GCP Professional Cloud Security Engineer Practice Question
Your organization discovers that a Cloud Storage bucket named "corp-secure-data" contains thousands of objects whose ACLs unintentionally grant allUsers read access. Only members of the Google Group [email protected] should be able to read any existing or future objects in this bucket, and you must ensure object owners cannot re-introduce public ACLs. A different bucket, "public-assets", currently uses object-level ACLs for signed URLs and must remain unchanged. Which approach meets these requirements with the least ongoing operational effort?
Keep fine-grained access on "corp-secure-data", write a daily script that removes all allUsers ACL entries and adds a READER ACL for the Google Group to each new object, leaving both buckets otherwise unchanged.
Apply project-level Public Access Prevention, leave current ACLs on "corp-secure-data" unchanged, and add a bucket-level READER ACL for the Google Group; keep "public-assets" as is.
Enable and lock uniform bucket-level access on "corp-secure-data", then grant the Google Group the roles/storage.objectViewer role on that bucket via IAM; make no changes to "public-assets".
Enable uniform bucket-level access on both buckets, then add an object-level READER ACL for the Google Group on every object in "corp-secure-data".
Enabling and locking uniform bucket-level access on the "corp-secure-data" bucket immediately disables the evaluation of all object ACLs, so the legacy public grants become ineffective without any need to edit each object. After ACLs are ignored, access is controlled exclusively by Cloud IAM. Granting the Google Group the predefined roles/storage.objectViewer role on the bucket supplies the required read permission for both existing and new objects. Because you change only the target bucket, the "public-assets" bucket that relies on fine-grained ACLs for signed URLs is untouched and continues to function. The other options either break the public-assets use case, rely on object ACLs that are ignored when uniform access is enabled, or require continual scripting and maintenance to keep unwanted ACLs from reappearing.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is uniform bucket-level access in Google Cloud Storage?
Open an interactive chat with Bash
What is Public Access Prevention in Google Cloud Storage?
Open an interactive chat with Bash
How does roles/storage.objectViewer role work in IAM?
Open an interactive chat with Bash
What is uniform bucket-level access in Google Cloud Storage?
Open an interactive chat with Bash
What is the roles/storage.objectViewer role in Google Cloud IAM?
Open an interactive chat with Bash
How does Public Access Prevention differ from uniform bucket-level access?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Configuring Access
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .