20+ practice questions focused on Configuring access and security — one of the most tested topics on the Google Associate Cloud Engineer exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?
Explanation: The Viewer role (roles/viewer) grants read-only access to all GCP resources in a project, including existing and future resources, without allowing any modifications. This is the minimum permissions required for read-only access, as it provides exactly the necessary permissions (e.g., resourcemanager.projects.get, storage.objects.list) without any write or administrative capabilities.
A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?
Explanation: Option C is correct because storing service account JSON key files on developer laptops creates a persistent credential that can be exfiltrated. The recommended remediation is to remove these static keys entirely and instead use service account impersonation (via the `iamcredentials.googleapis.com` API) or Workload Identity (for GKE or GCE workloads) to obtain short-lived access tokens. This eliminates the long-lived secret and follows Google's principle of using federated identity rather than distributing static keys.
A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?
Explanation: Option A is correct because Google Cloud VPC firewall rules are stateful and have an implicit deny for all traffic that is not explicitly allowed. An ingress allow rule for TCP port 443 from 0.0.0.0/0 applied to instances with the 'web-server' tag permits inbound HTTPS traffic, and the implicit deny blocks all other inbound traffic without needing additional rules.
An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?
Explanation: Option B is correct because Customer-Managed Encryption Keys (CMEK) with Cloud KMS allow the enterprise to control and manage their own encryption keys, ensuring that Google cannot unilaterally decrypt the data. With CMEK, the encryption keys are stored in Cloud KMS under the customer's control, and Google only has access to the key material for encryption/decryption operations as authorized by the customer. This satisfies the regulatory requirement that the company retains sole control over key material, preventing Google from decrypting data without explicit permission.
A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?
Explanation: Secret Manager is the GCP-native service designed to securely store sensitive data like database passwords. It provides encryption at rest and in transit, fine-grained access control via IAM, and supports both mounting secrets as volumes and accessing them via the API at runtime. This aligns with GCP security best practices by avoiding exposure of secrets in plain text, configuration files, or container images.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Configuring access and security. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Configuring access and security questions on the ACE frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Configuring access and security is tested as part of the Google Associate Cloud Engineer blueprint. Practicing with targeted Configuring access and security questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free ACE practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Configuring access and security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.