Question 16 (medium, multiple choice)

A team's Cloud Storage bucket containing backups has been accidentally made publicly readable. A monitoring alert fires. What is the fastest way to remove public access?

Question 17 (medium, multiple choice)

A GKE cluster hosts both a public-facing web application and an internal data processing service. The data processing service should only accept traffic from the web application Pods, not from the internet. Which Kubernetes feature enforces this policy?

Question 18 (easy, multiple choice)

A developer accidentally grants the Owner role to a test service account on the production project. The team wants to remove only this specific IAM binding without affecting other members' access. Which gcloud command achieves this?

Question 19 (hard, multiple choice)

A regulated financial company must ensure that all GCP API calls made by employees are logged with full request and response payloads for audit purposes. Which combination of Cloud Audit Log types captures this?

Question 20 (medium, multiple choice)

A GCP project needs to allow outbound internet access from VMs that have only private IP addresses, without exposing those VMs to inbound internet traffic. Which GCP service provides this?

Question 21 (medium, multiple choice)

An internal web application running on GKE must be accessible only to employees who are authenticated with the company's Google Workspace account — without exposing it to the internet or using a VPN. Which GCP service provides identity-based access without a VPN?

Question 22 (medium, multiple choice)

A Compute Engine VM with only a private IP address needs to download software updates from the internet (apt-get update). What must be configured in the VPC to enable outbound internet access for private VMs?

Question 23 (hard, multiple choice)

A CI/CD pipeline running outside GCP (on GitHub Actions) needs to authenticate to GCP to push images to Artifact Registry, without storing any long-lived service account key files. Which authentication mechanism achieves this?

Question 24 (medium, multiple choice)

An application uses the S3-compatible API to interact with Cloud Storage. The team needs credentials compatible with HMAC-based S3 authentication. Which credential type does Cloud Storage support for this?

Question 25 (hard, multiple choice)

An organization policy at the organization level sets `constraints/compute.requireOsLogin` to enforced (true) on all projects. A specific project needs an exception — VMs there should not require OS Login. How can this exception be configured?

Question 26 (medium, multiple choice)

Two GCP projects, A and B, have VPC peering configured. Project A is peered with B, and Project B is peered with Project C. Can VMs in Project A reach VMs in Project C through Project B?

Question 27 (medium, multiple choice)

A security team wants to centrally identify misconfigured GCP resources across their organization — such as publicly accessible Cloud Storage buckets, unencrypted disks, and overly permissive firewall rules. Which GCP service provides these findings?

Question 28 (hard, multiple choice)

A regulated company requires a log of all actions taken by Google support engineers when they access customer GCP environments during support cases. Which Cloud Audit Log type captures this?

Question 29 (hard, multiple choice)

A healthcare company stores patient data in Cloud Storage. Compliance requires that even GCP (Google) cannot decrypt this data. The company manages encryption keys entirely on their own infrastructure. Which encryption option satisfies this?

Question 30 (medium, multiple choice)

A network security team wants to capture metadata about all TCP flows entering and leaving VMs in a specific subnet — source IP, destination IP, port, and bytes transferred — for security analysis. Which GCP feature collects this data?

Question 31 (medium, multiple choice)

A team needs to give a third-party vendor read-only access to specific Cloud Storage objects for 48 hours. The vendor uses an AWS account (not a Google account). What is the most secure way to grant this temporary access?

Question 32 (medium, multiple choice)

A developer accidentally creates a firewall rule allowing all inbound traffic (0.0.0.0/0) on all ports to all instances in a production VPC. The rule has priority 1000. The team has an existing rule allowing only SSH (port 22) from the corporate IP range at priority 999. Which traffic is actually allowed?
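
The evaluation order behind Questions 3 and 32, modelled in Python as an added example (this is not code from the question bank): rules are checked from the lowest priority number upward, the first matching rule decides, a deny beats an allow at equal priority, target tags scope a rule to tagged instances, and ingress that matches nothing hits the implied deny. The rule names, IP ranges and tags are constructed sample data.

```python
"""Model of how VPC firewall rules are evaluated for an ingress packet.

Added illustration for Questions 3 and 32, not code from the question bank.
Encodes the documented semantics: lowest priority number first, first match
decides, deny wins a tie, target tags limit which instances a rule covers,
unmatched ingress falls to the implied deny at priority 65535.
Rule names, IP ranges and tags are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    priority: int                                  # 0 = highest precedence, 65535 = lowest
    action: str                                    # "allow" or "deny"
    source_ranges: list                            # CIDR strings
    allowed: dict = field(default_factory=dict)    # {"tcp": {22}}; {"all": set()} = every protocol
    target_tags: set = field(default_factory=set)  # empty = applies to all instances in the VPC


def _matches(rule, src_ip, proto, port, instance_tags):
    """True when the rule's selectors match this packet on this instance."""
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False
    if not any(ip_address(src_ip) in ip_network(r) for r in rule.source_ranges):
        return False
    if "all" in rule.allowed:
        return True
    ports = rule.allowed.get(proto)
    if ports is None:
        return False
    return not ports or port in ports              # empty port set = all ports of that protocol


def evaluate_ingress(rules, src_ip, proto, port, instance_tags):
    """Return (action, rule_name) for the highest-precedence matching rule."""
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if _matches(rule, src_ip, proto, port, instance_tags):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


# Constructed rules and hosts (sample names and documentation IP ranges).
CORP_SSH = Rule("allow-ssh-corp", 999, "allow", ["203.0.113.0/24"], {"tcp": {22}})
OOPS_ALL = Rule("allow-all-oops", 1000, "allow", ["0.0.0.0/0"], {"all": set()})
WEB_443 = Rule("allow-https-web", 1000, "allow", ["0.0.0.0/0"], {"tcp": {443}}, {"web-server"})
INTERNET_HOST = "198.51.100.9"
CORP_HOST = "203.0.113.7"


def question_32(with_accident=True):
    """Q32: the priority-999 rule only *allows* corp SSH; it never denies, so any
    packet it does not match falls through to the 0.0.0.0/0 allow at 1000."""
    rules = [CORP_SSH, OOPS_ALL] if with_accident else [CORP_SSH]
    return {
        "ssh_from_corp": evaluate_ingress(rules, CORP_HOST, "tcp", 22, set()),
        "ssh_from_internet": evaluate_ingress(rules, INTERNET_HOST, "tcp", 22, set()),
        "rdp_from_internet": evaluate_ingress(rules, INTERNET_HOST, "tcp", 3389, set()),
    }


def question_3():
    """Q3: TCP/443 from anywhere, only to instances tagged web-server; the rest is
    covered by the implied deny, so no explicit deny rule is needed."""
    rules = [WEB_443]
    return {
        "https_to_web": evaluate_ingress(rules, INTERNET_HOST, "tcp", 443, {"web-server"}),
        "http_to_web": evaluate_ingress(rules, INTERNET_HOST, "tcp", 80, {"web-server"}),
        "https_to_db": evaluate_ingress(rules, INTERNET_HOST, "tcp", 443, {"db"}),
    }


if __name__ == "__main__":
    print("Q32 with accidental rule:", question_32())
    print("Q32 after deleting it:  ", question_32(with_accident=False))
    print("Q3:                     ", question_3())
```

Because the priority-999 rule in Question 32 never denies anything, everything else reaches the 0.0.0.0/0 allow; the fix is to delete that rule (gcloud compute firewall-rules delete RULE_NAME) or add an explicit deny at a lower priority number. The Question 3 rule corresponds to gcloud compute firewall-rules create allow-https-web --direction=INGRESS --action=ALLOW --rules=tcp:443 --source-ranges=0.0.0.0/0 --target-tags=web-server.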

Question 33 (hard, multiple choice)

A security team wants to ensure that a service account created for an application cannot create new service accounts or modify IAM policies within the project. Which IAM role restriction achieves this?

Question 34 (medium, multiple choice)

A team enables OS Login on their GKE node pool. What does OS Login provide for SSH access to GKE nodes compared to the default metadata-based SSH key approach?

Question 35 (hard, multiple choice)

A GCP organization mandates that all new Cloud SQL instances must require SSL/TLS for connections. No exceptions are allowed. Which enforcement mechanism ensures this across all projects in the organization?

Question 36 (medium, multiple choice)

A team's Cloud Storage bucket has fine-grained access control (ACLs) enabled. They want to switch to a simpler model where IAM policies alone control access, and object-level ACLs are ignored. What should they enable?

Question 37 (medium, multiple choice)

A GCP organization has recently experienced a credential theft incident involving a service account key. The CISO requires that all service account keys in the organization be inventoried and those older than 90 days be rotated. Which tool identifies old service account keys across all projects?

Question 38 (medium, multiple choice)

An application receives the error 'Permission denied on resource project [PROJECT_ID] (or it may not exist)' when making an API call with a service account. The service account has the correct IAM role. What else might be missing?

Question 39 (hard, multiple choice)

A team builds a GKE application that processes healthcare data. Regulatory requirements mandate that data in transit between GKE nodes must be encrypted. GKE is running on GCP. What provides encrypted node-to-node traffic within the cluster?

Question 40 (medium, multiple choice)

A developer reports that a Cloud Function is failing with '403 Forbidden' when calling the BigQuery API. The function's service account has the BigQuery Data Viewer role. What is a likely additional requirement that may be missing?

Question 41 (medium, multiple choice)

A Cloud Run service needs to read secrets from Secret Manager. The service is deployed with a custom runtime service account. Which IAM role should be granted to the runtime service account, and on which resource?

Question 42 (hard, multiple choice)

Your security team wants to prevent any user or service account from creating firewall rules that allow ingress from `0.0.0.0/0` (the internet) to any VM in your organization. Which approach enforces this without requiring per-project IAM changes?

Question 43 (medium, multiple choice)

A developer accidentally committed a service account key JSON file to a public GitHub repository. The key was valid for a service account with broad Editor permissions. What should you do FIRST?

Question 44 (medium, multiple choice)

You want to allow a vendor to upload files to a specific Cloud Storage bucket in your project without creating a GCP account for them. The upload URL should expire after 24 hours. Which mechanism should you use?

Question 45 (hard, multiple choice)

A GKE cluster hosts multiple teams' workloads in separate namespaces. One team's pods should not be able to make API calls to Google Cloud services (e.g., they should not call BigQuery or Cloud Storage). The pods currently use the node's service account via the Compute Engine metadata server. How do you restrict these specific pods from accessing GCP APIs while allowing other pods on the same node to continue using GCP APIs?

Question 46 (easy, multiple choice)

What is the purpose of Cloud Audit Logs' Data Access audit logs, and why are they NOT enabled by default for most services?

Question 47 (medium, multiple choice)

Your organization mandates that all service-to-service communication within a GKE cluster must be encrypted in transit using mutual TLS (mTLS). The team does not want to manage certificates or modify application code. Which solution meets these requirements?

Question 48 (medium, multiple choice)

A Cloud Storage bucket contains sensitive PII data. You need to ensure that objects in this bucket are encrypted using a key that your security team controls, and that the key can be revoked if needed to render all data inaccessible. Which encryption option should you use?

Question 49 (hard, multiple choice)

You need to ensure that a Cloud Run service can only be invoked by specific Cloud Scheduler jobs and not from the public internet, while still receiving HTTP requests. The Cloud Run service currently allows unauthenticated invocations. What configuration changes are required?

Question 50 (medium, multiple choice)

You are reviewing a GCP project's IAM policy and find that the `allUsers` principal has `storage.objectViewer` on a Cloud Storage bucket. The bucket contains internal documentation. What are the security implications, and what should you do?

Question 51 (medium, multiple choice)

You need to ensure that Cloud DLP scans all data uploaded to a specific Cloud Storage bucket and redacts any Social Security Numbers (SSNs) before storing the data. Which Cloud DLP feature and trigger enables this pattern?

Question 52 (hard, multiple choice)

Your organization uses VPC Service Controls to protect BigQuery and Cloud Storage. A data pipeline service account needs to read from a protected Cloud Storage bucket and write results to a protected BigQuery dataset. Both resources are in the same perimeter. The service account is outside the perimeter (it runs in a Cloud Run service in a different project). How do you grant the pipeline access?

Question 53 (medium, multiple choice)

A security audit found that several Cloud Storage buckets in your project have `allAuthenticatedUsers` in their IAM policy with `storage.objectViewer`. What does `allAuthenticatedUsers` grant, and why is it a security risk?

Question 54 (medium, multiple choice)

You need to grant a third-party monitoring vendor's service account `roles/monitoring.viewer` on your project, but only for the next 90 days. After 90 days, the access should automatically expire. Which IAM feature enables time-limited access?
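
A worked example for Questions 18, 50, 53 and 54, added here and not taken from the question bank. It operates on an IAM policy in the JSON shape that gcloud projects get-iam-policy PROJECT --format=json returns: it lists public principals, removes a single member from a single binding the way remove-iam-policy-binding does, and adds a time-bounded binding through an IAM Condition. The policy, project and principal names are constructed placeholders.

```python
"""Audit and fix an IAM policy document.

Added example for Questions 18, 50, 53 and 54; not code from the question
bank. Works on the JSON produced by
`gcloud projects get-iam-policy PROJECT --format=json`
(or `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`).
Project, bucket and principal names are constructed placeholders.
"""
import copy

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
TEST_SA = "serviceAccount:test-sa@prod-project.iam.gserviceaccount.com"
VENDOR_SA = "serviceAccount:monitor@vendor-project.iam.gserviceaccount.com"

# Constructed sample policy: an over-privileged test SA plus a public viewer grant.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com", TEST_SA]},
        {"role": "roles/storage.objectViewer",
         "members": ["allAuthenticatedUsers", "group:docs@example.com"]},
    ],
    "etag": "placeholder-etag",
    "version": 1,
}


def find_public_bindings(policy):
    """Q50/Q53: (role, principal) pairs granted to allUsers or allAuthenticatedUsers.
    allAuthenticatedUsers is any Google account anywhere, not just your domain."""
    return [(b["role"], m) for b in policy["bindings"]
            for m in b["members"] if m in PUBLIC_PRINCIPALS]


def members_of(policy, role):
    """All members holding `role` through unconditional bindings."""
    return [m for b in policy["bindings"]
            if b["role"] == role and "condition" not in b for m in b["members"]]


def remove_member(policy, role, member, condition=None):
    """Q18: drop one member from one binding, leaving everyone else in place.
    Same effect as `gcloud projects remove-iam-policy-binding`; a binding with a
    condition is a different binding, so the condition is part of the match."""
    new = copy.deepcopy(policy)
    kept = []
    for b in new["bindings"]:
        if b["role"] == role and b.get("condition") == condition:
            b["members"] = [m for m in b["members"] if m != member]
            if not b["members"]:
                continue                      # an empty binding is dropped entirely
        kept.append(b)
    new["bindings"] = kept
    return new


def add_expiring_binding(policy, role, member, expires_rfc3339, title):
    """Q54: time-limited grant via an IAM Condition on request.time.
    Conditional bindings require policy version 3 or setIamPolicy rejects them."""
    new = copy.deepcopy(policy)
    new["version"] = 3
    new["bindings"].append({
        "role": role,
        "members": [member],
        "condition": {"title": title,
                      "expression": f'request.time < timestamp("{expires_rfc3339}")'},
    })
    return new


def remediate(policy):
    """Apply the three fixes and return the new policy; the input is not mutated."""
    fixed = policy
    for role, principal in find_public_bindings(policy):          # Q50/Q53
        fixed = remove_member(fixed, role, principal)
    fixed = remove_member(fixed, "roles/owner", TEST_SA)          # Q18
    fixed = add_expiring_binding(fixed, "roles/monitoring.viewer", VENDOR_SA,
                                 "2026-09-30T00:00:00Z", "vendor-90-days")  # Q54
    return fixed


if __name__ == "__main__":
    import json
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

Write the result back with gcloud projects set-iam-policy PROJECT policy.json (the etag guards against a concurrent change). Note that this policy is one resource level only: a member who "still has access" after a binding is removed (Question 80) usually holds the role through a folder- or organization-level binding or a group membership, neither of which appears in the project policy.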

Question 55 (hard, multiple choice)

You are enabling OS Login for a GCP project to manage SSH access to Compute Engine VMs. A developer cannot SSH to a VM despite having `roles/compute.osLogin` granted. The VM has OS Login enabled. What is the most likely missing configuration?

Question 56 (medium, multiple choice)

Your security team wants to monitor all privileged IAM changes in your GCP organization (e.g., when anyone is granted `roles/owner` or `roles/editor`). They need real-time notifications. Which approach achieves this?

Question 57 (easy, multiple choice)

Which GCP service protects internet-facing applications against SQL injection, cross-site scripting (XSS), and other OWASP Top 10 attacks?

Question 58 (hard, multiple choice)

A Cloud KMS key used to encrypt a Cloud Storage bucket's data is being destroyed. What happens to the data in the bucket when the KMS key is destroyed?

Question 59 (medium, multiple choice)

You need to prevent developers from creating Compute Engine VMs with external IP addresses in a specific folder. Developers must still be able to create VMs with internal IPs only. Which org policy constraint enforces this?

Question 60 (hard, multiple choice)

Your company's compliance policy requires that all customer data stored in Cloud Storage must be encrypted using keys stored in a Hardware Security Module (HSM). The encryption keys must be managed by your security team and must not be exportable. Which configuration meets these requirements?

Question 61 (medium, drag order)

Arrange the steps to create a Cloud SQL MySQL instance, configure a database, and connect using the Cloud SQL Proxy.

Question 62 (medium, drag order)

Order the steps to set up a Cloud IAM policy that grants a user the 'roles/compute.admin' role on a specific project.

Question 63 (medium, matching)

Match each Cloud Storage storage class to its typical use case.

Descriptions to match:
- Frequently accessed data
- Data accessed less than once a month
- Data accessed less than once a quarter
- Data accessed less than once a year
- Automatically transitions objects to optimal class

Question 64 (medium, matching)

Match each Google Cloud security term to its definition.

Definitions to match:
- Key management service for encryption
- Hardware security module for key storage
- Security perimeters to prevent data exfiltration
- Web application firewall and DDoS protection
- Centralized security and risk management platform

Question 65 (easy, multiple choice)

A security auditor needs read-only access to Compute Engine instance metadata but should not be able to start or stop instances. Which predefined IAM role should be assigned?

Question 66 (medium, multiple choice)

A developer is running a batch process on a Compute Engine instance that needs to write logs to Cloud Logging. The instance uses the default Compute Engine service account. What must be done?

Question 67 (hard, multiple choice)

A company has multiple projects under an organization. They want to enforce that all service accounts created in any project must use the naming prefix 'sa-'. Which policy should be used?

Question 68 (medium, multiple choice)

A developer creates a Cloud Storage bucket and sets a uniform bucket-level access policy. What is the implication?

Question 69 (hard, multiple choice)

An organization needs to allow a third-party SIEM tool to ingest audit logs from their Google Cloud organization. The SIEM tool should only have read access to logs. Which IAM role should be granted?

Question 70 (easy, multiple choice)

Which console page would you use to create and manage custom IAM roles?

Question 71 (medium, multiple choice)

Refer to the exhibit. An application running on this instance is unable to write to a Cloud Storage bucket. What is the most likely cause?

Exhibit

serviceAccounts:
  - email: '123456789-compute@developer.gserviceaccount.com'
    scopes:
    - 'https://www.googleapis.com/auth/devstorage.read_only'
    - 'https://www.googleapis.com/auth/logging.write'
    - 'https://www.googleapis.com/auth/pubsub'
Question 72 (easy, multiple choice)

Refer to the exhibit. After applying this IAM policy to a bucket, what access is granted?

Exhibit

{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": [
        "allAuthenticatedUsers"
      ]
    }
  ]
}
Question 73 (hard, multiple choice)

Refer to the exhibit. A user attempts to create a Deployment Manager deployment that references a service account. What is the most likely issue?

Exhibit

ERROR: (gcloud.deployment-manager.deployments.create) The user does not have permission to use service account 'my-sa@project.iam.gserviceaccount.com'. Required 'iam.serviceAccounts.actAs' permission.
Question 74 (medium, multi select)

A company wants to allow developers to create Compute Engine instances with a specific set of persistent disk types (e.g., only pd-ssd). Which TWO methods can be used to enforce this? (Choose two.)

Question 75 (hard, multi select)

Which THREE are valid ways to authenticate a user for gcloud commands? (Choose three.)

Question 76 (easy, multi select)

A developer wants to configure a firewall rule to allow HTTP traffic from the internet to a specific Compute Engine instance tagged 'web-server'. Which TWO conditions must be true? (Choose two.)

Question 77 (easy, multiple choice)

A company has a Compute Engine instance that needs to read files from a Cloud Storage bucket. The instance is running a custom application. What is the recommended way to grant the instance access to the bucket?

Question 78 (easy, multiple choice)

A user needs to view the list of firewall rules in a project but should not be able to create or modify them. Which predefined IAM role should you grant?

Question 79 (easy, multiple choice)

You want to ensure that all Cloud Storage buckets in your organization require customer-managed encryption keys (CMEK). What is the most efficient way to enforce this?

Question 80 (medium, multiple choice)

A developer accidentally assigned the 'roles/editor' role to a user for a project. After revoking the role, the user still has permissions to modify resources. What is the most likely reason?

Question 81 (medium, multiple choice)

You need to allow a Cloud Function to write logs to Cloud Logging. The function uses a default service account. What IAM role should you grant to the service account?

Question 82 (medium, multiple choice)

A security team wants to restrict access to a Google Cloud project such that only virtual machines with a specific tag 'web' can connect to a Compute Engine instance on port 443. Which configuration is required?

Question 83 (hard, multiple choice)

You are configuring Identity-Aware Proxy (IAP) for a web application running on Compute Engine. Users authenticate through IAP and are granted access based on their email addresses. However, some users report that they are prompted to sign in multiple times during the same session. What is the most likely cause?

Question 84 (hard, multiple choice)

A company uses VPC Service Controls to protect Cloud Storage. They have a service perimeter that includes the storage API and the project where the stored data resides. Users inside the perimeter can access the data, but users outside cannot. However, a group of users outside the perimeter are able to access the data using a signed URL generated by a service inside the perimeter. Why does this happen?

Question 85 (hard, multiple choice)

You need to audit all IAM policy changes in your project. You want to ensure that every change is logged with the identity of the user who made the change. Which type of audit log should you enable?
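
An added example for Questions 56 and 85 (and the Admin Activity versus Data Access distinction in Questions 6, 19 and 46), not code from this page. It classifies constructed Cloud Audit Log entries, in the LogEntry JSON shape that gcloud logging read --format=json returns, by log type, and pulls out every SetIamPolicy call that added an Owner or Editor binding, alongside the Logging filter that would drive a log-based alert. Project and principal names are placeholders.

```python
"""Classify Cloud Audit Log entries and detect privileged IAM grants.

Added example for Questions 56 and 85 (and the Admin Activity / Data Access
distinction in Questions 6, 19 and 46); not code from the question bank.
Entries are constructed in the LogEntry JSON shape returned by
`gcloud logging read --format=json`, with placeholder names.
"""
import json

PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}
AUDIT_PREFIX = "cloudaudit.googleapis.com%2F"

# Logging query for a log-based alert (or a sink to Pub/Sub) on Owner/Editor grants.
ALERT_FILTER = """
logName:"cloudaudit.googleapis.com%2Factivity"
protoPayload.methodName="SetIamPolicy"
protoPayload.serviceData.policyDelta.bindingDeltas.action="ADD"
(protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/owner" OR
 protoPayload.serviceData.policyDelta.bindingDeltas.role="roles/editor")
""".strip()


def _audit_entry(log, method, principal, deltas=None,
                 service="cloudresourcemanager.googleapis.com"):
    """Build one constructed LogEntry carrying an AuditLog payload."""
    payload = {"@type": "type.googleapis.com/google.cloud.audit.AuditLog",
               "serviceName": service, "methodName": method,
               "authenticationInfo": {"principalEmail": principal}}
    if deltas is not None:
        payload["serviceData"] = {"@type": "type.googleapis.com/google.iam.v1.logging.AuditData",
                                  "policyDelta": {"bindingDeltas": deltas}}
    return json.dumps({"logName": f"projects/prod-project/logs/{AUDIT_PREFIX}{log}",
                       "protoPayload": payload, "timestamp": "2026-04-01T10:00:00Z"})


SAMPLE_LOG_LINES = [
    _audit_entry("activity", "SetIamPolicy", "bob@example.com",
                 [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@example.com"}]),
    _audit_entry("activity", "SetIamPolicy", "alice@example.com",
                 [{"action": "ADD", "role": "roles/viewer", "member": "group:auditors@example.com"},
                  {"action": "REMOVE", "role": "roles/editor", "member": "user:carol@example.com"}]),
    _audit_entry("data_access", "google.cloud.bigquery.v2.JobService.Query",
                 "etl@prod-project.iam.gserviceaccount.com", service="bigquery.googleapis.com"),
    _audit_entry("activity", "v1.compute.instances.insert", "dave@example.com",
                 service="compute.googleapis.com"),
]


def log_type(entry):
    """Audit log family from the logName suffix. Admin Activity and System Event
    logs are always on; Data Access logs are opt-in (BigQuery excepted) because
    of their volume and cost, which is the point of Question 46."""
    suffix = entry["logName"].rsplit(AUDIT_PREFIX, 1)[-1]
    return {"activity": "ADMIN_ACTIVITY", "data_access": "DATA_ACCESS",
            "system_event": "SYSTEM_EVENT", "policy": "POLICY_DENIED"}.get(suffix, "UNKNOWN")


def privileged_grants(entries):
    """(actor, member, role) for every ADD of an Owner or Editor binding.
    SetIamPolicy is an admin write, so it is always in Admin Activity logs (Q85)."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("role") in PRIVILEGED_ROLES:
                hits.append((payload["authenticationInfo"]["principalEmail"],
                             delta["member"], delta["role"]))
    return hits


def demo():
    entries = [json.loads(line) for line in SAMPLE_LOG_LINES]
    return {"types": [log_type(e) for e in entries], "grants": privileged_grants(entries)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For the real-time requirement in Question 56, the same filter goes into a log-based alerting policy or into a log sink whose destination is a Pub/Sub topic feeding a Cloud Function; the organization-level view needs an aggregated sink at the organization, since project sinks only see their own project's entries.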

Question 86 (easy, multi select)

A company wants to ensure that only users from a specific domain (@example.com) can access Cloud Storage buckets in a project. Which two steps should be taken? (Choose two.)

Question 87 (medium, multi select)

You are configuring a VPC with multiple subnets. You need to allow traffic from the internet to a specific instance on port 80, but only if the traffic originates from a set of known IP addresses. Which three resources must be configured? (Choose three.)

Question 88 (hard, multi select)

A company requires that all service account keys be automatically rotated every 90 days. Which two steps should the administrator take to enforce this? (Choose two.)

Question 89 (medium, multiple choice)

Your company runs a microservices application on Google Kubernetes Engine (GKE) with a shared VPC. The security team requires that all pod-to-pod traffic be encrypted using TLS. Additionally, you need to restrict which pods can communicate with each other. The application uses a service mesh with Istio. You have enabled Istio mTLS in STRICT mode, but you notice that some pods are still able to communicate with other pods without TLS. You have verified that all pods have the Istio sidecar injected. What should you do to fix the issue?

Question 90 (easy, multiple choice)

A startup wants to grant developers the ability to create and manage Compute Engine instances, but prevent them from deleting instances or changing firewall rules. Which IAM approach should they use?

Question 91 (hard, multiple choice)

A company's security team wants to enforce that all service account keys in production projects are rotated every 30 days and prevent creation of keys that never expire. Which single solution should they implement?
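
An added example for Questions 15, 37, 88 and 91 (not the question bank's own code): it reads the JSON that gcloud iam service-accounts keys list --iam-account=SA --format=json produces, flags user-managed keys older than 90 days, and prints the rotation commands for each. The key list is constructed sample data with placeholder project and account names, and the "today" used for the age calculation is fixed so the result is reproducible.

```python
"""Find service-account keys that are due for rotation.

Added example for Questions 15, 37, 88 and 91; not code from the question
bank. Parses the JSON printed by
`gcloud iam service-accounts keys list --iam-account=SA --format=json`.
The key list below is constructed sample data with placeholder names.
"""
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)
NOW_FOR_DEMO = datetime(2026, 4, 1, tzinfo=timezone.utc)   # fixed "today" for the sample
SA = "ci-sa@prod-project.iam.gserviceaccount.com"
KEY_PREFIX = f"projects/prod-project/serviceAccounts/{SA}/keys/"

SAMPLE_KEYS_JSON = json.dumps([
    {"keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "name": KEY_PREFIX + "1a2b3c", "validAfterTime": "2025-12-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},            # 121 days old: rotate
    {"keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "name": KEY_PREFIX + "4d5e6f", "validAfterTime": "2026-02-15T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},            # 45 days old: fine
    {"keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "name": KEY_PREFIX + "7a8b9c", "validAfterTime": "2026-03-20T00:00:00Z",
     "validBeforeTime": "2026-04-05T00:00:00Z"},            # Google-managed: skipped
    {"keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048", "disabled": True,
     "name": KEY_PREFIX + "0d1e2f", "validAfterTime": "2025-06-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},            # already disabled: delete, not rotate
])


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stale_keys(keys_json, now, max_age=MAX_AGE):
    """[(account, key_id, age_days)] for live user-managed keys older than max_age.
    SYSTEM_MANAGED keys are rotated by Google and have no downloadable private key,
    so only USER_MANAGED keys are an exfiltration risk worth tracking."""
    out = []
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED" or key.get("disabled"):
            continue
        age = now - _ts(key["validAfterTime"])
        if age > max_age:
            account = key["name"].split("/serviceAccounts/")[1].split("/keys/")[0]
            out.append((account, key["name"].rsplit("/", 1)[1], age.days))
    return out


def rotation_commands(account, key_id):
    """Rotation order: mint the replacement, disable the old key (reversible if a
    consumer still depends on it), delete it once nothing breaks. For a *leaked*
    key (Q15) go straight to disable/delete before anything else."""
    return [
        f"gcloud iam service-accounts keys create new-key.json --iam-account={account}",
        f"gcloud iam service-accounts keys disable {key_id} --iam-account={account}",
        f"gcloud iam service-accounts keys delete {key_id} --iam-account={account}",
    ]


def demo():
    return stale_keys(SAMPLE_KEYS_JSON, NOW_FOR_DEMO)


if __name__ == "__main__":
    for account, key_id, days in demo():
        print(f"{account} key {key_id} is {days} days old")
        print("\n".join(rotation_commands(account, key_id)))
```

To cover every project, loop over gcloud projects list and gcloud iam service-accounts list --project=PROJECT and feed each account's key listing to stale_keys. Rotation only treats the symptom: the org policy constraint constraints/iam.disableServiceAccountKeyCreation stops new user-managed keys from being minted at all, and Workload Identity (Question 8) or Workload Identity Federation (Question 23) removes the need for them.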

Question 92 (medium, multi select)

A systems administrator needs to grant a group of external auditors read-only access to all resources in a GCP project, except for Cloud Storage buckets that contain sensitive data. The auditors should not be able to view the contents of those buckets. Which two IAM policies should the administrator implement? (Choose two.)

Question 93 (easy, multiple choice)

Your company recently migrated to GCP and you are the new cloud administrator. You need to ensure that only specific members of the DevOps team can perform administrative actions on Compute Engine instances, such as starting, stopping, and resetting instances, but not creating or deleting them. You also want to prevent them from modifying firewall rules or other network settings. The team consists of 10 members. You have already created a custom role with the necessary permissions and assigned it to a Google Group that contains all team members. However, you receive a report that a team member was able to accidentally delete a production instance. Upon investigation, you find that the team member had been granted the roles/compute.instanceAdmin role in addition to your custom role by another administrator. What should be the best course of action to prevent this from happening again while still allowing the team to perform their intended tasks?

Question 94 (medium, multiple choice)

Your organization has multiple GCP projects and wants to implement least privilege access for operations teams. Each operations team manages a specific set of projects. You have created custom roles that grant permissions to start and stop Compute Engine instances, view logs, and monitor resources. You are using Google Groups to assign roles to users. Recently, a user from the network operations team was able to modify firewall rules in a project managed by the compute operations team, causing a security incident. During the root cause analysis, you discover that the user is a member of both the network operations group and the compute operations group. The compute operations group is assigned a custom role that does not include firewall permissions. The network operations group is assigned a role that includes firewall admin permissions. How should you redesign the IAM structure to prevent cross-team access while maintaining required permissions?

Question 95 (hard, multiple choice)

A healthcare company uses GCP to store sensitive patient data in Cloud Storage buckets. Their security policy requires that all data access be logged and that any attempt to access data from outside the corporate network is blocked. They have implemented VPC Service Controls to create a service perimeter around the projects containing the buckets. They have also enabled Data Access audit logs. However, during an audit, they find that a few access attempts from an IP address outside the corporate network succeeded. The logs show that the requests were made using service account credentials. The service account has the storage.objectViewer role on the bucket. The VPC Service Controls perimeter is configured to block all access from outside the perimeter, but the logs show that some requests were allowed. What is the most likely reason?

Question 96 (medium, multi select)

A company uses Cloud Armor to protect an HTTP Load Balancer. They want to allow traffic only from specific IP ranges (198.51.100.0/24 and 203.0.113.0/24) and block common web attacks like SQL injection and XSS. Which TWO actions should they take?

Question 97 (hard, multiple choice)

Alice is trying to create a Pub/Sub topic in the us-east1 region using the gcloud command-line tool from her local machine. She has the roles/pubsub.editor role. The command fails with a permission denied error. What is the most likely cause?

Exhibit

Refer to the exhibit.

{
  "bindings": [
    {
      "role": "roles/pubsub.editor",
      "members": ["user:alice@example.com"],
      "condition": {
        "title": "only_us_central1",
        "expression": "resource.location == 'us-central1'"
      }
    }
  ]
}

Question 98 (easy, multiple choice)

A small business has a single Google Cloud project with a few Compute Engine instances running a web application. The instances are all in the same VPC and subnet. The security team wants to ensure that only HTTP (port 80) and HTTPS (port 443) traffic from the public internet is allowed to the instances, and that all other inbound traffic is blocked. They have already configured Cloud Armor for the load balancer. However, they notice that SSH traffic (port 22) is still reaching the instances from the internet, even though they do not have any explicit firewall rules allowing SSH. The project was just created and uses the default VPC network. What should they do to resolve this?
