GCP Professional Cloud Security Engineer Practice Question
Your security team has enforced two organization-wide controls on a Cloud Storage bucket that stores sensitive audit logs: (1) uniform bucket-level access is on, so no object ACLs are allowed, and (2) public access prevention blocks the use of the IAM principals allUsers and allAuthenticatedUsers. An external auditor who does not have a Google account needs read-only access to a single log object for the next 12 hours. You must satisfy the request without changing or violating the existing bucket controls and without granting broader or longer-lived access than necessary. What should you do?
Generate a V4 signed URL for the required object that expires in 12 hours and send the URL to the auditor.
Grant the Storage Object Viewer role on the bucket to a new service account, then email the auditor the service account's JSON key so they can access the object with gcloud.
Add an IAM binding that grants roles/storage.objectViewer to allAuthenticatedUsers, then remove the binding after 12 hours.
Apply a predefined reader object ACL to the specific object for allUsers and configure Object Lifecycle Management to remove the ACL after 12 hours.
Because uniform bucket-level access disables object ACLs, you cannot rely on temporary object ACLs. Public access prevention forbids granting access to the allUsers or allAuthenticatedUsers principals. Creating a service account and emailing its key would give the auditor bucket-wide access that persists until the key is manually revoked, which is broader and longer-lived than required and introduces key-management risks. A V4 signed URL, on the other hand, authorizes access through a cryptographic signature generated by someone who already possesses storage.objects.get permission. Signed URLs remain valid even when both uniform bucket-level access and public access prevention are enabled, and you can set them to expire automatically after 12 hours. Therefore, generating a time-limited V4 signed URL for the specific object is the appropriate solution.
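A pre-send check for the signed URL described in the explanation above, added here as an example and not part of the original question. It reads the standard V4 query parameters (`X-Goog-Algorithm`, `X-Goog-Date`, `X-Goog-Expires` and so on) to confirm the URL targets only the intended object and lives no longer than 12 hours. The bucket, object and signer names, the signature value and the path-style URL form are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample values (not real resources); the signature is a placeholder.
BUCKET, OBJECT = "example-audit-logs", "2025/01/audit.log"
GOOD_URL = (
    "https://storage.googleapis.com/example-audit-logs/2025/01/audit.log"
    "?X-Goog-Algorithm=GOOG4-RSA-SHA256"
    "&X-Goog-Credential=signer%40example-project.iam.gserviceaccount.com"
    "%2F20250101%2Fauto%2Fstorage%2Fgoog4_request"
    "&X-Goog-Date=20250101T090000Z&X-Goog-Expires=43200"
    "&X-Goog-SignedHeaders=host&X-Goog-Signature=00ff"
)
MAX_TTL = timedelta(hours=12)  # access window from the scenario


def audit_signed_url(url, bucket, obj, now, max_ttl=MAX_TTL):
    """Return a list of policy problems; an empty list means the URL can be sent."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    # Assumes the path-style form: https://storage.googleapis.com/<bucket>/<object>
    if (parts.hostname != "storage.googleapis.com"
            or unquote(parts.path) != f"/{bucket}/{obj}"):
        problems.append("does not point at the expected object")
    if not q.get("X-Goog-Algorithm", "").startswith("GOOG4-"):
        problems.append("not a V4 signature")
    for name in ("X-Goog-Credential", "X-Goog-SignedHeaders", "X-Goog-Signature"):
        if not q.get(name):
            problems.append(f"missing {name}")
    try:
        issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=timezone.utc)
        ttl = timedelta(seconds=int(q["X-Goog-Expires"]))
    except (KeyError, ValueError):
        return problems + ["missing or malformed X-Goog-Date / X-Goog-Expires"]
    if ttl > max_ttl:
        problems.append(f"lifetime {int(ttl.total_seconds())}s exceeds "
                        f"{int(max_ttl.total_seconds())}s")
    if issued + ttl <= now:
        problems.append("already expired")
    return problems


if __name__ == "__main__":
    now = datetime(2025, 1, 1, 9, 5, tzinfo=timezone.utc)
    print(audit_signed_url(GOOD_URL, BUCKET, OBJECT, now) or "OK to send")
```

The check covers only the URL's parameters; whether the signature itself is valid is decided by Cloud Storage when the URL is used.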
GCP Professional Cloud Security Engineer
Ensuring data protection