ACE · topic practice

Configuring Access and Security practice questions

Practise Google Associate Cloud Engineer questions on Configuring Access and Security: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Configuring Access and Security

What the exam tests

What to know about Configuring Access and Security

Configuring Access and Security questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Configuring Access and Security exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Configuring Access and Security questions

20 questions · select your answer, then reveal the explanation

An engineer needs to grant an external auditor read-only access to a subset of Cloud Storage buckets in a project. The auditor's identity is a Google account. Which IAM approach should the engineer use?

A security team wants to ensure that all Compute Engine instances in a project automatically use a custom service account with minimal permissions. What must the engineer do when creating new instances?

An engineer created a firewall rule to allow inbound HTTP traffic on port 80 from the internet to instances with the tag 'web-server'. However, after applying the rule, a test instance with the tag 'web-server' is still not reachable on port 80. What is a likely cause?

Question 4 · medium · multiple choice

A company wants to use Cloud NAT to allow private instances in a VPC to send outbound traffic to the internet and to receive inbound responses. Which two resources must be configured to set up Cloud NAT?

An engineer needs to view the current IAM policy for a project in JSON format. Which gcloud command should they use?

A developer created a service account with the roles/storage.admin role and wants to use it from a Compute Engine instance without downloading a key file. What is the best practice?

Which Google Cloud service provides a managed, scalable, and secure way to store API keys, passwords, and certificates?

Question 8 · medium · multiple choice

A company has a VPC with a subnet that has Private Google Access enabled. They want their Compute Engine instances to access Google APIs and services through internal IP addresses. Which additional configuration is required?

An organization needs to audit all data access (read/write) to a Cloud Storage bucket for compliance. Which type of audit log should they enable?

Question 10 · hard · multiple choice

A company has a VPC with two subnets: subnet-a (10.0.1.0/24) and subnet-b (10.0.2.0/24). They want to allow traffic from instances in subnet-a to reach a specific instance in subnet-b only on TCP port 443. What is the most specific firewall rule to achieve this?

An engineer wants to create a Google-managed SSL certificate for a domain and attach it to an HTTPS load balancer. Which gcloud command should they use to create the certificate?

A team needs to create a new service account and grant it the roles/storage.objectViewer role on a project. Which two gcloud commands are required?

A company wants to ensure that a Compute Engine instance can access only a specific Cloud Storage bucket and no other resources in the project. Which TWO steps should the engineer take? (Select 2 correct answers)

Which THREE configurations are required to enable Private Google Access for Compute Engine instances in a custom VPC subnet? (Select 3 correct answers)

Which TWO of the following are valid ways to grant IAM roles to a service account for accessing a Cloud Storage bucket? (Select 2 correct answers)

An engineer needs to grant a user the ability to create and manage service accounts in a project, but not delete them. Which predefined IAM role should be assigned?

You want to allow HTTP traffic from the internet to a set of Compute Engine instances tagged 'web-server'. Which gcloud command creates the appropriate firewall rule?

A security team wants to audit all Data Access attempts in a project for a specific Cloud Storage bucket, including who accessed which object and when. Which configuration is required?

You need to create a service account for a Compute Engine instance to allow it to access Cloud Storage objects. The service account should have minimal permissions. What is the recommended approach?

An organization has multiple projects under a folder. They want to grant a network admin the ability to create firewall rules in all projects in the folder. Which IAM policy binding achieves this with least privilege?

Focused Configuring Access and Security sessions

Start a Configuring Access and Security only practice session

Every question in these sessions is drawn from the Configuring Access and Security domain — nothing else.

Frequently asked questions

What does the ACE exam test about Configuring Access and Security?
Configuring Access and Security questions test whether you can apply the concept in context, not just recognise a definition.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong; this active recall approach builds retention far faster than re-reading notes.

Can I practise just Configuring Access and Security questions in a focused session?
Yes. The session launcher on this page draws every question from the Configuring Access and Security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other ACE topics?
Use the topic links above to move to related areas, or go back to the ACE question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the ACE exam covers. They are not copied from any real exam or dump site.