Google Associate Cloud Engineer (ACE) — Questions 601–675

991 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
MCQ · hard

An organization needs to deploy a microservices application on Google Kubernetes Engine. Each microservice has different resource requirements, and the team wants to optimize costs by using a mix of spot (preemptible) and regular nodes. They also need to ensure that critical services run on regular nodes. Which GKE feature allows this separation?

A. Use resource quotas to limit namespace resource usage
B. Use separate clusters for critical and non-critical services
C. Use node pools with taints and tolerations on the pods
D. Use vertical pod autoscaling
Answer: C

Node pools allow different node types (preemptible vs regular). Taints on the spot node pool prevent critical pods from being scheduled there unless they have the corresponding toleration.

Why this answer

Node pools in GKE allow you to have groups of nodes with different configurations (e.g., machine type, preemptible vs on-demand). You can then use node affinity or taints/tolerations to schedule pods onto the appropriate node pool.
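The taint/toleration matching described above, as an added example (not code from the page): it applies the Kubernetes matching rules to a spot pool's taint and audits which Pods could land there. The pool names, Pod names and the `cloud.google.com/gke-spot` taint value are assumed sample data.

```python
"""Work out which GKE node pools a Pod can be scheduled on by evaluating its
tolerations against each pool's taints with Kubernetes matching rules, then
flag critical Pods that could land on the spot pool."""

# Constructed sample pools: the taint list is in the shape of `config.taints`
# from `gcloud container node-pools describe`. The spot taint key/value is an
# assumed example, not taken from the page.
NODE_POOLS = {
    "regular-pool": [],
    "spot-pool": [{"key": "cloud.google.com/gke-spot", "value": "true",
                   "effect": "NO_SCHEDULE"}],
}

# Constructed sample workloads: the `tolerations` field of each PodSpec.
PODS = {
    "payments-api": {"critical": True, "tolerations": []},
    "image-resizer": {"critical": False, "tolerations": [
        {"key": "cloud.google.com/gke-spot", "operator": "Equal",
         "value": "true", "effect": "NoSchedule"}]},
    # Empty key + Exists tolerates every taint: a critical pod must not carry this.
    "auth-service": {"critical": True, "tolerations": [{"operator": "Exists"}]},
    "nightly-report": {"critical": False, "tolerations": []},
}

# gcloud spells effects NO_SCHEDULE; the Kubernetes API spells them NoSchedule.
_EFFECT = {"NO_SCHEDULE": "NoSchedule", "PREFER_NO_SCHEDULE": "PreferNoSchedule",
           "NO_EXECUTE": "NoExecute"}


def _effect(taint):
    return _EFFECT.get(taint["effect"], taint["effect"])


def tolerates(toleration, taint):
    """Kubernetes toleration matching: an empty effect matches any effect, an
    empty key with Exists matches any taint, Equal compares values, Exists ignores them."""
    if toleration.get("effect", "") not in ("", _effect(taint)):
        return False
    key = toleration.get("key", "")
    op = toleration.get("operator", "Equal")
    if key == "":
        return op == "Exists"
    if key != taint["key"]:
        return False
    return op == "Exists" or toleration.get("value", "") == taint.get("value", "")


def schedulable_pools(tolerations, pools=NODE_POOLS):
    """Pools whose hard (NoSchedule/NoExecute) taints are all tolerated.
    PreferNoSchedule is a soft preference and does not block scheduling."""
    result = []
    for name, taints in pools.items():
        hard = [t for t in taints if _effect(t) != "PreferNoSchedule"]
        if all(any(tolerates(tol, t) for tol in tolerations) for t in hard):
            result.append(name)
    return result


def audit(pods=PODS, pools=NODE_POOLS, spot_pool="spot-pool"):
    """Critical Pods that can reach the spot pool are a stability risk; non-critical
    Pods that cannot reach it forfeit the cost saving. Returns {pod: finding}."""
    findings = {}
    for name, pod in pods.items():
        reachable = schedulable_pools(pod["tolerations"], pools)
        if pod["critical"] and spot_pool in reachable:
            findings[name] = "critical pod tolerates the spot taint"
        elif not pod["critical"] and spot_pool not in reachable:
            findings[name] = "non-critical pod lacks the spot toleration"
    return findings
```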

602
MCQ · hard

A Cloud Build pipeline builds a container image and pushes it to Artifact Registry. The next step needs to deploy the image to Cloud Run. The pipeline runs as the Cloud Build service account. What minimum permission does the Cloud Build SA need for the deployment step?

A. `roles/run.admin` only.
B. `roles/run.admin` and `roles/iam.serviceAccountUser` on the Cloud Run runtime service account.
C. `roles/owner` to ensure all necessary permissions are covered.
D. `roles/cloudbuild.builds.editor` on the Cloud Run project.
Answer: B

run.admin manages Cloud Run services. iam.serviceAccountUser (which grants `iam.serviceAccounts.actAs`) allows the Cloud Build SA to configure which SA Cloud Run runs as — both are required.

Why this answer

The Cloud Build service account needs `roles/run.admin` to deploy services to Cloud Run, but it also requires `roles/iam.serviceAccountUser` on the Cloud Run runtime service account (the identity the Cloud Run service runs as) because the deployment step impersonates that runtime service account to create or update the service. Without the `iam.serviceAccountUser` permission, the deployment fails with a permission denied error, even if the Cloud Build SA has full Cloud Run admin rights.

Exam trap

Google Cloud often tests the nuance that deploying to Cloud Run requires not just Cloud Run permissions but also the ability to impersonate the runtime service account, leading candidates to incorrectly choose `roles/run.admin` alone.

How to eliminate wrong answers

Option A is wrong because `roles/run.admin` alone does not grant the Cloud Build service account the ability to impersonate the Cloud Run runtime service account; the `iam.serviceAccountUser` role is required on that runtime service account for the deployment to succeed. Option C is wrong because `roles/owner` is overly permissive and violates the principle of least privilege; the minimum permissions are `roles/run.admin` and `roles/iam.serviceAccountUser` on the runtime service account, not full project ownership. Option D is wrong because `roles/cloudbuild.builds.editor` only allows managing Cloud Build builds, not deploying to Cloud Run; it does not include any Cloud Run or IAM impersonation permissions.
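A pre-flight check for the two-role requirement above, added here as an example and not part of the page: it reads IAM policies in the JSON shape gcloud returns and reports both missing and over-broad grants. The service account addresses and project id are placeholders.

```python
"""Pre-flight check for the Cloud Build -> Cloud Run deploy step: confirm the
builder identity holds roles/run.admin on the project and
roles/iam.serviceAccountUser on the runtime service account, and report grants
that are broader than that. Policies are in the JSON shape returned by
`gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy`."""

# Constructed sample principals; project id and addresses are placeholders.
BUILDER_SA = "serviceAccount:build-sa@my-project.iam.gserviceaccount.com"
RUNTIME_SA = "serviceAccount:run-sa@my-project.iam.gserviceaccount.com"

PROJECT_POLICY = {"bindings": [
    {"role": "roles/run.admin", "members": [BUILDER_SA]},
    {"role": "roles/owner", "members": ["user:admin@example.com"]},
]}

# Policy on the runtime service account resource itself, not on the project.
RUNTIME_SA_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountUser", "members": [BUILDER_SA]},
]}

ACT_AS_ROLE = "roles/iam.serviceAccountUser"
DEPLOY_ROLE = "roles/run.admin"
# Basic roles include both permissions but far more besides.
TOO_BROAD = {"roles/owner", "roles/editor"}


def roles_for(policy, member):
    """Roles a member holds directly in one policy (inheritance not modelled)."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def check_deploy_permissions(project_policy, runtime_sa_policy, builder=BUILDER_SA):
    """Return a list of findings; an empty list means the deploy step is
    authorised with exactly the two roles the page describes."""
    findings = []
    project_roles = roles_for(project_policy, builder)
    sa_roles = roles_for(runtime_sa_policy, builder)
    broad = project_roles & TOO_BROAD
    sau_on_sa = ACT_AS_ROLE in sa_roles
    sau_on_project = ACT_AS_ROLE in project_roles

    if DEPLOY_ROLE not in project_roles and not broad:
        findings.append(f"builder lacks {DEPLOY_ROLE} on the project")
    if not (sau_on_sa or sau_on_project or broad):
        findings.append(f"builder lacks {ACT_AS_ROLE} on the runtime service account")
    for role in sorted(broad):
        findings.append(f"builder holds {role}, far broader than the deploy step needs")
    if sau_on_project and not sau_on_sa:
        # Project-wide actAs lets the builder run code as every SA in the project.
        findings.append(f"{ACT_AS_ROLE} is granted project-wide instead of on the runtime service account")
    return findings
```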

603
Multi-Select · medium

You need to view the current gcloud configuration settings, including the active account, project, and compute region. Which TWO commands can you use? (Choose two.)

Select 2 answers
A. gcloud config list
B. gcloud config describe
C. gcloud projects list
D. gcloud auth list
E. gcloud info
Answers: A, E

gcloud config list lists all configuration properties.

Why this answer

gcloud config list displays all configuration properties. gcloud info provides detailed information, including configuration.

604
Multi-Select · hard

An engineer is troubleshooting a Compute Engine instance that is unreachable via SSH. They suspect a firewall rule is blocking traffic. Which TWO actions should they take to diagnose the issue? (Choose 2)

Select 2 answers
A. Create a Cloud Monitoring alert for packet loss
B. View Cloud Logging for firewall rule logs
C. Run gcloud compute ssh --dry-run
D. Use Cloud Trace to analyze network latency
E. Check VPC firewall rules in Cloud Console
Answers: B, E

Why this answer

In Cloud Logging you can view firewall logs once Firewall Rules Logging is enabled on the relevant rule (it is enabled per rule, independently of VPC Flow Logs), which shows whether the SSH traffic is being denied. Checking the VPC firewall rules in the Cloud Console lets you verify the rules directly. Cloud Trace is for latency, Cloud Monitoring for metrics, and gcloud compute ssh is for connecting, not for diagnosing firewall rules.

605
Multi-Select · easy

A company is implementing cost optimization for their Google Cloud resources. Which two practices are recommended? (Choose two.)

Select 2 answers
A. Keep all resources in a single region to avoid data transfer costs.
B. Always use premium-tier networking for all traffic.
C. Use committed use discounts for predictable workloads.
D. Use preemptible VMs for all batch jobs irrespective of fault tolerance.
E. Delete unused static external IP addresses.
Answers: C, E

CUDs provide significant discounts for stable usage.

Why this answer

Committed use discounts (CUDs) are recommended for cost optimization because they provide significant discounts (up to 70% for vCPUs and memory) in exchange for a commitment to use a minimum level of resources (e.g., 1-year or 3-year term) for predictable workloads. This aligns costs with actual usage patterns, reducing waste from on-demand pricing. Deleting unused static external IP addresses is also recommended because each static IP incurs a small hourly charge (e.g., $0.005/hour for a regional IP) even when not attached to a resource, so removing them eliminates unnecessary costs.

Exam trap

The trap here is that candidates often assume 'single region' avoids all data transfer costs (ignoring cross-zone charges) or that preemptible VMs are safe for any batch job, but the ACE exam tests the nuance that preemptible VMs require fault tolerance and that static IPs have ongoing costs even when idle.

606
MCQ · medium

A startup is building a web application using Cloud Run. They want to deploy multiple independent services that can communicate with each other internally, but each service should be deployed and scaled independently. Which deployment strategy should they use?

A. Create multiple Cloud Run services and use internal endpoints for communication
B. Deploy the application to App Engine Standard Environment
C. Use a single GKE cluster with multiple deployments and services
D. Deploy a single Cloud Run service with multiple containers
Answer: A

Each Cloud Run service is independent and can communicate via internal URLs.

Why this answer

Cloud Run natively supports deploying multiple independent services, each with its own URL and scaling configuration. Internal communication between these services can be achieved using Cloud Run's built-in internal endpoints (e.g., using the `run.app` domain with internal traffic routing), which avoids exposing services to the public internet. This approach allows each service to scale independently based on its own request load, meeting the startup's requirement for independent deployment and scaling.

Exam trap

Google Cloud often tests the misconception that Cloud Run supports multiple containers per service (like a pod in Kubernetes), but Cloud Run services are single-container per revision, and multiple containers require separate services or a different platform like Cloud Run for Anthos.

How to eliminate wrong answers

Option B is wrong because App Engine Standard Environment is a fully managed platform that deploys a single application as a monolithic service; it does not natively support deploying multiple independent services that scale independently within the same project without using additional modules or services, which adds complexity and does not match the requirement for independent scaling. Option C is wrong because using a single GKE cluster with multiple deployments and services introduces the overhead of managing a Kubernetes cluster (node pools, networking, etc.) and is overkill for a simple web application; Cloud Run abstracts away cluster management entirely, making it a simpler and more cost-effective choice for independent services. Option D is wrong because a single Cloud Run service can only run one container per revision; multiple containers within a single service would share the same scaling behavior and cannot be deployed or scaled independently, which directly contradicts the requirement.

607
MCQ · medium

A company is deploying a public-facing web application on Compute Engine behind a global HTTP(S) Load Balancer. The company wants to protect the application from common web attacks, such as SQL injection and cross-site scripting (XSS). Which Google Cloud security service should they enable?

A. VPC Service Controls
B. Cloud Armor
C. Cloud IDS
D. Identity and Access Management (IAM)
Answer: B

Cloud Armor offers WAF rules to mitigate web attacks like SQL injection and XSS.

Why this answer

Cloud Armor (option B) is correct because it provides web application firewall (WAF) capabilities to protect against OWASP Top 10 attacks. IAM (option D) is wrong because it controls access to resources, not web attacks. Cloud IDS (option C) is wrong because it is for network-based threat detection.

VPC Service Controls (option A) is wrong because it prevents data exfiltration but does not filter HTTP traffic.

608
MCQ · hard

You need to perform a rolling update of a GKE deployment and ensure that during the update, the new pods are ready before terminating the old ones. You have already set the update strategy to RollingUpdate. Which kubectl command sequence should you use to update the image and monitor the rollout?

A. gcloud container clusters upgrade my-cluster; kubectl get deployments
B. kubectl set image deployment/myapp myapp=gcr.io/myproject/myapp:v2; kubectl rollout status deployment/myapp
C. kubectl edit deployment myapp; kubectl get pods; kubectl delete pod old-pod
D. kubectl apply -f deployment.yaml; kubectl rollout undo deployment/myapp
Answer: B

This updates the image and monitors the rollout status.

Why this answer

kubectl set image updates the image; kubectl rollout status monitors the progress. If the rollout fails, kubectl rollout undo rolls back.
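What `kubectl rollout status` actually waits for, as an added example (not from the page): the same checks kubectl applies, in the same order, run over the JSON of a Deployment object. The snapshots of the rollout are constructed sample data.

```python
"""Decide whether a Deployment rollout is finished using the same checks, in
the same order, as `kubectl rollout status`, from the JSON that
`kubectl get deployment NAME -o json` returns."""


def make_deployment(generation, observed, replicas, updated, available,
                    spec_replicas=3, timed_out=False):
    """Constructed sample builder: only the fields rollout status looks at."""
    conditions = ([{"type": "Progressing", "status": "False",
                    "reason": "ProgressDeadlineExceeded"}] if timed_out else [])
    return {"metadata": {"generation": generation},
            "spec": {"replicas": spec_replicas},
            "status": {"observedGeneration": observed, "replicas": replicas,
                       "updatedReplicas": updated, "availableReplicas": available,
                       "conditions": conditions}}


def rollout_status(deploy):
    """Return (done, message). Checks: spec observed -> progress deadline ->
    new replicas created -> old replicas gone -> new replicas available."""
    gen = deploy["metadata"].get("generation", 0)
    want = deploy["spec"].get("replicas", 1)
    st = deploy.get("status", {})
    # The controller has not yet reconciled the new spec (e.g. right after set image).
    if gen > st.get("observedGeneration", 0):
        return False, "Waiting for deployment spec update to be observed"
    for cond in st.get("conditions", []):
        if cond.get("type") == "Progressing" and cond.get("reason") == "ProgressDeadlineExceeded":
            return False, "deployment exceeded its progress deadline"
    updated = st.get("updatedReplicas", 0)
    if updated < want:
        return False, f"{updated} out of {want} new replicas have been updated"
    total = st.get("replicas", 0)
    if total > updated:
        return False, f"{total - updated} old replicas are pending termination"
    available = st.get("availableReplicas", 0)
    if available < updated:
        return False, f"{available} of {updated} updated replicas are available"
    return True, "deployment successfully rolled out"


# Constructed snapshots of one RollingUpdate of a 3-replica Deployment.
SNAPSHOTS = {
    "just-applied": make_deployment(2, 1, 3, 0, 3),  # spec bumped, not yet observed
    "surging":      make_deployment(2, 2, 4, 2, 3),  # maxSurge pod added, 2 of 3 updated
    "draining":     make_deployment(2, 2, 4, 3, 3),  # all new pods exist, one old left
    "finished":     make_deployment(2, 2, 3, 3, 3),
}
```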

609
MCQ · medium

A developer is using Cloud Functions with HTTP trigger. The function needs to process a request payload and return a response. What is the correct way to send a JSON response from the function?

A. response.end(JSON.stringify({ 'status': 'ok' }))
B. return { 'status': 'ok' }
C. context.done(null, { 'status': 'ok' })
D. res.send({ 'status': 'ok' })
Answer: D

Correct: sends a JSON response.

Why this answer

In Cloud Functions (Node.js runtime), the response is sent via the res (response) object. The correct method is res.send() or res.json(). res.send() can send JSON directly.

610
MCQ · medium

A DevOps engineer creates a service account for a CI/CD pipeline. The pipeline needs to push container images to Artifact Registry. Which role grants the minimum required permission?

A. Artifact Registry Administrator
B. Artifact Registry Writer
C. Storage Object Creator on the underlying Cloud Storage bucket
D. Artifact Registry Reader
Answer: B

Artifact Registry Writer grants the minimum permissions to push (write) artifacts to existing Artifact Registry repositories — the appropriate role for CI/CD pipelines.

Why this answer

Option B is correct because the Artifact Registry Writer role (`roles/artifactregistry.writer`) provides the minimal permissions needed to push container images to Artifact Registry. This role allows writing artifacts without granting broader administrative or read-only access, aligning with the principle of least privilege.

Exam trap

Google Cloud often tests the misconception that Artifact Registry is just a wrapper around Cloud Storage, leading candidates to choose Storage Object Creator, but in reality, Artifact Registry uses its own IAM roles and does not expose the underlying bucket for direct permission assignment.

How to eliminate wrong answers

Option A is wrong because Artifact Registry Administrator grants full control over all Artifact Registry resources, including deletion and permission management, which is excessive for a CI/CD pipeline that only needs to push images. Option C is wrong because Artifact Registry does not expose its underlying Cloud Storage bucket directly; permissions must be managed through Artifact Registry roles, not Storage Object Creator, which would not work due to the service's abstraction layer. Option D is wrong because Artifact Registry Reader only allows reading and listing artifacts, not writing or pushing new images.

611
MCQ · medium

An organization wants to use Cloud Storage to host a static website. The bucket name must match the domain name. They already own the domain 'example.com' and want to serve the site from 'www.example.com'. Which bucket name should they create?

A. example.com
B. www_example_com
C. example-com-bucket
D. www.example.com
Answer: D

Correct: bucket named after the subdomain.

Why this answer

To host a website with a custom domain using Cloud Storage, you must use a bucket name that matches the domain (or subdomain). For 'www.example.com', the bucket must be named 'www.example.com'. For the apex domain, it would be 'example.com'.

612
Multi-Select · medium

You are configuring a VPC with multiple subnets. You need to allow traffic from the internet to a specific instance on port 80, but only if the traffic originates from a set of known IP addresses. Which three resources must be configured? (Choose three.)

Select 3 answers
A. A load balancer with Cloud Armor.
B. A route to the internet gateway.
C. A reserved external IP address for the instance.
D. A Cloud Router.
E. A firewall rule allowing ingress from the IP range to the instance on port 80.
Answers: A, C, E

Cloud Armor can provide source-IP allowlisting and DDoS protection at the load balancer.

Why this answer

Option A is correct because Cloud Armor is a web application firewall that can be attached to a load balancer to allow or deny traffic based on IP address ranges. This enables you to restrict inbound HTTP traffic on port 80 to only the known IP addresses, while the load balancer distributes traffic to the instance. Without Cloud Armor, a load balancer alone cannot filter by source IP; it relies on backend firewall rules or Cloud Armor policies for such granular access control.

Exam trap

Google Cloud often tests the misconception that a route to the internet gateway alone is sufficient to control inbound traffic, but routes only define the path, not the access policy; you must explicitly configure firewall rules or Cloud Armor to restrict source IPs.
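An added example (not part of the page) covering both the source-restricted port 80 rule of this question and the blocked-SSH diagnosis of question 604: it evaluates an ingress packet against VPC firewall rules with GCP's precedence (lowest priority number wins, deny beats allow on ties, implied deny at 65535) and lists every matching rule so a shadowing deny is visible. Rule names, ranges and tags are constructed sample data; only `sourceRanges` and `targetTags` are evaluated.

```python
"""Evaluate an ingress packet against VPC firewall rules the way GCP does:
lowest priority number wins, deny beats allow at equal priority, and the
implied rule denies all ingress at priority 65535. Rules use the JSON shape
of `gcloud compute firewall-rules list --format=json`. Only sourceRanges and
targetTags are evaluated here (sourceTags and service accounts are left out)."""
import ipaddress

# Constructed sample rule set; names, ranges and tags are made up.
RULES = [
    {"name": "allow-web-from-office", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["198.51.100.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # Lower number = higher precedence, so this shadows the SSH allow above.
    {"name": "deny-ssh-everywhere", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]


def _port_match(ports, port):
    """`ports` is a list like ["80", "8000-8100"]; an empty list means all ports."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _match(rule, src_ip, proto, port, instance_tags):
    """Return 'allowed', 'denied', or None if the rule does not apply."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return None
    tags = rule.get("targetTags", [])           # empty: applies to every instance
    if tags and not set(tags) & set(instance_tags):
        return None
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return None
    for action in ("denied", "allowed"):
        for entry in rule.get(action, []):
            if entry["IPProtocol"] in ("all", proto) and _port_match(entry.get("ports", []), port):
                return action
    return None


def trace_ingress(rules, src_ip, port, instance_tags=(), proto="tcp"):
    """All rules that match, ordered by precedence (priority, then deny first);
    the first entry is the one GCP enforces. Ends with the implied deny."""
    hits = []
    for rule in rules:
        action = _match(rule, src_ip, proto, port, instance_tags)
        if action:
            hits.append((rule["priority"], 0 if action == "denied" else 1, action, rule["name"]))
    hits.sort()
    hits.append((65535, 0, "denied", "implied-deny-ingress"))
    return [(p, a, n) for p, _, a, n in hits]


def evaluate_ingress(rules, src_ip, port, instance_tags=(), proto="tcp"):
    """(verdict, winning rule name) for one packet."""
    _, action, name = trace_ingress(rules, src_ip, port, instance_tags, proto)[0]
    return action, name
```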

613
MCQ · easy

A company wants to automate the rotation of encryption keys for Cloud Storage buckets every 30 days. Which key type should be used?

A. Customer-Managed Encryption Keys (CMEK)
B. Google-managed encryption keys
C. Key Access Justification
D. Customer-Supplied Encryption Keys (CSEK)
Answer: A

Correct: CMEK allows you to set a rotation period (e.g., 30 days) using Cloud Key Management Service.

Why this answer

Customer-Managed Encryption Keys (CMEK) allow you to control the key lifecycle, including rotation. Google-Managed keys rotate automatically but you cannot schedule or force rotation. CSEK requires manual rotation.

Key Access Justification is a feature of CMEK for access transparency.

614
MCQ · easy

A small business is deploying a web application on Compute Engine and wants to ensure high availability. They have set up two instances in different zones behind a TCP load balancer. What should they also configure to detect and route traffic away from unhealthy instances?

A. Configure a health check on the load balancer.
B. Set a firewall rule to allow traffic only on port 80.
C. Use a global HTTP(S) load balancer instead.
D. Create a snapshot schedule for the persistent disks.
Answer: A

Health checks allow the load balancer to stop sending traffic to unhealthy instances.

Why this answer

A health check is required for the TCP load balancer to monitor the backend instances. It periodically probes the instances on a specified port and path, marking them as unhealthy if they fail to respond. The load balancer then stops routing new traffic to unhealthy instances, ensuring high availability by directing traffic only to healthy backends.

Exam trap

The trap here is that candidates often confuse health checks with firewall rules or backup strategies, thinking that allowing traffic or creating snapshots ensures availability, but only health checks provide the active monitoring needed to detect and route around failures.

How to eliminate wrong answers

Option B is wrong because a firewall rule allowing only port 80 controls network access but does not detect instance health or influence load balancer routing decisions. Option C is wrong because a global HTTP(S) load balancer is designed for HTTP/HTTPS traffic and cannot be used with a TCP load balancer; the question specifies a TCP load balancer, which requires a TCP health check. Option D is wrong because snapshot schedules are for backup and disaster recovery of persistent disks, not for real-time health detection or traffic routing.

615
MCQ · medium

You need to tag all Compute Engine VMs in your organization with a `cost-center` tag for billing allocation reports. The tag values must be controlled centrally — only predefined values should be allowed. Which GCP feature enables this?

A. Use Compute Engine labels — configure label keys and restrict values using an org policy.
B. Create Resource Manager Tag keys and values at the org level, then attach tags to VMs.
C. Use network tags on VMs and enforce allowed values via a custom org policy constraint.
D. Require teams to apply specific label values using a Terraform module, and enforce this via code review.
Answer: B

Resource Manager Tags support centrally defined, version-controlled tag keys and enumerated values. IAM roles (tagUser, tagAdmin) control who can create values vs. who can apply tags. Tags integrate with billing reports.

Why this answer

Resource Manager Tags (formerly 'tags' in the Resource Manager API) allow you to create tag keys and predefined tag values at the organization level, then attach those tags to resources like Compute Engine VMs. This ensures that only centrally controlled values can be used, meeting the requirement for controlled billing allocation. Labels, by contrast, are free-form key-value pairs and cannot have their values restricted natively by an org policy.

Exam trap

Google Cloud often tests the distinction between labels (free-form, no value restriction) and Resource Manager Tags (centrally controlled, predefined values), leading candidates to mistakenly choose labels because they are more commonly used for metadata.

How to eliminate wrong answers

Option A is wrong because Compute Engine labels are free-form key-value pairs; while you can use an org policy to restrict label keys, you cannot natively restrict label values to a predefined set using an org policy alone. Option C is wrong because network tags are used for firewall rules and networking, not for billing or resource metadata, and there is no native org policy constraint to enforce allowed values on network tags. Option D is wrong because relying on a Terraform module and code review does not provide a centrally enforced, programmatic control mechanism; it depends on human compliance and can be bypassed.

616
Multi-Select · easy

You need to set up an alerting policy to notify your team via email and Slack when a Compute Engine instance's CPU utilization exceeds 80% for 5 minutes. Which two resources must you configure? (Choose two.)

Select 2 answers
A. A Cloud Function to check CPU and send Slack message
B. A metric threshold condition on the 'compute.googleapis.com/instance/cpu/utilization' metric
C. An uptime check for the external IP of the instance
D. A notification channel of type 'email'
E. A log-based alert for the 'compute.googleapis.com/instance' log
Answers: B, D

The metric threshold condition triggers when CPU utilization exceeds 80% for the specified duration.

Why this answer

To create an alerting policy, you need a metric threshold condition (e.g., CPU utilization > 80% for 5 minutes) and notification channels (email, Slack). Uptime checks are for availability, not performance metrics. Log-based alerts are for log events, not metrics.

617
MCQ · medium

You need to create a service account for a Compute Engine instance to allow it to access Cloud Storage objects. The service account should have minimal permissions. What is the recommended approach?

A. Create a service account and assign it to the instance using gcloud compute instances set-service-account after creation
B. Use the default compute engine service account and grant it roles/storage.objectAdmin
C. Create a service account, download a JSON key, and store it on the instance's local disk
D. Create a service account, grant it the required roles, and specify it when creating the instance using the --service-account flag
Answer: D

Correct: uses instance service account without keys.

Why this answer

Create a service account with only the necessary roles (e.g., roles/storage.objectViewer) and attach it to the instance at creation time. Avoid downloading service account keys; use instance metadata-based credentials instead.

618
MCQ · easy

A batch data processing job runs nightly for 4 hours and can tolerate interruption because it saves progress checkpoints every 15 minutes. Which VM option offers the greatest cost reduction?

A. Custom machine type VM with reduced memory
B. Spot VM
C. Sole-tenant node VM
D. Shielded VM
Answer: B

Spot VMs are available at up to 91% discount and are ideal for batch workloads that tolerate interruption and implement checkpointing.

Why this answer

Spot VMs offer significant cost reduction (up to 60-91% discount) compared to standard VMs, making them ideal for fault-tolerant, interruptible batch workloads. Since the job saves checkpoints every 15 minutes, it can resume from the last checkpoint if preempted, fully leveraging the cost benefit of Spot VMs.

Exam trap

Google Cloud often tests the misconception that custom machine types or sole-tenant nodes are cost-saving options, but the trap here is that Spot VMs are the only option that directly leverages preemptible pricing for interruptible workloads, while other options either increase cost or provide no cost benefit.

How to eliminate wrong answers

Option A is wrong because reducing memory on a custom machine type does not provide the same magnitude of cost savings as Spot VMs, and the question specifically asks for the greatest cost reduction. Option C is wrong because sole-tenant nodes are designed for dedicated hardware compliance or licensing requirements, and they are more expensive than standard VMs, offering no cost reduction. Option D is wrong because Shielded VMs provide security features (secure boot, vTPM, integrity monitoring) but do not reduce cost; they may even add a slight premium.

619
Multi-Select · hard

A data engineering team wants to create a Cloud Storage bucket for storing sensitive analytics data. They require encryption at rest with customer-managed keys (CMEK) and want to restrict access to a specific service account. Which three steps are necessary?

Select 3 answers
A. Set the bucket's default encryption to use the KMS key
B. Enable uniform bucket-level access
C. Grant the service account roles/storage.objectAdmin on the bucket
D. Create a service account and download its JSON key
E. Create a Cloud KMS key ring and key in the same region as the bucket
Answers: A, C, E

Configure the bucket to use the KMS key for encryption.

Why this answer

To use CMEK, you must create a Cloud KMS key ring and key, then configure the bucket to use that key. Access is controlled via IAM; granting the service account roles/storage.objectAdmin allows full object management. Note: The KMS key must be in the same region as the bucket.

620
MCQ · easy

You need to create a Google-managed SSL certificate for an external HTTPS load balancer. The domain is 'www.example.com'. Which command creates the certificate?

A. gcloud compute ssl-certificates create my-cert --certificate example.crt --private-key example.key
B. gcloud compute ssl-certificates create my-cert --certificate example.crt
C. gcloud compute ssl-certificates create my-cert --domains www.example.com
D. gcloud compute ssl-certificates create my-cert --domains www.example.com --managed
Answer: C

Correct: --domains flag creates a Google-managed certificate.

Why this answer

The correct command is gcloud compute ssl-certificates create with the --domains flag. This creates a Google-managed certificate that will be provisioned and renewed automatically.

621
Multi-Select · hard

An organization wants to migrate a 5 TB on-premises MongoDB database to Google Cloud. They need to minimize latency for write operations and support global users with strong consistency. Which three services or tools should they consider for this migration? (Choose 3)

Select 3 answers
A. Database Migration Service
B. Cloud Bigtable
C. Transfer Appliance
D. MongoDB Atlas on Google Cloud
E. Cloud Spanner
Answers: C, D, E

For transferring 5 TB of data, Transfer Appliance can be used to physically ship data.

Why this answer

MongoDB Atlas is available on Google Cloud and provides global distribution with strong consistency. Database Migration Service does not support MongoDB natively. Bigtable is not compatible.

Cloud Spanner is globally distributed and strongly consistent. Transfer Appliance is for large data transfers. BigQuery is not suitable.

622
Multi-Select · medium

An engineer is using gsutil to upload a large number of files to a Cloud Storage bucket. The upload is proceeding very slowly. Which two actions could improve the upload performance? (Choose two.)

Select 2 answers
A. Use the gsutil -m option to enable parallel multi-threading.
B. Increase the number of retries using gsutil -o Boto:num_retries=10.
C. Change the storage class of the bucket to Standard.
D. Set the parallel composite upload threshold to a value less than the size of the files being uploaded.
E. Set a custom ACL on the bucket to allow faster writes.
Answers: A, D

Parallel multi-threading speeds up uploads of multiple files.

Why this answer

To improve upload performance, enable parallel composite uploads by setting the threshold below the size of the files (for example gsutil -o GSUtil:parallel_composite_upload_threshold=150M) and run gsutil with -m to upload multiple files in parallel, so options A and D are correct. Option B raises the retry count, which does not speed up a slow upload and may prolong it.

Option C changes the storage class, which does not affect upload speed. Option E changes ACL settings, which have no effect on throughput.

623
MCQ · easy

Which of the following is true about Cloud Shell?

A. Cloud Shell has 5 GB of persistent home directory storage.
B. Cloud Shell requires installation of gcloud and kubectl manually.
C. Cloud Shell only supports the gcloud CLI, not kubectl.
D. Cloud Shell provides a persistent VM that can run for hours.
Answer: A

The home directory is persistent across sessions.

Why this answer

Cloud Shell provides a temporary virtual machine with 5 GB of persistent home directory storage; gcloud, kubectl, and terraform are pre-installed. The home directory persists across sessions, but the VM itself is ephemeral and is terminated after 20 minutes of inactivity.

624
MCQ · easy

A new engineer is setting up their GCP environment for the first time. They have a billing account and need to create a new project for development. What is the correct order of steps?

A. Enable APIs → Create billing account → Create project
B. Create project → Associate billing account → Enable APIs
C. Create project → Enable APIs → Associate billing account
D. Create billing account → Create project → Enable APIs
Answer: D

This is the correct sequence: billing account first, then project creation, then API enablement.

Why this answer

The standard order is to first create the billing account, then create the project and associate it with the billing account, and finally enable the required APIs within that project.

625
MCQ · easy

You want to ensure that all Cloud Storage buckets in your organization require customer-managed encryption keys (CMEK). What is the most efficient way to enforce this?

A. Use Cloud Audit Logs to monitor for non-compliant buckets.
B. Create an Organization Policy with constraint 'storage.requireCustomerManagedEncryption'.
C. Use a service account to encrypt all objects with CMEK.
D. Set a bucket policy on each bucket to require CMEK.
Answer: B

Organization Policy can enforce CMEK requirement on all buckets in the organization.

Why this answer

Option B is correct because the Organization Policy constraint 'storage.requireCustomerManagedEncryption' is a centralized, scalable way to enforce CMEK across all Cloud Storage buckets in the organization. This policy is applied at the organization or folder level and automatically prevents the creation of new buckets without CMEK, while also blocking updates to existing non-compliant buckets. It is the most efficient method as it requires no per-bucket configuration or ongoing monitoring.

Exam trap

Google Cloud often tests the distinction between monitoring (Audit Logs) and enforcement (Organization Policies), and the trap here is that candidates may think monitoring is sufficient for compliance, when in fact only a proactive policy constraint can prevent non-compliant resources from being created.

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs only provide post-hoc visibility into bucket creation and configuration changes; they do not enforce or prevent non-compliant buckets from being created. Option C is wrong because using a service account to encrypt objects with CMEK does not enforce the requirement at the bucket level—objects can still be uploaded with Google-managed encryption keys if the service account is not used, and it does not prevent creation of buckets without CMEK. Option D is wrong because setting a bucket policy on each bucket is not scalable and does not prevent the creation of new buckets without CMEK; it also requires manual or scripted application to every existing and future bucket, which is inefficient and error-prone.

626
MCQ · medium

Two GCP projects, A and B, have VPC peering configured. Project A is peered with B, and Project B is peered with Project C. Can VMs in Project A reach VMs in Project C through Project B?

A. Yes — VPC peering automatically enables transitive routing through intermediate peered networks
B. No — VPC peering is non-transitive; A and C must be directly peered to communicate
C. Yes — if Project B has IP forwarding enabled, it acts as a router between A and C
D. It depends on the firewall rules in Project B's VPC
Answer: B

VPC peering in GCP does not support transitive routing. Project A's peering with B gives A access to B's VPC only — not to networks B is peered with (like C).

Why this answer

Option B is correct because VPC peering in Google Cloud is non-transitive. This means that if Project A is peered with Project B and Project B is peered with Project C, traffic from Project A cannot flow through Project B to reach Project C. Each peering connection is a direct, point-to-point link, and there is no routing of traffic across multiple peered networks unless explicitly configured with a separate mechanism like a VPN or a third-party appliance.

Therefore, VMs in Project A and Project C must be directly peered to communicate.

Exam trap

Google Cloud often tests the misconception that VPC peering behaves like a traditional router or switch, where traffic can be forwarded through intermediate networks, but in Google Cloud, VPC peering is strictly non-transitive, and candidates must remember that direct peering is required for communication between non-adjacent VPCs.

How to eliminate wrong answers

Option A is wrong because VPC peering does not automatically enable transitive routing; it is explicitly non-transitive by design in Google Cloud, and traffic cannot hop through an intermediate peered network. Option C is wrong because IP forwarding on instances in Project B does not enable transitive routing across VPC peering; IP forwarding is used for instances acting as routers or NAT gateways, but VPC peering itself does not support transitive routing regardless of IP forwarding settings. Option D is wrong because the issue is not about firewall rules; even if firewall rules in Project B allow all traffic, the fundamental non-transitive nature of VPC peering prevents communication between A and C through B.

627
MCQeasy

An organization wants to run a stateless HTTP-based containerized application that scales to zero when not in use and charges only for request processing time. They do not want to manage any underlying infrastructure. Which compute option should they choose?

A.Compute Engine with managed instance group
B.Cloud Run
C.Cloud Functions
D.Google Kubernetes Engine (GKE) Standard
AnswerB

Cloud Run is serverless, scales to zero, and charges per request. Perfect for stateless HTTP containers.

Why this answer

Cloud Run is a fully managed serverless platform for containers. It scales to zero automatically when no requests are coming in, and you pay only for the resources used during request processing. It is ideal for stateless HTTP-triggered workloads.

628
MCQmedium

A cost-conscious team notices their GKE cluster's node pools have consistently high memory utilization (>90%) while CPU remains at 30%. Pods are occasionally OOMKilled. What should they do to balance resource efficiency and stability?

A.Switch node pool machine type to a memory-optimized series (e.g., m2-ultramem) and ensure Pod memory requests are accurate
B.Increase CPU limits for all Pods to use the available CPU capacity
C.Enable vertical pod autoscaling (VPA) set to Recreate mode as the only change
D.Reduce the number of replica Pods to lower memory consumption
AnswerA

Memory-optimized machine types provide more RAM per vCPU, directly addressing the memory bottleneck. Accurate Pod requests let the scheduler pack Pods efficiently and let the autoscaler add the right type of capacity.

Why this answer

Option A is correct because the team has a memory-bound workload (high memory utilization, low CPU, OOMKills). Switching to a memory-optimized machine series (e.g., m2-ultramem) provides a higher memory-to-CPU ratio, directly addressing the memory pressure. Ensuring accurate Pod memory requests allows the scheduler to place Pods efficiently and prevents overcommitment, balancing resource efficiency with stability.

Exam trap

Google Cloud often tests the misconception that vertical scaling (VPA) alone can fix memory pressure without considering the node's physical resource ratio, leading candidates to pick Option C and overlook the need for a memory-optimized machine type.

How to eliminate wrong answers

Option B is wrong because increasing CPU limits does not address memory pressure or OOMKills; it wastes CPU capacity that is already underutilized and may cause unnecessary throttling or scheduling inefficiencies. Option C is wrong because enabling VPA in Recreate mode as the only change will adjust CPU and memory requests based on historical usage, but it does not change the underlying machine type's memory-to-CPU ratio; the node pool may still lack sufficient memory capacity, leading to continued OOMKills or failed VPA recommendations. Option D is wrong because reducing replica Pods lowers overall memory consumption but also reduces application throughput and availability; it does not fix the root cause of memory inefficiency per Pod and may violate stability or SLA requirements.

629
MCQhard

An organization wants to enforce encryption at rest for all data in Cloud Storage using Customer-Managed Encryption Keys (CMEK). They have created a Cloud KMS key ring and key. What additional step is required when creating a new bucket to use CMEK?

A.Use the `--encryption-key` flag in the `gsutil mb` command.
B.Use the `--default-encryption-key` flag with the KMS key resource ID in the `gsutil mb` command.
C.Assign the Cloud KMS CryptoKey Encrypter/Decrypter role to the Cloud Storage service account.
D.Enable CMEK in the Cloud Console under the bucket's encryption settings after creation.
AnswerB

Correct. This sets the default encryption key for the bucket.

Why this answer

When creating a bucket with CMEK, you must specify the `--default-encryption-key` flag with the KMS key resource ID. This sets the default encryption key for objects stored in the bucket.

630
MCQmedium

A company wants to track and forecast GCP spending across different departments. They have already set up labels on resources to indicate the department. Which additional step should they take to analyze costs by department in BigQuery?

A.Enable billing export to BigQuery in the Cloud Billing console
B.Use the Cloud Billing API to programmatically fetch cost data and write it to BigQuery
C.Run a scheduled query in BigQuery that calls the Cloud Billing API
D.Create a Cloud Function that captures billing events and inserts them into BigQuery
AnswerA

This automatically exports detailed billing data with labels into BigQuery.

Why this answer

Enabling billing export to BigQuery will stream billing data (including labels) into a BigQuery dataset, allowing custom queries and analysis.

631
MCQeasy

A developer runs `gcloud projects list` and receives the error: `ERROR: (gcloud.projects.list) PERMISSION_DENIED: The caller does not have permission`. The developer has the Viewer role on several projects. What is the most likely cause?

A.The developer does not have multi-factor authentication enabled.
B.The developer lacks `resourcemanager.projects.list` at the organization or folder level.
C.The gcloud SDK is outdated and must be updated.
D.The developer's account has been suspended by the billing administrator.
AnswerB

Project Viewer only grants permissions within the project. Listing all projects requires the permission at a higher hierarchy level.

Why this answer

The `gcloud projects list` command requires the `resourcemanager.projects.list` permission, which is granted at the organization or folder level, not at the individual project level. Even with the Viewer role on several projects, the developer lacks this specific permission at the resource hierarchy level above the projects, causing the PERMISSION_DENIED error.

Exam trap

Google Cloud often tests the misconception that project-level roles like Viewer are sufficient for listing projects, when in reality the `resourcemanager.projects.list` permission must be granted at a higher level in the resource hierarchy.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is an account security feature that does not affect API permissions or gcloud command authorization; it is unrelated to IAM permission errors. Option C is wrong because an outdated gcloud SDK would typically cause version mismatch errors or deprecation warnings, not a PERMISSION_DENIED error, which is an IAM authorization issue. Option D is wrong because a suspended account would result in an authentication error (e.g., 'Account is disabled') or a billing-related error, not a permission denied error for a specific API call.

632
Multi-Selectmedium

A company plans to deploy a containerized application on GKE Autopilot. They want to ensure high availability by running multiple replicas across different zones. They also need to expose the application via a load balancer with SSL termination. Which THREE resources should they create?

Select 3 answers
A.Service
B.StatefulSet
C.Ingress
D.ConfigMap
E.Deployment
AnswersA, C, E

A Service (e.g., ClusterIP or NodePort) provides stable networking to the pods.

Why this answer

In GKE, a Deployment manages replica pods, a Service of type LoadBalancer provisions a load balancer (with SSL termination if configured), and the Ingress resource can also provide SSL termination and routing. The question says 'load balancer with SSL termination' – a Service of type LoadBalancer creates a TCP/UDP load balancer which does not natively terminate SSL. For HTTP/S traffic with SSL termination, they need an Ingress resource (which creates an HTTP(S) load balancer).

Alternatively, they could use a Service of type NodePort with a separate ingress. The typical pattern for SSL termination in GKE is to use an Ingress. The three resources: Deployment (for replicas), Service (to expose pods internally or via load balancer), and Ingress (for SSL termination and external access).

Some might say a Service of type LoadBalancer can also terminate SSL when used with GKE Ingress for Anthos, but the standard approach is an Ingress. The question is multi-select, so three answers are needed: Deployment, Service (ClusterIP or NodePort), and Ingress.

Option A (Deployment) is correct. Option B (StatefulSet) is not needed. Option C (Service) is correct.

Option C (Service) yes. Option D (Ingress) correct. Option E (ConfigMap) is optional.

So A, C, D.

633
Multi-Selecthard

An organization needs to run a batch analytics job on BigQuery every night that processes terabytes of data. The job is critical and must complete within a specific time window. To optimize costs, they are considering using flat-rate pricing but want to minimize commitment risk. Which THREE factors should they evaluate?

Select 3 answers
A.The number of Cloud Storage buckets used for data staging
B.The cost of on-demand query pricing for the same workload
C.The cost of reserving dedicated hardware for Compute Engine
D.The number of slots needed to complete the job within the required time window
E.The availability of flex slots for short-term capacity needs
AnswersB, D, E

Compare flat-rate pricing to on-demand to determine if flat-rate is cheaper.

Why this answer

Option B is correct because comparing the cost of on-demand query pricing for the same workload provides a baseline to evaluate whether flat-rate pricing is more economical. Flat-rate pricing is cost-effective for predictable, high-volume workloads, but without understanding the on-demand cost, the organization cannot assess potential savings or commitment risk.

Exam trap

Cisco often tests the misconception that storage infrastructure (like Cloud Storage buckets) or unrelated compute services (like Compute Engine) influence BigQuery pricing decisions, when in fact the focus should be on slot allocation and cost comparison with on-demand pricing.

634
MCQeasy

A company wants to store event logs from multiple applications in a centralized location for future analysis. The logs are written frequently (thousands per second) and need to be retained for 90 days. The data is write-once, read-rarely. Which storage class and lifecycle rule combination is most cost-effective?

A.Set default storage class to Archive and use lifecycle rule to delete after 90 days
B.Set default storage class to Standard and use lifecycle rule to delete after 90 days
C.Set default storage class to Coldline and use lifecycle rule to delete after 90 days
D.Set default storage class to Nearline and use lifecycle rule to delete after 90 days
AnswerC

Coldline is designed for data accessed less than once per 90 days, with lower storage cost. Deleting after 90 days aligns with the retention period.

Why this answer

For write-once, read-rarely data, Coldline storage class is cost-effective for data accessed less than once per 90 days. Set a lifecycle rule to delete objects after 90 days. Alternatively, use Standard for the first 30 days then move to Coldline, but the question asks for a combination.

The simplest is to set the default storage class to Coldline and a lifecycle rule to delete at 90 days.

635
MCQmedium

You are managing a project and need to create a custom IAM role that allows only the permissions compute.instances.list and compute.instances.get. What is the correct way to create this role using gcloud?

A.gcloud iam service-accounts create viewer --permissions="compute.instances.list,compute.instances.get"
B.gcloud iam roles create viewer --organization=123456 --permissions="compute.instances.*"
C.gcloud iam roles create viewer --project=my-project --permissions="compute.instances.list,compute.instances.get"
D.gcloud iam custom-roles create viewer --project=my-project --permissions='compute.instances.list,compute.instances.get'
AnswerC

Correct syntax for creating a custom role with specific permissions.

Why this answer

The command 'gcloud iam roles create' is used to create custom roles. The permissions are specified with the --permissions flag.

636
MCQmedium

An engineer is setting up Cloud Shell for the first time. They notice that their home directory persists across sessions. How much storage is allocated to the home directory in Cloud Shell?

A.10 GB
B.1 GB
C.20 GB
D.5 GB
AnswerD

Correct.

Why this answer

Cloud Shell provides 5 GB of persistent home directory storage.

637
MCQeasy

A company is using Cloud Run for a stateless application. The application sometimes fails with HTTP 503 errors when traffic spikes. Which action should the team take to improve reliability?

A.Configure a liveness probe with a higher initial delay.
B.Increase the maximum number of container instances.
C.Use Cloud Functions instead of Cloud Run.
D.Enable HTTP load balancing with Cloud CDN.
AnswerB

Increasing the max instances allows more concurrent requests, reducing 503s.

Why this answer

HTTP 503 errors during traffic spikes indicate that Cloud Run is scaling out but hitting the maximum number of container instances limit, causing new requests to be rejected. Increasing the maximum number of container instances allows Cloud Run to spin up more concurrent containers to handle the burst, directly improving reliability under load.

Exam trap

The trap here is that candidates confuse liveness probes (which check container health) with scaling mechanisms, or assume that adding a CDN or switching to Cloud Functions will magically absorb traffic spikes, when the root cause is simply hitting the instance cap.

How to eliminate wrong answers

Option A is wrong because a liveness probe with a higher initial delay only affects when the container is considered healthy after startup; it does not address capacity limits during traffic spikes. Option C is wrong because Cloud Functions has similar or stricter concurrency and scaling limits, and switching to it would not inherently solve capacity-related 503 errors. Option D is wrong because HTTP load balancing with Cloud CDN caches static content but does not increase the backend's ability to handle more concurrent requests; the 503 originates from Cloud Run's instance cap, not from network-level congestion.

638
MCQmedium

A team wants to automatically restart any GKE Pod that fails a liveness probe three consecutive times. The probe should check HTTP GET /healthz on port 8080, starting after 30 seconds and checking every 10 seconds. Which Pod spec configuration implements this?

A.
```yaml
readinessProbe:
  httpGet:
    path: /healthz
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
  failureThreshold: 3
```
B.
```yaml
livenessProbe:
  httpGet:
    path: /healthz
    port: 8080
  initialDelaySeconds: 30
  periodSeconds: 10
  failureThreshold: 3
```
C.
```yaml
startupProbe:
  httpGet:
    path: /healthz
    port: 8080
  failureThreshold: 3
```
D.
```yaml
lifecycle:
  postStart:
    httpGet:
      path: /healthz
      port: 8080
```
AnswerB

livenessProbe with the correct httpGet, timing, and failureThreshold configuration will restart the container after 3 consecutive failures — exactly the described behavior.

Why this answer

Option B is correct because a livenessProbe with an HTTP GET on /healthz at port 8080, configured with initialDelaySeconds: 30, periodSeconds: 10, and failureThreshold: 3, will cause the kubelet to restart the Pod after three consecutive failed checks. This directly matches the requirement to restart on liveness probe failures, as liveness probes are specifically designed to determine if a container should be restarted.

Exam trap

Google Cloud often tests the distinction between readinessProbe and livenessProbe, trapping candidates who confuse 'restart on failure' with 'stop sending traffic on failure'.

How to eliminate wrong answers

Option A is wrong because it uses a readinessProbe, which only controls whether the Pod receives traffic from Services, not whether the container is restarted; readiness probes do not trigger restarts on failure. Option C is wrong because a startupProbe is used to delay other probes until the application has started, and it does not cause restarts after the initial startup phase; it also lacks the required initialDelaySeconds and periodSeconds. Option D is wrong because lifecycle hooks like postStart execute a command or HTTP request once after container creation, not as a recurring health check, and they cannot be configured with failure thresholds or periodic checks.

639
MCQeasy

You need to deploy a new version of an App Engine standard environment application. The new version should receive 10% of traffic while the current version continues to receive 90%. Which command achieves this?

A.`gcloud app deploy --version=v2 --no-promote`
B.`gcloud app services set-traffic default --splits v1=0.9,v2=0.1`
C.`gcloud app versions migrate v2`
D.`gcloud app deploy --version=v2 --promote --stop-previous-version`
AnswerB

This command splits traffic between v1 (90%) and v2 (10%) for the default service — precisely the canary deployment pattern required.

Why this answer

Option B is correct because the `gcloud app services set-traffic` command explicitly splits traffic between versions of an App Engine service. By specifying `--splits v1=0.9,v2=0.1`, you direct 90% of requests to version v1 and 10% to version v2, without deploying a new version or promoting it. This is the standard method for gradual traffic migration in App Engine standard environment.

Exam trap

Google Cloud often tests the distinction between deploying a version (`deploy`), migrating all traffic (`migrate`), and splitting traffic (`set-traffic`), so the trap here is that candidates confuse `--no-promote` with traffic splitting, thinking it allocates a percentage of traffic when it actually just deploys without routing any traffic to the new version.

How to eliminate wrong answers

Option A is wrong because `gcloud app deploy --version=v2 --no-promote` deploys version v2 but does not split traffic; it leaves all traffic on the default version (v1), so v2 receives 0% of traffic. Option C is wrong because `gcloud app versions migrate v2` migrates all traffic to version v2 (100%), not a 10% split. Option D is wrong because `gcloud app deploy --version=v2 --promote --stop-previous-version` deploys v2, promotes it to receive all traffic, and stops the previous version, resulting in 100% traffic to v2, not a 10/90 split.

640
Multi-Selecteasy

An organization is setting up a new GCP environment and needs to create a hierarchy that separates development, staging, and production workloads. Which two resources can be used to group projects for this purpose? (Choose TWO.)

Select 2 answers
A.VPC
B.Project
C.Cloud Identity
D.Folder
E.Organization
AnswersB, D

Projects are the container for resources; they can be grouped into folders.

Why this answer

Folders and projects are the key hierarchy elements. Folders can contain projects and other folders, and projects contain resources. Organization is the root node, not used to group projects directly.

641
MCQmedium

An engineer wants to authenticate to Google Cloud using their own user credentials and also set up application default credentials for a local development environment. Which sequence of gcloud auth commands should they use?

A.gcloud auth login then gcloud auth application-default login
B.gcloud auth application-default login then gcloud auth login
C.gcloud init then gcloud auth login
D.gcloud auth configure-docker then gcloud auth login
AnswerA

Correct sequence: user credentials first, then ADC.

Why this answer

First, use 'gcloud auth login' to authenticate the gcloud CLI with user credentials. Then, use 'gcloud auth application-default login' to set up application default credentials for local development. The other options are incorrect or reversed.

642
MCQhard

A company is using a managed instance group (MIG) with autoscaling based on CPU utilization. The application is memory-intensive, and the team notices that new instances are not being created quickly enough during traffic spikes. What should the engineer do to improve responsiveness?

A.Enable predictive autoscaling
B.Increase the autoscaling cooldown period
C.Decrease the autoscaling cooldown period
D.Use a larger machine type in the instance template
AnswerC

A shorter cooldown allows the MIG to scale up faster.

Why this answer

Increasing the autoscaling cooldown period slows down scaling; decreasing it makes scaling more responsive. Changing to a more aggressive metric or using predictive autoscaling can help, but the simplest fix is to reduce the cooldown period.

The other options are wrong.

643
MCQhard

A company wants to migrate an on-premises PostgreSQL database to Google Cloud. They need a managed database service with high availability and automatic failover. The application uses many stored procedures and extensions specific to PostgreSQL. Which service should they choose?

A.Cloud Spanner
B.Bare Metal Solution
C.Cloud SQL for PostgreSQL
D.Firestore
AnswerC

Why this answer

Cloud SQL for PostgreSQL supports many PostgreSQL extensions and stored procedures. Cloud Spanner is not PostgreSQL-compatible; Firestore is NoSQL; Bare Metal Solution is for on-premises-like deployments, not managed.

644
Multi-Selectmedium

You need to drain a GKE node for maintenance without disrupting running workloads that are managed by a DaemonSet. Which TWO flags should you use with kubectl drain? (Choose two.)

Select 2 answers
A.--delete-emptydir-data
B.--grace-period=0
C.--disable-eviction
D.--ignore-daemonsets
E.--force
AnswersA, D

Necessary if any pods use emptyDir volumes; the question doesn't specify, but it's a common flag used in drains.

Why this answer

kubectl drain evicts pods. By default, it will fail if there are pods not managed by a ReplicationController/ReplicaSet/Deployment or if there are DaemonSet pods. The --ignore-daemonsets flag allows draining despite DaemonSet pods.

The --delete-emptydir-data flag is needed if any pods use emptyDir volumes.

645
MCQeasy

Which of the following is required to enable Private Google Access on a subnet?

A.Configuring the subnet with --enable-private-ip-google-access
B.A Cloud Router in the same region
C.A Cloud NAT gateway
D.VPC peering with a Google-managed network
AnswerA

Correct: This flag enables Private Google Access on the subnet.

Why this answer

Private Google Access is enabled at the subnet level using the '--enable-private-ip-google-access' flag. A Cloud NAT is not required for Private Google Access, though it is commonly used together. Cloud Router and VPC peering are not prerequisites.

646
MCQmedium

A team needs a GKE cluster named 'prod-cluster' in the us-central1 region with cluster autoscaling enabled, scaling between 3 and 10 nodes. Which command achieves this?

A.gcloud container clusters create prod-cluster --region=us-central1 --num-nodes=3 --enable-autoscaling --min-nodes=3 --max-nodes=10
B.gcloud kubernetes clusters create prod-cluster --location=us-central1 --autoscale=3:10
C.gcloud container cluster create prod-cluster --zone=us-central1 --scaling=3-10
D.kubectl create cluster prod-cluster --region=us-central1 --autoscale --min=3 --max=10
AnswerA

This command creates a regional GKE cluster with the node autoscaler configured to scale between 3 and 10 nodes. `--region` creates a regional (multi-zone) cluster.

Why this answer

Option A is correct because it uses the `gcloud container clusters create` command with the `--enable-autoscaling` flag, which enables cluster autoscaler for the GKE cluster. The `--min-nodes=3` and `--max-nodes=10` flags define the scaling range, while `--num-nodes=3` sets the initial node count, ensuring the cluster starts with 3 nodes and can scale up to 10 as needed. The `--region=us-central1` specifies a regional cluster, which is appropriate for production workloads requiring high availability across zones.

Exam trap

Google Cloud often tests the distinction between `gcloud container clusters` (correct for GKE) and `gcloud kubernetes clusters` (invalid), as well as the requirement to use `--enable-autoscaling` with separate `--min-nodes` and `--max-nodes` flags instead of shorthand syntax like `--autoscale=3:10`.

How to eliminate wrong answers

Option B is wrong because `gcloud kubernetes clusters create` is not a valid gcloud command; the correct command uses `gcloud container clusters create`. Additionally, `--autoscale=3:10` is not a valid flag; the correct flags are `--enable-autoscaling`, `--min-nodes`, and `--max-nodes`. Option C is wrong because `--zone=us-central1` is invalid since us-central1 is a region, not a zone; a zone would be like `us-central1-a`. Also, `--scaling=3-10` is not a valid gcloud flag; the correct syntax uses `--enable-autoscaling` with separate min and max flags. Option D is wrong because `kubectl create cluster` is not a valid kubectl command; kubectl is used to manage Kubernetes resources, not to create GKE clusters. Additionally, `--autoscale`, `--min`, and `--max` are not kubectl flags for cluster creation.

647
MCQmedium

A data scientist wants to deploy a Python function that processes messages from a Pub/Sub topic whenever a new message arrives. The function should be stateless and run in a serverless environment. Which deployment command should be used?

A.gcloud run deploy my-function --source . --region us-central1 --trigger-topic my-topic
B.gcloud functions deploy my-function --runtime python39 --trigger-topic my-topic --entry-point my_entry --region us-central1
C.gcloud pubsub subscriptions create my-sub --topic my-topic --push-endpoint https://my-function-url
D.gcloud functions deploy my-function --runtime python39 --trigger-http --entry-point my_entry --region us-central1
AnswerB

Correct. This deploys a Cloud Function triggered by Pub/Sub topic.

Why this answer

Cloud Functions is serverless and can be triggered by Pub/Sub. The command 'gcloud functions deploy' with --trigger-topic creates a function that is triggered by messages on the specified topic.

648
MCQeasy

A startup wants to host a static website (HTML, CSS, JS) globally with minimal latency and high availability. They expect low traffic initially but want to scale seamlessly. Which solution is most cost-effective and simple?

A.Compute Engine with nginx
B.App Engine standard environment
C.Cloud Functions with HTTP triggers
D.Cloud Storage bucket with Cloud CDN enabled
AnswerD

Static website hosting from a bucket is simple, and CDN provides global low latency.

Why this answer

A Cloud Storage bucket with Cloud CDN enabled is the most cost-effective and simple solution for hosting a static website globally with minimal latency. Cloud Storage natively serves static content (HTML, CSS, JS) without provisioning servers, and Cloud CDN caches content at edge locations worldwide, reducing latency. It scales seamlessly from zero traffic to high demand without manual intervention, and costs are based only on storage and egress, making it ideal for low-traffic startups.

Exam trap

Google Cloud often tests the misconception that static websites require a compute layer (like App Engine or Compute Engine) to serve files, when in fact Cloud Storage with CDN is the simplest and most cost-effective serverless option for static content.

How to eliminate wrong answers

Option A is wrong because Compute Engine with nginx requires managing a virtual machine, which adds operational overhead and cost for idle resources, and does not provide global edge caching without additional configuration. Option B is wrong because App Engine standard environment is designed for dynamic web applications with server-side code, not purely static sites, and incurs costs for always-on instances even at low traffic. Option C is wrong because Cloud Functions with HTTP triggers is intended for event-driven, short-lived compute tasks, not for serving static files efficiently; it would incur per-invocation costs and cold start latency, and lacks built-in global CDN caching for static assets.

649
MCQhard

An e-commerce application has a read-heavy database workload: 95% reads, 5% writes. The primary Cloud SQL instance is experiencing CPU saturation during peak read traffic. What is the most appropriate GCP-native solution that minimizes changes to application code?

A.Enable Cloud SQL high availability; the standby replica will serve read traffic.
B.Create Cloud SQL read replicas and route read queries to the replica endpoint.
C.Scale the primary Cloud SQL instance vertically to a larger machine type.
D.Migrate from Cloud SQL to Cloud Spanner for unlimited horizontal read scalability.
AnswerB

Read replicas receive replicated data from the primary and serve SELECT queries. Application code only needs different connection strings for reads vs. writes — minimal changes.

Why this answer

B is correct because Cloud SQL read replicas are designed to offload read traffic from the primary instance, directly addressing CPU saturation during peak reads without requiring application code changes—simply route SELECT queries to the read replica's IP address. This is the most appropriate GCP-native solution for a read-heavy (95% reads) workload, as it horizontally scales read capacity while keeping writes on the primary.

Exam trap

The trap here is that candidates confuse Cloud SQL HA standby replicas with read replicas, assuming the standby can serve reads, when in fact HA standby replicas are passive and only used for automatic failover.

How to eliminate wrong answers

Option A is wrong because Cloud SQL high availability (HA) uses a standby replica in a different zone that does not serve read traffic; it only provides failover for writes, so it does not offload read queries or reduce CPU on the primary. Option C is wrong because vertical scaling (larger machine type) increases cost and has an upper limit, and it does not leverage the read-heavy nature of the workload; it also requires a brief downtime during the resize. Option D is wrong because migrating to Cloud Spanner introduces significant application code changes (e.g., different query syntax, strong consistency model) and is overkill for a simple read-heavy MySQL/PostgreSQL workload; Spanner is designed for globally distributed, strongly consistent transactions, not for minimizing code changes.

650
MCQhard

A team is using gcloud configurations to manage multiple projects. They want to create a new configuration for a production project. How can they achieve this?

A.Run 'gcloud init' and select 'Create a new configuration'
B.Run 'gcloud config configurations create prod' then 'gcloud config set project prod-project'
C.Run 'gcloud config set project prod-project' with a flag to create new config
D.Edit the gcloud config file manually
AnswerB

Correct: First create the configuration, then set project within it.

Why this answer

Manage configurations with 'gcloud config configurations create' and then set properties. Switching is done with 'gcloud config configurations activate'.

651
MCQhard

Your GKE cluster is running a deployment with a container image my-app:v1. You need to update it to my-app:v2 and monitor the rollout progress. Which commands should you use?

A.gcloud compute instances update-container and kubectl get events
B.kubectl edit deployment/my-app and change the image, then kubectl rollout undo if needed
C.kubectl set image deployment/my-app my-app=my-app:v2 followed by kubectl rollout status deployment/my-app
D.gcloud container clusters upgrade and kubectl get pods
AnswerC

Correct sequence to update and monitor rollout.

Why this answer

kubectl set image updates the deployment, and kubectl rollout status monitors progress.

652
MCQhard

Your security team requires that all service accounts in your GCP organization older than 90 days that have not been used must be automatically disabled. They want a fully managed, serverless solution with no persistent infrastructure. Which architecture best meets these requirements?

A.Deploy a Compute Engine VM with a cron job that calls the IAM API nightly.
B.Use Cloud Scheduler to trigger a Cloud Function that queries Cloud Asset Inventory and disables stale service accounts.
C.Configure an org policy that automatically expires service accounts after 90 days.
D.Use Security Command Center to flag and manually disable unused service accounts.
AnswerB

Cloud Scheduler + Cloud Function is fully serverless. Cloud Asset Inventory provides `lastAuthenticatedTime` for service accounts, and the IAM API can disable them programmatically.

Why this answer

Option B is correct because Cloud Scheduler can trigger a serverless Cloud Function on a schedule (e.g., nightly) to query Cloud Asset Inventory for service accounts older than 90 days with no last authentication time, then disable them via the IAM API. This meets the fully managed, serverless requirement with no persistent infrastructure (no VMs or servers to maintain).

Exam trap

Google Cloud often tests the misconception that Organization Policies can enforce time-based lifecycle actions on IAM resources, but they only provide static constraints (e.g., 'constraints/iam.disableServiceAccountCreation'), not dynamic expiration or usage-based disabling.

How to eliminate wrong answers

Option A is wrong because it uses a Compute Engine VM with a cron job, which requires persistent infrastructure (the VM) and is not fully managed or serverless. Option C is wrong because Organization Policies do not support automatic expiration or disabling of service accounts based on age or usage; they enforce constraints on resource locations, domains, or service states, not time-based lifecycle actions. Option D is wrong because Security Command Center (SCC) provides findings and recommendations but does not automatically disable resources; it requires manual intervention, which violates the 'automatically disabled' requirement.

653
MCQeasy

A developer wants to deploy a Cloud Function that processes images uploaded to a Cloud Storage bucket. The function should be triggered automatically when an object is created. What is the best practice for setting up this trigger?

A.Use a Pub/Sub topic and a push subscription to invoke the Cloud Function
B.Create a Cloud Function with a Cloud Storage trigger and specify the bucket and event type
C.Use a Compute Engine instance to watch the bucket and call the function
D.Set up a Cloud Scheduler job to periodically scan the bucket and invoke the function
AnswerB

Cloud Functions natively support Cloud Storage triggers; this is the simplest approach.

Why this answer

Option B is correct because Cloud Functions natively supports Cloud Storage triggers via the `google.storage.object.finalize` event type, which fires when a new object is created in the specified bucket. This is the simplest and most reliable approach, as it eliminates the need for intermediate services and ensures low-latency, event-driven invocation directly from the storage layer.

Exam trap

Google Cloud often tests the misconception that Pub/Sub is required for all event-driven triggers, but Cloud Storage has a direct integration with Cloud Functions that avoids the overhead of an additional messaging layer.

How to eliminate wrong answers

Option A is wrong because using a Pub/Sub topic and push subscription adds unnecessary complexity and latency; Cloud Storage can directly trigger Cloud Functions without an intermediary, and Pub/Sub is typically used for decoupling or fan-out scenarios, not for direct storage events. Option C is wrong because using a Compute Engine instance to poll the bucket introduces compute cost, polling latency, and operational overhead, violating the serverless and event-driven best practices that Cloud Functions are designed for. Option D is wrong because Cloud Scheduler is a cron-based job scheduler for periodic tasks, not for real-time event triggers; it would introduce delays and inefficiency compared to the native event-driven trigger.

654
MCQeasy

You need to alert when the CPU utilization of your Compute Engine instance exceeds 80% for 5 minutes. What should you create in Cloud Monitoring?

A.An uptime check
B.A metric threshold alerting policy
C.A log-based alert
D.A dashboard chart
AnswerB

Metric threshold alerts evaluate metric data against a threshold over time.

Why this answer

A metric threshold alerting policy triggers when a metric crosses a threshold for a specified duration.

655
Multi-Selecteasy

A developer wants to deploy a new application on Google Cloud. The application consists of a frontend service that serves web traffic and a backend service that processes images. Both services need to be containerized. Which two compute options are serverless and support container deployment? (Choose 2)

Select 2 answers
A.Google Kubernetes Engine (GKE)
B.Cloud Functions (2nd gen)
C.Cloud Run
D.Compute Engine
E.Cloud Functions (1st gen)
AnswersB, C

Cloud Functions (2nd gen) supports container images.

Why this answer

Cloud Run and Cloud Functions (2nd gen) both support container images and are serverless (no server management, scale automatically). GKE and Compute Engine are not serverless. Cloud Functions (1st gen) does not support containers.

656
MCQmedium

An organization has deployed a Compute Engine VM instance running a web server. The web server is not responding to HTTP requests from the internet. The firewall rules allow ingress traffic on port 80 and 443 from any source (0.0.0.0/0). The VM has a public IP address and is in a VPC network with default subnets. What is the most likely cause of the issue?

A.The VM does not have an HTTP health check configured.
B.The web server service is not running on the VM.
C.The VPC network's default firewall rule blocks ingress traffic.
D.The VM is not in the same region as the global load balancer.
AnswerB

If the web server process is not running, it will not respond to HTTP requests.

Why this answer

Option B is correct because the most likely cause of the web server not responding to HTTP requests, despite correct firewall rules and a public IP, is that the web server service (e.g., Apache, Nginx) is not running on the VM. Firewall rules only control network traffic; they do not ensure that the application process is listening on the specified ports. A simple `sudo systemctl status apache2` or `netstat -tlnp` would confirm whether the service is active.

Exam trap

Google Cloud often tests the misconception that firewall rules alone guarantee application availability, when in fact the application service must be running and listening on the correct port.

How to eliminate wrong answers

Option A is wrong because HTTP health checks are used by load balancers to monitor instance health, but they are not required for a standalone VM to respond to HTTP requests; the VM can serve traffic directly without any health check configuration. Option C is wrong because the default VPC firewall rules include an 'allow' rule for ingress traffic on ports 80 and 443 from 0.0.0.0/0, so they do not block the traffic; the issue is not firewall-related. Option D is wrong because a global load balancer is not mentioned in the scenario, and even if one were used, the VM does not need to be in the same region as the load balancer — global load balancers route traffic to backends in any region.

657
MCQhard

You need to create a log-based metric that counts the number of 5xx errors from your application logs. The logs are in Cloud Logging and contain a field "httpRequest.status". Which filter should you use when creating the metric?

A.httpRequest.status:5*
B.severity=ERROR AND "5xx"
C.httpRequest.status = 500 OR httpRequest.status = 501 OR httpRequest.status = 502
D.httpRequest.status >= 500
AnswerD

This filter correctly selects log entries with status code 500 or greater.

Why this answer

Log-based metrics use Cloud Logging filter language to select log entries.

658
MCQhard

You are enabling OS Login for a GCP project to manage SSH access to Compute Engine VMs. A developer cannot SSH to a VM despite having `roles/compute.osLogin` granted. The VM has OS Login enabled. What is the most likely missing configuration?

A.The developer needs `roles/compute.instanceAdmin` in addition to `roles/compute.osLogin`.
B.The VM metadata `enable-oslogin` is not set to `TRUE` at the VM or project level.
C.The developer must generate an SSH key pair and upload the public key to the VM's authorized_keys.
D.The developer's account needs `roles/iam.serviceAccountTokenCreator` to authenticate via SSH.
AnswerB

OS Login is enabled by setting `enable-oslogin=TRUE` in instance or project metadata. Without this metadata key, OS Login is not active on the VM even if the IAM role is granted.

Why this answer

Option B is correct because OS Login requires the VM or project metadata key `enable-oslogin` to be set to `TRUE`. Even if the user has the `roles/compute.osLogin` role, OS Login will not function if this metadata is missing or set to `FALSE`. The metadata enables the OS Login agent on the VM to authenticate users via IAM permissions rather than local SSH keys.

Exam trap

The trap here is that candidates assume granting the IAM role `roles/compute.osLogin` is enough, but they overlook the mandatory metadata flag `enable-oslogin=TRUE` that must be set at the project or VM level to activate the OS Login feature.

How to eliminate wrong answers

Option A is wrong because `roles/compute.instanceAdmin` grants broader management permissions (e.g., start/stop VMs) but is not required for SSH access via OS Login; `roles/compute.osLogin` alone is sufficient when OS Login is enabled. Option C is wrong because OS Login replaces the need for managing SSH keys in `authorized_keys`; authentication is handled by IAM and the OS Login service, not by uploading public keys to the VM. Option D is wrong because `roles/iam.serviceAccountTokenCreator` is used to generate OAuth2 tokens for service accounts, not for SSH authentication; OS Login uses IAM roles and the OS Login API to authorize SSH connections.

659
MCQmedium

An organization needs to deploy a regional Cloud SQL MySQL instance with 4 vCPUs and 15 GB of memory. The instance should be highly available within a single region. Which gcloud command should they use?

A.gcloud sql instances create my-instance --tier=db-n1-standard-4 --region=us-central1 --database-version=MYSQL_8_0 --root-password=password123 --availability-type=REGIONAL
B.gcloud sql instances create my-instance --tier=db-n1-highmem-4 --region=us-central1 --database-version=MYSQL_8_0
C.gcloud sql instances create my-instance --tier=db-n1-standard-4 --region=us-central1 --database-version=MYSQL_8_0 --root-password=password123
D.gcloud sql instances create my-instance --tier=db-n1-standard-4 --region=us-central1
AnswerC

Correct tier (4 vCPU, 15 GB), region, version, and root password.

Why this answer

The correct command uses --tier=db-n1-standard-4 (4 vCPU, 15 GB RAM), --region, --database-version=MYSQL_8_0, and --root-password. The --availability-type flag is not required for regional; it defaults to zonal. db-n1-highmem-4 has 26 GB RAM. The other commands either miss required flags or use the wrong tier.

660
Multi-Selecthard

A company wants to implement a least-privilege security model for a service account that needs to read secrets from Secret Manager and publish messages to Pub/Sub. Which TWO IAM roles should be granted? (Choose TWO)

Select 2 answers
A.roles/pubsub.publisher
B.roles/secretmanager.viewer
C.roles/secretmanager.secretAccessor
D.roles/pubsub.admin
E.roles/secretmanager.admin
AnswersA, C

Correct: Grants permission to publish messages to Pub/Sub topics.

Why this answer

The minimum roles needed are: roles/secretmanager.secretAccessor for reading secret versions, and roles/pubsub.publisher for publishing messages. roles/secretmanager.admin is too broad, roles/pubsub.admin is too broad, and roles/secretmanager.viewer only allows viewing metadata, not accessing secret values.

661
MCQmedium

You need to store application configuration data that changes infrequently (e.g., feature flags, database connection strings). Multiple services need to read this configuration at startup, and values must never appear in application code or container images. Updates to configuration should not require redeploying services. Which GCP service is most appropriate?

A.Store configuration in environment variables set at deployment time.
B.Use Cloud Secret Manager to store and retrieve configuration at runtime.
C.Store configuration in a Cloud Storage bucket readable by all services.
D.Use Cloud Firestore to store configuration documents that services read on startup.
AnswerB

Secret Manager provides versioned, IAM-controlled secret storage. Services read secrets at startup via API; updates are applied without redeployment by accessing the latest version.

Why this answer

Secret Manager is designed exactly for storing sensitive configuration (connection strings, API keys, feature flags with sensitive values). Secrets can be accessed via API or SDK at runtime without being embedded in code or images. Secret Manager supports versioning, automatic rotation triggers, and IAM-controlled access.

When a secret value changes, services can be configured to reload it without redeployment using Secret Manager's notification integration.

662
MCQeasy

A project manager wants to see how much each GCP service is costing the team this month, broken down by service. Where should they look?

A.IAM & Admin > Quotas
B.Cloud Monitoring > Cost metrics dashboard
C.Billing > Reports (filtered by service)
D.Resource Manager > Project settings > Cost summary
AnswerC

The Billing Reports page shows detailed cost breakdowns by service, SKU, project, and time period — the primary cost analysis tool in GCP.

Why this answer

Option C is correct because the Billing > Reports page in the Google Cloud Console allows you to filter costs by service, SKU, project, and other dimensions. This provides a granular breakdown of monthly spending per GCP service, which is exactly what the project manager needs.

Exam trap

Google Cloud often tests the distinction between cost reporting (Billing > Reports) and quota monitoring (IAM & Admin > Quotas), trapping candidates who confuse usage limits with cost breakdowns.

How to eliminate wrong answers

Option A is wrong because IAM & Admin > Quotas shows resource usage limits and current utilization, not cost breakdowns by service. Option B is wrong because Cloud Monitoring > Cost metrics dashboard displays billing metrics aggregated over time but does not provide a per-service cost breakdown; it is designed for monitoring and alerting on cost trends, not detailed service-level reports. Option D is wrong because Resource Manager > Project settings > Cost summary shows a high-level total cost for the project, not a breakdown by individual GCP service.

663
MCQhard

A Cloud Build pipeline needs to deploy to Cloud Run but the pipeline's service account has only minimal permissions. Rather than granting it Cloud Run Admin, the team wants it to temporarily act as a more privileged deployment service account. Which technique enables this?

A.Download the deployment service account's JSON key and store it in Cloud Build secrets
B.Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
C.Add the Cloud Build SA as an Owner of the project
D.Enable service account delegation in the project's IAM settings
AnswerB

With `roles/iam.serviceAccountTokenCreator` on the target SA, the Cloud Build SA can generate short-lived access tokens to act as the deployment SA — no key files needed.

Why this answer

Option B is correct because it uses IAM service account impersonation, which allows the Cloud Build service account to temporarily assume the identity of a more privileged deployment service account by calling the iam.serviceAccounts.actAs permission. This avoids granting broad Cloud Run Admin permissions directly to the pipeline's service account, adhering to the principle of least privilege. The Token Creator role (roles/iam.serviceAccountTokenCreator) on the deployment service account enables the Cloud Build SA to generate short-lived OAuth2 tokens for impersonation, which are automatically scoped to the deployment SA's permissions.

Exam trap

Google Cloud often tests the distinction between granting a role directly (like Cloud Run Admin) versus using impersonation with the Token Creator role, and the trap here is that candidates confuse storing a JSON key (Option A) with secure, temporary impersonation, or assume that 'delegation' (Option D) is a real IAM feature when it is not.

How to eliminate wrong answers

Option A is wrong because downloading a JSON key and storing it in Cloud Build secrets introduces a long-lived, static credential that violates security best practices (e.g., key rotation, exposure risk) and does not use temporary, auditable impersonation. Option C is wrong because adding the Cloud Build SA as an Owner of the project grants it full, permanent project-level control, which is far more permissive than needed and contradicts the goal of minimal permissions. Option D is wrong because 'service account delegation' is not a standard IAM setting; the correct mechanism is service account impersonation via the actAs permission and Token Creator role, not a project-level delegation toggle.

664
MCQmedium

A company wants to migrate an on-premises PostgreSQL database to Google Cloud. They require automated backups, point-in-time recovery, and a 99.95% availability SLA. Which service should they choose?

A.Compute Engine with self-managed PostgreSQL
B.Cloud SQL for PostgreSQL
C.Cloud SQL for MySQL
D.Cloud Spanner
AnswerB

Cloud SQL for PostgreSQL offers all required features: managed backups, PITR, and a 99.95% SLA.

Why this answer

Cloud SQL for PostgreSQL provides automated backups, point-in-time recovery (PITR), and a 99.95% SLA for single-zone instances. It is fully managed, reducing operational overhead.

665
MCQeasy

A developer wants to use gcloud CLI with application default credentials (ADC) to authenticate to Google APIs from their local machine. Which command should they run first?

A.gcloud auth login
B.gcloud init
C.gcloud auth application-default login
D.gcloud config set auth/application_default true
AnswerC

Correct. This sets up Application Default Credentials.

Why this answer

gcloud auth application-default login sets up ADC for the user. This stores credentials that can be used by Google client libraries.

666
MCQmedium

Your organization mandates that all service-to-service communication within a GKE cluster must be encrypted in transit using mutual TLS (mTLS). The team does not want to manage certificates or modify application code. Which solution meets these requirements?

A.Configure Kubernetes TLS Secrets and mount them as volumes in each pod.
B.Enable Anthos Service Mesh with mTLS policy set to STRICT mode.
C.Use Cloud Armor to enforce TLS between services within the cluster.
D.Enable GKE node-to-node encryption to encrypt all traffic between nodes.
AnswerB

ASM (based on Istio) injects Envoy sidecars that handle mTLS automatically. In STRICT mode, all service-to-service communication requires mTLS. No application code changes needed — the sidecar handles everything.

Why this answer

Anthos Service Mesh (ASM) with mTLS set to STRICT mode enforces mutual TLS between all services in the mesh without requiring any application code changes or manual certificate management. ASM automatically injects Envoy sidecar proxies that handle certificate issuance, rotation, and encryption, meeting the requirement for encrypted service-to-service communication with mTLS.

Exam trap

Google Cloud often tests the distinction between network-layer encryption (node-to-node) and application-layer mTLS (service-to-service), leading candidates to mistakenly choose node-to-node encryption as a solution for service-level mTLS requirements.

How to eliminate wrong answers

Option A is wrong because mounting Kubernetes TLS Secrets as volumes requires manual certificate management and application code changes to load and use the certificates, which violates the 'do not want to manage certificates or modify application code' requirement. Option C is wrong because Cloud Armor is a web application firewall that protects external HTTP(S) traffic at the edge of the GKE cluster, not internal service-to-service traffic within the cluster. Option D is wrong because GKE node-to-node encryption encrypts traffic between nodes at the network layer (IPsec), not at the application layer between individual pods/services, and does not provide mutual TLS authentication between services.

667
MCQmedium

An engineer needs to enable Private Google Access for a subnet to allow instances without external IPs to access Google APIs and services. Which flag should be used when creating or updating the subnet?

A.--enable-google-access
B.--private-google-access
C.--enable-private-ip-google-access
D.--enable-private-ip
AnswerC

Correct flag to enable Private Google Access.

Why this answer

Private Google Access is enabled on a subnet using the `--enable-private-ip-google-access` flag. This allows instances in the subnet to reach Google APIs via the default route.

668
MCQeasy

Which GCP service protects internet-facing applications against SQL injection, cross-site scripting (XSS), and other OWASP Top 10 attacks?

A.Cloud Firewall (VPC firewall rules)
B.Cloud Armor WAF with preconfigured OWASP Core Rule Set
C.Security Command Center's Web Security Scanner
D.Cloud Identity-Aware Proxy (IAP)
AnswerB

Cloud Armor's WAF feature includes preconfigured rules for OWASP Top 10 attacks. These rules inspect HTTP request content and block malicious patterns at the load balancer edge.

Why this answer

Cloud Armor WAF with the preconfigured OWASP Core Rule Set (CRS) is specifically designed to protect internet-facing applications from web application attacks, including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats. It operates at the edge of Google's network, inspecting HTTP/HTTPS traffic against a set of rules that match known attack patterns, and can be integrated with Cloud Load Balancing to filter malicious requests before they reach the backend.

Exam trap

Google Cloud often tests the distinction between a WAF that inspects application-layer payloads (Cloud Armor) and network-layer firewalls (VPC firewall rules) or identity-based access controls (IAP), leading candidates to confuse perimeter security with application-layer protection.

How to eliminate wrong answers

Option A is wrong because Cloud Firewall (VPC firewall rules) operates at the network layer (L3/L4) and cannot inspect application-layer payloads such as SQL injection or XSS strings; it only filters based on IP addresses, ports, and protocols. Option C is wrong because Security Command Center's Web Security Scanner is a vulnerability scanning tool that identifies security flaws in web applications, not a real-time protection service that blocks attacks in transit. Option D is wrong because Cloud Identity-Aware Proxy (IAP) provides access control based on identity and context, but it does not inspect or filter HTTP request payloads for malicious content like SQL injection or XSS.

669
Multi-Selecthard

A company wants to allow developers to create and manage secrets in Secret Manager, but prevent them from viewing secret values. Which TWO predefined roles should be combined to achieve this?

Select 2 answers
A.roles/secretmanager.admin
B.roles/secretmanager.secretAccessor
C.roles/secretmanager.secretManager
D.roles/secretmanager.secretVersionManager
E.roles/secretmanager.viewer
AnswersC, D

Allows managing secrets (create, update, delete) without accessing versions.

Why this answer

roles/secretmanager.admin grants every Secret Manager permission, including secretmanager.versions.access, so an admin can read secret payloads and this role cannot be used here.

To separate management from viewing, combine roles/secretmanager.secretManager (create, update, delete secrets) with roles/secretmanager.secretVersionManager (create, enable, disable, destroy versions). Neither role includes secretmanager.versions.access.

Checking the role contents: roles/secretmanager.secretManager grants secretmanager.secrets.create, secretmanager.secrets.delete, secretmanager.secrets.get, secretmanager.secrets.update, and secretmanager.secrets.list; it does NOT include secretmanager.versions.access. roles/secretmanager.secretVersionManager grants secretmanager.versions.create, secretmanager.versions.disable, secretmanager.versions.destroy, secretmanager.versions.enable, secretmanager.versions.get, and secretmanager.versions.list; it also does NOT include secretmanager.versions.access.

Combining these two roles therefore allows developers to manage secrets and versions without accessing the payload. roles/secretmanager.viewer only allows viewing metadata, not the payload, and roles/secretmanager.secretAccessor allows accessing the payload, so neither fits the requirement. The correct two roles are secretManager and secretVersionManager.

670
MCQmedium

A company plans to run a stateful application on Compute Engine that requires high random I/O performance and the ability to resize the persistent disk without downtime. The application is running on a Linux VM. Which persistent disk type and configuration should the engineer choose?

A.Extreme persistent disk (pd-extreme)
B.Balanced persistent disk (pd-balanced)
C.SSD persistent disk (pd-ssd)
D.Standard persistent disk (pd-standard)
AnswerA

Extreme disks provide the highest IOPS and support live resizing without downtime.

Why this answer

Extreme persistent disks are designed for high random I/O workloads, offering up to 120,000 IOPS and the ability to resize without downtime. They are SSD-based and suitable for databases.

671
MCQmedium

A security team needs an inventory of all Compute Engine VM instances across all projects in their GCP organization, including instance names, zones, and status, without logging into each project individually. Which service provides this?

A.Cloud Monitoring — use the metric explorer to list all VM instances
B.Cloud Asset Inventory with an organization-scoped asset search
C.Cloud Resource Manager — list all projects and then query each for VMs
D.BigQuery information_schema views for GCP compute resources
AnswerB

`gcloud asset search-all-resources --scope=organizations/[ORG_ID] --asset-types=compute.googleapis.com/Instance` returns all VMs across all projects in the organization.

Why this answer

Cloud Asset Inventory provides a unified, organization-scoped view of all resources across projects, including Compute Engine VM instances. By using an organization-scoped asset search, the security team can query for all VM instances (e.g., `asset_type = "compute.googleapis.com/Instance"`) without needing to log into each project individually. This service is purpose-built for cross-project resource discovery and inventory management.

Exam trap

The trap here is that candidates confuse Cloud Monitoring's metric explorer with an inventory tool, or assume Cloud Resource Manager can directly query resources across projects, when in fact it only manages project metadata and IAM policies.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring's metric explorer is designed for monitoring metrics and logs, not for listing resource metadata like instance names, zones, and status; it cannot perform a comprehensive inventory of all VM instances across projects. Option C is wrong because Cloud Resource Manager can list projects but cannot directly query each project for VM instances; you would need to write custom scripts using the Compute Engine API per project, which violates the requirement of not logging into each project individually. Option D is wrong because BigQuery information_schema views are for querying BigQuery datasets and tables, not for GCP compute resources; there is no such view for Compute Engine instances.

672
Multi-Selecthard

An engineer needs to allow an external IP address (203.0.113.5) to access a Compute Engine instance that only has an internal IP. The instance is in a VPC with Cloud NAT. Which TWO steps are necessary to enable this access?

Select 2 answers
A.Grant the user the roles/iap.tunnelResourceAccessor IAM role on the instance
B.Set a firewall rule allowing ingress from the IP 203.0.113.5 to port 22
C.Modify the Cloud NAT to allow the external IP
D.Assign a public IP to the instance
E.Use 'gcloud compute start-iap-tunnel' to create a tunnel to the instance
AnswersA, E

Required to use IAP tunneling.

Why this answer

To access an internal-only instance from the internet, you need an IAP TCP forwarding tunnel (gcloud compute start-iap-tunnel) and the appropriate IAM role (roles/iap.tunnelResourceAccessor) to use IAP. Alternatively, you could use a bastion host, but IAP is cleaner.

673
MCQeasy

An administrator needs to create a Cloud Storage bucket in the US with the Nearline storage class and make objects publicly readable via IAM. Which gcloud command should they use to create the bucket?

A.gsutil mb -c NEARLINE -l US gs://my-bucket
B.gsutil mb -s NEARLINE -l US-CENTRAL1 gs://my-bucket
C.gcloud storage buckets create gs://my-bucket --storage-class=NEARLINE --region=US
D.gcloud storage buckets create gs://my-bucket --default-storage-class=NEARLINE --location=us
AnswerA

Correct: gsutil mb with -c for storage class and -l for location.

Why this answer

The correct command is gcloud storage buckets create with --default-storage-class and --location flags. Option B uses gsutil mb with -c for storage class and -l for location. Option A uses gcloud storage but location should be a region, not 'us'.

Option C uses gsutil but -s is not a valid flag. Option D incorrectly uses --region.

674
MCQmedium

A company wants to allow unauthenticated HTTP invocations of a container deployed on Cloud Run. Which flag should be included in the 'gcloud run deploy' command?

A.--public
B.--no-authentication
C.--allow-unauthenticated
D.--auth-type public
AnswerC

Correct. This flag makes the service publicly accessible.

Why this answer

The '--allow-unauthenticated' flag allows unauthenticated invocations. By default, Cloud Run requires authentication.

675
MCQeasy

A small business wants to host a static website (HTML, CSS, JS) on Google Cloud. The site should have high availability and low latency for global users. The team has limited experience with infrastructure management and wants to minimize operational overhead and costs. They already have a custom domain. Which solution should they implement?

A.Use Firebase Hosting with the custom domain and enable Cloud CDN.
B.Store the website on Cloud Storage, point the custom domain to a global HTTP(S) load balancer, and enable Cloud CDN.
C.Package the static files as a container and deploy on Cloud Run with a managed SSL certificate.
D.Deploy the website on a single Compute Engine instance with a static IP and install a web server.
AnswerB

Standard, low-overhead, global solution.

Why this answer

Cloud Storage can host static content and integrate with Cloud CDN for low-latency delivery worldwide. This is serverless, highly available, and cost-effective. Option A is correct because it meets all requirements with minimal management.

Option B (Compute Engine) requires instance management and is overkill. Option C (Cloud Run) is for containerized apps, not ideal for pure static sites. Option D (Firebase Hosting) is also good but redundant with Cloud Storage; however, Cloud Storage with CDN is a standard solution and more flexible for custom domains.

Google Associate Cloud Engineer ACE Questions 601–675 | Page 9/14 | Courseiva