12.2 Managing and Securing Cloud Storage Objects & Lifecycle Policies

Key Takeaways

  • Uniform bucket-level access (IAM-only) is the recommended default; enabling it disables legacy per-object ACLs entirely for that bucket.
  • Signed URLs grant time-boxed access to a single object for identities outside Google Cloud, capped at 7 days (604,800 seconds) under V4 signing.
  • A lifecycle rule pairs AND-combined conditions (age, matchesStorageClass, numNewerVersions, and others) with one action: Delete, SetStorageClass, or AbortIncompleteMultipartUpload.
  • Nearline/Coldline/Archive carry 30/90/365-day minimum storage durations; moving or deleting an object early still bills the remainder.
  • Retention policies (Bucket Lock) and object holds prevent early deletion; lifecycle rules cause eventual deletion — compliance setups typically combine both.
Last updated: July 2026

Why This Matters for the ACE Exam

Domain 4 of the official exam guide lists two Cloud Storage bullets under "Ensuring successful operation of a cloud solution": managing and securing objects, and setting object lifecycle management policies. Chapter 4 covered choosing a storage class; this section covers what happens after data lands in a bucket — who is allowed to touch it, how to share a single file without opening the whole bucket, and how to make aging data cheaper automatically instead of manually re-uploading it every few months.

Access Control: IAM, ACLs, and Signed URLs

Cloud Storage supports two overlapping access-control systems, plus a bridge mechanism for external sharing:

  • Uniform bucket-level access — the recommended default. Once enabled on a bucket, only IAM policies grant access; legacy per-object ACLs stop applying entirely, and any attempt to set or read an ACL on that bucket or its objects fails.
  • Fine-grained access — the older model, where per-object access control lists (ACLs, using roles like READER and OWNER) work alongside IAM. This is only available when uniform bucket-level access is not enabled.
  • Signed URLs — a way to grant time-boxed access to one specific object to a party who has no Google Cloud identity at all (a customer downloading an invoice, for example). A signed URL is neither an IAM grant nor an ACL; it is a cryptographically signed link with a built-in expiration.
IAM rolePermission level
roles/storage.adminFull control of buckets and objects
roles/storage.objectAdminFull control of objects only (create, read, delete, list)
roles/storage.objectCreatorUpload-only — cannot read or delete existing objects
roles/storage.objectViewerRead-only access to objects

For signed URLs, the current V4 signing scheme allows a maximum expiration of 604,800 seconds — 7 days — because the signing mechanism itself is only valid for that long. In practice, best practice is to use a far shorter window than the maximum: minutes for a one-time upload link, an hour or less for a download link, and never the full 7 days for anything sensitive.

Object Lifecycle Management

A lifecycle configuration is a set of independent rules attached to a bucket. Each rule pairs one or more conditions (combined with AND logic — every condition in the rule must match) with exactly one action. Multiple rules on the same bucket are evaluated independently (effectively OR'd), so a bucket commonly has several rules working together to build a full aging pipeline.

ConditionMeaning
ageObject has existed for N days since creation
createdBeforeObject was created before a specific date
customTimeBefore / daysSinceCustomTimeBased on a user-set Custom-Time metadata value
isLiveTrue for the current (live) version, false for noncurrent versions
matchesStorageClassObject is currently in a specified storage class
matchesPrefix / matchesSuffixObject name matches a prefix or suffix pattern
noncurrentTimeBefore / daysSinceNoncurrentTimeBased on when a versioned object became noncurrent
numNewerVersionsAt least N newer versions exist (requires object versioning)
ActionEffect
DeleteRemoves the object (subject to any active retention policy or hold)
SetStorageClassTransitions the object to a cheaper (or different) storage class
AbortIncompleteMultipartUploadCancels stalled uploads; only usable with age, matchesPrefix, or matchesSuffix

Two operational facts matter for scenario questions: Cloud Storage evaluates rules regularly rather than instantly, so a lifecycle configuration change can take up to 24 hours to take effect, and even once effective, the action itself runs asynchronously — there can be a lag between the moment an object meets a condition and the moment the action fires.

Storage Class Minimums and Cost

Each non-Standard class carries a minimum storage duration; deleting or transitioning an object out early still bills for the remaining minimum period as an early-deletion charge.

ClassMinimum storage duration
StandardNone
Nearline30 days
Coldline90 days
Archive365 days

A typical exam-style lifecycle policy tiers objects down automatically as they age:

{
  "rule": [
    { "action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
      "condition": {"age": 30, "matchesStorageClass": ["STANDARD"]} },
    { "action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
      "condition": {"age": 90, "matchesStorageClass": ["NEARLINE"]} },
    { "action": {"type": "SetStorageClass", "storageClass": "ARCHIVE"},
      "condition": {"age": 365, "matchesStorageClass": ["COLDLINE"]} },
    { "action": {"type": "Delete"},
      "condition": {"age": 2555} }
  ]
}

Here the matchesStorageClass condition is essential — without it, an object already in Archive would keep re-matching the age: 30 rule and be pushed back down to Nearline.

Retention Policies and Holds: Not the Same as Lifecycle

A lifecycle policy eventually deletes data; a retention policy (Bucket Lock) does the opposite — it prevents deletion or overwriting of any object in the bucket until a configured retention period elapses, even by a project owner. Object holds (temporary or event-based) block deletion of a specific object regardless of any lifecycle rule, until the hold is explicitly released. Compliance scenarios often combine both: a retention policy guarantees data isn't deleted too early, while a lifecycle rule guarantees it eventually is deleted once the requirement expires.

Common Traps

  • Enabling uniform bucket-level access and then trying to run an ACL command against that bucket — it fails, because ACLs are disabled entirely, not merged with IAM.
  • Assuming a lifecycle action fires the instant a condition is met — configuration changes take up to 24 hours to activate, and actions run asynchronously afterward.
  • Forgetting that versioning-related conditions (numNewerVersions, isLive, noncurrentTimeBefore) only do anything on a bucket with object versioning enabled.
  • Treating a signed URL as equivalent to an IAM grant — it is a separate, time-limited mechanism capped at 7 days for external, identity-less sharing.

Key Takeaways

  • Uniform bucket-level access (IAM-only) is the recommended default; enabling it disables legacy ACLs entirely for that bucket.
  • Signed URLs grant time-boxed access to a single object for non-Google-Cloud identities and cap out at 7 days under V4 signing.
  • A lifecycle rule = conditions (AND) + one action (Delete, SetStorageClass, or AbortIncompleteMultipartUpload); rules on a bucket act independently.
  • Nearline/Coldline/Archive carry 30/90/365-day minimum storage durations; deleting early still bills the remainder.
  • Retention policies and holds prevent early deletion; lifecycle rules cause eventual deletion — compliance setups typically use both together.
Test Your Knowledge

A bucket has uniform bucket-level access enabled. An administrator then tries to grant a user read access to one object using a legacy ACL. What happens?

A
B
C
D
Test Your Knowledge

Which lifecycle configuration automatically cancels multipart uploads that have been incomplete for more than 7 days, without touching any completed objects?

A
B
C
D
Test Your Knowledge

What is the maximum expiration time for a Cloud Storage signed URL generated using the current V4 signing process?

A
B
C
D