
Google Cloud · Free Practice Questions · Last reviewed May 2026

ACE Exam Questions and Answers

30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

50 exam questions
120 min time limit
Pass: 700/1000
5 exam domains
Exam domains:
1. Setting up a cloud solution environment
2. Planning and configuring a cloud solution
3. Deploying and implementing a cloud solution
4. Ensuring successful operation of a cloud solution
5. Configuring access and security

Domain 1: Setting up a cloud solution environment

Q1 (easy)

What is the correct order of the Google Cloud resource hierarchy from highest to lowest level?

A. Folder → Organization → Project → Resources
B. Organization → Folder → Project → Resources
C. Project → Folder → Organization → Resources
D. Organization → Project → Folder → Resources

Correct answer: B. The correct hierarchy is Organization at the top, followed by Folders, Projects, and individual Resources.

Why: The Google Cloud resource hierarchy is structured from highest to lowest as Organization, Folder, Project, and Resources. The Organization node is the root, allowing centralized policy management; Folders group projects under departments or teams; Projects are the base-level containers for services and APIs; Resources (like Compute Engine instances) reside within projects. Option B correctly reflects this top-down inheritance of IAM policies and access control.

Q2 (easy)

A startup creates its first Google Cloud project. Before deploying any paid resources, what must be linked to the project?

A. A Cloud Identity domain
B. An Organization resource node
C. A billing account
D. A Shared VPC host project

Correct answer: C. Every project that uses paid GCP services must have a billing account linked. Without it, resource creation for paid services will fail.

Why: A billing account must be linked to a Google Cloud project before deploying any paid resources because Google Cloud requires a valid payment method to be associated with the project to track and charge for resource usage. Without a billing account, the project is in a billing-disabled state and can only use free-tier or always-free resources; any paid service will fail to provision.

Q3 (easy)

Which gcloud CLI command authenticates a developer's local environment with their Google account?

A. gcloud config set account [EMAIL]
B. gcloud auth login
C. gcloud init --authenticate
D. gcloud accounts activate

Correct answer: B. `gcloud auth login` initiates the OAuth flow, authenticates the user, and stores credentials for subsequent CLI commands.

Why: Option B, `gcloud auth login`, is correct because it initiates the OAuth 2.0 flow to authenticate the gcloud CLI with a user's Google account, storing the resulting credentials locally for subsequent API calls. This command is the standard way to authorize a developer's local environment for the first time or when switching users.

Q4 (medium)

A developer attempts to create a Cloud SQL instance but receives the error: 'API [sqladmin.googleapis.com] not enabled.' What is the correct resolution?

A. Assign the developer the Cloud SQL Admin IAM role
B. Request a quota increase for Cloud SQL in the project
C. Enable the Cloud SQL Admin API via APIs & Services > Library in the Console
D. Create a new project — Cloud SQL is enabled by default in new projects

Correct answer: C. Navigating to APIs & Services > Library and enabling the Cloud SQL Admin API resolves this error. It can also be done with `gcloud services enable sqladmin.googleapis.com`.

Why: The error 'API [sqladmin.googleapis.com] not enabled' indicates that the Cloud SQL Admin API has not been activated for the project. The correct resolution is to enable the API via APIs & Services > Library in the Google Cloud Console, as this is a prerequisite for creating any Cloud SQL instance. Assigning IAM roles or requesting quota increases does not enable the underlying API service.

Q5 (medium)

An application running on a Compute Engine VM needs to read objects from a Cloud Storage bucket in the same project. What is the recommended authentication approach?

A. Embed a developer's user account credentials in the application configuration file
B. Attach a service account with the Storage Object Viewer role to the VM
C. Create an API key and store it as an environment variable on the VM
D. Grant the VM's IP address access to the bucket using a VPC firewall rule

Correct answer: B. Service accounts attached to VMs allow applications to authenticate automatically via the metadata server. This eliminates the need to manage credentials directly.

Why: Option B is correct because attaching a service account with the Storage Object Viewer role to the Compute Engine VM is the recommended and secure method for authenticating to Cloud Storage. The VM automatically obtains OAuth 2.0 access tokens for the service account via the metadata server, eliminating the need to manage or embed credentials in the application code.

Q6 (medium)

A company organizes its GCP projects by business unit — Finance, Engineering, and Sales. Which resource is best suited to group these projects while applying shared IAM policies to all projects in each group?

A. Apply labels to each project to identify the business unit
B. Apply resource tags to each project for policy enforcement
C. Create GCP Folders for each business unit and add the relevant projects
D. Create a Shared VPC host project for each business unit

Correct answer: C. Folders are the right level in the GCP hierarchy for grouping projects by business unit. IAM and Org Policies set on a Folder cascade to all child projects.

Why: C is correct because GCP Folders are the hierarchical resource designed to group projects under an organization node, allowing you to apply shared IAM policies at the folder level that automatically propagate to all projects within that folder. This aligns with the requirement to organize projects by business unit and enforce consistent access controls across each group.



Domain 2: Planning and configuring a cloud solution

Q1 (easy)

A compliance archive stores legal documents accessed at most once per quarter. Which Cloud Storage class minimizes storage cost while meeting that access pattern?

A. Standard
B. Nearline
C. Coldline
D. Archive

Correct answer: C. Coldline is ideal for data accessed once per quarter or less. It offers low storage cost with a 90-day minimum storage duration, matching this use case.

Why: Coldline storage is designed for data accessed less than once per quarter, offering lower storage costs than Standard or Nearline while still providing millisecond access when needed. For a compliance archive accessed at most once per quarter, Coldline minimizes storage cost without incurring the higher retrieval fees or minimum storage durations of Archive storage.

Q2 (medium)

A team needs to run a containerized HTTP API that scales to zero when idle and requires zero cluster or server management. Which GCP compute platform is the best fit?

A. Compute Engine with a managed instance group
B. Google Kubernetes Engine Autopilot
C. Cloud Run
D. App Engine Flexible

Correct answer: C. Cloud Run is purpose-built for containerized HTTP services with zero-to-scale autoscaling, no infrastructure management, and per-request billing.

Why: Cloud Run is the best fit because it is a fully managed serverless platform that automatically scales your containerized HTTP API to zero when idle, meaning you pay only for resources used during request processing. It requires no cluster or server management, as it abstracts away the underlying infrastructure entirely, unlike other options that still involve some level of node or instance management.

Q3 (easy)

A batch data processing job runs nightly for 4 hours and can tolerate interruption because it saves progress checkpoints every 15 minutes. Which VM option offers the greatest cost reduction?

A. Custom machine type VM with reduced memory
B. Spot VM
C. Sole-tenant node VM
D. Shielded VM

Correct answer: B. Spot VMs are available at up to 91% discount and are ideal for batch workloads that tolerate interruption and implement checkpointing.

Why: Spot VMs offer significant cost reduction (up to 60-91% discount) compared to standard VMs, making them ideal for fault-tolerant, interruptible batch workloads. Since the job saves checkpoints every 15 minutes, it can resume from the last checkpoint if preempted, fully leveraging the cost benefit of Spot VMs.

Q4 (medium)

A mobile app needs a managed database to store user profiles with flexible nested structures that evolve frequently — new fields are added without schema migrations. Which GCP database service is most appropriate?

A. Cloud SQL for PostgreSQL
B. Cloud Bigtable
C. Cloud Firestore
D. Cloud Spanner

Correct answer: C. Cloud Firestore stores data as flexible JSON documents with nested fields, supporting schema evolution without migrations. It's purpose-built for mobile/web app backends.

Why: Cloud Firestore is a NoSQL document database that supports flexible, nested data structures and automatically handles schema evolution. New fields can be added to documents at any time without requiring migrations, making it ideal for user profiles that change frequently. It also provides real-time synchronization and offline support, which are common requirements for mobile apps.

Q5 (medium)

A global web application needs HTTPS traffic routed to backend services in multiple regions, directing each user to the nearest healthy endpoint. Which load balancer type should be used?

A. Regional external Network Load Balancer
B. Global external Application Load Balancer
C. Regional internal Application Load Balancer
D. Regional internal TCP/UDP load balancer

Correct answer: B. This load balancer uses Google's global anycast network to route HTTPS traffic to the nearest healthy backend across multiple regions.

Why: The Global external Application Load Balancer (ALB) is the correct choice because it provides cross-regional load balancing for HTTPS traffic, routing each user to the nearest healthy backend based on anycast IP and client location. This is essential for a global web application requiring low latency and high availability across multiple regions.

Q6 (medium)

A startup wants to minimize egress costs for a web service that exclusively serves customers within Europe. Which network service tier is most cost-effective?

A. Premium Tier
B. Standard Tier
C. Economy Tier
D. Free Tier

Correct answer: B. Standard Tier routes traffic through the public internet, offering lower egress costs. It's suitable for services with regional traffic patterns where Google's global backbone is unnecessary.

Why: Standard Tier uses Google's network with egress traffic routed over the internet, which is significantly cheaper than Premium Tier's SLA-backed, low-latency global network. Since the service exclusively serves customers within Europe, the higher cost of Premium Tier is unnecessary, making Standard Tier the most cost-effective choice for minimizing egress costs.



Domain 3: Deploying and implementing a cloud solution

Q1 (easy)

Which gcloud command creates a Compute Engine VM named 'web-01' using the e2-medium machine type in zone us-central1-a?

A. gcloud vm create web-01 --zone=us-central1-a --machine=e2-medium
B. gcloud compute instances create web-01 --zone=us-central1-a --machine-type=e2-medium
C. gcloud instances create web-01 --region=us-central1 --type=e2-medium
D. gcloud compute create-instance web-01 --zone=us-central1-a --size=e2-medium

Correct answer: B. This is the correct syntax. `gcloud compute instances create` is the command, `--zone` specifies the zone, and `--machine-type` specifies the VM size.

Why: Option B is correct because the `gcloud compute instances create` command is the proper syntax for creating a Compute Engine VM, and it requires the `--machine-type` flag (not `--machine`) to specify the machine type. The zone is specified with `--zone`, and the VM name is provided as a positional argument.

Q2 (easy)

A developer has a Kubernetes Deployment manifest in a file named 'api-deployment.yaml'. Which command creates the Deployment if it doesn't exist, or updates it if it does?

A. kubectl create -f api-deployment.yaml
B. kubectl run api-deployment.yaml
C. kubectl apply -f api-deployment.yaml
D. kubectl deploy -f api-deployment.yaml

Correct answer: C. `kubectl apply -f` reads the manifest and creates or updates the resource declaratively — the standard command for deploying from YAML files.

Why: Option C is correct because `kubectl apply -f api-deployment.yaml` uses a declarative approach: it creates the Deployment if it does not exist, or performs a rolling update if it already exists, by applying the desired state defined in the YAML manifest. This command leverages the Kubernetes API's server-side apply logic, merging changes without requiring the resource to be deleted first.

Q3 (medium)

A team wants to deploy a container image at 'gcr.io/myproject/api:v2' as a Cloud Run service named 'api-service' in us-east1, accessible without authentication. Which command is correct?

A. gcloud run deploy api-service --image=gcr.io/myproject/api:v2 --region=us-east1 --allow-unauthenticated
B. gcloud run create api-service --image=gcr.io/myproject/api:v2 --zone=us-east1 --public
C. gcloud cloud-run deploy api-service --container=gcr.io/myproject/api:v2 --region=us-east1
D. gcloud run deploy --name=api-service --image=gcr.io/myproject/api:v2 --region=us-east1 --no-auth

Correct answer: A. This is the correct syntax for deploying a Cloud Run service with public access. `--allow-unauthenticated` enables unauthenticated invocations.

Why: Option A is correct because it uses the `gcloud run deploy` command with the `--image` flag to specify the container image, `--region=us-east1` to target the correct region, and `--allow-unauthenticated` to make the service publicly accessible without authentication. This matches the exact requirements for deploying a Cloud Run service with public access.

Q4 (medium)

A team needs a GKE cluster named 'prod-cluster' in the us-central1 region with cluster autoscaling enabled, scaling between 3 and 10 nodes. Which command achieves this?

A. gcloud container clusters create prod-cluster --region=us-central1 --num-nodes=3 --enable-autoscaling --min-nodes=3 --max-nodes=10
B. gcloud kubernetes clusters create prod-cluster --location=us-central1 --autoscale=3:10
C. gcloud container cluster create prod-cluster --zone=us-central1 --scaling=3-10
D. kubectl create cluster prod-cluster --region=us-central1 --autoscale --min=3 --max=10

Correct answer: A. This command creates a regional GKE cluster with the node autoscaler configured to scale between 3 and 10 nodes. `--region` creates a regional (multi-zone) cluster.

Why: Option A is correct because it uses the `gcloud container clusters create` command with the `--enable-autoscaling` flag, which enables cluster autoscaler for the GKE cluster. The `--min-nodes=3` and `--max-nodes=10` flags define the scaling range, while `--num-nodes=3` sets the initial node count, ensuring the cluster starts with 3 nodes and can scale up to 10 as needed. The `--region=us-central1` specifies a regional cluster, which is appropriate for production workloads requiring high availability across zones.

Q5 (easy)

Which command creates a Cloud Storage bucket named 'my-archive-bucket' in the US multi-region using the modern gcloud CLI?

A. gcloud storage mk gs://my-archive-bucket --location=US
B. gcloud storage buckets create gs://my-archive-bucket --location=US
C. gcloud cloud-storage create my-archive-bucket --region=US
D. gsutil mk -l US gs://my-archive-bucket

Correct answer: B. This is the correct modern syntax. `gcloud storage buckets create` followed by the `gs://` bucket URI and `--location` creates the bucket in the US multi-region.

Why: Option B is correct because the modern gcloud CLI uses the `gcloud storage buckets create` command to create a Cloud Storage bucket, and the `--location=US` flag specifies the US multi-region. This command is part of the newer, unified `gcloud storage` command group that replaces the older `gsutil` tool for bucket management.

Q6 (medium)

A Cloud Function must execute automatically every time a new object is written to a specific Cloud Storage bucket. Which trigger type should be configured for the function?

A. HTTP trigger
B. Pub/Sub trigger
C. Cloud Storage trigger (object finalized event)
D. Cloud Scheduler trigger

Correct answer: C. A Cloud Storage trigger on the `object.finalized` event fires the function immediately when a new object is created in the bucket — no intermediate service needed.

Why: The Cloud Storage trigger (object finalized event) is the correct choice because Cloud Functions natively supports Cloud Storage events via the `google.storage.object.finalize` event type, which fires when a new object is created or an existing object is overwritten in a bucket. This trigger automatically invokes the function without requiring any intermediary service, directly binding the function to the bucket's notification system.



Domain 4: Ensuring successful operation of a cloud solution

Q1 (easy)

A team wants to receive an email alert when the average CPU utilization of VMs in a managed instance group exceeds 80% for more than 5 minutes. What should they create in Cloud Monitoring?

A. A dashboard with a CPU utilization chart
B. An alerting policy with a CPU utilization threshold condition
C. A log-based metric filter for high-CPU events
D. An uptime check targeting the managed instance group

Correct answer: B. Alerting policies evaluate metric conditions continuously and send notifications via configured channels when thresholds are breached for the specified duration.

Why: B is correct because Cloud Monitoring alerting policies allow you to define conditions based on metric thresholds, such as average CPU utilization exceeding 80% for a specified duration (5 minutes). This directly meets the requirement to trigger an email alert when the condition is met.

Q2 (easy)

A team wants logs from their Python application running on a Compute Engine VM to appear in Cloud Logging. What must be installed on the VM?

A. Cloud Trace SDK for the Python application
B. Ops Agent (Google Cloud's combined logging and monitoring agent)
C. Cloud Monitoring agent only
D. No installation needed — GCE VMs automatically stream logs to Cloud Logging

Correct answer: B. The Ops Agent collects logs from system files and application log streams and forwards them to Cloud Logging. It must be installed explicitly on Compute Engine VMs.

Why: The Ops Agent is Google Cloud's unified agent for both logging and monitoring, and it is required to stream custom application logs from a Compute Engine VM to Cloud Logging. While the VM itself sends basic platform logs (e.g., serial console output), application-level logs (e.g., from a Python app) require the Ops Agent to collect, parse, and forward them to the Cloud Logging API.

Q3 (medium)

A security analyst needs to retrieve all Cloud Logging entries with severity ERROR or higher across all resource types in the current project. Which log query correctly filters these entries?

A. severity >= ERROR AND timestamp > now() - 24h
B. severity="ERROR" AND resource.type="gce_instance"
C. severity >= "ERROR"
D. logName="projects/my-project/logs/stderr" AND severity > "WARNING"

Correct answer: C. `severity >= "ERROR"` correctly matches all entries at ERROR and above across all resource types. The time range is set separately via the console time picker.

Why: Option C is correct because Cloud Logging's query language supports comparison operators like `>=` for severity levels, where `ERROR` is a recognized severity level. The query `severity >= "ERROR"` retrieves all entries with severity ERROR, CRITICAL, ALERT, or EMERGENCY, as these are considered higher severity than ERROR. This matches the requirement to filter for severity ERROR or higher across all resource types without restricting the time range or resource type.

Q4 (medium)

A managed instance group (MIG) is running 4 VMs with a CPU autoscaling target of 60%. A traffic spike drives average CPU to 90%. How does the autoscaler respond?

A. The MIG terminates the 2 least-used VMs to trigger a restart with higher performance settings
B. The autoscaler adds VMs until average CPU across the group drops to approximately 60%
C. The MIG live-migrates instances to larger machine types automatically
D. The MIG restarts all existing VMs to clear cached load

Correct answer: B. The autoscaler computes how many VMs are needed to bring average utilization to the target and scales out accordingly.

Why: The autoscaler for a managed instance group (MIG) uses a target utilization metric, here CPU at 60%. When average CPU exceeds that target (90%), the autoscaler calculates the desired number of VMs to bring utilization back to 60% (e.g., 4 VMs * 90% / 60% = 6 VMs) and adds instances accordingly. It does not terminate, migrate, or restart VMs; it scales out horizontally.

Q5 (easy)

A load balancer is routing traffic to a VM where the application process has crashed, but the VM itself is still running. What prevents the load balancer from continuing to send traffic to this instance?

A. A VPC firewall rule blocking traffic to the VM
B. An HTTP health check configured on the backend service
C. A Cloud Armor security policy blocking the crashed instance's IP
D. The instance group autoscaling policy detecting the failure

Correct answer: B. HTTP health checks probe the application port. A crashed application fails the probe, causing the load balancer to stop directing traffic to that VM until it recovers.

Why: The load balancer uses an HTTP health check to periodically probe the application on the VM. When the application process crashes, the health check fails (e.g., returns a non-2xx status code or times out), and the load balancer automatically stops routing new traffic to that unhealthy instance. This is the standard mechanism in Google Cloud for detecting application-level failures, as opposed to infrastructure-level failures.

Q6 (medium)

A microservices application has intermittent high latency. The team wants to identify which specific service-to-service call in the request chain is causing the slowdown. Which Cloud Operations tool is designed for this?

A. Cloud Monitoring Metrics Explorer
B. Cloud Logging log viewer
C. Cloud Trace
D. Cloud Profiler

Correct answer: C. Cloud Trace instruments requests as they flow through services, recording each span's duration and parent-child relationships, making it ideal for pinpointing latency in distributed systems.

Why: Cloud Trace is designed to capture latency data for individual service-to-service calls in a distributed request chain. It provides end-to-end tracing by collecting trace spans from each microservice, allowing you to pinpoint which specific call is causing the slowdown. This makes it the correct tool for identifying the exact service-to-service latency bottleneck.



Domain 5: Configuring access and security

Q1 (easy)

A junior developer needs read-only access to all GCP resources in a project. Which IAM role grants the minimum permissions required?

A. Editor
B. Owner
C. Viewer
D. Browser

Correct answer: C. Viewer grants read-only access to all project resources without any modification permissions — the correct minimum role for read-only access.

Why: The Viewer role (roles/viewer) grants read-only access to all GCP resources in a project, including existing and future resources, without allowing any modifications. This is the minimum permissions required for read-only access, as it provides exactly the necessary permissions (e.g., resourcemanager.projects.get, storage.objects.list) without any write or administrative capabilities.

Q2 (medium)

A security review identifies that service account JSON key files are stored on multiple developer laptops, posing a data exfiltration risk. What is the recommended remediation?

A. Rotate the key files every 90 days and redistribute them securely
B. Encrypt the JSON key files using Cloud KMS before distributing
C. Remove the key files and use service account impersonation or Workload Identity for workloads that need GCP access
D. Store the key files in Secret Manager and retrieve them at application startup

Correct answer: C. Eliminating key files is the recommended approach. GCE VMs use attached service accounts; GKE uses Workload Identity; external systems use Workload Identity Federation — no downloadable keys needed.

Why: Option C is correct because storing service account JSON key files on developer laptops creates a persistent credential that can be exfiltrated. The recommended remediation is to remove these static keys entirely and instead use service account impersonation (via the `iamcredentials.googleapis.com` API) or Workload Identity (for GKE or GCE workloads) to obtain short-lived access tokens. This eliminates the long-lived secret and follows Google's principle of using federated identity rather than distributing static keys.

Q3 (medium)

A team wants to allow inbound HTTPS traffic (TCP port 443) from the internet to instances tagged 'web-server', while blocking all other inbound traffic. What firewall configuration achieves this?

A. An ingress allow rule for port 443 from 0.0.0.0/0 targeting the 'web-server' tag, relying on the implied deny for other traffic
B. An ingress allow rule for port 443 and a separate egress deny rule for all other ports
C. An ingress deny rule for all ports from 0.0.0.0/0, plus an ingress allow for port 443 with lower priority
D. A Cloud Armor policy allowing only HTTPS requests to port 443

Correct answer: A. GCP's implied deny-all ingress rule (priority 65535) blocks all traffic not explicitly allowed. A single allow rule for port 443 is all that's needed.

Why: Option A is correct because Google Cloud VPC firewall rules are stateful and have an implicit deny for all traffic that is not explicitly allowed. An ingress allow rule for TCP port 443 from 0.0.0.0/0 applied to instances with the 'web-server' tag permits inbound HTTPS traffic, and the implicit deny blocks all other inbound traffic without needing additional rules.

Q4 (hard)

An enterprise stores sensitive customer data in Cloud Storage. Regulatory requirements mandate that the company controls its own encryption keys — Google must not be able to decrypt data unilaterally. Which encryption configuration satisfies this?

A. Google-managed encryption keys (the default)
B. Customer-managed encryption keys (CMEK) using Cloud KMS
C. Client-side encryption before uploading to Cloud Storage, without using Cloud KMS
D. Shielded VM with vTPM enabled on the storage backend

Correct answer: B. CMEK keys are created and controlled by the customer in Cloud KMS. GCP encrypts data using these keys, but the customer retains full control — including the ability to revoke access.

Why: Option B is correct because Customer-Managed Encryption Keys (CMEK) with Cloud KMS allow the enterprise to control and manage their own encryption keys, ensuring that Google cannot unilaterally decrypt the data. With CMEK, the encryption keys are stored in Cloud KMS under the customer's control, and Google only has access to the key material for encryption/decryption operations as authorized by the customer. This satisfies the regulatory requirement that the company retains sole control over key material, preventing Google from decrypting data without explicit permission.

Q5 (medium)

A Cloud Run service needs to access a database password at runtime. Where should the password be stored according to GCP security best practices?

A. As a plain-text environment variable in the Cloud Run service configuration
B. In a Cloud Storage bucket accessible to the service account
C. In Secret Manager, referenced as a mounted secret or accessed via the API at runtime
D. Baked into the container image at build time

Correct answer: C. Secret Manager stores secrets encrypted, with IAM access control and full audit trails. Cloud Run can reference secrets as environment variables or volume mounts without exposing the value in configuration.

Why: Secret Manager is the GCP-native service designed to securely store sensitive data like database passwords. It provides encryption at rest and in transit, fine-grained access control via IAM, and supports both mounting secrets as volumes and accessing them via the API at runtime. This aligns with GCP security best practices by avoiding exposure of secrets in plain text, configuration files, or container images.

Q6 (medium)

A compliance team needs a log of every time a user or service account accessed data in a BigQuery dataset — specifically read operations. Which Cloud Audit Log type captures this?

A. System event audit logs
B. Admin Activity audit logs
C. Data Access audit logs
D. VPC flow logs

Correct answer: C. Data Access audit logs record API calls that read data — including BigQuery table reads and query executions. They must be explicitly enabled and can generate high log volume.

Why: Data Access audit logs record API calls that read or modify user-provided data, including BigQuery read operations like SELECT queries. Since the requirement is specifically for read operations on user data, Data Access logs are the correct type. Admin Activity logs cover configuration changes, not data reads, and System Event logs cover Google-managed actions, not user-initiated reads.



Frequently asked questions

How many questions are on the ACE exam?

The ACE exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the ACE exam?

Scenario questions on setting up GCP environments, deploying compute, configuring storage and databases, managing networking, and monitoring.

How are ACE questions organised by domain?

The exam covers 5 domains: Setting up a cloud solution environment, Planning and configuring a cloud solution, Deploying and implementing a cloud solution, Ensuring successful operation of a cloud solution, Configuring access and security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual ACE exam questions?

No. These are original exam-style practice questions written against the official Google Cloud ACE exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
