CCNA Setting Up A Cloud Solution Environment Questions

75 of 98 questions · Page 1/2 · Setting Up A Cloud Solution Environment topic · Answers revealed

1
MCQ · medium

An organization needs to set up a new Google Cloud project with restricted access to only approved IP ranges for SSH into VMs. Which Google Cloud service should be used?

A.Cloud Armor
B.Cloud NAT
C.VPC Firewall Rules
D.Identity-Aware Proxy (IAP) TCP forwarding
Answer: C

Firewall rules can restrict inbound SSH to specific source IP ranges.

Why this answer

VPC Firewall Rules (Option C) are the correct choice because they allow you to restrict inbound SSH (TCP port 22) traffic to specific source IP ranges by defining ingress rules at the VPC network level. This directly enforces IP-based access control for SSH into VM instances without additional services or proxies.

Exam trap

The trap here is that candidates often confuse Cloud Armor (a WAF for HTTP(S) traffic behind external load balancers) with network-layer firewall rules, or assume IAP TCP forwarding is for IP allowlisting when it actually grants access by identity and context, not by the client's source IP.

How to eliminate wrong answers

Option A is wrong because Cloud Armor is a web application firewall (WAF) that filters HTTP(S) traffic at Google's edge in front of external load balancers; it never sees an SSH connection to a VM and cannot filter one. Option B is wrong because Cloud NAT provides outbound internet access for VMs without external IPs via source network address translation; it does not admit inbound SSH or restrict source IPs. Option D is wrong because Identity-Aware Proxy (IAP) TCP forwarding lets you reach VMs without public IPs by tunneling through IAP, but it authorizes by identity and context rather than by the caller's IP range; in that design the VM's firewall only needs to allow IAP's own source range, 35.235.240.0/20, which is the opposite of allowlisting approved corporate ranges.
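The rule the correct answer describes, as an added example that is not from the original page: a bash wrapper that validates the approved CIDRs before building the `gcloud compute firewall-rules create` command, refusing `0.0.0.0/0` or anything broader than a /8 (the usual way an "approved range" quietly becomes "everyone"). The network name `prod-vpc`, the target tag `ssh-allowed` and the two documentation ranges are hypothetical; `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: create an ingress rule that
# allows SSH (tcp:22) only from approved source ranges, after refusing ranges
# that are really "the whole internet". The network name, target tag and the
# approved CIDRs are hypothetical. DRY_RUN=1 (the default) prints the gcloud
# commands instead of executing them.
set -eu
: "${DRY_RUN:=1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi; }

# Accept only a syntactically valid IPv4 CIDR with a prefix between /8 and /32;
# 0.0.0.0/0 and anything broader than /8 is not an "approved range".
validate_cidr() {
  cidr=$1
  printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
  ip=${cidr%/*}; prefix=${cidr##*/}
  oldifs=$IFS; IFS=.
  for octet in $ip; do
    if [ "$octet" -gt 255 ]; then IFS=$oldifs; return 1; fi
  done
  IFS=$oldifs
  [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
  [ "$ip" != "0.0.0.0" ] || return 1
}

# Print the firewall-rules command: ingress, allow tcp:22, from the validated
# ranges only, and only to instances carrying the target tag so the rule does
# not silently apply to every VM in the network.
build_ssh_rule() {   # network rule_name target_tag cidr...
  network=$1; rule=$2; tag=$3; shift 3
  ranges=""
  for r in "$@"; do
    validate_cidr "$r" || { printf 'rejected source range: %s\n' "$r" >&2; return 1; }
    ranges="${ranges:+$ranges,}$r"
  done
  [ -n "$ranges" ] || return 1
  printf 'gcloud compute firewall-rules create %s --network=%s --direction=INGRESS --action=ALLOW --rules=tcp:22 --source-ranges=%s --target-tags=%s --priority=1000\n' \
    "$rule" "$network" "$ranges" "$tag"
}

apply_ssh_rule() {
  cmd=$(build_ssh_rule "$@") || return 1
  # shellcheck disable=SC2086  # arguments contain no whitespace; splitting is intended
  run $cmd
}

apply_ssh_rule prod-vpc allow-ssh-approved ssh-allowed 203.0.113.0/24 198.51.100.0/24

# Afterwards, check that no other ingress rule still exposes the network to everyone.
run gcloud compute firewall-rules list --filter="direction=INGRESS AND sourceRanges:0.0.0.0/0" \
  --format="table(name,network.basename(),sourceRanges.list(),allowed[].map().firewall_rule().list())"
```

Remember to attach the `ssh-allowed` network tag to the VMs that should accept SSH; an ingress rule with `--target-tags` matches nothing until an instance carries the tag, which is a safer default than a rule that applies to every VM in the network.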

2
Multi-Select · hard

A company is planning a hybrid cloud setup connecting their on-premises network to Google Cloud. They have a single data center with limited bandwidth. They need low latency and high reliability for their application traffic. Which TWO services should they consider? (Choose TWO.)

Select 2 answers
A.VPC Network Peering
B.Direct Peering
C.Dedicated Interconnect
D.Cloud VPN with dynamic routing
E.Carrier Peering
Answers: C, D

Provides a dedicated, high-bandwidth, low-latency physical connection.

Why this answer

Options C and D are correct. Dedicated Interconnect (C) provides a direct physical connection into Google's network with low latency and an SLA; Cloud VPN with dynamic routing (D), where Cloud Router exchanges routes over BGP, is a cost-effective backup path whose routes fail over automatically when the Interconnect is down, and it can also carry less critical traffic. (A single site that cannot meet the colocation and 10 Gbps minimum requirements of Dedicated Interconnect would use Partner Interconnect in practice, but that is not among the options.) Option B is wrong because Direct Peering connects to Google's public edge for Google services, not to private VPC address space.

Option E is wrong for the same reason: Carrier Peering reaches Google's public edge through a service provider and is not a VPC connection. Option A is wrong because VPC Network Peering connects two VPC networks, not an on-premises site.

3
MCQ · easy

What is the correct order of the Google Cloud resource hierarchy from highest to lowest level?

A.Folder → Organization → Project → Resources
B.Organization → Folder → Project → Resources
C.Project → Folder → Organization → Resources
D.Organization → Project → Folder → Resources
Answer: B

The correct hierarchy is Organization at the top, followed by Folders, Projects, and individual Resources.

Why this answer

The Google Cloud resource hierarchy is structured from highest to lowest as Organization, Folder, Project, and Resources. The Organization node is the root, allowing centralized policy management; Folders group projects under departments or teams; Projects are the base-level containers for services and APIs; Resources (like Compute Engine instances) reside within projects. Option B correctly reflects this top-down inheritance of IAM policies and access control.

Exam trap

The trap here is that candidates often confuse the hierarchy with a typical filesystem tree, mistakenly thinking Projects are the top level, but the Organization node is the root that enables enterprise-grade policy control.

How to eliminate wrong answers

Option A is wrong because it places Folder above Organization, but the Organization is the top-level node in the hierarchy, not a Folder. Option C is wrong because it reverses the order, placing Project above Folder and Organization, whereas Projects are always children of Folders or the Organization. Option D is wrong because it places Project above Folder, but Folders are a higher-level grouping mechanism that can contain multiple projects, so the correct order is Organization → Folder → Project → Resources.

4
MCQ · hard

A company is setting up a multi-project environment in Google Cloud with centralized billing. They need to separate development, staging, and production projects. They require that all projects have a specific set of APIs enabled (Compute Engine, Cloud Storage, Cloud SQL) and that only certain users can create projects. Additionally, the security team mandates that service accounts in one project cannot access resources in another project unless explicitly allowed. Which combination of steps should the administrator take to meet these requirements?

A.Use Google Cloud's Resource Manager to create projects under a folder, assign Billing Account User role to developers, and configure firewall rules to block cross-project traffic.
B.Create an organization, set up folder hierarchy (development, staging, production), assign Project Creator role at the folder level, and use Organization policies to restrict service account cross-project access.
C.Create a single project with multiple VPC networks, use IAM roles to separate access, and disable Cloud SQL API in development.
D.Create separate billing accounts for each environment, use Shared VPC to connect projects, and assign Project Owner role to all users.
Answer: B

This provides hierarchical control, scopes project creation to a folder rather than the whole organization, and enforces service account isolation via Organization policies.

Why this answer

Option B is correct because an organization with a folder hierarchy separates the environments, Project Creator granted at the folder level limits who can create projects in each folder, and organization policies (for example `iam.disableCrossProjectServiceAccountUsage`) add a hard boundary on top of the default IAM behaviour, in which a service account has no access in another project until a role is explicitly granted to it there. Option C is incorrect because a single project cannot separate environments, and disabling an API contradicts the requirement that all three APIs be enabled everywhere. Option A is incorrect because Billing Account User does not grant project creation (that is `resourcemanager.projects.create`, carried by Project Creator), and firewall rules govern network traffic, not service account authorization.

Option D is incorrect because separate billing accounts add complexity and break the centralized billing requirement, Shared VPC is for network connectivity only, and Project Owner for all users is far too permissive.

5
MCQ · hard

You need to set an organization policy that prevents any project from creating Cloud SQL instances with a public IP address. The constraint you need is `sql.restrictPublicIp`. What type of constraint is this, and how do you enable it?

A.List constraint — add `CLOUD_SQL_INSTANCE` to the `deniedValues` list.
B.Boolean constraint — set `enforce: true` in the organization policy.
C.Custom constraint — define a CEL expression that evaluates the Cloud SQL instance's IP configuration.
D.List constraint — add `0.0.0.0/0` to the `deniedValues` list.
Answer: B

Boolean constraints have two states: enforced or not enforced. Setting enforce: true on sql.restrictPublicIp prevents public IP assignment on any Cloud SQL instance within the policy's scope.

Why this answer

Option B is correct because `sql.restrictPublicIp` is a boolean constraint in Google Cloud Organization Policies. Boolean constraints have a simple `enforce: true` or `enforce: false` setting, and setting it to `true` prevents projects from creating Cloud SQL instances with public IP addresses. This is the standard method to enforce this restriction across the organization.

Exam trap

The trap here is that candidates confuse boolean constraints with list constraints, thinking they need to specify denied values like IP ranges, when in fact the boolean constraint simply toggles enforcement on or off.

How to eliminate wrong answers

Option A is wrong because `sql.restrictPublicIp` is not a list constraint; list constraints use `deniedValues` or `allowedValues` lists for resources like allowed external IPs, but this constraint is boolean. Option C is wrong because custom constraints require a CEL expression and are used for policies not covered by built-in constraints, but `sql.restrictPublicIp` is a built-in boolean constraint, so no custom definition is needed. Option D is wrong because adding `0.0.0.0/0` to `deniedValues` is a list constraint approach for VPC firewall rules or similar, not for Cloud SQL public IP restriction, and the constraint type is boolean, not list.

6
MCQ · medium

A team is creating a new GCP project for a sensitive workload. They need to ensure the project is linked to the correct billing account, placed in the correct folder, and has specific APIs enabled — all reproducibly. They want to automate this via Infrastructure as Code. Which approach is most appropriate?

A.Use a gcloud script with `gcloud projects create`, `gcloud beta billing projects link`, and `gcloud services enable`.
B.Use Terraform with `google_project`, `google_project_service`, and billing account linkage resources.
C.Use Cloud Console to manually create the project, then document the steps in a runbook.
D.Use Cloud Deployment Manager with a Python template to create the project.
Answer: B

Terraform provides declarative, idempotent, state-tracked project bootstrapping covering folder placement, billing linkage, and API enablement in a single plan/apply.

Why this answer

Option B is correct because Terraform is an Infrastructure as Code (IaC) tool that allows you to define the entire project setup—including folder placement, billing account linkage, and API enablement—in declarative configuration files. This ensures reproducibility, version control, and automation, which aligns with the requirement for a sensitive workload that must be set up consistently every time.

Exam trap

Google Cloud often tests the distinction between imperative scripting (gcloud) and declarative IaC (Terraform), where candidates mistakenly choose gcloud because it seems simpler, but fail to recognize that reproducibility and state management are the key requirements for sensitive workloads.

How to eliminate wrong answers

Option A is wrong because while gcloud commands can create a project, link billing and enable APIs, a script is imperative: it has no state, no drift detection and no plan step, so rerunning it after a partial failure or a manual change is error-prone for a sensitive workload. Option C is wrong because manually creating the project in the Cloud Console and documenting the steps in a runbook is not automation; it reintroduces human error and violates the reproducibility requirement. Option D is wrong because Cloud Deployment Manager, while an IaC tool, is Google-specific, has since been deprecated by Google in favor of Terraform-based tooling, and needs Python or Jinja templates for anything non-trivial, adding complexity without the portability and ecosystem of Terraform.

7
MCQ · medium

An infrastructure team uses Terraform to manage GCP resources including API enablement. Which Terraform resource enables a GCP API for a project, equivalent to `gcloud services enable`?

A.google_project_iam_binding with the serviceusage.services.enable permission
B.google_project_service with the desired service endpoint
C.google_service_account with enabled_services block
D.google_project with the services argument listing all required APIs
Answer: B

`google_project_service` enables a GCP service API for the specified project. Example: `service = "sqladmin.googleapis.com"` enables the Cloud SQL Admin API.

Why this answer

The `google_project_service` resource is the direct Terraform equivalent of `gcloud services enable`, as it explicitly enables a specified GCP service API for a given project. This resource takes the service endpoint (e.g., `compute.googleapis.com`) and handles the enablement lifecycle, including dependency tracking and disabling on destroy.

Exam trap

Google Cloud often tests the distinction between IAM permissions (who can enable APIs) and the actual API enablement action, leading candidates to confuse `google_project_iam_binding` with the correct resource for enabling services.

How to eliminate wrong answers

Option A is wrong because `google_project_iam_binding` manages IAM roles and permissions, not API enablement; the `serviceusage.services.enable` permission controls who can enable APIs, but the resource itself does not enable them. Option C is wrong because `google_service_account` creates and manages service accounts, and there is no `enabled_services` block in that resource — API enablement is unrelated to service account configuration. Option D is wrong because `google_project` does not have a `services` argument; API enablement is handled by the separate `google_project_service` resource, and listing services in the project resource would be invalid syntax.

8
MCQ · medium

A GCP project uses labels extensively for cost attribution across teams. A finance team member needs to add a 'cost-center' label to an existing Compute Engine VM. Which gcloud command applies the label?

A.gcloud compute instances update my-vm --add-label=cost-center=finance-ops
B.gcloud compute instances add-labels my-vm --labels=cost-center=finance-ops --zone=us-central1-a
C.gcloud label add --resource=my-vm --key=cost-center --value=finance-ops
D.gcloud compute instances set-labels my-vm --labels=cost-center=finance-ops
Answer: B

`gcloud compute instances add-labels` is the correct command for adding labels to an existing VM, using `--labels=key=value` syntax.

Why this answer

Option B is correct because `gcloud compute instances add-labels` is the subcommand built for adding labels to an existing Compute Engine VM. It takes the `--labels` flag with key-value pairs and the `--zone` flag to identify the instance (required unless a default zone is set in the active gcloud configuration), and it merges: existing labels are kept, new keys are added, and an existing key is updated in place.

Exam trap

The trap here is that candidates confuse `add-labels` with a "set" style command; an operation that replaces the whole label set, as option D implies, silently removes every other label on the VM, whereas `add-labels` leaves unrelated labels untouched.

How to eliminate wrong answers

Option A is wrong because `gcloud compute instances update` has no `--add-label` flag (it offers `--update-labels` and `--remove-labels`, but not in this spelling); the purpose-built subcommand is `add-labels`. Option C is wrong because `gcloud label add` is not a gcloud command; labels are managed through resource-specific commands such as `gcloud compute instances add-labels`. Option D is wrong because there is no `set-labels` subcommand for instances, and a replace-all operation of the kind it describes would drop every label already applied rather than add one.
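As an added example (not from the original page), a bash wrapper that validates the label key and value against the Compute Engine label rules before calling `add-labels`, so a finance user typing `Cost-Center` or a value with a space gets a clear error instead of an API rejection. The VM name `my-vm`, the zone and the label values are hypothetical; the check covers the ASCII subset of the rules only. `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the page): add a cost-center label to a VM with
# `add-labels` (which merges with existing labels) after validating the key and
# value against the Compute Engine label rules. VM name, zone and label values
# are hypothetical. DRY_RUN=1 (default) prints the commands instead of running them.
set -eu
: "${DRY_RUN:=1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi; }

# Label keys: 1-63 chars, start with a lowercase letter, then lowercase letters,
# digits, underscore or dash. Values: 0-63 chars from the same set (may be empty).
# This covers the ASCII subset only; Google also permits international characters.
valid_label_key()   { printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9_-]{0,62}$'; }
valid_label_value() { printf '%s\n' "$1" | grep -Eq '^[a-z0-9_-]{0,63}$'; }

# Turn "key=value" arguments into the "k1=v1,k2=v2" form the --labels flag takes,
# rejecting anything the API would reject.
build_labels() {
  out=""
  for kv in "$@"; do
    key=${kv%%=*}; value=${kv#*=}
    [ "$kv" != "$key" ] || { printf 'missing "=" in %s\n' "$kv" >&2; return 1; }
    valid_label_key "$key"     || { printf 'invalid label key: %s\n' "$key" >&2; return 1; }
    valid_label_value "$value" || { printf 'invalid label value: %s\n' "$value" >&2; return 1; }
    out="${out:+$out,}$key=$value"
  done
  [ -n "$out" ] || return 1
  printf '%s\n' "$out"
}

add_labels() {   # vm zone key=value...
  vm=$1; zone=$2; shift 2
  labels=$(build_labels "$@") || return 1
  # add-labels merges: labels already on the VM (env=prod, team=payments, ...) stay.
  run gcloud compute instances add-labels "$vm" --zone="$zone" --labels="$labels"
}

# Removing is the separate subcommand; neither touches the other labels.
remove_labels() {   # vm zone key...
  vm=$1; zone=$2; shift 2
  keys=$(IFS=,; printf '%s' "$*")
  run gcloud compute instances remove-labels "$vm" --zone="$zone" --labels="$keys"
}

show_labels() { run gcloud compute instances describe "$1" --zone="$2" --format='value(labels)'; }

add_labels my-vm us-central1-a cost-center=finance-ops
show_labels my-vm us-central1-a
```

To apply the same label across a whole project, feed `build_labels` the same pair for each instance returned by `gcloud compute instances list --format='value(name,zone.basename())'`; the merge semantics of `add-labels` make the loop safe to rerun.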

9
MCQ · easy

A developer wants to use Cloud Shell to create a Compute Engine VM but receives an error 'API not enabled'. What should the developer do first?

A.Switch to a different region
B.Enable the Compute Engine API
C.Use gcloud auth login
D.Increase project quota
Answer: B

The Compute Engine API must be enabled before creating VMs.

Why this answer

The error 'API not enabled' indicates that the Compute Engine API has not been activated for the developer's Google Cloud project. Cloud Shell uses the gcloud CLI, which requires the Compute Engine API to be enabled before it can create VM instances. The correct first step is to enable the Compute Engine API via the Cloud Console or the `gcloud services enable compute.googleapis.com` command.

Exam trap

Google Cloud often tests the distinction between authentication (gcloud auth login) and API enablement, trapping candidates who confuse user-level permissions with project-level service activation.

How to eliminate wrong answers

Option A is wrong because switching regions does not enable the required API; the error is about API access, not regional availability. Option C is wrong because `gcloud auth login` authenticates the user but does not enable the API; the API must be enabled at the project level regardless of authentication. Option D is wrong because increasing the project quota addresses resource limits, not the fundamental requirement of having the API enabled; the API must be enabled before any quota increase would be relevant.

10
Multi-Select · medium

A company wants to deploy a highly available application across two Google Cloud regions for disaster recovery. The application consists of Compute Engine backend instances and a Cloud SQL database. Which THREE components are required to set up this multi-region architecture? (Choose THREE.)

Select 3 answers
A.Cloud SQL for MySQL with cross-region read replica and failover
B.Cloud VPN between regions
C.Cloud DNS with geoproximity and failover routing policy
D.Shared VPC
E.Global external HTTP(S) Load Balancer
Answers: A, C, E

Enables database failover from primary to replica in another region.

Why this answer

Options A, C, and E are correct. The global external HTTP(S) Load Balancer (E) fronts backends in both regions with a single anycast IP and shifts traffic away from a region whose backends fail health checks; Cloud DNS with a failover routing policy (C) health-checks endpoints and steers clients at the DNS layer as a second line; Cloud SQL for MySQL with a cross-region read replica (A) gives a database copy in the second region that can be promoted on failover. Option D is wrong because Shared VPC is for sharing a network across projects, not for spanning regions.

Option B is wrong because a VPN is not needed between regions: a VPC network is global, so subnets in different regions already reach each other over Google's internal network.

11
MCQ · medium

A new engineer joins the team and needs access to GCP. The company uses Google Workspace for identity management. The GCP admin needs to add the engineer and grant them access to one project. What is the correct order of steps?

A.Create a service account for the engineer in GCP, then share the key file
B.Create the user in Google Workspace Admin Console, then grant their account IAM roles on the GCP project
C.Create a GCP project for the engineer, then add their personal Gmail as a project owner
D.Create an API key for the engineer in the GCP Console and share it securely
Answer: B

Users are provisioned in Google Workspace/Cloud Identity first. Once the Google account exists, IAM roles can be granted on any GCP project.

Why this answer

Option B is correct because Google Workspace is the identity provider (IdP) for the organization, so the engineer must first be created as a user in the Google Workspace Admin Console. Once the user exists, the GCP admin can then grant IAM roles (e.g., roles/viewer, roles/editor) on the specific project, which maps the Workspace user identity to GCP permissions. This follows the principle that GCP IAM relies on existing identities from the Cloud Identity or Workspace domain, not on separate user creation within GCP.

Exam trap

Google Cloud often tests the misconception that GCP users are created inside the GCP Console itself, when in fact human identities must be provisioned through the organization's identity provider (Google Workspace or Cloud Identity) before they can be assigned IAM roles.

How to eliminate wrong answers

Option A is wrong because service accounts are intended for applications and automated workloads, not for human users; sharing a key file violates security best practices and does not provide proper identity-based access control. Option C is wrong because creating a new project for the engineer is unnecessary and wasteful; the engineer should be added to an existing project, and personal Gmail accounts are not part of the corporate Google Workspace domain, so they cannot be managed centrally. Option D is wrong because API keys are used to authenticate calls to GCP APIs for applications, not to grant human users access to the GCP Console or project resources; they lack identity context and cannot enforce IAM roles.

12
MCQ · medium

A team uses Cloud Shell for all GCP CLI operations. A developer notices that files they create in Cloud Shell's home directory persist between sessions, but files in other directories do not. What explains this behavior?

A.Cloud Shell saves all files to Cloud Storage automatically
B.Only $HOME (~) has persistent 5 GB storage; other directories use ephemeral container storage
C.Cloud Shell stores files in Firestore, which only retains home directory paths
D.Files outside $HOME are deleted after 24 hours automatically
Answer: B

Cloud Shell allocates 5 GB of persistent disk mounted at the home directory. All other paths are in the container's ephemeral filesystem, which resets between sessions.

Why this answer

Cloud Shell provides each user with a persistent 5 GB home directory ($HOME) backed by a persistent disk. Files created outside this directory reside in the container's ephemeral storage, which is discarded when the Cloud Shell session ends or is restarted. This design preserves user configuration and scripts while keeping the rest of the environment clean and temporary. The home disk is not permanent either: Google deletes it after 120 days without Cloud Shell use, so anything that matters belongs in a repository or a Cloud Storage bucket, not only in $HOME.

Exam trap

The trap here is that candidates may assume Cloud Shell behaves like a traditional persistent VM where all files survive, or they may confuse the persistent home directory with automatic full-disk backup, leading them to choose option A or D.

How to eliminate wrong answers

Option A is wrong because Cloud Shell does not automatically save all files to Cloud Storage; only the $HOME directory is on persistent storage, and users must explicitly copy files elsewhere if they want them kept. Option C is wrong because the home directory is a persistent disk, not Firestore (a NoSQL document database that is not used for file storage here) and not Cloud Storage. Option D is wrong because files outside $HOME are not deleted on a fixed 24-hour schedule; they disappear when the Cloud Shell container is recycled or the session ends, which can happen much sooner after inactivity or a manual restart.

13
MCQ · medium

A developer frequently switches between three GCP projects and accounts throughout the day. They want to avoid rerunning `gcloud init` each time. Which gcloud feature lets them save and switch between pre-configured project/account/region combinations?

A.gcloud environments — a built-in workspace manager
B.gcloud named configurations created with `gcloud config configurations create`
C.Separate gcloud installations — one per project
D.A .gcloudrc file in each project directory that gcloud reads automatically
Answer: B

Named configurations save a full context (account, project, region, zone). `gcloud config configurations activate [NAME]` instantly switches between them.

Why this answer

Option B is correct because `gcloud config configurations` allow a developer to create, save, and switch between named sets of gcloud properties (project, account, region, zone) without re-running `gcloud init`. Each configuration stores its own active account, project ID, and default compute region/zone, and can be activated instantly with `gcloud config configurations activate <name>`, making it ideal for frequent context switching between multiple GCP projects and accounts.

Exam trap

The trap here is that candidates may confuse `gcloud config configurations` with a non-existent feature like 'gcloud environments' or assume that gcloud supports per-directory configuration files (like `.env` files), when in fact it relies on explicit named configurations stored globally.

How to eliminate wrong answers

Option A is wrong because `gcloud environments` is not a real gcloud feature; the correct mechanism for managing multiple sets of properties is `gcloud config configurations`, not a built-in workspace manager. Option C is wrong because maintaining separate gcloud installations for each project is unnecessary and inefficient; gcloud is designed to handle multiple projects and accounts within a single installation using configurations. Option D is wrong because gcloud does not automatically read a `.gcloudrc` file from project directories; it uses the active configuration (or the default configuration) and does not support per-directory property files.

14
Multi-Select · easy

Which two actions are required to allow a user to create a Cloud Storage bucket using gcloud?

Select 2 answers
A.Set up billing
B.Create a service account
C.Assign the user roles/storage.admin
D.Enable the Cloud Storage API
E.Assign the user roles/storage.objectAdmin
Answers: C, D

Storage admin includes bucket create permission.

Why this answer

Option C is correct because the `roles/storage.admin` IAM role includes the `storage.buckets.create` permission, which is required to create a Cloud Storage bucket with gcloud; `roles/storage.objectAdmin` covers objects inside buckets only, so the user would get a permission-denied error even with everything else in place. Note that in practice the project also needs a linked billing account before a bucket can be created; the key here pairs the IAM role with API enablement (D).

Exam trap

Google Cloud often tests the distinction between bucket-level permissions (e.g., `storage.buckets.create`) and object-level permissions (e.g., `storage.objects.create`), leading candidates to mistakenly choose `roles/storage.objectAdmin` because it sounds like it covers all storage administration.

15
MCQ · easy

A GCP project has three service accounts. A developer wants to list all service accounts in the project using the gcloud CLI. Which command is correct?

A.gcloud service-accounts list
B.gcloud iam list service-accounts
C.gcloud iam service-accounts list
D.gcloud projects list-service-accounts
Answer: C

This is the correct command to list all service accounts in the active project.

Why this answer

Option C is correct because the `gcloud iam service-accounts list` command is the standard gcloud CLI command to list all service accounts in a GCP project. It uses the IAM API to retrieve the service accounts associated with the current project (or a specified project via the `--project` flag). This command is part of the `gcloud iam` group, which manages IAM resources, and the `service-accounts` sub-group specifically handles service account operations.

Exam trap

Google Cloud often tests the exact hierarchical structure of gcloud commands, and the trap here is that candidates may confuse the `gcloud iam` subcommand syntax (where the resource type comes before the verb) with other command groups (like `gcloud compute` where the verb often comes first), leading them to choose Option B or D.

How to eliminate wrong answers

Option A is wrong because `gcloud service-accounts list` is not a valid gcloud command; the correct command structure requires the `iam` group before `service-accounts`. Option B is wrong because `gcloud iam list service-accounts` uses an incorrect subcommand order — the verb `list` must come after the resource type `service-accounts`, not before. Option D is wrong because `gcloud projects list-service-accounts` does not exist; the `gcloud projects` command group is for managing project metadata, not for listing service accounts.

16
MCQ · hard

A company has just created a Google Cloud organization with multiple folders for different departments. The security team has set up organization policies, including a constraint that disables the creation of external IP addresses for VMs. However, the development team is unable to launch a VM instance because the 'External IP addresses' option is greyed out. They need to create a VM with an external IP for a temporary testing environment. The development team has the Project Owner role on their project. What should the company do to allow the development team to create VMs with external IPs while maintaining security?

A.Create a new folder for temporary testing and apply a policy exemption at the folder level, granting the development team the Organization Policy Administrator role on that folder.
B.Grant the development team the Organization Policy Administrator role on their existing project to allow them to override the policy.
C.Create a separate project outside the organization hierarchy to bypass the constraint.
D.Remove the organization policy constraint for the entire organization to allow external IPs.
Answer: A

Allows exception at a lower level without affecting other parts of the organization.

Why this answer

Option A is correct because creating a folder for the temporary environment and setting an override of the constraint on that folder scopes the exception to that folder alone; the rest of the organization keeps the restriction. Granting the development team Organization Policy Administrator on that folder lets them manage the exception there and nowhere else (a tighter variant is for the security team to set the override itself, so developers never hold the role at all). Option C is incorrect because a project outside the organization escapes every organization policy, not just this one, and removes the security team's control entirely.

Option D is too broad: it lifts the restriction for the entire organization to satisfy one temporary test. Option B is incorrect because Organization Policy Administrator on the team's existing project would let them relax any constraint on that project, not just this one, with no scoped and reviewable exception; the right pattern is an override at a lower node of the hierarchy that the security team can audit and remove when the test is over.

17
MCQ · medium

A company organizes its GCP projects by business unit — Finance, Engineering, and Sales. Which resource is best suited to group these projects while applying shared IAM policies to all projects in each group?

A.Apply labels to each project to identify the business unit
B.Apply resource tags to each project for policy enforcement
C.Create GCP Folders for each business unit and add the relevant projects
D.Create a Shared VPC host project for each business unit
Answer: C

Folders are the right level in the GCP hierarchy for grouping projects by business unit. IAM and Org Policies set on a Folder cascade to all child projects.

Why this answer

C is correct because GCP Folders are the hierarchical resource designed to group projects under an organization node, allowing you to apply shared IAM policies at the folder level that automatically propagate to all projects within that folder. This aligns with the requirement to organize projects by business unit and enforce consistent access controls across each group.

Exam trap

The trap here is that candidates often confuse labels or tags with hierarchical grouping, assuming metadata-based organization can substitute for the IAM inheritance provided by Folders, but only Folders (or Organization nodes) support policy propagation across projects.

How to eliminate wrong answers

Option A is wrong because labels are key-value metadata used for resource organization and cost tracking, but they do not support inheritance of IAM policies across projects. Option B is wrong because resource tags (now called 'tags' in GCP) are used for conditional policy enforcement and network firewall rules, not for hierarchical grouping with IAM policy inheritance. Option D is wrong because a Shared VPC host project allows multiple service projects to share a common VPC network, but it does not group projects for IAM policy inheritance across unrelated projects; it only provides network-level isolation and sharing.

18
MCQ · medium

A developer works across five different GCP projects daily and wants to switch their active project in the gcloud CLI without rerunning `gcloud init`. Which command should they use?

A.gcloud projects switch [PROJECT_ID]
B.gcloud config set project [PROJECT_ID]
C.gcloud auth set-project [PROJECT_ID]
D.gcloud init --project=[PROJECT_ID]
Answer: B

This command updates the `project` property in the current gcloud configuration immediately, without running the full `init` wizard.

Why this answer

The `gcloud config set project [PROJECT_ID]` command updates the `core/project` property in the active gcloud CLI configuration, allowing the developer to switch the active project without re-running `gcloud init`. This is the standard method for changing the project context in the current configuration, which persists across sessions until changed again.

Exam trap

Google Cloud often tests the distinction between `gcloud config set` and `gcloud init`, trapping candidates who think they must reinitialize the CLI to change the active project, when in fact only a property update is needed.

How to eliminate wrong answers

Option A is wrong because `gcloud projects switch` is not a valid gcloud command; the correct verb for switching context is `config set`, not a subcommand under `projects`. Option C is wrong because `gcloud auth set-project` does not exist; authentication and project configuration are separate concerns — `gcloud auth` handles credentials, not project settings. Option D is wrong because `gcloud init --project=[PROJECT_ID]` would reinitialize the entire configuration, which is unnecessary and slower than simply updating the project property; it also overwrites other settings like region and zone, which the developer likely wants to preserve.
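Questions 13 and 18 in practice, as an added example that is not from the original page: a bash script that keeps one named gcloud configuration per project/account pair, creates each only if it does not exist, populates it with `--configuration=NAME` so the active context is never rewritten by accident, and switches with `activate` rather than rerunning `gcloud init`. The configuration names, accounts, project IDs and regions are hypothetical; `DRY_RUN=1` (the default) prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example (not from the page): one named gcloud configuration per
# project/account pair, created only if missing, and a switch function that
# changes the active configuration instead of rerunning `gcloud init`.
# Names, accounts, project IDs and regions are hypothetical. DRY_RUN=1 (default)
# prints the commands instead of running them.
set -eu
: "${DRY_RUN:=1}"

run() { if [ "$DRY_RUN" = "1" ]; then printf '[dry-run] %s\n' "$*"; else "$@"; fi; }

# gcloud rejects configuration names that do not start with a lowercase letter
# or contain anything other than lowercase letters, digits and hyphens.
valid_config_name() { printf '%s\n' "$1" | grep -Eq '^[a-z][a-z0-9-]*$'; }

config_exists() {   # name -> 0 if a configuration with that name exists
  if [ "$DRY_RUN" = "1" ]; then return 1; fi   # nothing exists in dry-run
  [ -n "$(gcloud config configurations list --filter="name=$1" --format='value(name)')" ]
}

# Create (if needed) and populate a configuration without touching the active one:
# --configuration targets the named config, so a typo here never rewrites the
# context you are currently working in.
ensure_config() {   # name account project region zone
  name=$1; account=$2; project=$3; region=$4; zone=$5
  valid_config_name "$name" || { printf 'bad configuration name: %s\n' "$name" >&2; return 1; }
  config_exists "$name" || run gcloud config configurations create "$name" --no-activate
  run gcloud config set account "$account" --configuration="$name"
  run gcloud config set project "$project" --configuration="$name"
  run gcloud config set compute/region "$region" --configuration="$name"
  run gcloud config set compute/zone "$zone" --configuration="$name"
}

use_config() {   # name
  run gcloud config configurations activate "$1"
  # Print what is now active before running anything destructive against it.
  run gcloud config list --format='value(core.account,core.project,compute.region,compute.zone)'
}

ensure_config acme-dev  dev@example.com acme-dev-1  us-central1  us-central1-a
ensure_config acme-prod ops@example.com acme-prod-1 europe-west1 europe-west1-b
use_config acme-dev
```

For a one-off command against another context there is no need to switch at all: the global `--configuration` flag, as in `gcloud --configuration=acme-prod compute instances list`, runs that single command with the named configuration and leaves the active one alone. `gcloud config set project` without the flag, the answer to question 18, edits whichever configuration is currently active.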

19
Multi-Selectmedium

Which three steps are part of the initial setup for a new Google Cloud project with multiple subnets in a VPC?

Select 3 answers
A.Create a project
B.Enable the Compute Engine API
C.Enable billing
D.Create a VPC network with custom subnets
E.Create firewall rules
AnswersA, B, C

A project is the container for all resources.

Why this answer

Creating a project is the first step because the project is the container for every resource, IAM binding and billing link; nothing can be provisioned without one. Enabling billing (linking the project to a billing account) and enabling the Compute Engine API come next: VPC networks, subnets and firewall rules are Compute Engine resources, and calls to create them are rejected until the service is enabled and the project is billable. Creating the custom-subnet VPC and its firewall rules (Options D and E) are configuration steps that follow these three prerequisites.

Exam trap

Google Cloud often tests the order of operations in Google Cloud setup, and the trap here is that candidates confuse the initial prerequisites (project, billing, API) with later configuration steps like creating VPCs or firewall rules.

20
Multi-Selecteasy

A new developer is setting up their first Google Cloud project. They need to perform initial project configuration. Which TWO actions are necessary before they can create any resources? (Choose TWO.)

Select 2 answers
A.Create a custom IAM role.
B.Set up Identity Platform.
C.Create a VPC network.
D.Enable billing for the project.
E.Enable the Cloud Billing API.
AnswersD, E

Billing must be linked to the project to use billable services.

Why this answer

Options D and E are correct because the project must be linked to a billing account before any billable resource can be created, and the Cloud Billing API must be enabled to manage that link programmatically. Option C is wrong because a VPC is not required before creating resources; many resources (e.g., Cloud Storage buckets) do not need one, and every new project already has a default network. Option B is wrong because Identity Platform is a customer-facing authentication product, not a project prerequisite.

Option A is wrong because the predefined roles cover a developer's needs (the project creator is automatically granted Owner); no custom role is required before creating resources.

21
MCQeasy

You want to receive email notifications when your GCP project's billing reaches 50%, 80%, and 100% of a monthly budget. Which GCP feature should you configure?

A.Cloud Monitoring alerting policies on billing metrics.
B.Cloud Billing Budget with alert thresholds at 50%, 80%, and 100%.
C.Set a project spending limit in the Cloud Console billing settings.
D.Enable billing export to BigQuery and create a scheduled query that sends alert emails.
AnswerB

Cloud Billing Budgets support multiple percentage-based alert thresholds. Notifications are sent via email to billing account contacts or via Pub/Sub when each threshold is crossed.

Why this answer

Option B is correct because Cloud Billing Budgets allow you to set a budget amount for a GCP project and define alert threshold percentages (e.g., 50%, 80%, 100%). When the actual cost or forecasted cost reaches any threshold, Cloud Billing automatically sends email notifications to Billing Administrators and users you specify. This is the native, purpose-built feature for budget-based billing alerts.

Exam trap

The trap here is that candidates may confuse Cloud Monitoring alerting policies (which can monitor billing metrics but require manual setup for percentage thresholds) with the simpler, built-in Cloud Billing Budget feature that directly supports percentage-based email alerts.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring alerting policies can alert on billing metrics exported to Cloud Monitoring, but they have no notion of budget percentages; you would hand-build the thresholds and notification channels that Budgets provides out of the box. Option C is wrong because Google Cloud has no general per-project spending limit in billing settings (the only spending limit that ever existed applied to App Engine and is deprecated), and budgets do not cap spend either, they only notify; a hard stop requires a Pub/Sub-triggered function that disables billing on the project. Option D is wrong because enabling billing export to BigQuery and writing a scheduled query that sends emails is a custom workaround with its own scripting, scheduling and permissions to maintain, and the export lags behind actual usage, so it is not real time.

22
MCQhard

A company runs a batch processing workload on Compute Engine that completes in 30 minutes. The workload is CPU-intensive and runs once daily. The company wants to minimize costs while maintaining performance. Which of the following is the most cost-effective compute option?

A.Use a preemptible custom machine type with 4 vCPUs and 8 GB memory.
B.Use a sole-tenant node with a machine type that matches the workload.
C.Use an N1 standard-4 machine without discounts.
D.Purchase a 1-year committed use discount for the appropriate machine type.
AnswerA

Preemptible instances are significantly cheaper and suitable for fault-tolerant batch jobs.

Why this answer

A preemptible custom machine type with 4 vCPUs and 8 GB memory is the most cost-effective option because the workload is batch, CPU-intensive, fault-tolerant (it runs once daily and can simply be rerun if preempted), and completes in 30 minutes, well within the 24-hour maximum preemptible VM lifetime. Preemptible instances offer up to 80% savings over on-demand instances, and a custom machine type avoids paying for unused resources, making this the cheapest viable compute option. Spot VMs are the current successor to preemptible VMs, with the same discounted pricing model and no 24-hour runtime limit.

Exam trap

The trap here is that candidates assume committed use discounts (CUDs) are always the cheapest option, but they fail to recognize that preemptible instances are significantly cheaper for short, fault-tolerant batch workloads that do not require sustained usage.

How to eliminate wrong answers

Option B is wrong because sole-tenant nodes are designed for workloads requiring physical server isolation (e.g., licensing or compliance), which adds significant cost without any performance benefit for a standard batch job. Option C is wrong because an N1 standard-4 machine without discounts is a standard (on-demand) instance, which costs more than a preemptible instance for the same vCPU and memory capacity, and the workload is fault-tolerant so preemptible is appropriate. Option D is wrong because a 1-year committed use discount (CUD) requires a financial commitment for a full year, which is not cost-effective for a workload that runs only once daily for 30 minutes; the savings from CUDs are outweighed by the much lower cost of preemptible instances for such a short, infrequent job.

23
MCQhard

Your organization policy at the root level sets `gcp.resourceLocations` to allow only `us-central1` and `us-east1`. A business unit needs to deploy resources in `europe-west1` for GDPR compliance. How can you grant this exception without affecting other business units?

A.Create a separate GCP organization for the business unit and configure its own resource location policy.
B.Set a `gcp.resourceLocations` policy on the business unit's folder with `inheritFromParent: false`, allowing `us-central1`, `us-east1`, and `europe-west1`.
C.Add a `europe-west1` exception to the root org policy using the `exceptions` field.
D.Remove the `gcp.resourceLocations` org policy from the root and apply it to each business unit's folder individually.
AnswerB

Setting inheritFromParent: false and specifying the allowed locations at the folder level overrides the root org policy for that folder's projects only, without affecting other business units.

Why this answer

Option B is correct because Organization Policies support hierarchical inheritance, and setting `inheritFromParent: false` on the business unit's folder allows you to override the root-level `gcp.resourceLocations` constraint. This enables you to define a custom list of allowed locations (including `europe-west1`) for that specific folder without affecting other business units, as the policy is scoped to that folder only.

Exam trap

Google Cloud often tests the misconception that you can add exceptions to list constraints like `gcp.resourceLocations` using an exceptions field, but in reality, list constraints only support allow or deny lists with inheritance override, not per-value exceptions.

How to eliminate wrong answers

Option A is wrong because creating a separate GCP organization is heavy overhead and fragments governance (separate organization admins, org policies, billing and IAM); the exception can be achieved with folder-level policy inheritance. Option C is wrong because the `gcp.resourceLocations` constraint does not support an `exceptions` field; list constraints take allowed and denied values, and exceptions are expressed by overriding the policy lower in the hierarchy. Option D is wrong because removing the root-level policy would remove the baseline restriction for all business units, forcing you to reapply policies to every folder, which is inefficient and error-prone.

24
MCQmedium

You have a GCP organization with hundreds of projects. You need to find all projects that have the `compute.googleapis.com` API enabled. Which approach provides the most efficient way to query this across all projects?

A.Write a script that runs `gcloud services list --enabled` for each project ID returned by `gcloud projects list`.
B.Use Cloud Asset Inventory to search for `serviceusage.googleapis.com/Service` assets with state `ENABLED` and name matching `compute.googleapis.com`.
C.Check the Cloud Console's API library for each project manually.
D.Query Cloud Billing export data in BigQuery for projects with Compute Engine line items.
AnswerB

CAI indexes all GCP resource states organization-wide. A single `gcloud asset search-all-resources` call scoped to the organization returns all matching assets across all projects without iterating.

Why this answer

Cloud Asset Inventory provides a scalable, API-driven way to query resources across all projects in an organization without iterating over each project. By searching for `serviceusage.googleapis.com/Service` assets with `state: ENABLED` and `name: compute.googleapis.com`, you can retrieve the exact list of projects with the Compute Engine API enabled in a single, efficient query. This avoids the latency and quota limitations of scripting against each project individually.

Exam trap

The trap here is that candidates assume the most straightforward scripting approach (Option A) is efficient, but the exam tests whether you recognize that Cloud Asset Inventory is purpose-built for cross-project resource discovery without per-project API calls.

How to eliminate wrong answers

Option A is wrong because iterating over hundreds of projects with `gcloud services list --enabled` is inefficient, slow, and can hit API rate limits; it also requires scripting and error handling for each project. Option C is wrong because manually checking the Cloud Console's API library for each project is impractical and error-prone for hundreds of projects, offering no automation or scalability. Option D is wrong because Cloud Billing export data in BigQuery shows cost line items, not API enablement status; a project might have Compute Engine line items from legacy usage even if the API is currently disabled, or the API could be enabled without incurring costs.

25
MCQmedium

Your company uses Google Workspace for email. You need to set up GCP for a new team that includes contractors who use non-Google email addresses. Which identity solution allows contractors to authenticate to GCP without a Google Workspace license?

A.Issue each contractor a Gmail account and add it directly to IAM.
B.Provision contractor accounts using Cloud Identity Free, independent of Google Workspace.
C.Create service accounts for each contractor and share the key JSON files.
D.Add contractor email addresses as external users and grant them project-level IAM roles.
AnswerB

Cloud Identity Free provides managed Google accounts without Workspace productivity apps. Contractors get GCP-only identities under your organization's domain, with centralized management and SSO support.

Why this answer

Cloud Identity Free provides managed Google accounts for users who have no Google Workspace license. The contractor accounts are created under a domain your organization owns and verifies in Cloud Identity, not at the contractors' existing email providers, so each contractor gets a GCP-only identity that IAM can bind roles to, with centralized lifecycle management, enforceable 2-Step Verification and optional SSO, at no licensing cost. This decouples identity from Workspace while keeping access control in one place.

Exam trap

The trap here is that candidates confuse 'external user' (which requires a pre-existing Google identity) with the ability to create a new Google identity via Cloud Identity Free, leading them to incorrectly select Option D, which fails because GCP IAM does not automatically create Google accounts from arbitrary email addresses.

How to eliminate wrong answers

Option A is wrong because consumer Gmail accounts are personal identities outside your organization's control: you cannot enforce 2-Step Verification on them, suspend them, or recover them when the contract ends, so they are unsuitable for enterprise identity management. Option C is wrong because service accounts are intended for applications and automated workloads, not for individual human users; sharing key JSON files creates a severe security risk with no ability to enforce MFA, attribute actions to a person, or revoke access granularly. Option D is wrong because adding contractor email addresses as external users (e.g., via Google Groups or direct IAM) without a Cloud Identity or Workspace account behind them does not create a Google identity; they would be unable to sign in because IAM principals must be Google accounts or Cloud Identity managed accounts.

26
MCQmedium

A new developer tries to create a project using gcloud projects create but receives the error shown in the exhibit. Which action should the administrator take to resolve the issue?

A.Assign the Project Creator role (roles/resourcemanager.projectCreator) to the user.
B.Enable the Cloud Resource Manager API.
C.Assign the Billing Account Creator role to the user.
D.Create the project manually and share the project ID.
AnswerA

This role grants the resourcemanager.projects.create permission required to create projects.

Why this answer

Option A is correct because the error indicates the caller lacks the resourcemanager.projects.create permission, which the Project Creator role (roles/resourcemanager.projectCreator) grants. Because the project does not exist yet, the role must be granted on the organization (or on the folder where the project will be created), not on a project. Option C grants permissions on billing accounts, not project creation. Option D is a workaround that leaves the developer unable to create future projects.

Option B is incorrect because the error is about permissions, not API enablement; the Cloud Resource Manager API is typically already enabled for the project from which the command is run.

27
MCQmedium

A company is deploying a global web application that serves users from multiple continents. The application runs on Compute Engine instances in us-central1 and europe-west1. The company wants to provide the lowest latency access to users and support automatic failover if an entire region becomes unavailable. Which load balancing solution should they use?

A.Internal TCP/UDP Load Balancer
B.Regional external TCP/UDP Network Load Balancer
C.Global external HTTP(S) Load Balancer
D.External SSL Proxy Load Balancer (regional)
AnswerC

The global load balancer has a single anycast IP and routes to the closest healthy backend across regions.

Why this answer

Option C is correct because the global external HTTP(S) Load Balancer fronts backends in multiple regions behind a single anycast IP, sends each user to the nearest healthy backend, and fails over to another region automatically when a region's backends become unhealthy. Option A is wrong because the internal TCP/UDP load balancer is regional and serves only clients inside the VPC, not internet users. Option B is wrong because the regional external TCP/UDP Network Load Balancer is a passthrough load balancer confined to one region, so it cannot route across us-central1 and europe-west1.

Option D is wrong because a regional SSL Proxy Load Balancer is likewise confined to a single region; cross-region routing and failover require a global load balancer.

28
MCQmedium

A project has the following IAM bindings: User A has `roles/editor` at the project level, and a folder-level policy denies `roles/editor` to User A. Which effective permission does User A have on the project?

A.User A has Editor permissions because project-level IAM takes precedence over folder-level.
B.User A is denied Editor permissions because IAM Deny policies at a parent resource override allow grants at child resources.
C.User A has no permissions because conflicting policies result in no access.
D.User A has Editor permissions because folder-level policies don't apply to individual projects.
AnswerB

IAM Deny policies attached at a folder prevent the denied permissions from taking effect on every descendant, including the project, even if the project has an allow binding for those permissions. Deny is evaluated before allow and takes precedence. Note that deny policies list permissions (in the form compute.googleapis.com/instances.create), not roles; read the question's "denies roles/editor" as a deny rule covering the permissions that Editor grants.

Why this answer

In Google Cloud, IAM Deny policies at a parent resource (like a folder) override allow bindings at a child resource (like a project). Even though User A has `roles/editor` granted at the project level, the folder-level Deny policy explicitly denies that role, so the effective permission is denial. This follows the principle that Deny policies are evaluated before Allow bindings and take precedence.

Exam trap

Google Cloud often tests the misconception that 'lower-level grants override higher-level denials' or that 'conflicting policies result in no access,' when in fact Deny policies at any level take precedence over Allow bindings at any lower level.

How to eliminate wrong answers

Option A is wrong because it incorrectly claims project-level IAM takes precedence over folder-level; in reality, Deny policies at a parent resource override allow grants at child resources. Option C is wrong because conflicting policies do not result in 'no access' — the Deny policy explicitly overrides the allow, resulting in a clear denial of Editor permissions. Option D is wrong because folder-level policies do apply to all projects within that folder; IAM policies are hierarchical and inherited downward.
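The evaluation order described above (deny first, then the union of inherited allow bindings), as an added example that models it; this is not Google's implementation. The hierarchy, principals and the trimmed role-to-permission map are constructed for the demo. It also shows two details the question glosses over: deny policies name permissions, not roles, and they use `principal://goog/subject/EMAIL` identifiers rather than the `user:` members of allow policies.

```python
"""Model of IAM evaluation with deny policies: deny is checked across the
whole ancestry first; only then is the inherited allow policy consulted.
Added example, not Google's code. Hierarchy and role map are constructed."""
from dataclasses import dataclass, field

# Constructed, heavily trimmed role map; real roles carry thousands of permissions.
ROLE_PERMISSIONS = {
    "roles/editor": {"compute.instances.create", "compute.instances.delete",
                     "storage.buckets.create"},
    "roles/viewer": {"compute.instances.get"},
}


def deny_form(permission):
    """Deny policies spell permissions as SERVICE.googleapis.com/RESOURCE.ACTION:
    'compute.instances.create' -> 'compute.googleapis.com/instances.create'."""
    service, rest = permission.split(".", 1)
    return f"{service}.googleapis.com/{rest}"


def deny_principal(member):
    """Allow-policy member -> deny-policy principal identifier."""
    kind, ident = member.split(":", 1)
    if kind == "user":
        return f"principal://goog/subject/{ident}"
    if kind == "group":
        return f"principalSet://goog/group/{ident}"
    if kind == "serviceAccount":
        return f"principal://iam.googleapis.com/projects/-/serviceAccounts/{ident}"
    raise ValueError(f"unsupported member type: {kind}")


@dataclass
class DenyRule:
    denied_principals: set            # deny-form identifiers
    denied_permissions: set           # deny-form permissions
    exception_principals: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None
    allow_bindings: dict = field(default_factory=dict)   # role -> set of members
    deny_rules: list = field(default_factory=list)


def ancestry(resource):
    """Yield the resource, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = resource.parent


def matching_deny(resource, member, permission):
    """A deny rule on the resource or any ancestor applies; returns where it matched."""
    who, what = deny_principal(member), deny_form(permission)
    for node in ancestry(resource):
        for rule in node.deny_rules:
            if who in rule.exception_principals:
                continue
            if who in rule.denied_principals and what in rule.denied_permissions:
                return node.name
    return None


def has_allow(resource, member, permission):
    """Allow policies are inherited downward: the effective policy is the union."""
    for node in ancestry(resource):
        for role, members in node.allow_bindings.items():
            if member in members and permission in ROLE_PERMISSIONS.get(role, set()):
                return True
    return False


def check_access(resource, member, permission):
    """Deny is evaluated first; the allow policy only matters if nothing denies."""
    denied_at = matching_deny(resource, member, permission)
    if denied_at:
        return f"DENY (deny policy on {denied_at})"
    if has_allow(resource, member, permission):
        return "ALLOW"
    return "DENY (no allow binding)"


def build_scenario():
    """The question's setup: Editor on the project, a deny on the parent folder."""
    org = Resource("organizations/123456789012")          # placeholder ids
    folder = Resource("folders/111", parent=org)
    project = Resource("projects/demo-project", parent=folder)
    project.allow_bindings["roles/editor"] = {"user:a@example.com", "user:b@example.com"}
    folder.deny_rules.append(DenyRule(
        denied_principals={deny_principal("user:a@example.com")},
        denied_permissions={deny_form("compute.instances.create"),
                            deny_form("compute.instances.delete")},
    ))
    return project


if __name__ == "__main__":
    p = build_scenario()
    for who, perm in [("user:a@example.com", "compute.instances.create"),
                      ("user:b@example.com", "compute.instances.create"),
                      ("user:a@example.com", "storage.buckets.create")]:
        print(who, perm, "->", check_access(p, who, perm))
```

Because the deny rule is per permission, User A keeps the Editor permissions the rule does not list (here, creating buckets); a deny that should neutralise a whole role has to enumerate its permissions, and not every permission is supported in deny policies.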

29
MCQeasy

A company has a set of Compute Engine instances in a VPC that need outbound internet access for updates, but they do not have public IP addresses. The instances are running in a subnet with Private Google Access enabled. Which service should the company use to provide internet access?

A.Private Google Access
B.A default route to the internet gateway
C.Cloud NAT
D.Cloud VPN
AnswerC

Cloud NAT translates private IPs to a set of external IPs, enabling outbound internet access.

Why this answer

Option C is correct because Cloud NAT lets instances without external IP addresses initiate outbound connections to the internet; it is outbound-only and does not make the instances reachable from outside. Option A is wrong because Private Google Access only reaches Google APIs and services, not the general internet (it covers Cloud Storage, but not a third-party package mirror). Option D is wrong because Cloud VPN connects the VPC to an on-premises or peer network, not to the internet.

Option B is wrong because the VPC already has a default route to the default internet gateway, but that route only carries traffic from instances that have external IP addresses; without an external IP or a NAT gateway, the packets have no public source address.

30
MCQhard

You are designing an environment where a CI/CD pipeline running in GitHub Actions needs to deploy Cloud Run services without storing any long-lived service account keys. Your organization's security policy prohibits downloading SA keys. Which approach meets these requirements?

A.Create a service account key, base64-encode it, and store it as a GitHub Actions secret.
B.Use Workload Identity Federation to allow GitHub Actions to impersonate a service account using OIDC tokens.
C.Grant the GitHub Actions runner VM's default service account the necessary roles.
D.Use Cloud Build triggers instead of GitHub Actions to avoid key management.
AnswerB

WIF exchanges the GitHub OIDC token for a short-lived GCP credential. No SA key is created or stored anywhere.

Why this answer

Workload Identity Federation allows GitHub Actions to exchange OIDC tokens from GitHub's identity provider for Google Cloud service account impersonation, eliminating the need to download and store long-lived service account keys. This approach satisfies the security policy by using short-lived, automatically rotated tokens that are valid for only one hour, and it integrates directly with GitHub's OIDC provider without requiring any secret key material.

Exam trap

Google Cloud often tests the misconception that you can rely on the runner VM's default service account in GitHub Actions, but GitHub-hosted runners are not GCP VMs, so that service account is irrelevant and the runner has no inherent GCP identity.

How to eliminate wrong answers

Option A is wrong because it violates the security policy by creating a long-lived service account key and storing it as a GitHub secret, which is exactly what the policy prohibits. Option C is wrong because the GitHub Actions runner VM's default service account is not used when running in GitHub-hosted runners; the runner is ephemeral and not associated with a GCP VM, so granting roles to that default service account has no effect. Option D is wrong because it avoids the problem rather than solving it; the requirement is to deploy from GitHub Actions, and switching to Cloud Build does not address the need to use GitHub Actions without keys.
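The trust decision a Workload Identity Federation provider makes on a GitHub OIDC token, as an added simulation (not Google's code and not the real exchange, which is an HTTPS call to the STS endpoint after the token's signature is verified against GitHub's JWKS; here the token is an unsigned, constructed payload and signature checking is skipped). The project number, pool and provider ids are placeholders; the claim names (`sub`, `repository`, `repository_owner`, `ref`) and the audience format `https://iam.googleapis.com/` + provider resource name are the real ones that the google-github-actions/auth action relies on. The point it makes: with no attribute condition the provider accepts a token from any GitHub repository, leaving the service account's IAM binding as the only barrier; the condition closes that gap at the provider.

```python
"""Simulation of a WIF provider checking a GitHub Actions OIDC token.
Added example; not Google's code. Tokens here carry alg=none and are never
signed: the real provider validates the signature against GitHub's JWKS."""
import base64
import json
import time

PROJECT_NUMBER = "123456789012"   # placeholder
POOL_ID = "github-pool"           # placeholder
PROVIDER_ID = "github-provider"   # placeholder
PROVIDER_NAME = (f"projects/{PROJECT_NUMBER}/locations/global/"
                 f"workloadIdentityPools/{POOL_ID}/providers/{PROVIDER_ID}")
EXPECTED_AUDIENCE = "https://iam.googleapis.com/" + PROVIDER_NAME
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Attribute mapping as configured on the provider (CEL expressions in the real service).
ATTRIBUTE_MAPPING = {
    "google.subject": "sub",
    "attribute.repository": "repository",
    "attribute.repository_owner": "repository_owner",
    "attribute.ref": "ref",
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(repository, ref, aud=EXPECTED_AUDIENCE, lifetime=300):
    """Constructed GitHub-style OIDC token (header.payload. with an empty signature)."""
    now = int(time.time())
    claims = {
        "iss": GITHUB_ISSUER, "aud": aud,
        "sub": f"repo:{repository}:ref:{ref}",
        "repository": repository, "repository_owner": repository.split("/")[0],
        "ref": ref, "iat": now, "exp": now + lifetime,
    }
    header = {"alg": "none", "typ": "JWT"}
    return _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode()) + "."


def decode_claims(token):
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)            # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_attributes(claims):
    return {target: claims[source] for target, source in ATTRIBUTE_MAPPING.items()}


def only_main_of_org(org):
    """Equivalent of the provider condition:
    assertion.repository_owner == '<org>' && assertion.ref == 'refs/heads/main'"""
    return lambda a: a["attribute.repository_owner"] == org and a["attribute.ref"] == "refs/heads/main"


def exchange(token, condition=None, now=None):
    """Apply the provider's checks and return the principal identifiers that a
    service account IAM binding must name. Raises PermissionError on rejection."""
    claims = decode_claims(token)
    now = int(time.time()) if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        raise PermissionError("issuer mismatch")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise PermissionError("audience mismatch: token was minted for another provider")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    attrs = map_attributes(claims)
    if condition is not None and not condition(attrs):
        raise PermissionError("attribute condition failed")
    base = (f"iam.googleapis.com/projects/{PROJECT_NUMBER}/locations/global/"
            f"workloadIdentityPools/{POOL_ID}")
    return {
        "principal": f"principal://{base}/subject/{attrs['google.subject']}",
        "principalSet": f"principalSet://{base}/attribute.repository/{attrs['attribute.repository']}",
    }


def accepts(token, condition=None):
    try:
        exchange(token, condition)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    good = make_unsigned_token("acme/app", "refs/heads/main")
    print(exchange(good, only_main_of_org("acme")))
    fork = make_unsigned_token("mallory/app", "refs/heads/main")
    print("foreign repo, no condition:", accepts(fork))
    print("foreign repo, with condition:", accepts(fork, only_main_of_org("acme")))
```

The returned `principalSet` is what you bind `roles/iam.workloadIdentityUser` to on the deploy service account; binding the whole pool (`.../*`) instead would let any repository that passes the provider impersonate it.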

31
MCQeasy

A project is being decommissioned. You need to delete it but want to ensure there is a 30-day window during which the deletion can be cancelled if needed. What happens when you delete a GCP project?

A.The project is immediately and permanently deleted along with all resources.
B.The project enters a 30-day pending deletion period; resources are inaccessible but the project can be restored within this window.
C.The project is archived but billing continues for 30 days before final deletion.
D.All resources are deleted immediately but the project ID is reserved for 90 days.
AnswerB

Project deletion is a soft-delete with a 30-day grace period. `gcloud projects undelete PROJECT_ID` cancels the deletion and restores access. After 30 days, deletion is permanent.

Why this answer

When you delete a GCP project, it enters a 30-day pending deletion period. During this time its resources are inaccessible, but the project can be restored, which satisfies the requirement for a 30-day cancellation window. Google documents that some resource types may be cleaned up before the 30 days elapse, so not every resource is guaranteed to survive the full window and an accidental deletion should be undone as early as possible.

Exam trap

Google Cloud often tests the misconception that deletion is immediate and irreversible, leading candidates to choose Option A, but GCP's 30-day soft-delete period is a key differentiator that must be remembered for the ACE exam.

How to eliminate wrong answers

Option A is wrong because GCP does not immediately and permanently delete a project; it enforces a 30-day pending deletion period to allow recovery. Option C is wrong because the project is not archived; it is placed in a pending deletion state and its resources are shut down rather than billed for another 30 days. Option D is wrong because resources are not deleted immediately; they remain recoverable during the 30-day window, and the project ID is never released: the ID of a deleted project cannot be reused, even after permanent deletion.

32
MCQeasy

Refer to the exhibit. A developer tries to create a new project using the command `gcloud projects create my-project --name="My Project"` and receives the error 'Project ID my-project already exists.' What should the developer do?

A.Enable the Cloud Resource Manager API
B.Use a different project ID
C.Delete the existing project with the same ID
D.Use the --organization flag
AnswerB

Project IDs must be globally unique; a different ID will work.

Why this answer

Project IDs are globally unique across all of Google Cloud, not just within your organization, and the ID of a deleted project is never released. Option B is correct: the developer must choose a different, unused project ID.

Option A is wrong because the error is a naming collision, not a disabled API. Option C is wrong because the existing project may belong to someone else; deleting your own would destroy its resources, and a deleted project's ID cannot be reused anyway. Option D is wrong because --organization only sets the parent resource; it does not create a separate namespace for project IDs.

33
MCQeasy

A startup wants to set up a Google Cloud environment with minimal administrative overhead. They have a small team of developers and need to manage permissions. Which approach should they use for organizing their cloud resources?

A.Create a separate project for each developer.
B.Use a single project with IAM roles at the project level.
C.Create a single project with folders for each team.
D.Create a single organization with multiple projects for each environment.
AnswerB

Simplest approach with low administrative overhead; manages permissions directly.

Why this answer

Option B is correct because a single project with IAM roles granted at the project level is the simplest structure with the least administrative overhead for a small team. Option A is incorrect because a project per developer multiplies billing, API enablement and IAM administration. Option D is incorrect because an organization with separate projects per environment adds structure a startup at this stage does not need, even though it becomes the right model once environments must be isolated.

Option C is incorrect because folders sit above projects in the resource hierarchy and contain projects; a project cannot contain folders, so this option describes a structure that does not exist.

34
MCQmedium

You need to enforce that all new Cloud Storage buckets in your organization use Uniform Bucket-Level Access (UBLA) and are created in one of three approved regions: `us-central1`, `us-east1`, or `europe-west1`. What is the most efficient way to enforce both constraints?

A.Write a Cloud Function triggered by bucket creation events to check and delete non-compliant buckets.
B.Apply `storage.uniformBucketLevelAccess` and `gcp.resourceLocations` org policies at the organization level.
C.Create a custom IAM role that removes the `storage.buckets.create` permission for disallowed regions.
D.Use Terraform to provision all buckets and include validation in the Terraform plan step.
AnswerB

These two org policy constraints enforce UBLA and region restrictions declaratively at creation time — no buckets outside the policy are ever created.

Why this answer

Organization policies are the most efficient way to enforce constraints across all new Cloud Storage buckets because they are evaluated at resource creation time by the Cloud Resource Manager. The `storage.uniformBucketLevelAccess` policy enforces UBLA, and `gcp.resourceLocations` restricts the allowed locations, both applied at the organization level to cover all projects without per-bucket overhead.

Exam trap

Google Cloud often tests the distinction between preventive controls (organization policies) and detective/reactive controls (Cloud Functions, Terraform validation), and the trap here is assuming that a post-creation check or a tool-specific validation is sufficient when a native, pre-creation enforcement mechanism exists.

How to eliminate wrong answers

Option A is wrong because a Cloud Function triggered by bucket creation events is reactive and inefficient—it would delete non-compliant buckets after creation, causing unnecessary resource churn and potential data loss, and it cannot prevent the creation in the first place. Option C is wrong because IAM roles control permissions at the API level, not the allowed regions for bucket creation; removing `storage.buckets.create` for disallowed regions is not possible because IAM does not support location-based conditions for the create permission. Option D is wrong because using Terraform with validation in the plan step only enforces compliance within Terraform-managed buckets, but does not prevent non-compliant buckets from being created via the Console, gsutil, or other tools outside Terraform.
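Both this question and question 23 turn on how Resource Manager resolves an organization policy down the hierarchy and applies it before a resource exists. The model below is an added example, not Google's implementation: it resolves a list constraint (`gcp.resourceLocations`, with `inheritFromParent` on the folder) and a boolean constraint (`storage.uniformBucketLevelAccess`) from organization to project, then evaluates a bucket creation request against the effective policy, which is the preventive check the page contrasts with post-creation cleanup. The hierarchy and project names are constructed; the model accepts only exact location names (the real constraint also takes value groups such as `in:eu-locations`), and real policies are applied with `gcloud resource-manager org-policies set-policy` from a YAML file with the same fields.

```python
"""Model of org-policy resolution through organization -> folder -> project,
applied at creation time. Added example, not Google's implementation.
Hierarchy is constructed; only exact location names are handled."""
from dataclasses import dataclass, field

RESOURCE_LOCATIONS = "constraints/gcp.resourceLocations"
UNIFORM_BUCKET_ACCESS = "constraints/storage.uniformBucketLevelAccess"


@dataclass
class ListPolicy:
    allowed_values: set = field(default_factory=set)
    denied_values: set = field(default_factory=set)
    inherit_from_parent: bool = True      # True: merge with the parent's values


@dataclass
class BooleanPolicy:
    enforced: bool


@dataclass
class Node:
    name: str
    parent: "Node | None" = None
    policies: dict = field(default_factory=dict)   # constraint -> policy set here


def chain_from_root(node):
    chain = []
    while node is not None:
        chain.append(node)
        node = node.parent
    return list(reversed(chain))


def effective_list_policy(node, constraint):
    """Walk from the root down; a policy with inheritFromParent=false replaces
    everything inherited so far, otherwise values merge (union)."""
    allowed, denied = set(), set()
    for n in chain_from_root(node):
        policy = n.policies.get(constraint)
        if policy is None:
            continue
        if not policy.inherit_from_parent:
            allowed, denied = set(), set()
        allowed |= policy.allowed_values
        denied |= policy.denied_values
    return allowed, denied


def list_value_permitted(node, constraint, value):
    allowed, denied = effective_list_policy(node, constraint)
    if value in denied:                      # denied values win over allowed ones
        return False
    return not allowed or value in allowed   # no allow list: constraint default (allow all)


def boolean_enforced(node, constraint):
    """Boolean constraints are not merged: the nearest policy in the ancestry wins."""
    enforced = False                         # default for this constraint: not enforced
    for n in chain_from_root(node):
        policy = n.policies.get(constraint)
        if policy is not None:
            enforced = policy.enforced
    return enforced


def validate_bucket_create(project, location, uniform_bucket_level_access):
    """Preventive check run before the bucket exists; empty list means allowed."""
    violations = []
    if not list_value_permitted(project, RESOURCE_LOCATIONS, location):
        violations.append(f"{RESOURCE_LOCATIONS}: location {location} is not permitted")
    if boolean_enforced(project, UNIFORM_BUCKET_ACCESS) and not uniform_bucket_level_access:
        violations.append(f"{UNIFORM_BUCKET_ACCESS}: uniform bucket-level access is required")
    return violations


def build_hierarchy():
    """Question 23's setup plus the UBLA constraint from question 34 (constructed)."""
    org = Node("organizations/123456789012", policies={
        RESOURCE_LOCATIONS: ListPolicy(allowed_values={"us-central1", "us-east1"}),
        UNIFORM_BUCKET_ACCESS: BooleanPolicy(enforced=True),
    })
    eu_folder = Node("folders/eu-bu", parent=org, policies={
        RESOURCE_LOCATIONS: ListPolicy(
            allowed_values={"us-central1", "us-east1", "europe-west1"},
            inherit_from_parent=False),
    })
    other_folder = Node("folders/other-bu", parent=org)   # inherits everything
    return {"eu": Node("projects/eu-app", parent=eu_folder),
            "other": Node("projects/other-app", parent=other_folder)}


if __name__ == "__main__":
    h = build_hierarchy()
    for proj, loc, ubla in [("eu", "europe-west1", True), ("other", "europe-west1", True),
                            ("eu", "europe-west1", False), ("other", "us-east1", True)]:
        print(proj, loc, ubla, "->", validate_bucket_create(h[proj], loc, ubla) or "allowed")
```

Note what `inheritFromParent` actually changes: with it left true the folder's values merge with the root's, which would also admit `europe-west1` here; setting it false replaces the inherited list, which matters when the parent's list contains values you also want to drop for that folder.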

35
MCQeasy

A project was accidentally deleted. A GCP administrator realizes the mistake 3 days later. What is the maximum time window in which the project can be restored?

A.24 hours — projects are permanently deleted after one day
B.7 days — projects enter a one-week soft-delete period
C.30 days — projects can be restored using `gcloud projects undelete` within this window
D.Projects are permanently deleted immediately and cannot be recovered
AnswerC

Deleted projects remain recoverable for 30 days. `gcloud projects undelete [PROJECT_ID]` or the Console's Resource Manager page can restore the project during this period.

Why this answer

Option C is correct because Google Cloud projects have a 30-day soft-delete period after deletion. During this window, the project can be recovered using the `gcloud projects undelete` command or the Cloud Resource Manager API, restoring all associated resources and configurations.

Exam trap

The trap here is that candidates may confuse the 30-day project soft-delete period with the shorter retention windows of individual services (for example, the default retention of Cloud SQL automated backups), leading them to underestimate the recovery window.

How to eliminate wrong answers

Option A is wrong because projects are not permanently deleted after 24 hours; the soft-delete period is 30 days, not one day. Option B is wrong because the recovery window is 30 days, not 7 days; the 7-day figure might be confused with the retention period for some other GCP resources like Cloud SQL backups. Option D is wrong because projects are not permanently deleted immediately; they enter a recoverable soft-delete state for 30 days before permanent deletion.

36
Multi-Selecthard

A developer needs to allow a CI/CD system to deploy applications to Cloud Run. The CI/CD system uses a service account. Which two roles should be granted to that service account?

Select 2 answers
A.roles/cloudbuild.builds.builder
B.roles/run.invoker
C.roles/iam.serviceAccountUser
D.roles/run.admin
E.roles/storage.objectViewer
AnswersC, D

Allows service account to act as the Cloud Run runtime service account.

Why this answer

To deploy Cloud Run services, the CI/CD service account needs roles/run.admin to create and update services, and roles/iam.serviceAccountUser on the runtime service account (the identity the service runs as) so that it can deploy a revision that acts as that account; without that actAs grant the deployment fails even with run.admin. Options C and D are correct. Option A is a Cloud Build role, Option B only allows calling (invoking) services, and Option E only reads Cloud Storage objects; none of them grants deployment rights.

37
MCQeasy

Which service should be used to manage billing budgets and alerts?

A.Cloud Monitoring
B.Cloud Billing Budgets
C.Cloud Billing Reports
D.Cloud Logging
AnswerB

This service allows creating budget thresholds and alerts.

Why this answer

Cloud Billing Budgets is the correct service because it is specifically designed to allow you to set spending limits (budgets) on your Google Cloud projects, billing accounts, or folders, and to configure alerts (e.g., email notifications or Pub/Sub messages) when actual or forecasted costs exceed those thresholds. This directly addresses the requirement to manage billing budgets and alerts, whereas other services focus on monitoring infrastructure performance or logging operational data.

Exam trap

Google Cloud often tests the distinction between 'monitoring' (Cloud Monitoring) and 'billing alerts' (Cloud Billing Budgets), leading candidates to incorrectly choose Cloud Monitoring because they associate 'alerts' with performance monitoring rather than cost management.

How to eliminate wrong answers

Option A (Cloud Monitoring) is wrong because it is a service for collecting metrics, uptime checks, and alerting on infrastructure performance (e.g., CPU usage, latency), not for managing billing budgets or cost-based alerts. Option C (Cloud Billing Reports) is wrong because it provides historical cost analysis and export capabilities (e.g., BigQuery exports) but does not allow you to set proactive budget thresholds or trigger alerts when spending exceeds limits. Option D (Cloud Logging) is wrong because it is a service for storing, searching, and analyzing log data from applications and services (e.g., using Logs Explorer), not for managing financial budgets or cost alerts.

38
MCQhard

A service account needs to be able to create snapshots of disks in a specific project and store them in a different project. What is the correct IAM policy configuration?

A.Grant roles/compute.storageAdmin on both projects
B.Grant roles/viewer on both projects
C.Grant roles/compute.snapshotAdmin on the source project and roles/storage.objectAdmin on the target bucket
D.Grant roles/compute.instanceAdmin on the source project and roles/storage.objectAdmin on the target bucket
AnswerC

This provides snapshot creation and storage permissions.

Why this answer

Option C is correct because creating snapshots in one project and storing them in another requires distinct permissions: `roles/compute.snapshotAdmin` on the source project allows the service account to create snapshots, while `roles/storage.objectAdmin` on the target bucket (within the destination project) grants the necessary permissions to write snapshot data into the bucket. This separation follows the principle of least privilege and aligns with the cross-project snapshot workflow.

Exam trap

Google Cloud often tests the misconception that a single role like `compute.storageAdmin` or `compute.instanceAdmin` can handle cross-project snapshot operations, when in fact you need a combination of snapshot-specific and bucket-specific roles.

How to eliminate wrong answers

Option A is wrong because `roles/compute.storageAdmin` is a legacy role that grants broad storage permissions (including disks and images) but does not specifically allow snapshot creation across projects; it also over-provisions access. Option B is wrong because `roles/viewer` only provides read-only access and cannot create snapshots or write to a bucket. Option D is wrong because `roles/compute.instanceAdmin` on the source project allows managing instances but not creating snapshots of disks; snapshot creation requires `compute.snapshots.create` permission, which is not included in the instanceAdmin role.

39
Multi-Selecteasy

A developer needs to set up a Google Cloud environment for a new project. Which TWO actions are required to enable billing and APIs for the project?

Select 2 answers
A.Enable the required APIs using the Cloud Console or gcloud.
B.Configure firewall rules before enabling any APIs.
C.Create a billing account and link it to the project.
D.Set up VPC networks for all regions.
E.Assign IAM roles to all users globally.
AnswersA, C

APIs must be enabled for the services to be used in the project.

Why this answer

Options A and C are correct. Creating a billing account and linking it to the project (Option C) is necessary for using billable services. Enabling the required APIs per project (Option A) is also mandatory for service access.

Option E is not required initially; IAM roles are assigned as needed. Option D is not a prerequisite; VPC networks are created per requirements. Option B is incorrect because firewall rules are configured after services are enabled.

40
MCQmedium

A platform admin creates a new GCP project for a team. The team lead's email is teamlead@company.com. The admin needs the team lead to be able to create resources in the project but not manage IAM policies or billing. Which role is most appropriate?

A.Owner
B.Editor
C.Viewer
D.Billing Account Administrator
AnswerB

Editor grants broad create/read/update/delete on GCP resources while excluding IAM policy changes and billing management — matching the requirement precisely.

Why this answer

The Editor role (roles/editor) grants all permissions necessary to create, modify, and delete resources within a GCP project, but explicitly excludes permissions to manage IAM policies (roles/iam.securityAdmin or roles/owner) and billing (roles/billing.admin). This makes it the correct choice for a team lead who needs to deploy and manage resources without having the ability to change access controls or alter billing configurations.

Exam trap

Google Cloud often tests the distinction between resource-level permissions and management-level permissions, and the trap here is that candidates may confuse the Editor role with Owner because both can create resources, but only Owner can manage IAM and billing.

How to eliminate wrong answers

Option A is wrong because the Owner role (roles/owner) includes all Editor permissions plus the ability to manage IAM policies and billing, which violates the requirement that the team lead should not manage IAM or billing. Option C is wrong because the Viewer role (roles/viewer) only allows read-only access to existing resources and does not permit creating any resources. Option D is wrong because the Billing Account Administrator role (roles/billing.admin) manages billing accounts and budgets but does not grant any permissions to create project resources.

41
MCQeasy

A user wants to use gcloud to create a Cloud Storage bucket but receives a permission denied error. What is the most likely cause?

A.The bucket name is already taken
B.The user is not authenticated
C.The user does not have storage.buckets.create permission
D.The project does not have billing enabled
AnswerC

Permission denied indicates missing IAM permissions.

Why this answer

C is correct because Cloud Storage uses IAM permissions to control access to bucket creation. The specific permission required is `storage.buckets.create`, which must be granted at the project level. Without this permission, the gcloud command will fail with a permission denied error, even if the user is authenticated and billing is enabled.

Exam trap

Google Cloud often tests the distinction between authentication (who you are) and authorization (what you can do), so the trap here is that candidates may confuse a permission denied error with an authentication failure or a naming conflict.

How to eliminate wrong answers

Option A is wrong because a bucket name being taken results in a '409 Conflict' error, not a permission denied error. Option B is wrong because if the user is not authenticated, gcloud would return an authentication error (e.g., 'ERROR: (gcloud) You do not have permission to access project') or prompt for login, not a generic permission denied. Option D is wrong because billing is not required to create a bucket; it is required for using the bucket (e.g., storing data) but not for the creation API call itself.

42
MCQmedium

A Cloud Identity admin needs to grant a user access to manage billing for a specific GCP project without giving them access to any other projects in the organization. Which role should be assigned at the project level?

A.Billing Account Administrator at the organization level
B.Project Billing Manager on the specific project
C.Editor on the specific project
D.Billing Account User at the billing account level
AnswerB

Project Billing Manager (roles/billing.projectManager) grants the ability to link or unlink a billing account for a single project, with no other project access.

Why this answer

The Project Billing Manager role is the correct choice because it grants permissions to manage billing for a specific GCP project, including viewing billing reports and setting budget alerts, without providing access to other projects. This role is assigned at the project level, ensuring the user's billing management scope is limited to that single project.

Exam trap

The trap here is that candidates often confuse the Project Billing Manager role with the Billing Account User role, mistakenly thinking the latter provides project-level billing management, when in fact it only allows linking projects to a billing account and does not grant billing management permissions for a specific project.

How to eliminate wrong answers

Option A is wrong because the Billing Account Administrator role at the organization level grants full control over the billing account, including the ability to link or unlink projects, which would give the user access to billing for all projects under that billing account, not just the specific one. Option C is wrong because the Editor role on the specific project includes permissions to modify project resources (e.g., compute, storage) beyond billing management, violating the principle of least privilege. Option D is wrong because the Billing Account User role at the billing account level allows the user to link projects to the billing account but does not grant permissions to manage billing for a specific project; it is designed for users who need to associate projects with a billing account, not for project-level billing administration.

43
MCQmedium

A team's Cloud Build jobs are consistently failing with 'quota exceeded' errors. Billing is active and the project has available budget. What should the team do?

A.Delete unused projects in the same organization to release global quota
B.Upgrade the billing account to a higher payment tier
C.Request a quota increase for the Cloud Build API in the project settings
D.Use a larger machine type for Cloud Build worker pools
AnswerC

Navigating to IAM & Admin > Quotas (or the Cloud Quotas product) and submitting a quota increase request for Cloud Build resolves this issue.

Why this answer

Option C is correct because Cloud Build quota errors indicate that the project has reached its API rate limit or concurrent build limit, not a billing issue. Quotas are per-project and can be increased by requesting a higher limit from the Cloud Build API quotas page in the Google Cloud Console. Billing being active and having budget means the issue is not financial, so the team must specifically request a quota increase for the Cloud Build API.

Exam trap

The trap here is that candidates confuse billing-related errors (e.g., 'insufficient funds') with quota errors (e.g., 'quota exceeded'), leading them to incorrectly choose billing upgrades or project deletions instead of recognizing that API quotas are a separate, project-level limit that must be explicitly increased.

How to eliminate wrong answers

Option A is wrong because deleting unused projects does not release global quota; quotas are per-project and independent, so removing other projects has no effect on the Cloud Build quota in the affected project. Option B is wrong because upgrading the billing account to a higher payment tier does not affect API quotas; billing tiers relate to payment methods and invoicing, not resource limits. Option D is wrong because using a larger machine type for Cloud Build worker pools changes the compute resources for builds but does not increase the API quota for the number of concurrent builds or API requests; quota errors are about rate limits, not machine size.

44
MCQhard

An organization has a policy requiring all new GCP projects to be created within specific folders and linked to approved billing accounts only. Which combination of features enforces this at scale?

A.IAM deny policies on the organization + VPC Service Controls
B.Organization policies to restrict allowed billing accounts + granting Project Creator role only at approved folder level
C.Cloud Asset Inventory alerts + manual review of new projects
D.Requiring multi-factor authentication for all project creators
AnswerB

The `billing.allowedBillingAccounts` org policy restricts which billing accounts can be used. Scoping the Project Creator role to specific folders ensures new projects land in the right place.

Why this answer

Option B is correct because it combines two enforcement mechanisms: Organization policies (specifically the `constraints/compute.restrictBillingAccounts` constraint) to limit which billing accounts can be attached to projects, and granting the Project Creator role (`roles/resourcemanager.projectCreator`) only at the folder level (not the organization level). This ensures that new projects can only be created within the approved folders and must use an approved billing account, enforcing the policy at scale across the entire organization.

Exam trap

Google Cloud often tests the distinction between reactive monitoring (like Cloud Asset Inventory) and proactive enforcement (like Organization policies and IAM roles), leading candidates to choose a monitoring-based answer instead of the correct policy-based enforcement.

How to eliminate wrong answers

Option A is wrong because IAM deny policies are used to explicitly deny access to resources, not to restrict billing accounts or project creation locations; VPC Service Controls are designed to protect data in GCP services by controlling data exfiltration, not for enforcing project creation or billing constraints. Option C is wrong because Cloud Asset Inventory alerts and manual review are reactive, not proactive enforcement; they cannot prevent non-compliant projects from being created at scale. Option D is wrong because multi-factor authentication (MFA) is an identity security measure that does not restrict which billing accounts or folders can be used when creating projects.

45
MCQmedium

Your team needs to manage Google Kubernetes Engine clusters across multiple projects. Rather than granting `roles/container.admin` on each project individually, you want a centralized approach. What is the most maintainable solution?

A.Create a service account with `roles/container.admin` and share its key JSON with team members.
B.Grant `roles/container.admin` to the team's Google Group at the folder level containing all relevant projects.
C.Grant `roles/container.admin` to each team member individually in each project's IAM policy.
D.Use the GKE Hub to create a fleet and assign RBAC roles within each cluster.
AnswerB

Folder-level IAM grants inherit to all child projects. Using a Google Group means membership changes (add/remove people) automatically update access without modifying IAM policies.

Why this answer

Granting `roles/container.admin` at the folder level to a Google Group is the most maintainable solution because it centralizes IAM policy management. When new projects are added under that folder, they automatically inherit the role, and team membership changes are handled by updating the Google Group rather than modifying individual project IAM policies. This approach follows Google Cloud's recommended practice of using groups and resource hierarchy for scalable access control.

Exam trap

The trap here is that candidates confuse Kubernetes RBAC (which controls access within a cluster) with Google Cloud IAM (which controls access to the GKE API and cluster management), leading them to choose fleet-based RBAC solutions that do not address the centralized IAM requirement.

How to eliminate wrong answers

Option A is wrong because sharing a service account key JSON with team members violates security best practices, creates a long-lived credential that cannot be easily revoked per user, and bypasses audit logging tied to individual identities. Option C is wrong because granting `roles/container.admin` to each team member individually in each project's IAM policy is not scalable, creates significant administrative overhead, and violates the principle of least privilege by requiring per-project updates for any team change. Option D is wrong because GKE Hub fleets manage multi-cluster features like service discovery and policy propagation, but they do not replace IAM roles at the project or folder level; RBAC roles within clusters control Kubernetes-level permissions, not GCP-level access to the GKE API or cluster management.

46
MCQeasy

A team needs to create a Compute Engine VM but the `gcloud compute instances create` command is failing with 'insufficient permissions'. The team lead says the service account has the Compute Engine Default role. What is the minimal IAM role that allows creating VM instances?

A.Compute Viewer
B.Compute Instance Admin (v1)
C.Compute Network Admin
D.Project Editor
AnswerB

Compute Instance Admin (v1) grants permissions to create, modify, start, stop, and delete Compute Engine instances — the minimum role needed for VM creation.

Why this answer

The Compute Instance Admin (v1) role (roles/compute.instanceAdmin.v1) provides the necessary permissions to create, modify, and delete Compute Engine VM instances. The Compute Engine Default service account lacks the required permissions for instance creation, and this role is the minimal predefined IAM role that includes compute.instances.create.

Exam trap

Google Cloud often tests the distinction between predefined roles and basic roles, and the trap here is that candidates may choose Project Editor because it 'can do everything,' overlooking the requirement for the minimal role that specifically allows VM creation without extraneous permissions.

How to eliminate wrong answers

Option A is wrong because Compute Viewer (roles/compute.viewer) only grants read-only permissions to list and get Compute Engine resources, not create them. Option C is wrong because Compute Network Admin (roles/compute.networkAdmin) allows management of networking resources like firewalls and routes but does not include compute.instances.create. Option D is wrong because Project Editor (roles/editor) is a broad, basic role that includes many permissions beyond what is needed, making it not minimal; it grants create permissions but is overly permissive compared to the targeted Compute Instance Admin (v1) role.

47
MCQhard

A team runs a critical production project and wants to prevent anyone — including project owners and organization admins — from accidentally deleting it. Which mechanism provides this protection?

A.Remove the Owner role from all users in the project
B.Set an organization policy denying the resourcemanager.projects.delete permission
C.Create a project lien using the Cloud Resource Manager API or gcloud
D.Enable deletion protection in the project's IAM settings in the Console
AnswerC

A lien blocks the `resourcemanager.projects.delete` operation on a project. Even users with delete permissions cannot delete the project until the lien is removed via API.

Why this answer

A project lien is the correct mechanism because it explicitly prevents the deletion of a Google Cloud project by blocking the `resourcemanager.projects.delete` operation until the lien is removed. This protection works regardless of the user's role, including project owners and organization admins, and is managed via the Cloud Resource Manager API or `gcloud` command. It is designed specifically for accidental deletion prevention, not for access control.

Exam trap

The trap here is that candidates confuse IAM permissions (like denying `resourcemanager.projects.delete`) with project-level operational locks (liens), or assume a UI toggle exists for deletion protection when it does not in Google Cloud.

How to eliminate wrong answers

Option A is wrong because removing the Owner role from all users does not prevent organization admins or other privileged users from deleting the project, and it breaks project management functionality. Option B is wrong because setting an organization policy denying `resourcemanager.projects.delete` would block all project deletions across the organization, which is too broad and not a targeted protection for a single project. Option D is wrong because there is no 'deletion protection' toggle in IAM settings in the Google Cloud Console; IAM manages permissions, not project-level deletion locks.

48
MCQmedium

Your organization has a parent folder structure: Root Org → Division A → Team 1 → projects. You need to apply a constraint that prevents all projects in Team 1 from disabling Cloud Audit Logs, but you want Division A to be able to override this constraint for its other teams. At which resource level should you apply the `gcp.disableCloudLogging` org policy?

A.Root organization node
B.Division A folder
C.Team 1 folder
D.Each individual project in Team 1
AnswerC

Targeting the Team 1 folder scopes the constraint precisely to the projects it contains, leaving Division A's other folders unaffected.

Why this answer

Option C is correct because applying the `gcp.disableCloudLogging` org policy at the Team 1 folder ensures that all projects within that folder inherit the constraint, preventing them from disabling Cloud Audit Logs. Since org policies are inherited hierarchically, Division A can override this constraint for its other teams by applying a different policy at the Division A folder level, which takes precedence over the Team 1 folder policy for those other teams.

Exam trap

Google Cloud often tests the misconception that org policies must be applied at the most granular level (individual projects) to be effective, but the trap here is that applying at the folder level leverages inheritance and allows for hierarchical overrides, which is more efficient and aligns with the requirement for Division A to override the constraint for its other teams.

How to eliminate wrong answers

Option A is wrong because applying the policy at the Root organization node would enforce the constraint on all folders and projects under the entire organization, including Division A and its other teams, preventing Division A from overriding it. Option B is wrong because applying the policy at the Division A folder would enforce the constraint on all teams under Division A, including Team 1 and other teams, which contradicts the requirement that Division A should be able to override the constraint for its other teams. Option D is wrong because applying the policy to each individual project in Team 1 is inefficient and does not leverage the hierarchical inheritance of org policies; it also makes management harder and does not allow the constraint to be applied uniformly to new projects created in Team 1.

49
MCQmedium

A developer needs to use Application Default Credentials (ADC) in a local development environment to call the Cloud Translation API. They have already run `gcloud auth login`. What additional step is required to make ADC work correctly?

A.Run `gcloud auth application-default login` to generate ADC credentials.
B.Set the `GOOGLE_CLOUD_PROJECT` environment variable to the project ID.
C.Download a service account JSON key and set `GOOGLE_APPLICATION_CREDENTIALS`.
D.Run `gcloud config set account` to switch to the correct account.
AnswerA

This command generates the `application_default_credentials.json` file that client libraries discover automatically via the ADC lookup chain.

Why this answer

Option A is correct because `gcloud auth application-default login` creates a special credential file (typically at `~/.config/gcloud/application_default_credentials.json`) that Application Default Credentials (ADC) uses to authenticate API calls. While `gcloud auth login` sets up user credentials for gcloud CLI commands, ADC does not use those credentials directly; it requires its own separate credential file. Running this command ensures that the local development environment can authenticate to the Cloud Translation API via ADC without additional configuration.

Exam trap

Google Cloud often tests the distinction between `gcloud auth login` (for CLI authentication) and `gcloud auth application-default login` (for ADC), leading candidates to mistakenly think the former is sufficient for ADC-based API calls.

How to eliminate wrong answers

Option B is wrong because setting the `GOOGLE_CLOUD_PROJECT` environment variable only specifies the project ID for quota and billing purposes; it does not provide authentication credentials, so ADC would still fail without valid credentials. Option C is wrong because downloading a service account JSON key and setting `GOOGLE_APPLICATION_CREDENTIALS` is a valid method for ADC, but it is not required after `gcloud auth login`; the question asks for the additional step to make ADC work correctly, and the simpler, recommended step for local development is to use `gcloud auth application-default login` rather than managing service account keys. Option D is wrong because `gcloud config set account` switches the active account for gcloud CLI commands but does not create or configure the ADC credential file, so ADC would still not have credentials to use.
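To make the ADC lookup chain concrete, here is an added example (not part of the original question set, and not Google's client-library code) that reimplements the first two steps of the chain: the `GOOGLE_APPLICATION_CREDENTIALS` environment variable is consulted first, then the well-known file that `gcloud auth application-default login` writes. The metadata-server fallback used on Compute Engine is not modelled. The demo runs against a temporary home directory with constructed placeholder credential files, and it shows why running only `gcloud auth login` leaves ADC with nothing to find.

```python
import json
import tempfile
from pathlib import Path

# Relative location of the file written by `gcloud auth application-default login`
# on Linux/macOS (on Windows it lives under %APPDATA%\gcloud instead).
WELL_KNOWN_ADC = Path(".config") / "gcloud" / "application_default_credentials.json"


def locate_adc(env, home):
    """Mimic the first two steps of the ADC lookup chain used by Google client libraries.

    Returns (source, path). A source of None means neither the environment variable nor
    the well-known file supplied credentials; on Compute Engine the libraries would then
    fall through to the metadata server, which this example does not model.
    """
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        path = Path(explicit)
        if not path.is_file():
            # Mirrors the client libraries: a dangling pointer is an error, not a fall-through.
            raise FileNotFoundError(f"GOOGLE_APPLICATION_CREDENTIALS points to a missing file: {path}")
        return "GOOGLE_APPLICATION_CREDENTIALS", path
    well_known = Path(home) / WELL_KNOWN_ADC
    if well_known.is_file():
        return "well-known file", well_known
    return None, None


def credential_type(path):
    """Read the 'type' field of a credential JSON file: 'authorized_user' for the file written
    by `gcloud auth application-default login`, 'service_account' for a downloaded key."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh).get("type")


def demo_lookup():
    """Walk through the three states a developer's machine can be in.

    Uses a temporary HOME and constructed placeholder files; no real credentials are involved.
    """
    results = []
    with tempfile.TemporaryDirectory() as home:
        env = {}  # constructed environment, deliberately without GOOGLE_APPLICATION_CREDENTIALS

        # State 1: only `gcloud auth login` has been run. That command populates gcloud's own
        # credential store, not the ADC file, so the ADC lookup finds nothing.
        results.append(locate_adc(env, home)[0])

        # State 2: `gcloud auth application-default login` has been run. Simulate the file it
        # writes (placeholder content, not a real token).
        adc_file = Path(home) / WELL_KNOWN_ADC
        adc_file.parent.mkdir(parents=True)
        adc_file.write_text(json.dumps({
            "type": "authorized_user",
            "client_id": "PLACEHOLDER_CLIENT_ID",
            "client_secret": "PLACEHOLDER_SECRET",
            "refresh_token": "PLACEHOLDER_REFRESH_TOKEN",
        }))
        source, path = locate_adc(env, home)
        results.append((source, credential_type(path)))

        # State 3: the environment variable is set, so it takes precedence over the well-known file.
        sa_key = Path(home) / "sa-key.json"
        sa_key.write_text(json.dumps({
            "type": "service_account",
            "client_email": "placeholder@example.iam.gserviceaccount.com",
        }))
        env["GOOGLE_APPLICATION_CREDENTIALS"] = str(sa_key)
        source, path = locate_adc(env, home)
        results.append((source, credential_type(path)))
    return results


if __name__ == "__main__":
    for step in demo_lookup():
        print(step)
```

The ordering in `locate_adc` is the reason Option C "works" but is not the recommended step: a service account key pointed to by the environment variable silently overrides the developer's own ADC file, and it is a long-lived secret on disk, whereas the `authorized_user` file is tied to the developer's identity and refresh token.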

50
MCQhard

A company has 50+ Compute Engine instances running a stateful application in the us-central1 region. The instances are part of a managed instance group behind an internal load balancer. The application stores data on zonal persistent disks. The company wants to migrate the entire application stack to the europe-west1 region to reduce latency for European users. They have a Cloud VPN tunnel between their on-premises data center and us-central1. They want to extend connectivity to europe-west1 with minimal downtime. The current on-premises router uses BGP to advertise a specific CIDR block (10.0.0.0/8) to Google Cloud. The VPC is in custom mode with subnets in us-central1 and europe-west1 already created. The Cloud VPN gateway in us-central1 is attached to a Cloud Router with a BGP session to the on-premises router. Which course of action should the company take to achieve the migration with minimal downtime?

A.Create a second Cloud VPN tunnel on the existing Cloud VPN gateway to Europe with a new BGP session, and update the on-premises router to accept the new route advertisement.
B.Set up VPC Network Peering between the us-central1 and europe-west1 VPCs to allow cross-region communication.
C.Create a new Cloud VPN gateway in europe-west1, attach it to a Cloud Router, and establish a BGP session with the on-premises router. Use route priority or metrics to gradually shift traffic to europe-west1.
D.Provision a Dedicated Interconnect connection to europe-west1 and attach a new Cloud Router. Remove the existing Cloud VPN gateway.
AnswerC

This allows incremental migration with minimal downtime; the on-premises router learns new routes for the europe-west1 subnets.

Why this answer

Option C is correct because adding a second Cloud VPN gateway in europe-west1 and configuring a new BGP session to the on-premises router allows the on-premises router to learn routes for the europe-west1 subnets and route traffic accordingly. This can be done without modifying the existing session, and traffic can be shifted gradually by adjusting route priority (MED) or using BGP metrics. Option A is wrong because a second VPN tunnel on the same gateway would still terminate in us-central1 and might not provide optimal routing.

Option D is wrong because Dedicated Interconnect is a dedicated physical connection that requires physical setup and is not suitable for a quick migration. Option B is wrong because VPC Network Peering connects VPC networks to each other; it does not connect on-premises to the cloud.

51
Drag & Dropmedium

Arrange the steps to create a Compute Engine instance with a custom service account in the correct order.


Why this order

The service account must exist before attaching to an instance; instance creation is the final step.

52
MCQmedium

A company is migrating to Google Cloud and wants to set up a new cloud environment. They need to create a project structure that supports multiple environments (development, staging, production) with appropriate access controls. The security team requires that all project creation be approved and that projects are automatically placed in the correct folder based on environment. They also want to enforce that all projects have a specific set of labels. What should they do to achieve this?

A.Use Organization Policies to require labels on all projects and automatically assign projects to folders based on the user's group membership.
B.Use Google Cloud Deployment Manager to define templates that include labels and folder placement, and restrict project creation to service accounts that run the templates.
C.Create a custom role with permissions to create projects but do not include the ability to set folder or labels, then use audit logs to monitor compliance.
D.Set up a Cloud Function that is triggered by the project creation event and automatically adds labels and moves the project to the correct folder.
AnswerB

Deployment Manager can enforce structure; restricting project creation to service accounts ensures compliance.

Why this answer

Option B is correct because using Deployment Manager templates enforces the desired structure and restricts project creation to service accounts, ensuring compliance. Option D is incorrect because a Cloud Function triggered by the project creation event acts after the fact, so it is not real-time and is less reliable. Option C is reactive, not preventive.

Option A is incorrect because Organization Policies cannot automatically assign folders or set labels; they only enforce constraints.

53
MCQmedium

A FinOps team wants to analyze daily GCP spending trends, allocate costs by team using labels, and create custom dashboards. Which configuration exports billing data for this analysis?

A.Enable Cloud Monitoring billing metrics and build dashboards in Metrics Explorer
B.Download the monthly billing PDF from the Console and import it into a spreadsheet
C.Enable Cloud Billing data export to BigQuery and query the exported dataset
D.Use the Cloud Billing API to pull cost data into Cloud Firestore nightly
AnswerC

BigQuery billing export provides detailed, near-real-time cost data including resource labels, SKUs, and usage amounts. It's the standard approach for GCP FinOps analysis.

Why this answer

Option C is correct because exporting GCP billing data to BigQuery enables granular, daily cost analysis, label-based allocation, and custom dashboard creation via tools like Looker Studio. BigQuery's SQL interface allows querying detailed cost and usage data, which is essential for the FinOps team's requirements.

Exam trap

Google Cloud often tests the misconception that Cloud Monitoring or simple API pulls are sufficient for detailed cost analysis, but the exam expects candidates to recognize that BigQuery export is the only option that provides the required granularity, label support, and queryability for custom dashboards.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring billing metrics provide only aggregated, pre-defined cost views and lack the granular, label-based cost allocation and custom querying capabilities needed for detailed analysis. Option B is wrong because monthly billing PDFs offer only a high-level summary, not daily granularity or label-based cost breakdowns, and cannot be queried programmatically for custom dashboards. Option D is wrong because Cloud Firestore is a NoSQL document database not designed for cost analytics; using the Cloud Billing API to pull data into Firestore nightly would require custom code, lacks native querying for cost trends, and is not a standard or scalable approach for this use case.
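A query of the kind this answer describes, as an added example that is not part of the original question set: it assumes the standard Cloud Billing usage cost export table in BigQuery (the project, dataset and table name below are placeholders to replace with your own) and that teams tag their resources with a `team` label. It produces the daily, per-team net cost that feeds a Looker Studio dashboard.

```sql
-- Added example: daily net cost per project and team, allocated by the `team` resource label.
-- Assumes the standard Cloud Billing usage cost export; the table path is a placeholder.
SELECT
  DATE(usage_start_time) AS usage_day,
  project.id AS project_id,
  -- Pull the `team` label out of the labels array; resources without it land in one bucket
  -- so that unallocated spend stays visible instead of being silently dropped.
  COALESCE(
    (SELECT l.value FROM UNNEST(labels) AS l WHERE l.key = 'team' LIMIT 1),
    'unlabelled') AS team,
  -- Credits are exported as negative amounts in a nested array; add them to get net cost.
  ROUND(
    SUM(cost) + SUM(IFNULL((SELECT SUM(c.amount) FROM UNNEST(credits) AS c), 0)),
    2) AS net_cost
FROM `BILLING_PROJECT_ID.billing_export.gcp_billing_export_v1_XXXXXX_XXXXXX_XXXXXX`
WHERE DATE(usage_start_time) >= DATE_SUB(CURRENT_DATE(), INTERVAL 30 DAY)
  AND cost_type = 'regular'          -- exclude tax, adjustment and rounding rows
GROUP BY usage_day, project_id, team
ORDER BY usage_day DESC, net_cost DESC;
```

The `unlabelled` bucket is the check a FinOps team wants alongside the allocation itself: filtering on `team = 'unlabelled'` lists the projects whose resources are missing the label and therefore escape chargeback. Note that `labels` holds resource labels; labels set on the project itself are exported separately under `project.labels`, so a query that allocates by project label should unnest that field instead.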

54
MCQeasy

Where in the Google Cloud Console can a user view all APIs currently enabled for their project and monitor their usage?

A.Cloud Shell > Active Sessions
B.IAM & Admin > Service Accounts
C.APIs & Services > Dashboard
D.Monitoring > Metrics Explorer
AnswerC

The APIs & Services Dashboard is the central location for viewing enabled APIs, usage metrics, and managing API settings per project.

Why this answer

Option C is correct because the 'APIs & Services > Dashboard' page in the Google Cloud Console provides a centralized view of all enabled APIs for a project, along with real-time usage metrics such as requests per second, error rates, and latency. This dashboard is the primary interface for monitoring API consumption and identifying throttling or quota issues.

Exam trap

The trap here is that candidates confuse the 'APIs & Services > Dashboard' with the 'Monitoring > Metrics Explorer' because both show usage data, but only the Dashboard provides a project-level view of enabled APIs and their aggregate usage in one place.

How to eliminate wrong answers

Option A is wrong because Cloud Shell > Active Sessions shows active terminal sessions in Cloud Shell, not API enablement or usage. Option B is wrong because IAM & Admin > Service Accounts is used to manage service account identities and keys, not to view enabled APIs or their usage metrics. Option D is wrong because Monitoring > Metrics Explorer is a tool for creating custom charts and alerts from Cloud Monitoring metrics, but it does not provide a consolidated list of enabled APIs for the project.

55
MCQhard

A security auditor needs to check whether a specific user (user@company.com) currently has sufficient permissions to delete a Cloud SQL instance in project 'prod-db'. Without making any changes, which tool simulates this check?

A.Run the delete command with `--dry-run` flag to simulate without executing
B.Use the IAM Policy Troubleshooter (Policy Simulator) to check if the permission is granted
C.Inspect the IAM policy with `gcloud projects get-iam-policy` and manually trace inheritance
D.Grant the user the permission temporarily, test the delete, then revoke it
AnswerB

The Policy Troubleshooter evaluates the effective IAM policy for a principal+permission+resource combination and explains whether access is granted or denied — non-destructive and immediate.

Why this answer

The IAM Policy Troubleshooter is the correct tool because it checks whether a specific principal holds a specific permission (here `cloudsql.instances.delete`) on a given resource without changing anything. It evaluates the effective policy, including roles inherited from the organization and folders, and reports which binding grants or withholds the permission. From the CLI the same check is `gcloud policy-troubleshoot iam //cloudresourcemanager.googleapis.com/projects/prod-db --principal-email=user@company.com --permission=cloudsql.instances.delete`; the caller needs `iam.serviceAccounts.get`-style read access to the policies involved, typically `roles/iam.securityReviewer`, and the audited user's own permissions are untouched.

Exam trap

Google Cloud often tests the misconception that a dry-run flag or manual policy inspection is sufficient for permission checks. The trap is that only the Policy Troubleshooter provides a comprehensive, no-change evaluation that follows every inheritance path and accounts for conditional bindings and deny policies, which is what a security audit needs.

How to eliminate wrong answers

Option A is wrong because the `--dry-run` flag is not supported by the `gcloud sql instances delete` command; Cloud SQL does not implement a dry-run mode for deletion operations, and even if it did, it would simulate the deletion action itself, not check permissions. Option C is wrong because manually inspecting the IAM policy with `gcloud projects get-iam-policy` and tracing inheritance is error-prone, time-consuming, and does not account for all policy types (e.g., deny policies, conditional roles, or resource-level policies) that the Policy Troubleshooter evaluates automatically. Option D is wrong because granting the user the permission temporarily, testing the delete, and then revoking it is an insecure and disruptive approach that changes the environment, violates the 'without making any changes' requirement, and could lead to unintended consequences or audit compliance issues.

56
MCQeasy

Which gcloud CLI command authenticates a developer's local environment with their Google account?

A.gcloud config set account [EMAIL]
B.gcloud auth login
C.gcloud init --authenticate
D.gcloud accounts activate
AnswerB

`gcloud auth login` initiates the OAuth flow, authenticates the user, and stores credentials for subsequent CLI commands.

Why this answer

Option B, `gcloud auth login`, is correct because it initiates the OAuth 2.0 flow to authenticate the gcloud CLI with a user's Google account, storing the resulting credentials locally for subsequent gcloud commands. This command is the standard way to authorize a developer's local environment for the first time or when switching users. Practitioner caveat: those credentials are used by gcloud itself; client libraries and Terraform read Application Default Credentials, which are set up separately with `gcloud auth application-default login`.

Exam trap

The trap here is that candidates confuse configuration commands (like `gcloud config set account`) with authentication commands, mistakenly thinking setting an account name is sufficient to establish credentials, when in fact it only selects a pre-existing authenticated account.

How to eliminate wrong answers

Option A is wrong because `gcloud config set account [EMAIL]` only sets the active account configuration to an already-authenticated account; it does not perform any authentication or credential acquisition. Option C is wrong because `gcloud init --authenticate` is not a valid gcloud command; `gcloud init` can configure a new environment and optionally trigger authentication, but the `--authenticate` flag does not exist. Option D is wrong because `gcloud accounts activate` is not a valid gcloud command; the correct command to switch between authenticated accounts is `gcloud config set account` or `gcloud auth login` to re-authenticate.

57
MCQhard

You need to configure a GCP organization so that when new projects are created, a specific set of default IAM bindings is automatically applied (e.g., the security team's group gets Security Reviewer on every new project). Which approach achieves this without requiring manual post-creation steps?

A.Set an org policy constraint that applies default IAM bindings to all new projects.
B.Trigger a Cloud Function via Eventarc on project creation audit log events to automatically apply the IAM bindings.
C.Add the security team's group to the organization's IAM policy with Security Reviewer role — it will inherit to all new projects.
D.Require all project creators to use a Terraform module that includes the IAM binding in its configuration.
AnswerC

IAM allow policies are inherited down the resource hierarchy: a binding on the organization node applies to every folder and project beneath it, including projects created after the binding was set. No per-project automation is needed.

Why this answer

Option C is correct because an IAM binding on the organization is part of the effective policy of every descendant, and a project created later under that organization (or under any of its folders) inherits it the moment it exists. Granting the security team's group `roles/iam.securityReviewer` once at the organization, for example with `gcloud organizations add-iam-policy-binding ORG_ID --member=group:security@example.com --role=roles/iam.securityReviewer`, therefore satisfies the requirement with a single binding and no post-creation steps. Inherited bindings cannot be removed at the project level, which is exactly the property a security guardrail wants.

Exam trap

The trap is the reverse of what candidates expect: the event-driven Cloud Function (Option B) looks like the "automation" answer, but it re-implements what the hierarchy already does, leaves a window between project creation and the binding, and needs its own privileged service account that can edit every new project's policy. Inheritance is the built-in mechanism; event-driven automation is for settings that cannot be expressed as a single ancestor-level grant (per-project service accounts, log sinks, and the like).

How to eliminate wrong answers

Option A is wrong because organization policy constraints restrict what is allowed (for example `constraints/iam.allowedPolicyMemberDomains` limits which domains may appear in a binding); they never add IAM bindings. Option B does work technically: Eventarc can trigger on the Admin Activity audit log entry for project creation and a Cloud Function can call the Resource Manager API to add the binding. It is not the best answer because it adds a privileged automation component and a delay to reproduce a result the organization-level binding already gives for free. Option D is wrong because a Terraform module only helps when project creators use it; nothing prevents a project created from the console or the API from skipping the binding.
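The inheritance that makes Option C work, and the "manual tracing" that Question 55 warns is error-prone, can both be seen in a small resolver. This is an added Python illustration, not Google's code: the hierarchy and policies are constructed sample data in the shape of `gcloud ... get-iam-policy --format=json`, and it models only allow bindings, ignoring deny policies and IAM Conditions, which is precisely what Policy Troubleshooter handles and a hand-written walk does not.

```python
"""Resolve the effective IAM allow bindings a principal holds on a resource by
walking the hierarchy from the resource up to the organization.

Added illustration with constructed data. Real input would come from
`gcloud organizations|resource-manager folders|projects get-iam-policy`.
Deny policies and IAM Conditions are deliberately not modelled.
"""

# Constructed sample hierarchy: each resource maps to its parent (None for the org).
HIERARCHY = {
    "organizations/123": None,
    "folders/prod": "organizations/123",
    "projects/prod-db": "folders/prod",
    # Created after the organization binding below already existed.
    "projects/new-project": "organizations/123",
}

# Constructed allow policies in the shape of `get-iam-policy --format=json`.
POLICIES = {
    "organizations/123": {"bindings": [
        {"role": "roles/iam.securityReviewer",
         "members": ["group:security@example.com"]},
    ]},
    "folders/prod": {"bindings": [
        {"role": "roles/viewer", "members": ["group:devs@example.com"]},
    ]},
    "projects/prod-db": {"bindings": [
        {"role": "roles/cloudsql.admin", "members": ["user:alice@example.com"]},
    ]},
    "projects/new-project": {"bindings": []},
}


def ancestry(resource, hierarchy=HIERARCHY):
    """Return [resource, parent, ..., organization] in evaluation order."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = hierarchy[resource]
    return chain


def effective_roles(principal, resource, hierarchy=HIERARCHY, policies=POLICIES):
    """Union of roles granted to `principal` on `resource` and every ancestor.

    Returns {role: level_that_granted_it}; the most specific level wins when the
    same role is bound at several levels, which only matters for reporting since
    allow bindings are purely additive.
    """
    granted = {}
    for level in ancestry(resource, hierarchy):
        for binding in policies.get(level, {}).get("bindings", []):
            if principal in binding["members"]:
                granted.setdefault(binding["role"], level)
    return granted


def has_role(principal, resource, role):
    """True if the principal receives `role` on `resource` through any ancestor."""
    return role in effective_roles(principal, resource)


if __name__ == "__main__":
    # The security group gets Security Reviewer on the project created later,
    # purely through inheritance from the organization binding.
    print(effective_roles("group:security@example.com", "projects/new-project"))
```

Note what the walk cannot tell you: whether a deny policy on the folder blocks the role, or whether a binding carries a condition that fails for this request. Both are evaluated by the Policy Troubleshooter, which is why Question 55 prefers it over tracing by hand.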

58
MCQeasy

A company is deploying a GKE cluster in a new VPC. The cluster nodes need to communicate with a Cloud SQL instance that has a private IP address. The company wants to minimize data transfer costs and avoid using public IPs. What is the most cost-effective configuration?

A.Create a VPC-native cluster with private nodes and configure Private Service Access for Cloud SQL.
B.Create a cluster with public nodes and set up a Cloud VPN tunnel to Cloud SQL.
C.Create a VPC-native cluster with public nodes and whitelist the node IPs in Cloud SQL authorized networks.
D.Create a cluster with public nodes and use Cloud NAT for outbound traffic.
AnswerA

This configuration enables direct private communication between GKE nodes and Cloud SQL over the internal VPC network.

Why this answer

Option A is correct because a VPC-native cluster with private nodes plus a Private Service Access connection lets GKE nodes reach the Cloud SQL private IP over the VPC's internal network: no public IPs on the nodes, no internet egress charges, and the traffic never leaves Google's network. Option B is wrong because Cloud VPN connects external networks; the Cloud SQL private IP already lives in a producer VPC peered to yours, so a tunnel adds cost and latency for nothing. Option C is wrong because public nodes expose the cluster, and authorized networks only govern connections to the instance's public IP, which the requirement rules out. Option D is wrong because Cloud NAT provides outbound internet access for instances without external IPs; it is not a path to a private-IP Cloud SQL instance and does nothing to reduce cost here.

59
MCQhard

A DevOps engineer created a Compute Engine instance with a startup script that installs Apache and configures a website. The startup script runs a command that requires a service account with roles/storage.objectViewer to download assets from Cloud Storage. The instance is created with the default compute service account. The startup script fails. Upon inspection, the engineer finds that the service account cannot download the assets. What is the most likely cause?

A.The OAuth scopes on the instance do not include https://www.googleapis.com/auth/devstorage.read_only.
B.A firewall rule is blocking the startup script from reaching the Cloud Storage API.
C.The startup script is not running as the service account.
D.The service account lacks the IAM role roles/storage.objectViewer on the bucket.
AnswerD

Nothing in the VM's attached service account grants bucket access by itself: the account needs an IAM role on the bucket (or its project) that includes `storage.objects.get`, such as `roles/storage.objectViewer`. The default Compute Engine service account receives the project Editor role only where the automatic grant is still enabled (it can be turned off with the `constraints/iam.automaticIamGrantsForDefaultServiceAccounts` organization policy), and even then the grant covers only buckets in the same project. A bucket in another project, or a hardened environment without the automatic grant, leaves the account with no permission at all.

Why this answer

Option D is correct because IAM is the first thing to verify and the most common failure: grant the role on the bucket, for example `gcloud storage buckets add-iam-policy-binding gs://BUCKET --member=serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com --role=roles/storage.objectViewer`. Option A is less likely but not impossible: access scopes do apply to the service-account tokens a VM obtains from the metadata server, and the default scope set already includes `devstorage.read_only`, so a scope problem only arises when the instance was created with a custom scope list that omits it. Check with `gcloud compute instances describe INSTANCE --format=json` and look at `serviceAccounts[].scopes`; a 403 with an "insufficient authentication scopes" message points here. Option B is wrong because the default network allows all egress and the Cloud Storage API is reached over HTTPS to Google APIs; an egress-deny rule would break far more than this script and would surface as a connection timeout, not an authorization error. Option C is wrong because startup scripts run as root and any Google API call they make takes the attached service account's token from the metadata server, so they already act as that service account.

60
MCQmedium

A company is deploying a public-facing web application on Compute Engine behind a global HTTP(S) Load Balancer. The company wants to protect the application from common web attacks, such as SQL injection and cross-site scripting (XSS). Which Google Cloud security service should they enable?

A.VPC Service Controls
B.Cloud Armor
C.Cloud IDS
D.Identity and Access Management (IAM)
AnswerB

Cloud Armor offers WAF rules to mitigate web attacks like SQL injection and XSS.

Why this answer

Option B is correct because Cloud Armor attaches security policies to the backend services of a global external HTTP(S) load balancer and ships preconfigured WAF rules, such as `evaluatePreconfiguredWaf('sqli-v33-stable')` and `evaluatePreconfiguredWaf('xss-v33-stable')`, derived from the OWASP ModSecurity Core Rule Set, that match SQL injection and XSS payloads before they reach the VMs. Option A is wrong because VPC Service Controls build a perimeter that limits data exfiltration from Google-managed services; they do not inspect HTTP requests. Option C is wrong because Cloud IDS detects network threats by mirroring VPC traffic to an inspection engine; it alerts but is not in the request path and cannot block. Option D is wrong because IAM governs who may administer resources, not what an anonymous web client may send.

61
MCQmedium

You need to tag all Compute Engine VMs in your organization with a `cost-center` tag for billing allocation reports. The tag values must be controlled centrally — only predefined values should be allowed. Which GCP feature enables this?

A.Use Compute Engine labels — configure label keys and restrict values using an org policy.
B.Create Resource Manager Tag keys and values at the org level, then attach tags to VMs.
C.Use network tags on VMs and enforce allowed values via a custom org policy constraint.
D.Require teams to apply specific label values using a Terraform module, and enforce this via code review.
AnswerB

Resource Manager Tags are tag keys with an enumerated set of allowed values, defined once at the organization (or project) level. IAM roles such as `roles/resourcemanager.tagAdmin` (define keys and values) and `roles/resourcemanager.tagUser` (attach them) separate who controls the vocabulary from who applies it. Tag bindings are included in the Cloud Billing export, so cost can be broken down by tag value.

Why this answer

Resource Manager Tags allow you to create tag keys and predefined tag values at the organization level, then attach those tags to resources such as Compute Engine VMs. Because a tag value must already exist under its key before it can be bound, only centrally controlled values can ever appear, which meets the requirement for controlled billing allocation. Labels, by contrast, are free-form key-value pairs whose values are not restricted by any predefined organization policy constraint.

Exam trap

Google Cloud often tests the distinction between labels (free-form, no value restriction) and Resource Manager Tags (centrally controlled, predefined values), leading candidates to mistakenly choose labels because they are more commonly used for metadata.

How to eliminate wrong answers

Option A is wrong because Compute Engine labels are free-form key-value pairs; there is no predefined organization policy constraint that enumerates allowed label values, so the "restrict values using an org policy" half of the option does not exist as described. Option C is wrong because network tags are strings used to target firewall rules and routes, not resource metadata for billing, and no organization policy constraint governs their values. Option D is wrong because relying on a Terraform module and code review depends on human compliance and can be bypassed by anyone who creates a VM outside that pipeline; it is a process control, not a platform control.

62
MCQeasy

A developer runs `gcloud projects list` and receives the error: `ERROR: (gcloud.projects.list) PERMISSION_DENIED: The caller does not have permission`. The developer has the Viewer role on several projects. What is the most likely cause?

A.The developer does not have multi-factor authentication enabled.
B.The developer lacks `resourcemanager.projects.list` at the organization or folder level.
C.The gcloud SDK is outdated and must be updated.
D.The developer's account has been suspended by the billing administrator.
AnswerB

Project Viewer only grants permissions within the project. Listing all projects requires the permission at a higher hierarchy level.

Why this answer

The `gcloud projects list` command requires the `resourcemanager.projects.list` permission, which is granted at the organization or folder level, not at the individual project level. Even with the Viewer role on several projects, the developer lacks this specific permission at the resource hierarchy level above the projects, causing the PERMISSION_DENIED error.

Exam trap

Google Cloud often tests the misconception that project-level roles like Viewer are sufficient for listing projects, when in reality the `resourcemanager.projects.list` permission must be granted at a higher level in the resource hierarchy.

How to eliminate wrong answers

Option A is wrong because multi-factor authentication (MFA) is an account security feature that does not affect API permissions or gcloud command authorization; it is unrelated to IAM permission errors. Option C is wrong because an outdated gcloud SDK would typically cause version mismatch errors or deprecation warnings, not a PERMISSION_DENIED error, which is an IAM authorization issue. Option D is wrong because a suspended account would result in an authentication error (e.g., 'Account is disabled') or a billing-related error, not a permission denied error for a specific API call.

63
MCQhard

Your security team requires that all service accounts in your GCP organization older than 90 days that have not been used must be automatically disabled. They want a fully managed, serverless solution with no persistent infrastructure. Which architecture best meets these requirements?

A.Deploy a Compute Engine VM with a cron job that calls the IAM API nightly.
B.Use Cloud Scheduler to trigger a Cloud Function that queries Cloud Asset Inventory and disables stale service accounts.
C.Configure an org policy that automatically expires service accounts after 90 days.
D.Use Security Command Center to flag and manually disable unused service accounts.
AnswerB

Cloud Scheduler + Cloud Functions is fully serverless. The function lists service accounts (IAM API, or Cloud Asset Inventory with asset type `iam.googleapis.com/ServiceAccount`), reads each account's `lastAuthenticatedTime` from the Policy Intelligence Activity Analyzer (`gcloud policy-intelligence query-activity --activity-type=serviceAccountLastAuthentication --project=PROJECT_ID`), and disables the stale ones through the IAM API (`gcloud iam service-accounts disable`).

Why this answer

Option B is correct because Cloud Scheduler can trigger a Cloud Function on a schedule (for example nightly) that enumerates service accounts, looks up each one's last authentication time, and disables those that are older than 90 days and have not authenticated in that window. Disabling rather than deleting is the right first action: a disabled account keeps its bindings and can be re-enabled if something breaks. The whole chain runs on managed services with no VM or cluster to patch, which is what "no persistent infrastructure" asks for.

Exam trap

Google Cloud often tests the misconception that Organization Policies can enforce time-based lifecycle actions on IAM resources, but they only provide static constraints (e.g., 'constraints/iam.disableServiceAccountCreation'), not dynamic expiration or usage-based disabling.

How to eliminate wrong answers

Option A is wrong because it uses a Compute Engine VM with a cron job, which requires persistent infrastructure (the VM) and is not fully managed or serverless. Option C is wrong because Organization Policies do not support automatic expiration or disabling of service accounts based on age or usage; they enforce constraints on resource locations, domains, or service states, not time-based lifecycle actions. Option D is wrong because Security Command Center (SCC) provides findings and recommendations but does not automatically disable resources; it requires manual intervention, which violates the 'automatically disabled' requirement.
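The selection step of that Cloud Function is where the mistakes happen (disabling a brand-new account that simply has not been used yet, or re-disabling accounts every night). This added Python illustration, not Google's code, shows the rule on constructed records: `email` and `disabled` mirror `gcloud iam service-accounts list --format=json`, `last_authenticated` mirrors the Activity Analyzer's `lastAuthenticatedTime`, and `created` is assumed to be recorded by the function from the CreateServiceAccount audit log entry, since the IAM API itself returns no creation time.

```python
"""Pick service accounts to disable: enabled, older than 90 days, and with no
authentication inside the last 90 days.

Added illustration with constructed sample data; the field sources are
described in the lead-in and are assumptions, not a Google API contract.
"""
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)

# Constructed sample records (timestamps in RFC 3339 / UTC).
SAMPLE_ACCOUNTS = [
    {"email": "ci-runner@prod.iam.gserviceaccount.com", "disabled": False,
     "created": "2023-01-10T00:00:00Z", "last_authenticated": "2024-05-01T08:00:00Z"},
    {"email": "old-batch@prod.iam.gserviceaccount.com", "disabled": False,
     "created": "2023-01-10T00:00:00Z", "last_authenticated": "2023-11-01T08:00:00Z"},
    {"email": "never-used@prod.iam.gserviceaccount.com", "disabled": False,
     "created": "2023-06-01T00:00:00Z", "last_authenticated": None},
    # Too young to judge: created 20 days before the run, never used yet.
    {"email": "fresh@prod.iam.gserviceaccount.com", "disabled": False,
     "created": "2024-04-20T00:00:00Z", "last_authenticated": None},
    # Already disabled on an earlier run; must be skipped so the job is idempotent.
    {"email": "already-off@prod.iam.gserviceaccount.com", "disabled": True,
     "created": "2023-01-10T00:00:00Z", "last_authenticated": None},
]


def _parse(ts):
    """RFC 3339 'Z' timestamps -> aware datetime; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def select_stale(accounts, now_iso, stale_after=STALE_AFTER):
    """Return the emails of accounts that should be disabled on this run."""
    cutoff = _parse(now_iso) - stale_after
    stale = []
    for sa in accounts:
        if sa["disabled"]:
            continue                      # nothing to do, keeps the run idempotent
        if _parse(sa["created"]) > cutoff:
            continue                      # younger than the window: not stale yet
        last = _parse(sa["last_authenticated"])
        if last is None or last < cutoff:
            stale.append(sa["email"])     # never used, or unused for the whole window
    return stale


def disable_commands(emails, project):
    """The action step: one IAM API call per account, shown as its gcloud form."""
    return [f"gcloud iam service-accounts disable {e} --project={project}"
            for e in emails]


if __name__ == "__main__":
    run_at = "2024-05-10T00:00:00Z"      # constructed run time
    for cmd in disable_commands(select_stale(SAMPLE_ACCOUNTS, run_at), "prod"):
        print(cmd)
```

With the constructed run time of 2024-05-10 only `old-batch` and `never-used` are selected; `fresh` is skipped because it has not been observable for 90 days, and `already-off` because it is already disabled. A real deployment should also log every email it disables to an audit sink before calling the IAM API, so the nightly run is reviewable.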

64
MCQeasy

A project manager wants to see how much each GCP service is costing the team this month, broken down by service. Where should they look?

A.IAM & Admin > Quotas
B.Cloud Monitoring > Cost metrics dashboard
C.Billing > Reports (filtered by service)
D.Resource Manager > Project settings > Cost summary
AnswerC

The Billing Reports page shows detailed cost breakdowns by service, SKU, project, and time period — the primary cost analysis tool in GCP.

Why this answer

Option C is correct because the Billing > Reports page in the Google Cloud Console allows you to filter costs by service, SKU, project, and other dimensions. This provides a granular breakdown of monthly spending per GCP service, which is exactly what the project manager needs.

Exam trap

Google Cloud often tests the distinction between cost reporting (Billing > Reports) and quota monitoring (IAM & Admin > Quotas), trapping candidates who confuse usage limits with cost breakdowns.

How to eliminate wrong answers

Option A is wrong because IAM & Admin > Quotas shows resource usage limits and current utilization, not cost breakdowns by service. Option B is wrong because Cloud Monitoring > Cost metrics dashboard displays billing metrics aggregated over time but does not provide a per-service cost breakdown; it is designed for monitoring and alerting on cost trends, not detailed service-level reports. Option D is wrong because Resource Manager > Project settings > Cost summary shows a high-level total cost for the project, not a breakdown by individual GCP service.

65
MCQhard

A Cloud Build pipeline needs to deploy to Cloud Run but the pipeline's service account has only minimal permissions. Rather than granting it Cloud Run Admin, the team wants it to temporarily act as a more privileged deployment service account. Which technique enables this?

A.Download the deployment service account's JSON key and store it in Cloud Build secrets
B.Grant service account impersonation: give the Cloud Build SA the Token Creator role on the deployment SA
C.Add the Cloud Build SA as an Owner of the project
D.Enable service account delegation in the project's IAM settings
AnswerB

With `roles/iam.serviceAccountTokenCreator` on the target SA, the Cloud Build SA can generate short-lived access tokens to act as the deployment SA — no key files needed.

Why this answer

Option B is correct because it uses service account impersonation: with `roles/iam.serviceAccountTokenCreator` on the deployment service account, the Cloud Build service account holds `iam.serviceAccounts.getAccessToken` on it and can call `generateAccessToken` to obtain a short-lived OAuth 2.0 access token (one hour by default) that carries the deployment account's permissions. The pipeline's own identity stays minimal, the privileged token expires on its own, and Cloud Audit Logs record both the impersonating and the impersonated principal. In a build step this is simply `gcloud run deploy ... --impersonate-service-account=DEPLOY_SA_EMAIL`. Note the difference from `iam.serviceAccounts.actAs`, which is what you need to attach a service account to a resource (for example the Cloud Run runtime identity), not to act as it.

Exam trap

Google Cloud often tests the distinction between granting a role directly (like Cloud Run Admin) versus using impersonation with the Token Creator role, and the trap here is that candidates confuse storing a JSON key (Option A) with secure, temporary impersonation, or assume that 'delegation' (Option D) is a real IAM feature when it is not.

How to eliminate wrong answers

Option A is wrong because downloading a JSON key and storing it in Cloud Build secrets introduces a long-lived static credential that must be rotated, can be exfiltrated from the build environment, and is indistinguishable in audit logs from any other use of that key; impersonation gives a short-lived, attributable token instead. Option C is wrong because making the Cloud Build service account a project Owner grants permanent, unrestricted control, the opposite of the stated goal. Option D is wrong because there is no project-level "service account delegation" setting; the mechanism is impersonation granted per target service account through the Token Creator role.

66
MCQmedium

A security team needs an inventory of all Compute Engine VM instances across all projects in their GCP organization, including instance names, zones, and status, without logging into each project individually. Which service provides this?

A.Cloud Monitoring — use the metric explorer to list all VM instances
B.Cloud Asset Inventory with an organization-scoped asset search
C.Cloud Resource Manager — list all projects and then query each for VMs
D.BigQuery information_schema views for GCP compute resources
AnswerB

`gcloud asset search-all-resources --scope=organizations/[ORG_ID] --asset-types=compute.googleapis.com/Instance` returns all VMs across all projects in the organization.

Why this answer

Cloud Asset Inventory provides a unified, organization-scoped view of all resources across projects, including Compute Engine VM instances. By using an organization-scoped asset search, the security team can query for all VM instances (e.g., `asset_type = "compute.googleapis.com/Instance"`) without needing to log into each project individually. This service is purpose-built for cross-project resource discovery and inventory management.

Exam trap

The trap here is that candidates confuse Cloud Monitoring's metric explorer with an inventory tool, or assume Cloud Resource Manager can directly query resources across projects, when in fact it only manages project metadata and IAM policies.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring's metric explorer is designed for monitoring metrics and logs, not for listing resource metadata like instance names, zones, and status; it cannot perform a comprehensive inventory of all VM instances across projects. Option C is wrong because Cloud Resource Manager can list projects but cannot directly query each project for VM instances; you would need to write custom scripts using the Compute Engine API per project, which violates the requirement of not logging into each project individually. Option D is wrong because BigQuery information_schema views are for querying BigQuery datasets and tables, not for GCP compute resources; there is no such view for Compute Engine instances.

67
Matchingmedium

Match each Google Cloud deployment tool to its purpose.


Concepts
Matches

Infrastructure-as-code using YAML

Multi-cloud infrastructure provisioning

CI/CD pipeline for building and testing

Command-line tool for managing GCP resources

Web-based UI for managing GCP

Why these pairings

These tools help manage GCP resources programmatically or manually.

68
MCQmedium

A platform team needs to categorize GCP resources for policy enforcement (e.g., applying IAM conditions only to resources tagged 'environment:production'). Labels exist but don't support IAM conditions. What feature provides policy-tag-based enforcement?

A.Resource labels — set environment=production on each resource and reference in IAM conditions
B.Resource Manager Tags — attach a tag with key 'environment' and value 'production' and reference it in IAM conditions
C.Cloud Asset Inventory metadata fields — query by label and apply policies
D.Pub/Sub event-driven policy application triggered by label changes
AnswerB

Resource Manager Tags (created in Tag Namespaces) can be attached to resources and referenced in IAM Conditions, enabling attribute-based access control based on resource classification.

Why this answer

Option B is correct because Resource Manager Tags are the GCP feature specifically designed to support IAM conditions for policy enforcement. Unlike resource labels, which are simple key-value pairs used for metadata and billing, Resource Manager Tags can be referenced in IAM condition expressions using the `resource.matchTag` function, enabling fine-grained access control based on tag values such as 'environment:production'.

Exam trap

Google Cloud often tests the distinction between resource labels and Resource Manager Tags, trapping candidates who assume labels can be used in IAM conditions because they are more commonly used for resource organization.

How to eliminate wrong answers

Option A is wrong because resource labels cannot be used in IAM conditions; they are only for metadata, billing, and filtering, not for policy enforcement. Option C is wrong because Cloud Asset Inventory metadata fields are used for asset discovery and inventory, not for real-time policy enforcement via IAM conditions. Option D is wrong because Pub/Sub event-driven policy application is an architectural pattern, not a native GCP feature for tag-based IAM conditions, and label changes do not trigger IAM condition updates.

69
MCQmedium

A company wants to allow a junior admin to view project resources and create/modify Cloud Storage buckets but not delete them. Which IAM role should be assigned?

A.roles/storage.objectCreator
B.roles/storage.legacyBucketWriter
C.roles/storage.objectAdmin
D.roles/storage.admin
AnswerB

Among the options, legacyBucketWriter is the intended answer because it is the only bucket-scoped role listed that omits storage.buckets.delete; storage.admin includes delete, and the two object roles do not touch bucket configuration at all.

Why this answer

Option B is the intended answer: roles/storage.legacyBucketWriter is granted on a bucket and does not include storage.buckets.delete, whereas Option D (roles/storage.admin) includes every bucket and object permission, delete among them. Option A (roles/storage.objectCreator) only lets the principal upload objects, and Option C (roles/storage.objectAdmin) grants full control over objects but no bucket permissions.

Caveat for practice: legacyBucketWriter actually grants object create/delete/list plus read of bucket metadata (storage.buckets.get); it does not include storage.buckets.create or storage.buckets.update, so none of the listed predefined roles lets a user create or modify buckets without also being able to delete them. The real-world answer is a custom role containing storage.buckets.create, storage.buckets.get, storage.buckets.list and storage.buckets.update, paired with roles/viewer for browsing the rest of the project.

70
MCQhard

Refer to the exhibit. An administrator wants to grant a service account read-only access to all Compute Engine instances in a project, but only those with label 'environment=production'. Which IAM policy configuration should be used?

A.roles/compute.instanceAdmin with condition 'resource.labels.environment == "production"'
B.roles/compute.viewer with condition 'resource.labels.environment == "production"'
C.roles/compute.imageUser with condition 'resource.labels.environment == "production"'
D.roles/compute.viewer with condition 'request.host == "production"'
AnswerB

Viewer provides read-only access, condition restricts to production label.

Why this answer

Option B is the intended answer because roles/compute.viewer is read-only and the condition is meant to scope it to production-labelled instances, which is the least privilege among the options. Caveat that the exam glosses over: IAM Conditions do not expose a `resource.labels` attribute (the supported resource attributes are resource.type, resource.name and resource.service, plus `resource.matchTag` for Resource Manager tags), so the condition as written would not filter anything. The working equivalent, consistent with Question 68, is to attach a tag such as environment:production to the instances and condition the binding on `resource.matchTag('ORG_ID/environment', 'production')`.

Exam trap

Google Cloud often tests the distinction between roles that grant read-only access (like roles/compute.viewer) versus roles that grant broader permissions (like roles/compute.instanceAdmin), and the use of correct condition attributes (resource.labels vs. request.host) to filter by resource labels.

How to eliminate wrong answers

Option A is wrong because roles/compute.instanceAdmin grants write permissions (start, stop, modify, delete instances), which exceeds the required read-only access. Option C is wrong because roles/compute.imageUser only allows listing and using images; it grants no visibility into instances. Option D is wrong because `request.host` is a URL attribute that applies to requests reaching IAP-protected resources, so it can never describe a label on a Compute Engine instance; whatever attribute is used must describe the resource being accessed, not the request.

71
MCQeasy

Which gcloud command lists all available roles that can be granted on a GCP project, including both predefined and custom roles?

A.`gcloud iam roles list --project=PROJECT_ID`
B.`gcloud iam list-grantable-roles //cloudresourcemanager.googleapis.com/projects/PROJECT_ID`
C.`gcloud projects get-iam-policy PROJECT_ID`
D.`gcloud iam roles describe roles/editor`
AnswerB

This queries all roles — predefined and custom — that can be granted on the specified project resource.

Why this answer

Option B is correct because the `gcloud iam list-grantable-roles` command is specifically designed to list all roles (both predefined and custom) that can be granted on a given resource, such as a GCP project. The resource is identified by its canonical name, which for a project is `//cloudresourcemanager.googleapis.com/projects/PROJECT_ID`. This command returns roles that are eligible for binding at that resource level, including those inherited from ancestors.

Exam trap

Google Cloud often tests the distinction between listing roles that *can* be granted (grantable roles) versus listing roles that *are* granted (current bindings), and candidates confuse `gcloud iam roles list` (custom roles only) with the correct command for all grantable roles.

How to eliminate wrong answers

Option A is wrong because `gcloud iam roles list --project=PROJECT_ID` lists only custom roles defined in that project, not predefined roles or roles inherited from the organization. Option C is wrong because `gcloud projects get-iam-policy PROJECT_ID` retrieves the current IAM policy bindings (who has what role), not the list of all available roles that can be granted. Option D is wrong because `gcloud iam roles describe roles/editor` shows details of a single predefined role (Editor), not a list of all grantable roles on a project.

72
MCQhard

A team runs `gcloud organizations list` and sees no output even though they know their company has a GCP organization. What is the most likely cause, and how should they resolve it?

A.The organization does not exist yet; run `gcloud organizations create` to create it.
B.The user lacks org-level IAM permissions such as Organization Viewer.
C.The gcloud SDK does not support the organizations command; use the Cloud Console instead.
D.The project must be linked to the organization using `gcloud projects move`.
AnswerB

Without `resourcemanager.organizations.get` permission at the org level, `gcloud organizations list` returns empty results even if the org exists.

Why this answer

The `gcloud organizations list` command retrieves organizations from the GCP Resource Manager API. If no output is returned despite the organization existing, the most likely cause is that the authenticated user lacks the `resourcemanager.organizations.get` permission, which is granted by roles like Organization Viewer (`roles/resourcemanager.organizationViewer`) or Organization Administrator (`roles/resourcemanager.organizationAdmin`). Without this IAM permission at the organization level, the API call returns an empty list rather than an error, which is a common source of confusion.

Exam trap

The trap here is that candidates assume a missing organization or a command limitation, when in fact the empty output is a deliberate API behavior designed to hide organizations from users without explicit permission, testing the understanding of IAM scoping and the difference between list and describe commands.

How to eliminate wrong answers

Option A is wrong because `gcloud organizations create` is not a valid command; GCP organizations are created automatically when a Google Workspace or Cloud Identity account is set up, not via the gcloud CLI. Option C is wrong because the `gcloud organizations` command is fully supported in the gcloud SDK and uses the Resource Manager API; the Cloud Console is not required. Option D is wrong because linking a project to an organization is unrelated to listing organizations; the issue is about visibility of the organization itself, not project association.

73
MCQmedium

Instead of granting IAM roles to 50 individual developer email addresses, a team wants to manage access by team membership. When a developer joins or leaves, access updates automatically. What is the recommended approach?

A.Create a service account shared by all developers on the team
B.Grant IAM roles to a Google Group containing all team members
C.Create a GCP project per developer and use cross-project IAM bindings
D.Use Cloud Identity-Aware Proxy to manage team membership
AnswerB

Google Groups are supported as IAM principals. Roles granted to a group apply to all members. Membership changes in Google Groups are reflected in GCP access immediately.

Why this answer

Option B is correct because Google Groups act as identity containers that can be granted IAM roles at the project or resource level. When developers are added to or removed from the group, their IAM permissions automatically update without requiring manual role changes for each individual user. This aligns with the principle of least privilege and simplifies access management at scale.

Exam trap

The trap here is that candidates often confuse service accounts with user identities or think that Cloud IAP can manage IAM roles, when in fact IAP only controls access to applications and not to GCP resource-level permissions.

How to eliminate wrong answers

Option A is wrong because sharing a service account among multiple developers violates security best practices — service accounts are intended for application-to-application authentication, not for individual user access, and sharing credentials eliminates audit trails and non-repudiation. Option C is wrong because creating a GCP project per developer introduces unnecessary overhead and complexity; cross-project IAM bindings still require managing individual identities and do not leverage group-based membership for automatic updates. Option D is wrong because Cloud Identity-Aware Proxy (IAP) controls access to applications at the HTTP/S layer, not to GCP IAM roles or resources; it does not replace IAM role management for cloud infrastructure permissions.

74
Multi-Selectmedium

A company is setting up a new Google Cloud environment. They need to ensure that they can manage billing across multiple projects and have a hierarchical resource structure. Which TWO statements are correct about the Google Cloud resource hierarchy?

Select 2 answers
A.Each billing account can be linked to only one project.
B.A project must always belong to a folder or organization.
C.Resources are organized hierarchically with Organization, Folders, Projects, and Resources.
D.Each project must belong to a folder.
E.IAM policies can be inherited from a folder to projects within it.
AnswersC, E

This is the correct hierarchical structure.

Why this answer

Options C and E are correct. Option C correctly describes the hierarchy. Option E correctly states that IAM policies can be inherited from folders.

Option A is false because billing accounts can be linked to multiple projects. Option B is false because projects can exist without a folder or organization if using a standalone billing account. Option D is false because projects do not have to belong to a folder.

75
MCQmedium

A company is migrating a legacy on-premises application to Google Cloud. The application stores structured transactional data in a relational database. The database currently handles 2,000 transactions per second (TPS) and is expected to grow to 10,000 TPS over the next year. The database size is 500 GB. The application requires strong consistency and the ability to run complex JOIN queries. Which Google Cloud database service should the company choose?

A.Cloud Spanner
B.Cloud SQL for PostgreSQL
C.Cloud Bigtable
D.Cloud Firestore
AnswerB

Cloud SQL provides a fully managed relational database with strong consistency and support for complex queries.

Why this answer

Cloud SQL for PostgreSQL is the correct choice because it provides a fully managed relational database with strong ACID compliance, support for complex JOIN queries, and can scale vertically or via read replicas to handle up to 10,000 TPS with proper configuration. The 500 GB database size is well within Cloud SQL's limits, and PostgreSQL's native support for complex joins meets the application's requirements without the operational overhead of self-managed databases.

Exam trap

Google Cloud often tests the misconception that Cloud Spanner is the only option for strong consistency and high TPS, but the trap here is that the workload is single-region and moderate scale, making Cloud SQL a simpler and more cost-effective choice despite Spanner's global capabilities.

How to eliminate wrong answers

Option A is wrong because Cloud Spanner is designed for globally distributed, horizontally scalable workloads with strong consistency, but it introduces unnecessary complexity and higher cost for a single-region workload that only needs up to 10,000 TPS and 500 GB; it also requires schema changes to use interleaved tables for optimal JOIN performance. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database that does not support SQL JOINs or strong relational consistency, making it unsuitable for structured transactional data requiring complex queries. Option D is wrong because Cloud Firestore is a NoSQL document database designed for mobile and web apps with eventual consistency by default, and it lacks native support for complex JOIN operations or the transactional throughput needed for 10,000 TPS.

