GCP Professional Cloud Security Engineer Practice Question
A data science team stores research datasets in a Cloud Storage bucket that currently uses fine-grained object ACLs. Recently, several objects became publicly readable after an intern granted the allUsers entity READ access through an object-level ACL. Security leadership insists that:
Future uploads must not allow object owners to override the bucket's restricted sharing model.
Administrators should continue assigning access via Google groups at the project level.
Which control best satisfies both requirements with the least operational overhead?
Create a deny policy that blocks the storage.objects.get permission for the principal allUsers on the bucket.
Apply the organization policy constraint constraints/storage.publicAccessPrevention in enforced mode to the project.
Enable uniform bucket-level access on the bucket and rely solely on IAM role bindings for access control.
Instruct object owners to remove any public ACL entries after uploading and keep using fine-grained ACLs for internal sharing.
Enabling uniform bucket-level access (UBLA) converts the bucket to an IAM-only model: all existing and future object ACLs are disabled and ignored, so object owners cannot grant additional access such as allUsers. Administrators instead manage permissions through IAM role bindings, for example by granting roles/storage.objectViewer to a Google Group at the project or bucket level. Public Access Prevention only blocks public principals but still leaves ACLs functional for other identities; monitoring or manual cleanup does not stop future misconfigurations; a deny policy on storage.objects.get for allUsers would still allow other unintended ACL grants and adds management complexity. Therefore, UBLA is the most effective and lowest-overhead solution.
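The comparison in the explanation above, as an added example that is not part of the original page: a simplified Python model (not Cloud Storage's actual authorization logic) of who can read an object under fine-grained ACLs, Public Access Prevention alone, and UBLA. The group address, the contractor account and the function name are constructed for illustration; the field names follow the Cloud Storage JSON API bucket and object ACL resources.

```python
# Simplified model of object read access; it ignores org-policy inheritance,
# deny policies and IAM conditions. All sample data below is constructed.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}
READ_ROLES = {"roles/storage.objectViewer"}  # subset of roles that allow reads

def effective_readers(bucket, object_acl, iam_bindings):
    """Return the set of principals able to read one object in the bucket."""
    cfg = bucket.get("iamConfiguration", {})
    ubla = cfg.get("uniformBucketLevelAccess", {}).get("enabled", False)
    pap = cfg.get("publicAccessPrevention") == "enforced"

    readers = set()
    # IAM role bindings (project or bucket level) apply in every mode.
    for binding in iam_bindings:
        if binding["role"] in READ_ROLES:
            readers.update(binding["members"])
    # Object ACLs are honoured only while the bucket is fine-grained.
    if not ubla:
        for entry in object_acl:
            if entry["role"] in ("READER", "OWNER"):
                readers.add(entry["entity"])
    # Public Access Prevention strips public principals and nothing else.
    if pap:
        readers -= PUBLIC
    return readers

# Constructed inputs: one group binding made by administrators, plus two
# object-level ACL grants added by an object owner.
IAM = [{"role": "roles/storage.objectViewer",
        "members": ["group:research-team@example.com"]}]
ACL = [{"entity": "allUsers", "role": "READER"},
       {"entity": "user-contractor@example.net", "role": "READER"}]

def bucket(ubla_enabled, pap_mode):
    return {"iamConfiguration": {
        "uniformBucketLevelAccess": {"enabled": ubla_enabled},
        "publicAccessPrevention": pap_mode}}

FINE_GRAINED = bucket(False, "inherited")
PAP_ONLY = bucket(False, "enforced")
UBLA = bucket(True, "inherited")

if __name__ == "__main__":
    for name, b in [("fine-grained", FINE_GRAINED),
                    ("PAP only", PAP_ONLY), ("UBLA", UBLA)]:
        print(f"{name:13} -> {sorted(effective_readers(b, ACL, IAM))}")
```

Under Public Access Prevention alone the contractor ACL grant still takes effect; only with UBLA does the reader set reduce to the group bound through IAM.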
GCP Professional Cloud Security Engineer
Configuring Access