© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


ACE Configuring access and security Practice Questions

20+ practice questions focused on Configuring access and security — one of the most tested topics on the Google Associate Cloud Engineer exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Configuring access and security Questions

1.

A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?

A. Editor
B. Owner
C. Viewer
D. Browser

Explanation: The Viewer role (roles/viewer) grants read-only access to all GCP resources in a project, including existing and future resources, without allowing any modifications. This is the minimum permissions required for read-only access, as it provides exactly the necessary permissions (e.g., resourcemanager.projects.get, storage.objects.list) without any write or administrative capabilities.

2.

A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?

A. Rotate the key files every 90 days and redistribute them securely
B. Encrypt the JSON key files using Cloud KMS before distributing
C. Remove the key files and use service account impersonation or Workload Identity for workloads that need GCP access
D. Store the key files in Secret Manager and retrieve them at application startup

Explanation: Option C is correct because storing service account JSON key files on developer laptops creates a persistent credential that can be exfiltrated. The recommended remediation is to remove these static keys entirely and instead use service account impersonation (via the `iamcredentials.googleapis.com` API) or Workload Identity (for GKE or GCE workloads) to obtain short-lived access tokens. This eliminates the long-lived secret and follows Google's principle of using federated identity rather than distributing static keys.

3.

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

A. An ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' tag, relying on the implied deny for other traffic
B. An ingress allow rule for port 443 and a separate egress deny rule for all other ports
C. An ingress deny rule for all ports from 0.0.0.0/0, plus an ingress allow for port 443 with lower priority
D. A Cloud Armor policy allowing only HTTPS requests to port 443

Explanation: Option A is correct because Google Cloud VPC firewall rules are stateful and have an implicit deny for all traffic that is not explicitly allowed. An ingress allow rule for TCP port 443 from 0.0.0.0/0 applied to instances with the 'web-server' tag permits inbound HTTPS traffic, and the implicit deny blocks all other inbound traffic without needing additional rules.

4.

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

A. Google-managed encryption keys (the default)
B. Customer-managed encryption keys (CMEK) using Cloud KMS
C. Client-side encryption before uploading to Cloud Storage, without using Cloud KMS
D. Shielded VM with vTPM enabled on the storage backend

Explanation: Option B is correct because Customer-Managed Encryption Keys (CMEK) with Cloud KMS allow the enterprise to control and manage their own encryption keys, ensuring that Google cannot unilaterally decrypt the data. With CMEK, the encryption keys are stored in Cloud KMS under the customer's control, and Google only has access to the key material for encryption/decryption operations as authorized by the customer. This satisfies the regulatory requirement that the company retains sole control over key material, preventing Google from decrypting data without explicit permission.

5.

A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?

A. As a plain-text environment variable in the Cloud Run service configuration
B. In a Cloud Storage bucket accessible to the service account
C. In Secret Manager, referenced as a mounted secret or accessed via the API at runtime
D. Baked into the container image at build time

Explanation: Secret Manager is the GCP-native service designed to securely store sensitive data like database passwords. It provides encryption at rest and in transit, fine-grained access control via IAM, and supports both mounting secrets as volumes and accessing them via the API at runtime. This aligns with GCP security best practices by avoiding exposure of secrets in plain text, configuration files, or container images.


How to master Configuring access and security for ACE

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Configuring access and security. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Configuring access and security questions on the ACE frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many ACE Configuring access and security questions are on the real exam?

The exact number varies per candidate. Configuring access and security is tested as part of the Google Associate Cloud Engineer blueprint. Practicing with targeted Configuring access and security questions ensures you can handle any format or difficulty that appears.

Are these ACE Configuring access and security practice questions free?

Yes. Courseiva provides free ACE practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Configuring access and security one of the harder ACE topics?

Difficulty is subjective, but Configuring access and security is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Configuring access and security
Exam: ACE
Questions available: 20+