Question 5 - Google Associate Cloud Engineer Real Exam Questions [Jan 2026 Update]

Q: 5

You have an object in a Cloud Storage bucket that you want to share with an external company. The object contains sensitive dat a. You want access to the content to be removed after four hours. The external company does not have a Google account to which you can grant specific user-based access privileges. You want to use the most secure method that requires the fewest steps. What should you do?

Options

Correct Answer:

Explanation

A signed URL provides a secure, time-limited method for granting read or write access to a specific Cloud Storage object. It uses a cryptographic signature embedded in the URL, which authenticates the request without requiring the user to have a Google account. By setting a four-hour expiration, access is automatically revoked after the specified period. This approach directly addresses all requirements: it's secure for sensitive data, time-limited, works for users without Google accounts, and is the most direct method, requiring only a single step to generate the URL.

Why Incorrect

B. Making an object public is highly insecure for sensitive data, as anyone on the internet could potentially access it during the four-hour window.

C. Configuring a bucket as a static website also makes objects publicly accessible, which is not secure for sensitive content. This method is also more complex than generating a signed URL.

D. This method is inefficient, requiring multiple steps (create bucket, copy object, delete bucket). It also fails to specify the access mechanism, which would still need to be either public (insecure) or a signed URL (making option A superior).

References

1. Google Cloud Documentation - Signed URLs: "A signed URL is a URL that provides limited permission and time to make a request... Anyone who knows the signed URL can access the resource until the URL expires

regardless of whether they have a Google Cloud account." This document explicitly describes the use case of providing temporary access to users without Google accounts.

Source: Google Cloud Documentation

"Cloud Storage > How-to Guides > Using signed URLs".

2. Google Cloud Documentation - Overview of Access Control: This document outlines various access control methods. It implicitly discourages using public access for sensitive data by describing its function: "The allUsers identifier is a special identifier that represents any user who is on the internet." This highlights the insecurity of options B and C.

Source: Google Cloud Documentation

"Cloud Storage > Key Concepts > Overview of access control".

3. Google Cloud Documentation - Object Lifecycle Management: "Object Lifecycle Management lets you apply rules to a bucket that automatically take an action on the objects in the bucket when they meet the criteria you specify." The purpose is automated object state management (e.g.

deletion

changing storage class)

not for granting temporary

secure access to external users.

Source: Google Cloud Documentation

"Cloud Storage > How-to Guides > Using Object Lifecycle Management".

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE