- Domain 4 Overview: Why Access and Security Matters
- IAM Fundamentals You Must Master
- Service Accounts and Workload Identity
- Resource Hierarchy and Organization Policy
- Network Security Controls
- Data Protection and Encryption
- How Domain 4 Questions Are Actually Written
- Scheduling Domain 4 Inside Your ACE Prep Plan
- Common Mistakes Candidates Make
- FAQ
- Domain 4 tests IAM roles, service accounts, org policy, and network security controls together, not in isolation.
- The ACE exam has 50-60 questions in 2 hours, roughly two minutes per question, so read scenario-based access questions carefully instead of pattern-matching on role names.
- Predefined roles, custom roles, and the principle of least privilege show up repeatedly across scenario questions.
- Service account key management and workload identity federation are frequently tested weak points for candidates.
Domain 4 Overview: Why Access and Security Matters
Domain 4, "Configuring access and security," is the final of the four content areas in the Associate Cloud Engineer exam guide, sitting alongside Domain 1: Setting up a cloud solution environment, Domain 2: Planning and implementing a cloud solution, and Domain 3: Ensuring the successful operation of a cloud solution. Even though it's listed last, it is not an afterthought. Access and security concepts thread through nearly every scenario question on the exam, because almost any task in Google Cloud - deploying a VM, granting a teammate access to a bucket, connecting a service to Cloud SQL - requires you to configure IAM correctly first.
If you haven't already reviewed how this domain fits with the other three, the ACE Exam Domains 2026 guide breaks down the full weighting and structure. This article goes deep specifically on Domain 4 so you walk into the exam room comfortable with identity, permissions, and network-level protections.
IAM Fundamentals You Must Master
Identity and Access Management (IAM) is the backbone of Domain 4. You need working fluency with the difference between basic roles (Owner, Editor, Viewer - formerly called primitive roles), predefined roles (like roles/storage.objectViewer or roles/logging.viewer), and custom roles you assemble from individual permissions. Expect scenario questions that describe a business requirement - for example, a contractor who needs to view logs but not modify resources - and ask you to pick the most appropriate role. For that contractor, roles/logging.viewer on the project is the least-privilege answer; the basic Viewer role is the tempting, over-broad one.
IAM Policy Bindings
Candidates must understand how policies attach to resources, and how permissions are inherited down the resource hierarchy from organization to folder to project to individual resource.
- Know that IAM allow policies are additive: a principal gets the union of every role bound to it on the resource and on each ancestor, and a narrower binding lower down never removes a broader one granted higher up. The only way to block a permission an allow binding grants is an IAM deny policy (for the permissions deny policies support); organization policy constraints restrict how a resource may be configured, not who holds a permission
- Understand the difference between granting a role at the project level versus a single resource level
- Be able to identify when a custom role is the better choice over a broad predefined role
You should also be comfortable navigating IAM through the Cloud Console and the gcloud CLI (gcloud projects get-iam-policy, gcloud projects add-iam-policy-binding), and know that Gemini Cloud Assist can surface role recommendations inline - Google has steadily woven AI-assisted tooling into how administrators review permissions, and the current exam guide reflects that shift.
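As an added example (not code from the exam guide or from Google), the script below reads constructed allow policies in the JSON shape that gcloud projects get-iam-policy --format=json returns, walks an org, folder, project chain root-first, computes the effective roles one principal holds, and flags basic roles, public principals, and bindings a basic role already covers. The organization ID, folder ID, project, groups and users are invented; group membership is deliberately not expanded, because the policy itself does not tell you who is in a group.

```python
"""Effective-role audit over IAM allow policies. Added example with constructed data;
the policy dicts mimic `gcloud ... get-iam-policy --format=json` output."""

BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed org -> folder -> project chain, ordered root-first (assumed resource names).
HIERARCHY = [
    ("organizations/123456789012", {"bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["group:auditors@example.com"]},
    ]}),
    ("folders/987654321", {"bindings": [
        {"role": "roles/logging.viewer", "members": ["group:contractors@example.com"]},
    ]}),
    ("projects/my-prod-project", {"bindings": [
        {"role": "roles/editor", "members": ["user:contractor@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/logging.viewer", "members": ["user:contractor@example.com"]},
        {"role": "roles/bigquery.dataViewer", "members": ["user:contractor@example.com"],
         "condition": {"title": "contractor-expiry",
                       "expression": 'request.time < timestamp("2026-03-01T00:00:00Z")'}},
    ]}),
]


def effective_roles(principal, hierarchy):
    """Union of every role bound to `principal` anywhere up the chain.
    Allow policies are additive, so nothing lower down can subtract an inherited role.
    Conditional bindings are reported with their condition title so you can see
    that the grant is time- or attribute-scoped."""
    roles = {}
    for resource, policy in hierarchy:
        for binding in policy.get("bindings", []):
            if principal not in binding.get("members", []):
                continue
            where = resource
            if "condition" in binding:
                where += f" [condition: {binding['condition']['title']}]"
            roles.setdefault(binding["role"], []).append(where)
    return roles


def audit(hierarchy):
    """Least-privilege findings: basic roles, public principals, and bindings that are
    redundant because the same principal already holds a basic role here or above."""
    findings = []
    basic_holders = {}          # resource -> principals holding a basic role at or above it
    inherited = set()
    for resource, policy in hierarchy:          # root-first, so inheritance accumulates
        for binding in policy.get("bindings", []):
            role, members = binding["role"], binding.get("members", [])
            if role in BASIC_ROLES:
                for member in members:
                    findings.append(f"{resource}: basic role {role} granted to {member}")
                inherited |= set(members)
            for member in members:
                if member in PUBLIC_PRINCIPALS:
                    findings.append(f"{resource}: {role} granted to {member} (public)")
        basic_holders[resource] = set(inherited)
    for resource, policy in hierarchy:
        for binding in policy.get("bindings", []):
            if binding["role"] in BASIC_ROLES or "condition" in binding:
                continue
            for member in sorted(set(binding.get("members", [])) & basic_holders[resource]):
                findings.append(
                    f"{resource}: {binding['role']} for {member} is redundant next to a basic role")
    return findings


if __name__ == "__main__":
    for role, where in effective_roles("user:contractor@example.com", HIERARCHY).items():
        print(role, "<-", ", ".join(where))
    for line in audit(HIERARCHY):
        print("FINDING:", line)
```

Run it against a real policy by replacing HIERARCHY with the output of gcloud organizations get-iam-policy, gcloud resource-manager folders get-iam-policy, and gcloud projects get-iam-policy for the chain you care about. The redundant-binding check is what turns a scenario like "contractor has Editor plus Logs Viewer" into the exam answer: remove Editor, keep the scoped role.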
Service Accounts and Workload Identity
Service accounts are one of the highest-yield topics in Domain 4 because so many ACE candidates come from backgrounds without deep identity management experience. A service account is an identity used by an application or VM rather than a human, and the exam expects you to know how to create one, grant it roles, and understand the security implications of service account keys.
Service Account Key Risks
Downloaded JSON keys are a common source of security incidents because they are long-lived credentials (user-managed keys do not expire by default) that end up in repositories, laptops, and CI logs. The exam tests whether you know the safer alternatives.
- Prefer attaching a service account directly to a Compute Engine instance, Cloud Run service, or Cloud Run function over downloading a key; the platform then obtains short-lived tokens from the metadata server and there is no key file to leak
- Understand workload identity federation for external workloads that need to authenticate without a static key
- Know how to rotate, disable, or delete a compromised service account key, and that disabling is reversible while deleting is not: disable first, confirm nothing broke, then delete
Also expect questions on impersonation, and be precise about the two roles candidates mix up: roles/iam.serviceAccountUser lets a principal act as a service account by attaching it to resources it creates (a VM, a Cloud Run service), while roles/iam.serviceAccountTokenCreator lets a principal mint tokens for the service account and call APIs as it (gcloud's --impersonate-service-account flag depends on it). For least privilege, grant either role on the specific service account rather than at project level, where it would cover every service account in the project. Questions also probe how least privilege applies when a Cloud Run function or Compute Engine instance needs access to Cloud Storage or Cloud SQL: attach a dedicated service account carrying only the role it needs instead of relying on the default Compute Engine service account. This is directly relevant to the "current compute, storage, networking, observability, IAM, and service-account topics" called out in the exam guide.
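An added example, not from the page: the script below audits the JSON that gcloud iam service-accounts keys list --iam-account=... --format=json prints (constructed here, with the same field names the API returns), reports user-managed keys older than a chosen age that are not already disabled, and emits the disable-then-delete commands. The clock is pinned to a fixed date so the ages are reproducible; the project, service account and key IDs are made up.

```python
"""Stale service-account key audit. Added example with constructed data."""
from datetime import datetime, timezone

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)        # pinned clock (assumption)
SA = "app-sa@my-prod-project.iam.gserviceaccount.com"   # constructed service account


def _key(kid, key_type, valid_after, disabled=False):
    """One entry in the shape `gcloud iam service-accounts keys list --format=json` prints."""
    return {
        "name": f"projects/my-prod-project/serviceAccounts/{SA}/keys/{kid}",
        "keyType": key_type,                   # USER_MANAGED or SYSTEM_MANAGED
        "validAfterTime": valid_after,
        "validBeforeTime": "9999-12-31T23:59:59Z",   # user-managed keys never expire by default
        "keyAlgorithm": "KEY_ALG_RSA_2048",
        "disabled": disabled,
    }


# Constructed listing: one old active key, one fresh key, one old but disabled key,
# and one Google-managed key that rotates automatically and must be ignored.
KEYS = [
    _key("0123456789abcdef0123456789abcdef01234567", "USER_MANAGED", "2025-06-01T00:00:00Z"),
    _key("89abcdef0123456789abcdef0123456789abcdef", "USER_MANAGED", "2025-12-20T00:00:00Z"),
    _key("fedcba9876543210fedcba9876543210fedcba98", "USER_MANAGED", "2024-01-01T00:00:00Z",
         disabled=True),
    _key("13579bdf02468ace13579bdf02468ace13579bdf", "SYSTEM_MANAGED", "2024-01-01T00:00:00Z"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_id(key):
    """Last path segment of the key name is what the gcloud keys commands take."""
    return key["name"].rsplit("/", 1)[-1]


def stale_user_keys(keys, now=NOW, max_age_days=90):
    """Return (key_id, age_in_days) for active user-managed keys older than max_age_days.
    System-managed keys are excluded: Google rotates them and you cannot delete them."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED" or key.get("disabled"):
            continue
        age = now - _parse(key["validAfterTime"])
        if age.days > max_age_days:
            stale.append((key_id(key), age.days))
    return stale


def remediation_commands(sa_email, key_ids):
    """Disable first (reversible), then delete once nothing depended on the key."""
    cmds = []
    for kid in key_ids:
        cmds.append(f"gcloud iam service-accounts keys disable {kid} --iam-account={sa_email}")
        cmds.append(f"gcloud iam service-accounts keys delete {kid} --iam-account={sa_email} --quiet")
    return cmds


if __name__ == "__main__":
    stale = stale_user_keys(KEYS)
    for kid, days in stale:
        print(f"{kid} is {days} days old")
    print("\n".join(remediation_commands(SA, [kid for kid, _ in stale])))
```

In practice you would feed it the real listing and run the disable commands a day or two before the deletes, watching for authentication failures in Cloud Logging in between. Better still, the finding should trigger the fix the exam wants: move the workload to an attached service account or workload identity federation so there is no user-managed key left to rotate.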
Key Takeaway
If you only strengthen one weak area before test day, make it service accounts - key management, impersonation, and attaching identities to compute resources appear across multiple domains, not just Domain 4.
Resource Hierarchy and Organization Policy
Beyond individual IAM bindings, Domain 4 expects you to understand how Organization Policy Service constraints enforce guardrails across an entire organization, folder, or project - regardless of what any individual IAM role allows. This is a frequent point of confusion: IAM controls who can do what, while org policy controls what is allowed to happen at all, even for someone with broad IAM permissions.
- Know common constraints such as constraints/compute.vmExternalIpAccess (restrict external IP addresses on VMs) and constraints/gcp.resourceLocations (limit where resources can be created)
- Understand policy inheritance: a constraint set on a folder applies to every project beneath it that has no policy of its own for that constraint, and a project-level policy for the same constraint replaces the inherited one unless it is configured to merge with the parent (inheritFromParent). Unlike IAM, org policy is not simply additive down the tree
- Recognize the difference between IAM deny policies (block named permissions for named principals, evaluated before allow policies) and organization policy constraints (restrict how resources may be configured, regardless of who makes the request)
Questions in this area are often written as "a security team wants to prevent X across all projects" - the correct answer is almost always an org policy constraint, not an IAM change.
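An added example, not from the page: a simplified evaluator for one list constraint, constraints/gcp.resourceLocations, over a constructed org, folder, project tree. It models only allowedValues, deniedValues and inheritFromParent (no reset, no value groups such as in:us-locations, no boolean constraints) and shows why a project that sets its own policy without merging does not get the folder's values. The resource IDs and regions in the tree are invented.

```python
"""Effective org-policy evaluation for one list constraint. Added example, constructed tree,
simplified model of the documented inheritance rules."""

CONSTRAINT = "constraints/gcp.resourceLocations"

# Constructed tree: resource -> (parent, policy for CONSTRAINT or None).
TREE = {
    "organizations/123456789012": (None, {"allowedValues": ["us-central1", "us-east1"]}),
    "folders/987654321": ("organizations/123456789012",
                          {"allowedValues": ["europe-west1"], "inheritFromParent": True}),
    # proj-a sets its own list without inheritFromParent: it REPLACES the folder's policy.
    "projects/proj-a": ("folders/987654321", {"allowedValues": ["us-central1"]}),
    # proj-b has no policy of its own: it inherits the folder's effective policy unchanged.
    "projects/proj-b": ("folders/987654321", None),
    # proj-c merges with the parent and adds a denied value.
    "projects/proj-c": ("folders/987654321",
                        {"deniedValues": ["us-east1"], "inheritFromParent": True}),
}


def ancestry(tree, resource):
    """Root-first chain of resources from the organization down to `resource`."""
    chain, node = [], resource
    while node is not None:
        chain.append(node)
        node = tree[node][0]
    return list(reversed(chain))


def effective_policy(tree, resource):
    """Walk root-first. A node policy with inheritFromParent merges its lists into the
    parent's effective lists; any other node policy replaces the effective policy."""
    effective = None
    for name in ancestry(tree, resource):
        policy = tree[name][1]
        if policy is None:
            continue
        if policy.get("inheritFromParent") and effective is not None:
            effective = {
                "allowedValues": sorted(set(effective["allowedValues"])
                                        | set(policy.get("allowedValues", []))),
                "deniedValues": sorted(set(effective["deniedValues"])
                                       | set(policy.get("deniedValues", []))),
            }
        else:
            effective = {"allowedValues": list(policy.get("allowedValues", [])),
                         "deniedValues": list(policy.get("deniedValues", []))}
    return effective


def is_allowed(tree, resource, value):
    """Denied values win over allowed ones; an allow list restricts to its members;
    no policy at all falls back to the constraint default (allow everywhere)."""
    eff = effective_policy(tree, resource)
    if eff is None:
        return True
    if value in eff["deniedValues"]:
        return False
    if eff["allowedValues"]:
        return value in eff["allowedValues"]
    return True


if __name__ == "__main__":
    for project in ("projects/proj-a", "projects/proj-b", "projects/proj-c"):
        print(project, effective_policy(TREE, project),
              "europe-west1 allowed:", is_allowed(TREE, project, "europe-west1"))
```

The point the evaluator makes: after the security team sets the folder policy, proj-a still cannot create resources in europe-west1, not because the folder is "stricter" but because proj-a's own policy replaced the inherited one. Check the real answer with gcloud resource-manager org-policies describe constraints/gcp.resourceLocations --project=PROJECT --effective before trusting a diagram.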
Network Security Controls
Domain 4 overlaps with networking concepts introduced in Domain 2, but here the focus shifts to securing access rather than just building connectivity. You should be able to configure and reason about:
- VPC firewall rules, including priority (0-65535, lower number wins, and deny beats allow at equal priority), direction, the implied rules (deny all ingress and allow all egress at priority 65535), and target tags versus target service accounts
- Private Google Access, which lets VMs with only internal IPs reach Google APIs, and Private Service Connect, which exposes Google APIs or a producer's service on a private endpoint inside your VPC
- Cloud NAT for outbound-only internet access from private instances
- Identity-Aware Proxy (IAP) for securing SSH, RDP, and web app access without exposing public IPs; for IAP TCP forwarding the firewall still needs an ingress rule that allows the port from 35.235.240.0/20, the range IAP connects from
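An added example, not from the page: a small evaluator that applies the documented precedence rules to constructed rules in the JSON shape of gcloud compute firewall-rules list --format=json. It goes beyond the single mistake the table below lists, modelling both directions, the implied rules, target tags and target service accounts, and the deny-wins tie-break, and it reproduces the classic IAP mistake: a blanket deny on port 22 with a lower priority number than the IAP allow blocks IAP too. The VM, project and service account are invented; 35.235.240.0/20 is IAP's documented source range.

```python
"""VPC firewall precedence evaluator. Added example with constructed rules and VM."""
import ipaddress

IAP_RANGE = "35.235.240.0/20"           # documented IAP TCP-forwarding source range
WEB_SA = "web-sa@my-prod-project.iam.gserviceaccount.com"   # constructed

IMPLIED_RULES = [   # present in every VPC network, lowest precedence possible
    {"name": "implied-deny-ingress", "priority": 65535, "direction": "INGRESS",
     "denied": [{"IPProtocol": "all"}]},
    {"name": "implied-allow-egress", "priority": 65535, "direction": "EGRESS",
     "allowed": [{"IPProtocol": "all"}]},
]


def _ruleset(deny_ssh_priority):
    return [
        {"name": "allow-ssh-from-iap", "priority": 1000, "direction": "INGRESS",
         "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
         "sourceRanges": [IAP_RANGE], "targetTags": ["ssh-iap"]},
        {"name": "deny-ssh-internet", "priority": deny_ssh_priority, "direction": "INGRESS",
         "denied": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["0.0.0.0/0"]},
        {"name": "allow-web", "priority": 1000, "direction": "INGRESS",
         "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}],
         "sourceRanges": ["0.0.0.0/0"], "targetServiceAccounts": [WEB_SA]},
    ]


BAD_RULES = _ruleset(900)     # 900 < 1000: the blanket deny outranks the IAP allow
FIXED_RULES = _ruleset(1100)  # 1100 > 1000: the narrower IAP allow wins, deny is the fallback
VM = {"tags": ["ssh-iap"], "serviceAccount": WEB_SA}   # constructed instance


def _spec_matches(specs, proto, port):
    """Does any allowed/denied entry cover this protocol and port (ranges like 8000-8100)?"""
    for spec in specs:
        if spec.get("IPProtocol") not in (proto, "all"):
            continue
        ports = spec.get("ports")
        if not ports:
            return True                       # protocol-only entry covers every port
        for p in ports:
            lo, _, hi = p.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def _targets_instance(rule, instance):
    """No target fields means the rule applies to every instance in the network."""
    tags, sas = rule.get("targetTags"), rule.get("targetServiceAccounts")
    if not tags and not sas:
        return True
    return bool(tags and set(tags) & set(instance.get("tags", []))) or \
        bool(sas and instance.get("serviceAccount") in sas)


def evaluate(rules, instance, direction, proto, port, remote_ip):
    """Return (action, rule_name) for one packet. Lowest priority number wins; at equal
    priority a deny beats an allow; the implied rules decide anything left over."""
    ip = ipaddress.ip_address(remote_ip)
    range_key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    candidates = []
    for rule in rules + IMPLIED_RULES:
        if rule.get("disabled") or rule["direction"] != direction \
                or not _targets_instance(rule, instance):
            continue
        ranges = rule.get(range_key) or ["0.0.0.0/0"]   # missing range means any address
        if not any(ip in ipaddress.ip_network(cidr) for cidr in ranges):
            continue
        action = "DENY" if "denied" in rule else "ALLOW"
        if _spec_matches(rule.get("denied") or rule.get("allowed"), proto, port):
            candidates.append((rule["priority"], 0 if action == "DENY" else 1, action, rule["name"]))
    _, _, action, name = min(candidates)   # implied rules guarantee at least one candidate
    return action, name


if __name__ == "__main__":
    for label, rules in (("bad", BAD_RULES), ("fixed", FIXED_RULES)):
        print(label, "IAP ssh:", evaluate(rules, VM, "INGRESS", "tcp", 22, "35.235.240.10"))
```

Read the two results together: with the deny at 900 the IAP SSH session is refused by deny-ssh-internet even though an allow rule exists, which is exactly the "which rule actually takes effect" trap. The fix is not another allow rule but renumbering the deny above the allow, and the same evaluator shows RDP from the internet still falling through to the implied deny.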
Data Protection and Encryption
Encryption questions in Domain 4 rarely ask you to perform complex cryptography - they test whether you know Google Cloud encrypts data at rest by default and understand when and why you'd add customer-managed encryption keys (CMEK) through Cloud KMS. You should also know:
- How to grant fine-grained access to Cloud Storage buckets and objects: uniform bucket-level access turns off object ACLs so IAM alone decides, and IAM conditions narrow a binding by object name prefix, time, or other request attributes
- The purpose of Secret Manager for storing API keys, passwords, and certificates instead of hardcoding them
- Basic audit logging concepts: Admin Activity and System Event logs are always on, Data Access logs are off by default (except for BigQuery) and must be enabled per service, and Policy Denied logs record requests blocked by a security policy such as VPC Service Controls. All are viewed in Cloud Logging; reading Data Access logs needs roles/logging.privateLogViewer, not just roles/logging.viewer
These topics connect to operational monitoring covered in Domain 3, so reviewing both domains together often reinforces retention better than studying them in isolation.
How Domain 4 Questions Are Actually Written
Google writes ACE questions as short scenarios rather than definition lookups. A typical Domain 4 question describes a business constraint - "a new contractor needs temporary access to view but not modify BigQuery datasets" - and gives you four or five role or policy options that all sound plausible. The skill being tested isn't memorization of role names; it's recognizing which option satisfies least privilege without breaking the stated requirement.
Multiple-select questions ("select two") appear in this domain more than some others, often around combinations like "which two actions would reduce the attack surface of this service account." If you're unsure how heavily this style is weighted across the whole exam, the How Hard Is the ACE Exam difficulty guide walks through the overall question style and pacing expectations in more detail.
Scheduling Domain 4 Inside Your ACE Prep Plan
Because Domain 4 concepts (IAM, service accounts, org policy) reinforce material from the other three domains, it works best studied in the middle-to-late part of a prep timeline, after you've already built familiarity with core compute and storage services from Domains 1 and 2.
IAM and Service Accounts Deep Dive
- Practice creating custom roles and attaching service accounts to Compute Engine and Cloud Run
- Rotate and audit a service account key in a sandbox project
Org Policy, Networking, and Data Protection
- Configure firewall rules and IAP for a test VM
- Apply an organization policy constraint and confirm inheritance behavior
This is the one place we'll mention general study mechanics: short, spaced review sessions on IAM role names and org policy constraints tend to stick better than a single long cram session, simply because there are dozens of similarly named roles and constraints to keep straight. For a full week-by-week plan across all four domains, see the ACE Study Guide 2026.
Common Mistakes Candidates Make
| Mistake | Why It Costs Points |
|---|---|
| Choosing Owner/Editor for convenience | Violates least privilege; exam favors scoped predefined or custom roles |
| Downloading service account keys by default | Ignores safer attachment or workload identity federation options |
| Confusing IAM with organization policy | Leads to picking a role change when a policy constraint is the correct answer |
| Overlooking firewall rule priority numbers | Misjudges which rule actually takes effect in a conflict scenario |
| Skipping Secret Manager in favor of hardcoded credentials | Missed best-practice answer on data protection questions |
Many of these mistakes come from treating security as a checkbox rather than a design constraint. Reviewing real project structures - even a free-tier sandbox - for a few hours does more for Domain 4 readiness than passive reading. If you're still weighing whether the investment in prep and the exam fee is worthwhile, the ROI analysis on the ACE certification and the full pricing breakdown lay out the total cost picture, and the salary guide covers how certified skills translate to hiring conversations.
Employers hiring for roles that map to ACE skills - cloud support engineers, junior DevOps engineers, and platform administrators - routinely list IAM and network security configuration as day-one responsibilities, which is exactly why Domain 4 carries real weight beyond the exam itself. Browse current openings referencing this certification on the ACE Jobs page to see how these skills appear in actual job descriptions.
Once you've reviewed the domain content, running full-length practice exams on our ACE practice test platform is the fastest way to see whether IAM and security scenarios are actually sticking, rather than just feeling familiar. Timed practice sets on the practice site also help you get used to reading multi-sentence scenario stems within the 2-hour window.
FAQ
Google does not publish an exact percentage breakdown per domain, but access and security concepts appear both directly in Domain 4 questions and indirectly across Domains 1-3 wherever IAM or service accounts are involved.
Google recommends 6+ months of hands-on Google Cloud experience for the ACE exam, and Domain 4 scenario questions are much easier to answer correctly if you've actually configured roles, service accounts, and firewall rules yourself rather than only reading about them.
Difficulty is subjective and depends on your background, but candidates without prior identity or networking experience often find IAM, service accounts, and org policy concepts less intuitive than compute or storage topics covered in earlier domains.
You can retake the exam; Google allows up to 4 attempts within a 2-year period for Associate and Professional Google Cloud exams, with required waiting periods between failed attempts.
See the dedicated guides for Domain 1, Domain 2, and Domain 3, or start with the overview in the ACE Exam Domains 2026 guide.
- ACE Domain 1: Setting up a cloud solution environment - Complete Study Guide 2026
- ACE Domain 2: Planning and implementing a cloud solution - Complete Study Guide 2026
- ACE Domain 3: Ensuring the successful operation of a cloud solution - Complete Study Guide 2026
- ACE Exam Domains 2026: Complete Guide to All 4 Content Areas