Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Google Professional Cloud Security Engineer Exam - Topic 4 Question 110 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam
Question #: 110
Topic #: 4
[All Professional Cloud Security Engineer Questions]

A batch job running on Compute Engine needs temporary write access to a Cloud Storage bucket. You want the batch job to use the minimum permissions necessary to complete the task. What should you do?

Show Suggested Answer Hide Answer
Suggested Answer: B

To provide temporary write access to a Cloud Storage bucket with the minimum permissions necessary, you should:

Identify the Compute Engine instance's default service account: Each Compute Engine instance has a default service account that is used to interact with other Google Cloud services.

Assign the storage.objectCreator role: This predefined IAM role grants permissions to create objects in a Cloud Storage bucket, which is sufficient for temporary write access. It does not grant permissions to read or delete objects, thus adhering to the principle of least privilege.

Avoid using full permissions or long-lived keys: Options A and C suggest using broader permissions than necessary or embedding long-lived keys, which could pose a security risk if compromised.

Service account impersonation (Option D)is not necessary for this task and would be more appropriate for scenarios where you need to assume a different identity with different permissions.


Google Cloud documentation on IAM roles for Cloud Storage, which lists the storage.objectCreator role as providing permissions to create objects without granting full administrative access to the bucket1.

Best practices for access control in Cloud Storage recommend using the least privilege necessary and avoiding the use of long-lived service account keys2.

by Billy at Nov 21, 2025, 10:38 PM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Deonna
7 days ago
C is a no-go for me. Long-lived keys are bad practice.
upvoted 0 times
...
Ciara
12 days ago
I dislike A. Full permissions are too risky.
upvoted 0 times
...
Laurene
17 days ago
But D feels more complex. B is simpler.
upvoted 0 times
...
Remedios
22 days ago
Option D could work too. Impersonation is smart.
upvoted 0 times
...
Tammi
27 days ago
Agreed, B seems straightforward. Less risk.
upvoted 0 times
...
Nenita
1 month ago
I agree with B, but I’m surprised it’s not more common knowledge!
upvoted 0 times
...
Miriam
1 month ago
Isn't embedding a service account key in the script a security risk?
upvoted 0 times
...
Joana
2 months ago
I think D is a solid approach too!
upvoted 0 times
...
Thad
2 months ago
Option B is the best choice for minimal permissions.
upvoted 0 times
...
Carissa
2 months ago
I'd go with D. Impersonation is the way to keep things locked down.
upvoted 0 times
...
Twila
2 months ago
Haha, option A is like giving a toddler the keys to the candy store. No way!
upvoted 0 times
...
Roxane
3 months ago
C? Embedding a key file? That's a security nightmare waiting to happen.
upvoted 0 times
...
Dalene
3 months ago
D seems like the most secure option. Impersonation is the way to do it.
upvoted 0 times
...
Jesusa
3 months ago
Option B is the way to go. Gotta keep those permissions tight!
upvoted 0 times
...
Luther
3 months ago
I recall something about avoiding long-lived keys, so option C seems risky to me, but I can't remember the exact reasons.
upvoted 0 times
...
Yuriko
3 months ago
I think we practiced a similar question where using service account impersonation was emphasized, so I'm leaning towards D again.
upvoted 0 times
...
Tricia
3 months ago
I'm not entirely sure, but I feel like option B could work too since it grants the necessary permissions without being overly broad.
upvoted 0 times
...
Dacia
4 months ago
I remember we discussed the principle of least privilege, so I think option D might be the best choice since it uses a specific role.
upvoted 0 times
...
Altha
4 months ago
I'm leaning towards option C, since it gives me the most control over the permissions. Embedding the service account key file directly in the script seems straightforward.
upvoted 0 times
...
Reita
4 months ago
I think option B is the best. Minimal permissions needed.
upvoted 0 times
...
Elke
4 months ago
Option D sounds like the most secure approach, but it might be a bit more complex to implement. I'd have to research service account impersonation to be sure I understand it.
upvoted 0 times
...
Florinda
5 months ago
Wait, why would you use full admin permissions? That seems risky.
upvoted 0 times
...
Hubert
5 months ago
I'm a bit confused about the difference between creating a service account and using the default service account. Can someone clarify that for me?
upvoted 0 times
...
Jina
5 months ago
I think option B is the way to go. It's the simplest and most direct approach to give the Compute Engine instance the minimum permissions it needs.
upvoted 0 times
Dean
2 days ago
But what about option D? It adds more security.
upvoted 0 times
...
Bernardine
4 months ago
I agree, option B seems straightforward.
upvoted 0 times
...
Queenie
5 months ago
Yeah, it minimizes permissions effectively.
upvoted 0 times
...
...

Save Cancel