CCNA Ace Setup Environment Questions

13 of 88 questions · Page 2/2 · Ace Setup Environment topic · Answers revealed

76
MCQmedium

Your organization uses Cloud Identity to manage users. A new employee joins and needs access to a GCP project. What is the correct sequence to grant access?

A.Grant the user an IAM role directly; Cloud Identity is not required.
B.Create a service account for the user and grant roles to the service account.
C.Add the user to Cloud Identity, then grant the appropriate IAM role in the project.
D.Add the user to a Cloud Identity group, then grant the group an IAM role.
AnswerC

Correct sequence.

Why this answer

First, you add the user to Cloud Identity (if not already there). Then, in the GCP project, you grant an IAM role to the user. Cloud Identity provides the user account; IAM grants permissions.

You cannot skip adding to Cloud Identity.

77
MCQmedium

A team wants to enable Compute Engine API in their project using gcloud. Which command should they run?

A.gcloud compute enable api
B.gcloud services list --enabled
C.gcloud api enable compute
D.gcloud services enable compute.googleapis.com
AnswerD

Correct command.

Why this answer

The command 'gcloud services enable compute.googleapis.com' enables the Compute Engine API.

78
MCQmedium

You want to enable the Kubernetes Engine API for your project using the command line. Which gcloud command should you use?

A.gcloud services enable container.googleapis.com
B.gcloud container clusters create my-cluster
C.gcloud config set project my-project
D.gcloud auth login
AnswerA

Correct command to enable the API.

Why this answer

'gcloud services enable container.googleapis.com' enables the required API. 'gcloud auth login' authenticates. 'gcloud config set' sets project. 'gcloud container clusters create' creates a cluster but doesn't enable the API.

79
MCQmedium

A company wants to track costs by department and project. They have multiple GCP projects used by different teams. Which feature should they use to categorize costs?

A.Budgets and alerts
B.Labels
C.Billing export to BigQuery
D.Custom IAM roles
AnswerB

Labels allow cost attribution by department, project, etc.

Why this answer

Labels are key-value pairs that can be attached to resources and are used to organize and track costs. Budget alerts notify when spending exceeds thresholds. Billing export sends data to BigQuery.

Custom roles are for IAM permissions.

80
MCQhard

An engineer needs to give a data analyst access to run BigQuery queries but prevent them from viewing or modifying data in Cloud Storage. The analyst should be able to create new datasets. Which IAM role should the engineer assign at the project level?

A.roles/storage.objectViewer
B.roles/bigquery.dataEditor
C.roles/bigquery.dataOwner
D.roles/bigquery.user
AnswerB

Correct.

Why this answer

The role roles/bigquery.dataEditor allows creating datasets and querying data, but does not grant any Cloud Storage permissions.

81
Multi-Selecteasy

A Cloud Architect needs to understand the GCP resource hierarchy to set up proper access control. Which three resources are part of the GCP resource hierarchy? (Choose THREE.)

Select 3 answers
A.Billing Account
B.Folder
C.Project
D.Organization
E.Cloud Identity
AnswersB, C, D

Used to group projects.

Why this answer

The GCP resource hierarchy includes Organization, Folder, Project, and Resources (like VMs). Cloud Identity and Billing Account are separate services.

82
Multi-Selectmedium

A company wants to set up a new GCP project and ensure that only approved APIs can be used. Which two steps should they take? (Choose TWO)

Select 2 answers
A.Create a custom role with permissions to enable APIs
B.Use an organization policy to restrict the set of allowed APIs
C.Set a budget to limit API usage costs
D.Assign the Owner role to the project
E.Disable all APIs and enable only the required ones
AnswersB, E

Correct: Organization policies can enforce a whitelist of APIs.

Why this answer

To restrict API usage, you can disable unapproved APIs and use organization policies to enforce restrictions.

83
Multi-Selecthard

A company wants to organize their GCP resources into a hierarchy to separate development, staging, and production environments. Which THREE resources can be used to create this separation?

Select 3 answers
A.Folders
B.Organization node
C.Billing accounts
D.Projects
E.Labels
AnswersA, B, D

Folders allow grouping projects for environment separation.

Why this answer

GCP resource hierarchy includes Organization, Folders, Projects, and Resources. Folders can be used to group projects (e.g., dev folder, prod folder). Projects are the containers for resources.

Labels are metadata tags but not part of the hierarchy. Billing accounts are separate from the hierarchy. IAM policy is not a resource for separation.

84
MCQhard

A multinational corporation requires that all GCP resources across multiple projects are tagged with a key-value pair 'environment: production' and 'environment: development'. They want to enforce that any resource created without the appropriate label is automatically denied. How can this be achieved?

A.Use Cloud Asset Inventory to monitor and alert on missing labels.
B.Use IAM conditions to check labels at resource creation.
C.Create a custom IAM role that denies creation without labels.
D.Use an organization policy constraint to require labels.
AnswerD

Organization policy constraints can enforce required labels on resources.

Why this answer

Organization policy constraints like 'compute.googleapis.com/requireLabels' can enforce that certain labels must be present on resources. IAM conditions can restrict access based on labels, but they don't automatically deny creation of unlabeled resources. Cloud Asset Inventory is for monitoring, not enforcement.

Custom roles cannot enforce labeling.

85
MCQeasy

A Cloud Shell user wants to persist Terraform state files across sessions. What is the best approach?

A.Store them in /tmp
B.Store them in a Cloud Storage bucket and mount via gcsfuse
C.Store them on the instance's local SSD
D.Store them in the home directory ($HOME)
AnswerD

Correct: The home directory persists across sessions.

Why this answer

Cloud Shell provides a persistent 5GB home directory. Storing state files there ensures they persist across sessions.

86
MCQmedium

An engineer is setting up Cloud Identity for a new domain. What is a prerequisite for creating a Cloud Identity account?

A.A G Suite account
B.A billing account
C.Domain verification
D.An existing Google Cloud project
AnswerC

Correct: You must verify that you own the domain.

Why this answer

Cloud Identity requires domain verification to prove ownership. This is done via DNS TXT record or other methods.

87
MCQmedium

An engineer wants to ensure that no one in their organization can create VMs with public IP addresses. Which Google Cloud tool should they use to enforce this restriction?

A.Organization policies
B.Labels
C.IAM roles
D.Quotas
AnswerA

Correct.

Why this answer

Organization policies (Org Policies) allow setting constraints at the organization, folder, or project level to restrict configurations.

88
MCQeasy

A new engineer needs to enable the Compute Engine API for a project using the gcloud command-line tool. Which command should they run?

A.gcloud compute enable-api
B.gcloud projects enable compute.googleapis.com
C.gcloud api enable compute
D.gcloud services enable compute.googleapis.com
AnswerD

This is the standard command to enable the Compute Engine API.

Why this answer

The correct command to enable an API is `gcloud services enable`, specifying the service name. For Compute Engine the service name is `compute.googleapis.com`.

← PreviousPage 2 of 2 · 88 questions total

Ready to test yourself?

Try a timed practice session using only Ace Setup Environment questions.