Associate Cloud Engineer

By Google
Aug, 2025

Question 1

Every employee of your company has a Google account. Your operational team needs to manage a large number of instances on Compute Engine. Each member of this team needs only administrative access to the servers. Your security team wants to ensure that the deployment of credentials is operationally efficient and must be able to determine who accessed a given instance. What should you do?

  • A: Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key in the metadata of each instance.
  • B: Ask each member of the team to generate a new SSH key pair and to send you their public key. Use a configuration management tool to deploy those keys on each instance.
  • C: Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the "compute.osAdminLogin" role to the Google group corresponding to this team.
  • D: Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key as a project-wide public SSH key in your Cloud Platform project and allow project-wide public SSH keys on each instance.

Question 2

You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?

  • A: Use gcloud iam roles copy and specify the production project as the destination project.
  • B: Use gcloud iam roles copy and specify your organization as the destination organization.
  • C: In the Google Cloud Platform Console, use the 'create role from role' functionality.
  • D: In the Google Cloud Platform Console, use the 'create role' functionality and select all applicable permissions.

Question 3

Your organization has strict requirements to control access to Google Cloud projects. You need to enable your Site Reliability Engineers (SREs) to approve requests from the Google Cloud support team when an SRE opens a support case. You want to follow Google-recommended practices. What should you do?

  • A: Add your SREs to roles/iam.roleAdmin role.
  • B: Add your SREs to roles/accessapproval.approver role.
  • C: Add your SREs to a group and then add this group to roles/iam.roleAdmin role.
  • D: Add your SREs to a group and then add this group to roles/accessapproval.approver role.

Question 4

You need to host an application on a Compute Engine instance in a project shared with other teams. You want to prevent the other teams from accidentally causing downtime on that application. Which feature should you use?

  • A: Use a Shielded VM.
  • B: Use a Preemptible VM.
  • C: Use a sole-tenant node.
  • D: Enable deletion protection on the instance.

Question 5

Your organization needs to grant users access to query datasets in BigQuery but prevent them from accidentally deleting the datasets. You want a solution that follows Google-recommended practices. What should you do?

  • A: Add users to roles/bigquery.user role only, instead of roles/bigquery.dataOwner.
  • B: Add users to roles/bigquery.dataEditor role only, instead of roles/bigquery.dataOwner.
  • C: Create a custom role by removing delete permissions, and add users to that role only.
  • D: Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role.

Question 6

You have a developer laptop with the Cloud SDK installed on Ubuntu. The Cloud SDK was installed from the Google Cloud Ubuntu package repository. You want to test your application locally on your laptop with Cloud Datastore. What should you do?

  • A: Export Cloud Datastore data using gcloud datastore export.
  • B: Create a Cloud Datastore index using gcloud datastore indexes create.
  • C: Install the google-cloud-sdk-datastore-emulator component using the apt-get install command.
  • D: Install the cloud-datastore-emulator component using the gcloud components install command.

Question 7

Your company set up a complex organizational structure on Google Cloud. The structure includes hundreds of folders and projects. Only a few team members should be able to view the hierarchical structure. You need to assign minimum permissions to these team members, and you want to follow Google-recommended practices. What should you do?

  • A: Add the users to roles/browser role.
  • B: Add the users to roles/iam.roleViewer role.
  • C: Add the users to a group, and add this group to roles/browser.
  • D: Add the users to a group, and add this group to roles/iam.roleViewer role.

Question 8

Your company has a single sign-on (SSO) identity provider that supports Security Assertion Markup Language (SAML) integration with service providers. Your company has users in Cloud Identity. You would like users to authenticate using your company's SSO provider. What should you do?

  • A: In Cloud Identity, set up SSO with Google as an identity provider to access custom SAML apps.
  • B: In Cloud Identity, set up SSO with a third-party identity provider with Google as a service provider.
  • C: Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Mobile & Desktop Apps.
  • D: Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Web Server Applications.

Question 9

Your organization has a dedicated person who creates and manages all service accounts for Google Cloud projects. You need to assign this person the minimum role for projects. What should you do?

  • A: Add the user to roles/iam.roleAdmin role.
  • B: Add the user to roles/iam.securityAdmin role.
  • C: Add the user to roles/iam.serviceAccountUser role.
  • D: Add the user to roles/iam.serviceAccountAdmin role.

Question 10

You are building an archival solution for your data warehouse and have selected Cloud Storage to archive your data. Your users need to be able to access this archived data once a quarter for some regulatory requirements. You want to select a cost-efficient option. Which storage option should you use?

  • A: Cold Storage
  • B: Nearline Storage
  • C: Regional Storage
  • D: Multi-Regional Storage

Question 11

A team of data scientists infrequently needs to use a Google Kubernetes Engine (GKE) cluster that you manage. They require GPUs for some long-running, non-restartable jobs. You want to minimize cost. What should you do?

  • A: Enable node auto-provisioning on the GKE cluster.
  • B: Create a VerticalPodAutoscaler for those workloads.
  • C: Create a node pool with preemptible VMs and GPUs attached to those VMs.
  • D: Create a node pool of instances with GPUs, and enable autoscaling on this node pool with a minimum size of 1.

Question 12

Your organization has user identities in Active Directory. Your organization wants to use Active Directory as their source of truth for identities. Your organization wants to have full control over the Google accounts used by employees for all Google services, including your Google Cloud Platform (GCP) organization. What should you do?

  • A: Use Google Cloud Directory Sync (GCDS) to synchronize users into Cloud Identity.
  • B: Use the Cloud Identity APIs and write a script to synchronize users to Cloud Identity.
  • C: Export users from Active Directory as a CSV and import them to Cloud Identity via the Admin Console.
  • D: Ask each employee to create a Google account using self signup. Require that each employee use their company email address and password.

Question 13

You need a dynamic way of provisioning VMs on Compute Engine. The exact specifications will be in a dedicated configuration file. You want to follow Google's recommended practices. Which method should you use?

  • A: Deployment Manager
  • B: Cloud Composer
  • C: Managed Instance Group
  • D: Unmanaged Instance Group

Question 14

You have successfully created a development environment in a project for an application. This application uses Compute Engine and Cloud SQL. Now you need to create a production environment for this application. The security team has forbidden the existence of network routes between these 2 environments and has asked you to follow Google-recommended practices. What should you do?

  • A: Create a new project, enable the Compute Engine and Cloud SQL APIs in that project, and replicate the setup you have created in the development environment.
  • B: Create a new production subnet in the existing VPC and a new production Cloud SQL instance in your existing project, and deploy your application using those resources.
  • C: Create a new project, modify your existing VPC to be a Shared VPC, share that VPC with your new project, and replicate the setup you have in the development environment in that new project in the Shared VPC.
  • D: Ask the security team to grant you the Project Editor role in an existing production project used by another division of your company. Once they grant you that role, replicate the setup you have in the development environment in that project.

Question 15

Your management has asked an external auditor to review all the resources in a specific project. The security team has enabled the Organization Policy called Domain Restricted Sharing on the organization node by specifying only your Cloud Identity domain. You want the auditor to only be able to view, but not modify, the resources in that project. What should you do?

  • A: Ask the auditor for their Google account, and give them the Viewer role on the project.
  • B: Ask the auditor for their Google account, and give them the Security Reviewer role on the project.
  • C: Create a temporary account for the auditor in Cloud Identity, and give that account the Viewer role on the project.
  • D: Create a temporary account for the auditor in Cloud Identity, and give that account the Security Reviewer role on the project.

Question 16

You have a workload running on Compute Engine that is critical to your business. You want to ensure that the data on the boot disk of this workload is backed up regularly. You need to be able to restore a backup as quickly as possible in case of disaster. You also want older backups to be cleaned automatically to save on cost. You want to follow Google-recommended practices. What should you do?

  • A: Create a Cloud Function to create an instance template.
  • B: Create a snapshot schedule for the disk using the desired interval.
  • C: Create a cron job to create a new disk from the disk using gcloud.
  • D: Create a Cloud Task to create an image and export it to Cloud Storage.

Question 17

You need to assign a Cloud Identity and Access Management (Cloud IAM) role to an external auditor. The auditor needs to have permissions to review your Google Cloud Platform (GCP) Audit Logs and also to review your Data Access logs. What should you do?

  • A: Assign the auditor the IAM role roles/logging.privateLogViewer. Perform the export of logs to Cloud Storage.
  • B: Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy.
  • C: Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Perform the export of logs to Cloud Storage.
  • D: Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Direct the auditor to also review the logs for changes to Cloud IAM policy.

Question 18

You are managing several Google Cloud Platform (GCP) projects and need access to all logs for the past 60 days. You want to be able to explore and quickly analyze the log contents. You want to follow Google-recommended practices to obtain the combined logs for all projects. What should you do?

  • A: Navigate to Stackdriver Logging and select resource.labels.project_id="*"
  • B: Create a Stackdriver Logging Export with a Sink destination to a BigQuery dataset. Configure the table expiration to 60 days.
  • C: Create a Stackdriver Logging Export with a Sink destination to Cloud Storage. Create a lifecycle rule to delete objects after 60 days.
  • D: Configure a Cloud Scheduler job to read from Stackdriver and store the logs in BigQuery. Configure the table expiration to 60 days.

Question 19

You need to reduce GCP service costs for a division of your company using the fewest possible steps. You need to turn off all configured services in an existing GCP project. What should you do?

  • A: 1. Verify that you are assigned the Project Owners IAM role for this project. 2. Locate the project in the GCP console, click Shut down and then enter the project ID.
  • B: 1. Verify that you are assigned the Project Owners IAM role for this project. 2. Switch to the project in the GCP console, locate the resources and delete them.
  • C: 1. Verify that you are assigned the Organizational Administrator IAM role for this project. 2. Locate the project in the GCP console, enter the project ID and then click Shut down.
  • D: 1. Verify that you are assigned the Organizational Administrators IAM role for this project. 2. Switch to the project in the GCP console, locate the resources and delete them.

Question 20

You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in crm-databases-proj. You want to follow Google-recommended practices to give access to the service account in the web-applications project. What should you do?

  • A: Give "project owner" for web-applications appropriate roles to crm-databases-proj.
  • B: Give "project owner" role to crm-databases-proj and the web-applications project.
  • C: Give "project owner" role to crm-databases-proj and bigquery.dataViewer role to web-applications.
  • D: Give bigquery.dataViewer role to crm-databases-proj and appropriate roles to web-applications.

Question 21

An employee was terminated, but their access to Google Cloud was not removed until 2 weeks later. You need to find out if this employee accessed any sensitive customer information after their termination. What should you do?

  • A: View System Event Logs in Cloud Logging. Search for the user's email as the principal.
  • B: View System Event Logs in Cloud Logging. Search for the service account associated with the user.
  • C: View Data Access audit logs in Cloud Logging. Search for the user's email as the principal.
  • D: View the Admin Activity log in Cloud Logging. Search for the service account associated with the user.

Question 22

You need to create a custom IAM role for use with a GCP service. All permissions in the role must be suitable for production use. You also want to clearly share with your organization the status of the custom role. This will be the first version of the custom role. What should you do?

  • A: Use permissions in your role that use the 'supported' support level for role permissions. Set the role stage to ALPHA while testing the role permissions.
  • B: Use permissions in your role that use the 'supported' support level for role permissions. Set the role stage to BETA while testing the role permissions.
  • C: Use permissions in your role that use the 'testing' support level for role permissions. Set the role stage to ALPHA while testing the role permissions.
  • D: Use permissions in your role that use the 'testing' support level for role permissions. Set the role stage to BETA while testing the role permissions.

Question 23

Your company has a large quantity of unstructured data in different file formats. You want to perform ETL transformations on the data. You need to make the data accessible on Google Cloud so it can be processed by a Dataflow job. What should you do?

  • A: Upload the data to BigQuery using the bq command line tool.
  • B: Upload the data to Cloud Storage using the gsutil command line tool.
  • C: Upload the data into Cloud SQL using the import function in the console.
  • D: Upload the data into Cloud Spanner using the import function in the console.

Question 24

You have a Dockerfile that you need to deploy on Kubernetes Engine. What should you do?

  • A: Use kubectl app deploy <dockerfilename>.
  • B: Use gcloud app deploy <dockerfilename>.
  • C: Create a docker image from the Dockerfile and upload it to Container Registry. Create a Deployment YAML file to point to that image. Use kubectl to create the deployment with that file.
  • D: Create a docker image from the Dockerfile and upload it to Cloud Storage. Create a Deployment YAML file to point to that image. Use kubectl to create the deployment with that file.

Question 25

You need to manage multiple Google Cloud projects in the fewest steps possible. You want to configure the Google Cloud SDK command line interface (CLI) so that you can easily manage multiple projects. What should you do?

  • A: 1. Create a configuration for each project you need to manage. 2. Activate the appropriate configuration when you work with each of your assigned Google Cloud projects.
  • B: 1. Create a configuration for each project you need to manage. 2. Use gcloud init to update the configuration values when you need to work with a non-default project.
  • C: 1. Use the default configuration for one project you need to manage. 2. Activate the appropriate configuration when you work with each of your assigned Google Cloud projects.
  • D: 1. Use the default configuration for one project you need to manage. 2. Use gcloud init to update the configuration values when you need to work with a non-default project.