GCP Professional Cloud Security Engineer Practice Question
Your organization enforces Public Access Prevention and uniform bucket-level access on every Cloud Storage bucket. A nightly Dataflow pipeline runs with the service account "[email protected]" and must download objects whose names start with "exports/" in the bucket "corp-fin-raw". The job must not be able to list objects outside that prefix or view bucket metadata, and no other identities should gain new permissions. Which IAM binding applied on the bucket provides the required access with the principle of least privilege?
Grant roles/storage.objectViewer to the service account at the project level so it inherits download rights to all buckets in the project.
Add a bucket-level IAM binding that grants the service account roles/storage.objectViewer with a condition: resource.name.startsWith("projects/_/buckets/corp-fin-raw/objects/exports/").
Use object ACLs to grant the service account roles/storage.legacyObjectReader on every object inside the "exports/" prefix.
Grant roles/storage.objectAdmin on the bucket with a condition limiting resource.name to the "exports/" prefix.
The roles/storage.objectViewer role grants only read (download) permission on objects; it cannot write or delete objects or change bucket settings. Bound at the bucket level with an IAM condition that restricts resource.name to names beginning with "projects/_/buckets/corp-fin-raw/objects/exports/", it lets the service account read objects whose names start with "exports/" but not list or access any other objects. IAM conditions on Cloud Storage require uniform bucket-level access, which also disables legacy ACLs, so ACLs cannot be used here. Granting the role at project scope would expose every bucket in the project, and roles/storage.objectAdmin would add unnecessary write and delete privileges. Legacy ACLs (roles/storage.legacyObjectReader) are ignored once uniform bucket-level access is enabled, so they would not satisfy the requirement.
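The following Python is an added example, not part of the original question or of Google's tooling. It builds the bucket-level conditional binding in the JSON shape a Cloud Storage IAM policy uses, then runs a small local evaluator (an assumed stand-in for Cloud IAM's condition engine that handles only resource.name.startsWith) over constructed requests, so you can see exactly what the condition admits and rejects: objects under "exports/", a sibling prefix such as "exports-old/", objects in other buckets, a list request (checked against the bucket resource name), and a delete. The service-account address is a placeholder because the page shows it redacted; the bucket and prefix are the ones in the question.

```python
import json
import re

# Values from the question. The service-account address is a placeholder:
# the page shows it redacted.
BUCKET = "corp-fin-raw"
PREFIX = "exports/"
SERVICE_ACCOUNT = "pipeline-sa@example-project.iam.gserviceaccount.com"  # placeholder

# Subset of the permissions carried by the two roles the options discuss.
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {
        "storage.objects.get", "storage.objects.list", "storage.objects.create",
        "storage.objects.delete", "storage.objects.update",
    },
}


def object_resource(bucket, name):
    """Full resource name Cloud IAM exposes as resource.name for an object."""
    return f"projects/_/buckets/{bucket}/objects/{name}"


def bucket_resource(bucket):
    """Resource name used for bucket-scoped requests such as object listing."""
    return f"projects/_/buckets/{bucket}"


def build_binding(bucket, prefix, member, role="roles/storage.objectViewer"):
    """Bucket-level binding restricted to objects under `prefix` (option B)."""
    return {
        "role": role,
        "members": [f"serviceAccount:{member}"],
        "condition": {
            "title": f"{prefix.rstrip('/')}-prefix-only",
            "expression": f'resource.name.startsWith("{object_resource(bucket, prefix)}")',
        },
    }


_STARTS_WITH = re.compile(r'^resource\.name\.startsWith\("([^"]*)"\)$')


def condition_holds(expression, resource_name):
    """Local evaluator for the one CEL form used here (assumption: not the real engine)."""
    match = _STARTS_WITH.match(expression)
    if not match:
        raise ValueError(f"unsupported expression: {expression}")
    return resource_name.startswith(match.group(1))


def is_allowed(binding, member, permission, resource_name):
    """True if `member` gets `permission` on `resource_name` through this binding."""
    if f"serviceAccount:{member}" not in binding["members"]:
        return False
    if permission not in ROLE_PERMISSIONS[binding["role"]]:
        return False
    condition = binding.get("condition")
    return condition is None or condition_holds(condition["expression"], resource_name)


def check_access(binding, member):
    """Exercise the binding against constructed requests and return the outcomes."""
    get, lst, delete = "storage.objects.get", "storage.objects.list", "storage.objects.delete"
    return {
        "get_in_prefix": is_allowed(binding, member, get, object_resource(BUCKET, "exports/q1.csv")),
        # Trailing slash in the prefix matters: "exports-old/" must not match "exports/".
        "get_sibling_prefix": is_allowed(binding, member, get, object_resource(BUCKET, "exports-old/q1.csv")),
        "get_outside_prefix": is_allowed(binding, member, get, object_resource(BUCKET, "archive/q1.csv")),
        "get_other_bucket": is_allowed(binding, member, get, object_resource("corp-hr-raw", "exports/q1.csv")),
        # Listing is evaluated against the bucket resource name, which the prefix never matches.
        "list_bucket": is_allowed(binding, member, lst, bucket_resource(BUCKET)),
        "delete_in_prefix": is_allowed(binding, member, delete, object_resource(BUCKET, "exports/q1.csv")),
    }


if __name__ == "__main__":
    viewer = build_binding(BUCKET, PREFIX, SERVICE_ACCOUNT)
    print(json.dumps(viewer, indent=2))
    for request, allowed in check_access(viewer, SERVICE_ACCOUNT).items():
        print(f"{request:20s} -> {'ALLOW' if allowed else 'DENY'}")
    # Option D with the same condition: the prefix is still enforced, but delete is now granted.
    admin = build_binding(BUCKET, PREFIX, SERVICE_ACCOUNT, role="roles/storage.objectAdmin")
    print("objectAdmin delete_in_prefix ->", check_access(admin, SERVICE_ACCOUNT)["delete_in_prefix"])
```

The output of check_access is the practical test of least privilege here: only the object read inside the prefix is allowed, while the sibling prefix, other buckets, the list request and any delete are denied; swapping in roles/storage.objectAdmin keeps the prefix restriction but turns the delete into an allow, which is why the condition alone does not make option D acceptable.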
Ensuring data protection