ACE | Chapter 76 of 101 | Objective 5.2

Cloud Storage Bucket Security

This chapter covers Cloud Storage bucket security in depth, a critical topic for the ACE exam (approximately 8-12% of questions). You will learn how to protect data at rest and in transit using IAM, ACLs, signed URLs, CSEK, CMEK, retention policies, and bucket lock. The exam tests your ability to choose the right security mechanism for a given scenario, understand default behaviors, and troubleshoot common misconfigurations. Mastering this chapter ensures you can answer scenario-based questions about access control, encryption, and data governance with confidence.

25 min read | Intermediate | Updated May 31, 2026

Cloud Storage Bucket as a Safety Deposit Box Vault

Imagine a bank vault containing rows of safety deposit boxes. Each box has a unique number (the bucket name), and the vault itself is in a specific branch location (the multi-region or region). The bank manager (IAM) decides who can even enter the vault room (roles like Storage Admin) and which boxes they can access. Each box has its own lock (bucket-level IAM policies) and inside, individual envelopes (objects) can have additional seals (object-level ACLs). The bank also has a policy that only certain types of keys are allowed (CSEK vs CMEK), and some boxes require two-person authentication (dual control via retention policies). When a customer deposits a check (uploads an object), the bank records the transaction in a log (Cloud Audit Logs) and can notify the account holder via text (Pub/Sub notifications). If the customer wants to share a specific envelope without giving vault access, they can issue a temporary, time-limited key (signed URL) to a courier. The vault also has a shredder (Object Lifecycle Management) that automatically destroys documents after a set period. Misconfiguring the vault door (public access) could let anyone walk in and grab boxes — that's the most common security breach.

How It Actually Works

Overview of Cloud Storage Security

Cloud Storage is Google Cloud's object storage service. Security is implemented at multiple layers: network-level (VPC Service Controls), access control (IAM, ACLs, signed URLs), encryption (CSEK, CMEK, default), and data governance (retention policies, Object Lifecycle Management). The ACE exam focuses on access control and encryption choices.

Access Control Models

Cloud Storage supports two access control models: Uniform and Fine-grained (ACLs).

- Uniform bucket-level access: All access is governed by IAM policies at the bucket level. This is the recommended model because it simplifies management and avoids conflicts. When enabled, ACLs are disabled and IAM policies control access to all objects in the bucket. Default: disabled for new buckets (but Google recommends enabling it). To enable:

  gsutil uniformbucketlevelaccess set on gs://my-bucket

- Fine-grained access (ACLs): You can set IAM policies and also object-level ACLs. This allows per-object permissions but can lead to complexity and security gaps. The exam often tests when to use ACLs vs IAM. Use ACLs only when you need to grant different permissions to different objects within the same bucket.

IAM Roles for Cloud Storage

IAM roles are the primary way to grant permissions. Predefined roles include:

- Storage Object Viewer (roles/storage.objectViewer): Read objects (no listing).
- Storage Object Creator (roles/storage.objectCreator): Create objects but not read.
- Storage Object Admin (roles/storage.objectAdmin): Full control over objects.
- Storage Admin (roles/storage.admin): Full control over buckets and objects.
- Storage Legacy Bucket Reader (roles/storage.legacyBucketReader): List bucket contents.
- Storage Legacy Bucket Writer (roles/storage.legacyBucketWriter): Write objects.
- Storage Legacy Object Reader (roles/storage.legacyObjectReader): Read objects.

Important: The storage.objectViewer role does NOT allow listing objects in a bucket. To list, you need storage.legacyBucketReader or storage.objects.list permission. This is a common exam trap.

Signed URLs and Signed Policy Documents

Signed URLs allow time-limited access to a specific object without requiring authentication. A signed URL is generated using a service account key or a user's private key. It includes an expiration time (max 7 days for service accounts, 12 hours for user accounts). Signed URLs are used for:

- Allowing a user to upload a file directly to Cloud Storage without giving them IAM permissions.
- Sharing a private object temporarily.

A signed policy document is used for form-based uploads, allowing a browser to upload directly to Cloud Storage. The policy document specifies conditions (e.g., bucket, object prefix, content type, size range).
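An added example, not part of this chapter, that parses a Cloud Storage signed URL and checks its lifetime against the limits stated above (7 days for a service-account signer, 12 hours for a user). It also handles the older V2 query format (GoogleAccessId / Expires / Signature), which carries only an absolute expiry. The sample URLs, bucket, object and signer are constructed and their signatures are placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Lifetime caps stated in this chapter: 7 days (service account), 12 hours (user).
MAX_LIFETIME_SERVICE_ACCOUNT = timedelta(days=7)
MAX_LIFETIME_USER = timedelta(hours=12)

# Constructed sample URLs with placeholder signatures: a V4 URL valid for
# 10 minutes and an older V2-style URL with an absolute Unix expiry.
SAMPLE_V4_URL = (
    "https://storage.googleapis.com/my-bucket/my-object"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=sa%40my-project.iam.gserviceaccount.com"
    "%2F20260531%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20260531T120000Z&X-Goog-Expires=600"
    "&X-Goog-SignedHeaders=host&X-Goog-Signature=PLACEHOLDER"
)
SAMPLE_V2_URL = (
    "https://storage.googleapis.com/my-bucket/my-object"
    "?GoogleAccessId=sa%40my-project.iam.gserviceaccount.com"
    "&Expires=1780229400&Signature=PLACEHOLDER"
)


def utc(*ymdhms) -> datetime:
    """Build a UTC-aware datetime, e.g. utc(2026, 5, 31, 12, 5)."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


def parse_signed_url(url: str) -> dict:
    """Parse a V4 (X-Goog-*) or V2 (GoogleAccessId/Expires/Signature) signed URL."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}  # parse_qs %-decodes
    if "X-Goog-Signature" in q:
        # Credential scope is <signer>/<YYYYMMDD>/auto/storage/goog4_request
        signer = q["X-Goog-Credential"].split("/")[0]
        issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(q["X-Goog-Expires"]))
        return {"version": "V4", "object": parts.path, "signer": signer,
                "issued": issued, "lifetime": lifetime, "expires": issued + lifetime}
    if "Signature" in q and "GoogleAccessId" in q:
        # V2 carries only an absolute Unix expiry, so the lifetime is unknown
        expires = datetime.fromtimestamp(int(q["Expires"]), tz=timezone.utc)
        return {"version": "V2", "object": parts.path, "signer": q["GoogleAccessId"],
                "issued": None, "lifetime": None, "expires": expires}
    raise ValueError("not a recognised Cloud Storage signed URL")


def audit_signed_url(url: str, now: datetime) -> list:
    """Return findings for a signed URL as of `now`; an empty list means no concerns."""
    info = parse_signed_url(url)
    findings = []
    if info["expires"] <= now:
        findings.append("expired")
    is_sa = info["signer"].endswith(".gserviceaccount.com")
    cap = MAX_LIFETIME_SERVICE_ACCOUNT if is_sa else MAX_LIFETIME_USER
    if info["lifetime"] is not None and info["lifetime"] > cap:
        findings.append(f"lifetime {info['lifetime']} exceeds the {cap} cap for this signer")
    if info["version"] == "V2":
        findings.append("V2 signature: lifetime not encoded in the URL, prefer V4")
    return findings
```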

Encryption Options

Cloud Storage encrypts data at rest by default using Google-managed keys. You can also use:

- Customer-managed encryption keys (CMEK): You manage the key via Cloud KMS. You can rotate and disable keys. Use CMEK for compliance requirements.
- Customer-supplied encryption keys (CSEK): You provide your own AES-256 key for each API call. Google does not store your key; you must manage it. CSEK is for maximum control but adds operational burden.

Key points for the exam:

- CSEK keys are provided per request; they are not stored by Google.
- CMEK uses Cloud KMS; you can view audit logs for key usage.
- Default encryption (Google-managed) is always applied, even if you add CMEK or CSEK.
- Encryption is transparent to applications; they don't need to change.

Retention Policies and Bucket Lock

Retention policies prevent object deletion or modification for a specified duration. Once set, objects cannot be deleted or overwritten until the retention period expires. Bucket Lock permanently locks a retention policy, making it immutable. This is used for compliance (e.g., SEC Rule 17a-4).

- Retention policy is set at bucket level.
- Default: no retention.
- To lock: `gsutil retention lock gs://my-bucket` — this is irreversible.
- Objects with a retention policy cannot be deleted or replaced. Overwriting an object creates a new generation; the old generation still exists until the retention period ends.

Object Lifecycle Management

Lifecycle rules automate actions on objects based on conditions (age, creation date, storage class, etc.). Common actions: delete, set storage class (e.g., to Nearline, Coldline, Archive).

Example: Delete objects older than 365 days:

{
  "lifecycle": {
    "rule": [
      {
        "action": {"type": "Delete"},
        "condition": {"age": 365}
      }
    ]
  }
}

Lifecycle rules are applied asynchronously (usually within 24 hours). They cannot delete objects under retention policy.

Public Access Prevention

By default, new buckets are not public. However, you can explicitly make a bucket public by granting allUsers or allAuthenticatedUsers access. The exam expects you to treat public access with caution. `gsutil iam ch allUsers:objectViewer gs://my-bucket` makes objects publicly readable.

To prevent public access, enable Public Access Prevention at the organization or project level via Organization Policies. This blocks any attempt to make a bucket public.

VPC Service Controls

VPC Service Controls allow you to restrict access to Cloud Storage from outside a VPC. This is an advanced security feature that the ACE exam may touch on lightly. It helps prevent data exfiltration.

Logging and Monitoring

Cloud Audit Logs record admin activities (e.g., bucket creation, IAM changes) and data access (e.g., object reads). To enable data access logs, you must explicitly enable them in the project. They are not enabled by default due to volume. The exam may ask how to audit access.

Best Practices Summarized

- Use uniform bucket-level access.
- Grant minimum permissions using predefined roles.
- Use signed URLs for temporary access.
- Use CMEK for compliance; CSEK for maximum control.
- Lock retention policies for immutable storage.
- Enable object versioning to protect against accidental deletion.
- Use lifecycle management to reduce costs.
- Enable Public Access Prevention at org level.
- Audit access with Cloud Audit Logs.

Walk-Through

1. Create a bucket with uniform access

When you create a new bucket using `gsutil mb -p my-project -c STANDARD -l us-central1 -b on gs://my-bucket`, the `-b on` flag enables uniform bucket-level access. This ensures that all access is controlled via IAM policies and ACLs are disabled. Without this flag, the bucket defaults to fine-grained access, allowing ACLs. The exam often tests the difference between default and uniform access.

2. Grant IAM roles to principals

Use `gsutil iam ch serviceAccount:sa@project.iam.gserviceaccount.com:objectViewer gs://my-bucket` to grant the Storage Object Viewer role to a service account. This allows reading objects but not listing the bucket. To list, you need `legacyBucketReader` or add `storage.objects.list` permission. The exam loves to test that `objectViewer` does not include listing.

3. Generate a signed URL for temporary access

Use `gsutil signurl -d 10m path/to/key.json gs://my-bucket/my-object` to create a signed URL valid for 10 minutes. The key.json must be a service account key with permissions to access the object. The signed URL includes the signature and expiration. The exam tests that signed URLs can be used without IAM permissions for the end user.

4. Configure CMEK encryption

First, create a key ring and key in Cloud KMS. Then create the bucket and set that key as its default encryption key with `gsutil kms encryption -k projects/my-project/locations/us/keyRings/my-ring/cryptoKeys/my-key gs://my-bucket` (`gsutil mb` has no encryption-key flag; the default key is set on the bucket after creation). All new objects are encrypted with that key. Existing objects are not re-encrypted. The exam tests that CMEK requires Cloud KMS permissions.

5. Set a retention policy and lock it

Set a retention policy with `gsutil retention set 365d gs://my-bucket`. This prevents object deletion for 365 days. To lock the policy (irreversible), use `gsutil retention lock gs://my-bucket`. Once locked, the retention period cannot be shortened or removed. The exam tests that locking is permanent.
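An added example, not from this chapter or from Google, that applies the walk-through steps and the best-practices list as a posture check over a bucket's metadata and IAM policy, including the lifecycle-versus-retention interaction from the Object Lifecycle Management section and the public bindings from Public Access Prevention. The sample bucket and policy are constructed to mirror the healthcare scenario below; field names follow the Cloud Storage JSON API Bucket and Policy resources.

```python
SECONDS_PER_DAY = 86400

# Constructed sample mirroring the healthcare scenario: 7-year retention never
# locked, a lifecycle Delete inside the retention period, versioning off, and an
# allUsers binding. Field names follow the JSON API Bucket and Policy resources.
SAMPLE_BUCKET = {
    "name": "patient-records",
    "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": True},
                         "publicAccessPrevention": "inherited"},
    "encryption": {"defaultKmsKeyName":
                   "projects/my-project/locations/us/keyRings/my-ring/cryptoKeys/my-key"},
    "versioning": {"enabled": False},
    "retentionPolicy": {"retentionPeriod": str(7 * 365 * SECONDS_PER_DAY), "isLocked": False},
    "lifecycle": {"rule": [
        {"action": {"type": "SetStorageClass", "storageClass": "COLDLINE"}, "condition": {"age": 30}},
        {"action": {"type": "Delete"}, "condition": {"age": 365}},
    ]},
}
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:sa@my-project.iam.gserviceaccount.com", "allUsers"]},
]}


def audit_bucket(bucket: dict, policy: dict) -> list:
    """Check a bucket (JSON API Bucket shape, as shown by `gsutil ls -L -b`) and its
    IAM policy (shape of `gsutil iam get`) against the chapter's best practices.
    Returns finding strings; an empty list means every check passed."""
    findings = []
    iam_cfg = bucket.get("iamConfiguration", {})
    if not iam_cfg.get("uniformBucketLevelAccess", {}).get("enabled"):
        findings.append("fine-grained access: ACLs are live, enable uniform bucket-level access")
    if iam_cfg.get("publicAccessPrevention") != "enforced":
        findings.append("public access prevention not enforced on this bucket")
    for binding in policy.get("bindings", []):
        public = {"allUsers", "allAuthenticatedUsers"} & set(binding.get("members", []))
        if public:
            findings.append(f"public binding: {binding['role']} granted to {sorted(public)}")
    if not bucket.get("encryption", {}).get("defaultKmsKeyName"):
        findings.append("no CMEK default key: objects use Google-managed keys only")
    if not bucket.get("versioning", {}).get("enabled"):
        findings.append("object versioning disabled: overwritten objects are not kept")
    retention_days = None
    retention = bucket.get("retentionPolicy")
    if retention is None:
        findings.append("no retention policy: objects can be deleted at any time")
    else:
        retention_days = int(retention["retentionPeriod"]) // SECONDS_PER_DAY
        if not retention.get("isLocked"):
            findings.append(f"retention policy ({retention_days}d) not locked: it can still be shortened or removed")
    # Lifecycle cannot delete objects under retention, so a Delete rule whose age is
    # shorter than the retention period is blocked until the retention period ends.
    for rule in bucket.get("lifecycle", {}).get("rule", []):
        age = rule.get("condition", {}).get("age")
        if rule["action"]["type"] == "Delete" and retention_days and age is not None and age < retention_days:
            findings.append(f"lifecycle Delete at age {age}d falls inside the {retention_days}d retention period")
    return findings
```

Data access audit logging is a project-level setting and does not appear in bucket metadata, so it is not checked here.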

What This Looks Like on the Job

Enterprise Scenario 1: Healthcare Data Compliance

A healthcare company stores patient records in Cloud Storage. They must comply with HIPAA, which requires encryption at rest and access controls. They use CMEK to manage keys via Cloud KMS, enabling key rotation and audit. They enable uniform bucket-level access and grant only specific service accounts the objectViewer role. They also enable VPC Service Controls to prevent data exfiltration. They set a retention policy of 7 years and lock it to comply with medical record retention laws. They use Object Lifecycle Management to delete objects older than 7 years after retention expires. Common misconfiguration: forgetting to lock the retention policy, allowing accidental deletion.

Enterprise Scenario 2: Media Sharing Platform

A media company allows users to upload and share videos. They use signed URLs for uploads to avoid giving users IAM permissions. They also use signed URLs for temporary viewing (e.g., 24 hours). They store videos in Nearline storage to reduce costs. They use Cloud CDN to serve content with signed URLs for additional security. They enable object versioning to recover from accidental overwrites. Performance consideration: signed URL generation overhead is negligible. Common issue: signed URL expiration too long, leading to unauthorized access.

Enterprise Scenario 3: Financial Records Archive

A bank archives transaction records in Cloud Storage for regulatory compliance. They use Archive storage class for cost savings. They set a retention policy of 10 years and lock it using Bucket Lock. They enable uniform bucket-level access and grant read-only access to auditors via IAM. They use CSEK for maximum control over encryption keys. They enable Cloud Audit Logs for data access to monitor who reads records. They use lifecycle rules to delete objects after 10 years. Common pitfall: not enabling data access logs, making audits impossible.

How ACE Actually Tests This

What the ACE Exam Tests

Objective 5.2 (Security Compliance) focuses on configuring bucket security. Expect scenario-based questions where you must choose the correct access control method, encryption type, or retention policy. The exam tests:

- Difference between uniform and fine-grained access.
- IAM roles and their exact permissions (especially objectViewer vs legacyBucketReader).
- Signed URL expiration limits (7 days for service account keys, 12 hours for user keys).
- CMEK vs CSEK vs default encryption.
- Retention policy locking (irreversible).
- Public access prevention.

Common Wrong Answers

1. 'Use ACLs for all buckets' — Candidates think ACLs are more flexible, but Google recommends uniform access. The exam expects you to choose uniform unless there is a specific need for per-object permissions.

2. 'Signed URLs require the end user to have IAM permissions' — Wrong. Signed URLs bypass IAM; the signer must have permissions, but the end user does not.

3. 'CMEK keys are stored in Cloud Storage' — Wrong. CMEK keys are stored in Cloud KMS; Cloud Storage only references them.

4. 'Retention policies can be removed after locking' — Wrong. Once locked, the policy is immutable.

Specific Numbers and Terms

- objectViewer does NOT include storage.objects.list.
- Signed URL max expiration: 7 days (service account), 12 hours (user).
- Retention policy lock is permanent.
- Default encryption is always applied.
- Uniform bucket-level access is recommended.

Edge Cases

If a bucket has both IAM and ACLs, which takes precedence? ACLs are evaluated first; if an ACL denies access, the request is denied even if IAM allows. But with uniform access, ACLs are disabled.

When using CSEK, you must provide the key with every request. If you lose the key, data is unrecoverable.

Lifecycle rules cannot delete objects under retention policy.

How to Eliminate Wrong Answers

- If the question mentions 'temporary access for a user without a Google account', pick signed URL.
- If the question mentions 'compliance requirement to manage keys separately', pick CMEK or CSEK (CMEK if you want Google to store the key securely, CSEK if you want to manage keys yourself).
- If the question mentions 'prevent deletion for a fixed period', pick retention policy with lock.
- If the question mentions 'simplify permissions', pick uniform bucket-level access.

Key Takeaways

- Use uniform bucket-level access unless you need per-object ACLs.
- Storage Object Viewer role does NOT allow listing objects.
- Signed URLs expire after max 7 days (service account) or 12 hours (user).
- CMEK keys are stored in Cloud KMS, not Cloud Storage.
- Retention policy locking is irreversible.
- Default encryption (Google-managed) is always applied.
- Lifecycle rules cannot delete objects under retention policy.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Uniform Bucket-Level Access

- All access controlled by IAM policies at bucket level.
- Simpler to manage and audit.
- Recommended by Google.
- Disables ACLs.
- Cannot set per-object permissions.

Fine-Grained Access (ACLs)

- Allows IAM and ACLs at object level.
- More complex; risk of misconfiguration.
- Legacy model; not recommended for new projects.
- ACLs can override IAM.
- Allows per-object permissions.

CMEK

- Keys managed in Cloud KMS.
- Google stores the key securely.
- Supports key rotation and audit.
- Requires Cloud KMS permissions.
- Compliance-friendly.

CSEK

- Keys provided per request; not stored by Google.
- You manage key storage and security.
- No key rotation; you must provide new keys.
- Maximum control but operational burden.
- Data unrecoverable if key lost.

Watch Out for These

Mistake: ACLs are always better because they provide fine-grained control.

Correct: Google recommends uniform bucket-level access because it simplifies management and reduces the risk of misconfiguration. ACLs should only be used when you need different permissions on objects within the same bucket.

Mistake: Signed URLs require the end user to be authenticated.

Correct: Signed URLs provide access without authentication. Anyone with the URL can access the object for the duration of the URL's validity.

Mistake: CMEK encryption is stronger than default encryption.

Correct: All encryption uses AES-256. CMEK provides key management control, not stronger encryption. The strength is the same.

Mistake: Retention policies can be shortened after locking.

Correct: Once a retention policy is locked, it cannot be removed or shortened. It can only be extended.

Mistake: Object versioning must be enabled to use retention policies.

Correct: Retention policies work without versioning. However, versioning is recommended to preserve overwritten objects.


Frequently Asked Questions

How do I make a Cloud Storage bucket publicly readable?

Grant `allUsers` the `objectViewer` IAM role: `gsutil iam ch allUsers:objectViewer gs://my-bucket`. This allows anyone to read objects. To list objects, you also need `legacyBucketReader`. Be cautious: this makes all objects public.

What is the difference between CMEK and CSEK?

CMEK (Customer-Managed Encryption Keys) uses Cloud KMS to manage keys; Google stores the key and you control it via IAM. CSEK (Customer-Supplied Encryption Keys) requires you to provide the key with each API call; Google does not store it. CMEK is easier to manage; CSEK gives you full control but you must safeguard the key.

Can I change a bucket from fine-grained to uniform access?

Yes, you can enable uniform bucket-level access on an existing bucket using `gsutil uniformbucketlevelaccess set on gs://my-bucket`. However, any existing ACLs will be ignored. You cannot revert to fine-grained after enabling uniform.

How do I create a signed URL for an object?

Use the `gsutil signurl` command with a service account key file: `gsutil signurl -d 10m /path/to/key.json gs://my-bucket/object`. The duration `-d` specifies validity. The signer must have `storage.objects.get` permission on the object.

What happens if I lose my CSEK key?

Data encrypted with a CSEK key is unrecoverable. Google does not store the key, so there is no way to decrypt the data. Always back up your keys securely.

Can I delete objects that have a retention policy?

No, objects cannot be deleted or overwritten until the retention period expires. Attempts to delete will fail. To delete, you must wait until the retention period ends or remove the retention policy (if not locked).

How do I prevent public access to my buckets?

Enable Public Access Prevention at the organization level using Organization Policies. This blocks any attempt to grant `allUsers` or `allAuthenticatedUsers` access. You can also audit using Cloud Asset Inventory.

