ACE · topic practice

Configuring access and security practice questions

Use this page to practise Configuring access and security questions for this certification. Focus on how the exam tests configuring access and security in scenario format — understanding the why behind each answer builds more durable knowledge than memorising options.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Configuring access and security

What the exam tests

What to know about Configuring access and security

Configuring access and security questions on this certification test your ability to configure and manage access and security in scenario-based situations.

  • Core access and security concepts and how they apply in real-world cloud scenarios.
  • How to configure access and security correctly and verify the outcome.
  • Troubleshooting access and security issues by interpreting error output and system state.
  • Cloud best practices and access and security design trade-offs tested by this certification.

Watch out for

Common Configuring access and security exam traps

  • Selecting the most expensive service when a simpler managed option meets the requirement.
  • Forgetting that cloud resources must be explicitly secured — defaults are rarely secure.
  • Choosing a global service fix when the issue is region-specific.
  • Overlooking cost implications of cross-region data transfer in architecture questions.

Practice set

Configuring access and security questions

20 questions · select your answer, then reveal the explanation

A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?

A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?

A compliance team needs a log of every time a user or service account accessed data in a BigQuery dataset — specifically read operations. Which Cloud Audit Log type captures this?

A security team wants to prevent authorized users from copying BigQuery query results to a dataset in a different GCP project that is outside the team's security boundary — even if the user has valid IAM permissions. Which control enforces this?

A GKE Pod needs to call the Cloud Storage API. The team wants to avoid creating and managing service account key files. What is the recommended approach?

A public API receives global traffic but has been targeted by both volumetric DDoS attacks and SQL injection attempts in HTTP request parameters. Which single GCP service provides protection against both threats?

A team wants to grant a contractor the Storage Object Viewer role on a specific bucket path, but only during business hours (Monday–Friday, 9am–5pm local time). Which IAM feature supports these conditions?

A team wants to grant three developers access to view Cloud SQL instance details and connection strings, but not create, delete, or modify any Cloud SQL instances. Which predefined IAM role is the most appropriate?

A compliance requirement mandates that all VM-to-VM traffic within a GCP project must be encrypted in transit, even for internal VPC traffic. Which feature enforces this for Compute Engine?

An organization needs to ensure that only images from their approved Container Registry (gcr.io/approved-project) can be deployed on GKE clusters in their organization. Which GCP control enforces this?

A DevOps engineer creates a service account for a CI/CD pipeline. The pipeline needs to push container images to Artifact Registry. Which role grants the minimum required permission?

A security team discovers that a service account key was accidentally committed to a public GitHub repository 48 hours ago. What should be the immediate steps to remediate this incident?

A team's Cloud Storage bucket containing backups has been accidentally made publicly readable. A monitoring alert fires. What is the fastest way to remove public access?

A GKE cluster hosts both a public-facing web application and an internal data processing service. The data processing service should only accept traffic from the web application Pods, not from the internet. Which Kubernetes feature enforces this policy?

A developer accidentally grants the Owner role to a test service account on the production project. The team wants to remove only this specific IAM binding without affecting other members' access. Which gcloud command achieves this?

A regulated financial company must ensure that all GCP API calls made by employees are logged with full request and response payloads for audit purposes. Which combination of Cloud Audit Log types captures this?

A GCP project needs to allow outbound internet access from VMs that have only private IP addresses, without exposing those VMs to inbound internet traffic. Which GCP service provides this?

Frequently asked questions

What does the ACE exam test about Configuring access and security?
Configuring access and security questions on this certification test your ability to configure and manage access and security in scenario-based situations.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Configuring access and security questions in a focused session?
Yes — the session launcher on this page draws every question from the Configuring access and security domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other ACE topics?
Use the topic links above to move to related areas, or go back to the ACE question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the ACE exam covers. They are not copied from any real exam or dump site.