Cloud Storage has two access control systems, IAM and ACLs, and Google's official guidance is to use IAM and disable ACLs unless you really need them. The Associate Cloud Engineer exam tests both this comparison and the existence of uniform bucket-level access as the mechanism that enforces the recommendation. This article covers the two systems, the recommended setup, and the exam patterns.
It does not cover every IAM role on Cloud Storage, conditional IAM policies, or VPC Service Controls. Those are separate topics. This is about the IAM-versus-ACL choice.
IAM is the standard access control system across Google Cloud. You grant a role to a principal at some level of the resource hierarchy, and the role's permissions apply to that resource and everything below it. For Cloud Storage, you can grant IAM roles at the organization, folder, project, or bucket level.
The roles you need to know for the Associate Cloud Engineer exam are Storage Admin (full control), Storage Object Admin (manage objects), Storage Object Creator (upload only), and Storage Object Viewer (read only). These are role-based, which means they bundle a set of permissions together and you grant the bundle.
IAM stops at the bucket. If you grant Storage Object Viewer on a bucket, the principal can read every object in that bucket; there is no IAM binding on an individual object. To narrow a grant to a subset of objects, you attach an IAM condition to the binding (typically one that matches only object names under a given prefix), which is more advanced and not covered here.
ACLs are the older system; they predate IAM. An ACL is attached to an individual bucket or an individual object and lists entries that pair an entity (a user, group, domain, project team, allUsers, or allAuthenticatedUsers) with a permission: OWNER, WRITER, or READER on a bucket, OWNER or READER on an object. Because every object carries its own ACL, they give per-object control without a conditional IAM policy, but a bucket with a million objects has a million ACLs to audit, and one stray allUsers READER entry on one object is easy to miss.
ACLs are effectively legacy (the console calls the mode that keeps them enabled "fine-grained" access). They still work, and they may show up on the exam, but Google does not recommend them for new buckets because IAM covers the same needs with the one model used across Google Cloud, and it is easier to manage and audit.
Uniform bucket-level access is a per-bucket setting that disables ACLs. With it enabled, only IAM applies: existing bucket and object ACLs are ignored, and attempts to set ACLs are rejected. This is Google's recommended configuration. It simplifies access control by making IAM the only system that matters, which means you have one place to look when auditing who can access what. Two caveats before enabling it on an existing bucket: any access that was granted only through an ACL is lost, so review the ACLs first and re-grant what is still needed as IAM bindings; and it does not revoke anything IAM already grants, so an allUsers binding on the bucket still makes it public (pair it with public access prevention if the bucket must never be public).
Once enabled, uniform bucket-level access can be turned back off only within 90 days. The bucket metadata records the deadline (lockedTime), and after it passes the setting is permanent. That is the guardrail for compliance scenarios where you need to guarantee ACLs cannot come back, and it is also why enabling it on a production bucket without the ACL review above is risky: past the window there is no undo.
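The audit the last few paragraphs describe is worth seeing as code, because the two systems have to be combined differently depending on the bucket's setting. The following script is an added example, not code from the original article or from Google; it works offline on constructed sample data shaped like the JSON API's bucket metadata (iamConfiguration.uniformBucketLevelAccess), a bucket IAM policy, and an object ACL. It reports who can read a given object: IAM bindings on the bucket (honoring the one conditional shape this example understands, a resource.name.startsWith prefix restriction) plus the object's ACL entries, unless uniform bucket-level access is on, in which case ACLs are ignored. It also classifies the bucket as disabled, enabled but still revertible, or permanent using lockedTime. The set of roles that include storage.objects.get and the treatment of a missing lockedTime as "no longer revertible" are this example's assumptions.

```python
"""Offline audit: who can read an object in a Cloud Storage bucket?

Added example, not the article's or Google's code. Input shapes mirror the
Cloud Storage JSON API; the sample data at the bottom is constructed.
"""
import re
from datetime import datetime, timezone

# Assumption: roles whose permission set includes storage.objects.get
# (read object data). The basic roles owner/editor/viewer carry it too.
OBJECT_READ_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/storage.admin", "roles/storage.objectAdmin",
    "roles/storage.objectViewer", "roles/storage.objectUser",
    "roles/storage.legacyObjectReader", "roles/storage.legacyObjectOwner",
}

# The only CEL condition this example evaluates: an object-name prefix.
_PREFIX_COND = re.compile(
    r'resource\.name\.startsWith\("projects/_/buckets/([^/"]+)/objects/([^"]*)"\)'
)


def condition_allows(expr, bucket, object_name):
    """Evaluate a resource.name.startsWith(...) condition for one object."""
    m = _PREFIX_COND.fullmatch(expr.strip())
    if m is None:
        # Unknown condition shape: assume it may grant, which is the
        # conservative choice for an exposure audit.
        return True
    cond_bucket, prefix = m.groups()
    return cond_bucket == bucket and object_name.startswith(prefix)


def iam_object_readers(bucket, object_name, policy):
    """Members who can read the object via IAM bindings on the bucket."""
    readers = set()
    for binding in policy.get("bindings", []):
        if binding["role"] not in OBJECT_READ_ROLES:
            continue
        cond = binding.get("condition")
        if cond and not condition_allows(cond["expression"], bucket, object_name):
            continue
        readers.update(binding["members"])
    return readers


def acl_entity_to_member(entity):
    """Spell an ACL entity the IAM way so the two lists are comparable."""
    if entity in ("allUsers", "allAuthenticatedUsers"):
        return entity
    kind, _, ident = entity.partition("-")  # user-x / group-x / domain-x
    return f"{kind}:{ident}"


def acl_object_readers(object_acl):
    """Members who can read the object via its ACL (READER or OWNER)."""
    return {acl_entity_to_member(e["entity"]) for e in object_acl
            if e["role"] in ("READER", "OWNER")}


def _ubla(bucket_meta):
    return bucket_meta.get("iamConfiguration", {}).get("uniformBucketLevelAccess", {})


def ubla_state(bucket_meta, now):
    """'disabled', 'enabled-revertible' or 'enabled-permanent' (via lockedTime)."""
    cfg = _ubla(bucket_meta)
    if not cfg.get("enabled"):
        return "disabled"
    locked = cfg.get("lockedTime")
    if locked is None:  # assumption: no deadline recorded means no longer revertible
        return "enabled-permanent"
    deadline = datetime.fromisoformat(locked.replace("Z", "+00:00"))
    return "enabled-revertible" if now < deadline else "enabled-permanent"


def effective_object_readers(bucket_meta, object_name, policy, object_acl):
    """Union of both systems, unless uniform bucket-level access makes ACLs inert."""
    readers = iam_object_readers(bucket_meta["name"], object_name, policy)
    if not _ubla(bucket_meta).get("enabled"):
        readers |= acl_object_readers(object_acl)
    return readers


def is_public(readers):
    return bool(readers & {"allUsers", "allAuthenticatedUsers"})


# Constructed sample data (not real buckets or principals).
BUCKET_FINEGRAINED = {"name": "acme-reports",
                      "iamConfiguration": {"uniformBucketLevelAccess": {"enabled": False}}}
BUCKET_UNIFORM = {"name": "acme-reports",
                  "iamConfiguration": {"uniformBucketLevelAccess": {
                      "enabled": True, "lockedTime": "2025-04-01T00:00:00Z"}}}
POLICY = {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["group:analysts@example.com"]},
    {"role": "roles/storage.objectViewer", "members": ["user:auditor@partner.example"],
     "condition": {"title": "reports prefix only",
                   "expression": 'resource.name.startsWith("projects/_/buckets/acme-reports/objects/reports/")'}},
    {"role": "roles/storage.objectCreator",
     "members": ["serviceAccount:ingest@acme.iam.gserviceaccount.com"]},
]}
# A per-object ACL somebody set long ago to make one file public.
ACL_PUBLIC_FILE = [{"entity": "user-owner@example.com", "role": "OWNER"},
                   {"entity": "allUsers", "role": "READER"}]

if __name__ == "__main__":
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    for meta in (BUCKET_FINEGRAINED, BUCKET_UNIFORM):
        readers = effective_object_readers(meta, "reports/q1.csv", POLICY, ACL_PUBLIC_FILE)
        print(ubla_state(meta, now), "public" if is_public(readers) else "private", sorted(readers))
```

The point the sample makes: the IAM policy looks private, yet with fine-grained access the object is world-readable through its ACL; flipping the bucket to uniform access makes the same ACL inert, and the conditional binding confines the external auditor to the reports/ prefix. Run the same functions over real `buckets describe` and `get-iam-policy` output and the audit stays honest about which system is actually in force.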
For new buckets, almost every case is IAM with uniform bucket-level access enabled. The cases where ACLs are still useful are narrow: a static website served from a bucket where only some files should be anonymously readable (IAM can only make the whole bucket public, or you split the public files into their own bucket); existing buckets that already rely on ACLs and are not worth migrating; and some legacy integrations that expect ACL-based control.
For the Associate Cloud Engineer exam, the answer is almost always IAM with uniform bucket-level access. ACLs come up as wrong answers on questions where the right answer is the simpler IAM-based approach.
If you see a question about bucket access control and one option is IAM and the other is ACLs, IAM is almost always the answer. The exception is when the scenario specifically requires per-object permissions for a small number of objects in a bucket where most objects have different rules, but those scenarios are rare.
If you see a question about Google's recommended approach to Cloud Storage access control, the answer involves uniform bucket-level access, which disables ACLs and forces IAM-only.
If you see a question about granting an external party read access to all objects in a bucket, the answer is an IAM grant of Storage Object Viewer on the bucket. ACLs would technically work, but object reads are governed by each object's own ACL, so you would have to set an entry on every existing object and a default object ACL for future ones; IAM is the cleaner answer.
If you see a question about granting access to a single file for a non-GCP user, the answer is a signed URL, not IAM and not ACLs. That is a different question pattern entirely, but it is worth recognizing because signed URLs sometimes appear as a wrong answer on IAM-vs-ACL questions and vice versa.
IAM is the standard, role-based access control system, granted at the bucket level and above. ACLs are the older, fine-grained system attached to individual buckets and objects, which Google recommends turning off via uniform bucket-level access. For the Associate Cloud Engineer exam, IAM is almost always the answer when ACLs are also an option, unless the scenario specifically requires per-object control that is hard to express in IAM.
My Associate Cloud Engineer course covers IAM, ACLs, uniform bucket-level access, and signed URLs in the Cloud Storage section the ACE exam tests.