Google Professional Cloud Architect (PCA) — Questions 901975

1000 questions total · 14pages · All types, answers revealed

Page 12

Page 13 of 14

Page 14
901
MCQmedium

An organization uses Cloud Storage to store critical documents. They want to protect against accidental deletion or overwriting of objects. Which feature should they enable?

A.Uniform bucket-level access
B.Object lifecycle management rules
C.Object versioning and retention policies
D.Customer-managed encryption keys (CMEK)
AnswerC

Versioning retains previous versions; retention policies prevent deletion. Together they protect against accidents.

Why this answer

Object versioning and retention policies together protect against accidental deletion and overwrites. Versioning keeps multiple versions of objects, and retention policies prevent deletion until a specified time. Uniform bucket-level access is for access control, not protection.

Object lifecycle management automates transitions/deletion, not protection. Encryption protects data at rest.

902
MCQeasy

A company wants to migrate a MySQL database running on-premises to Cloud SQL with minimal downtime. Which GCP service should they use?

A.Migrate for Compute Engine
B.Storage Transfer Service
C.Transfer Appliance
D.Database Migration Service
AnswerD

DMS provides minimal-downtime migration for MySQL to Cloud SQL.

Why this answer

Database Migration Service (DMS) supports homogeneous migrations for MySQL, PostgreSQL, and SQL Server with minimal downtime using continuous replication. Migrate for Compute Engine is for VM migration, Transfer Appliance for bulk data, and Storage Transfer Service for object storage.

903
Multi-Selectmedium

Which TWO strategies should a company implement to optimize costs for a production GKE cluster? (Choose two.)

Select 2 answers
A.Use Istio for traffic management.
B.Use a regional cluster.
C.Enable GKE usage metering.
D.Use cluster autoscaler with preemptible node pools.
E.Use node local DNS cache.
AnswersC, D

Usage metering helps allocate costs per namespace and identify waste.

Why this answer

Option C is correct because GKE usage metering provides detailed cost allocation by breaking down cluster resource consumption (CPU, memory, storage) per Kubernetes namespace or label. This enables teams to track and optimize spending across different projects or departments, directly supporting cost optimization for a production cluster.

Exam trap

Google Cloud often tests the distinction between cost optimization and other operational goals like high availability or performance; candidates mistakenly choose regional clusters (high availability) or Istio (traffic management) as cost-saving measures when they are not.

904
Multi-Selectmedium

A company wants to enforce that only approved container images can be deployed to GKE. They also want to ensure images are scanned for vulnerabilities before deployment. Which two GCP services should they use? (Choose TWO).

Select 2 answers
A.Container Analysis API
B.Cloud Security Command Center
C.Container Registry vulnerability scanning
D.Cloud Build
E.Binary Authorization
AnswersA, E

Container Analysis provides vulnerability scanning and can be integrated with Binary Authorization.

Why this answer

Binary Authorization enforces deployment policies based on image signatures. Container Analysis (or vulnerability scanning) identifies vulnerabilities in images.

905
MCQmedium

A company wants to restrict access to a Cloud Storage bucket so that only objects encrypted with a specific Cloud KMS key can be read. Which approach should they use?

A.Enable Key Access Justifications on the Cloud KMS key and allow access only for justified requests.
B.Set a bucket policy that denies access if the object's encryption type is not CMEK.
C.Use IAM conditions with the resource name condition 'resource.name.startsWith("projects/_/buckets/example-bucket/objects/")' and 'resource.hasTag("kmsKeyName", "projects/p/locations/l/keyRings/kr/cryptoKeys/ck")'.
D.Configure VPC Service Controls to include the bucket and the Cloud KMS key resource.
AnswerC

IAM conditions can check object metadata such as 'kmsKeyName' to restrict access to objects encrypted with a specific key.

Why this answer

Option D is correct because Cloud Storage Object has a 'kmsKeyName' condition that can be used in IAM conditions to require objects to be encrypted with a specific KMS key. Option A is wrong because VPC Service Controls prevent data exfiltration but do not enforce encryption at the object level. Option B is wrong because bucket policies do not directly examine encryption key metadata.

Option C is wrong because Key Access Justifications only provide reasons for key access but do not restrict object access based on encryption key.

906
MCQmedium

A company is building a microservices architecture on Google Kubernetes Engine (GKE) and needs to ensure each microservice can only access specific Cloud Storage buckets. IAM permissions should be assigned at the pod level, not at the node level. What is the recommended approach?

A.Store service account keys in Kubernetes secrets and mount them into each pod
B.Use a CSI driver to mount IAM credentials into pods
C.Use Workload Identity to bind a Kubernetes service account to a GCP service account
D.Assign a service account to each node pool and configure pod security policies
AnswerC

Workload Identity enables per-pod IAM permissions by mapping Kubernetes service accounts to GCP service accounts.

Why this answer

Workload Identity Federation allows you to assign a GCP service account to a Kubernetes service account, which is then bound to a pod. This enables fine-grained IAM permissions per pod. Node-level IAM would give all pods on the node the same permissions.

Service accounts cannot be assigned directly to pods via metadata, and CSI drivers are for storage, not IAM.

907
MCQmedium

Your company has a production Cloud SQL for PostgreSQL instance in us-central1 with automated backups enabled. You need to ensure that if the zone fails, the database automatically fails over to a standby in a different zone with minimal downtime. What should you do?

A.Enable deletion protection on the instance.
B.Create a cross-region read replica and manually promote it during a failure.
C.Configure the instance as a highly available (regional) instance.
D.Enable point-in-time recovery (PITR) and keep 30 days of transaction logs.
AnswerC

HA configuration creates a standby in a different zone and enables automatic failover.

Why this answer

Cloud SQL high availability (HA) configuration creates a standby instance in a different zone. The primary and standby use synchronous replication, and automatic failover occurs if the primary zone fails. Enabling deletion protection does not provide HA.

Read replicas are for read scaling, not automatic failover. Automated backups alone do not provide failover.

908
Multi-Selectmedium

A cloud architect is implementing a CI/CD pipeline for a microservices-based application on Google Kubernetes Engine (GKE). The team needs to deploy new versions of the services with zero downtime and the ability to quickly roll back if issues are detected. Which two strategies should the architect consider? (Choose two.)

Select 2 answers
A.Shadow deployment
B.Rolling update
C.Blue/green deployment
D.Canary deployment
E.A/B testing deployment
AnswersC, D

Correct: blue/green allows instant rollback by switching traffic back to the old version.

Why this answer

Blue/green deployment (A) and canary deployment (C) are two strategies that provide zero downtime and quick rollback. Blue/green deploys new version to a separate environment and switches traffic; canary gradually shifts traffic and allows easy rollback. Rolling update (B) also provides zero downtime but rollback requires a new update, not immediate.

Shadow deployment (D) mirrors traffic for analysis but doesn't serve users. A/B testing (E) is a method for comparing features but not a deployment strategy.

909
MCQeasy

A multinational e-commerce company needs a globally distributed database that provides strong consistency and transactional support for order processing. Which Google Cloud database service should they use?

A.Cloud SQL
B.Cloud Spanner
C.Cloud Bigtable
D.Cloud Firestore
AnswerB

Cloud Spanner provides global distribution, strong consistency, and full transactional support, making it ideal for order processing.

Why this answer

Cloud Spanner is the correct choice because it is a globally distributed, horizontally scalable relational database service that provides strong consistency and full ACID transactional support across regions. Unlike other Google Cloud databases, Spanner uses synchronous replication and the TrueTime API to guarantee external consistency, making it ideal for order processing systems that require both global scale and transactional integrity.

Exam trap

The trap here is that candidates often confuse Cloud Spanner with Cloud SQL, assuming that a traditional relational database like Cloud SQL can be scaled globally by adding replicas, but they miss that Cloud SQL replicas are read-only and cannot provide the strong consistency and write scalability needed for a globally distributed transactional system.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a regional, single-writer database that cannot scale horizontally across multiple regions, and it does not provide the global strong consistency needed for a globally distributed order processing system. Option C is wrong because Cloud Bigtable is a NoSQL wide-column database designed for high-throughput analytical workloads, not for transactional order processing that requires strong consistency and ACID transactions. Option D is wrong because Cloud Firestore is a NoSQL document database that offers eventual consistency by default (unless using transactions in a single region) and is not designed for the complex, strongly consistent transactional workloads of a global e-commerce order processing system.

910
MCQmedium

A company uses Cloud Deploy for continuous delivery. They have a delivery pipeline with multiple targets: dev, staging, and prod. They want to require manual approval before deploying to prod. How should they configure this?

A.Add a Cloud Build trigger that pauses and waits for approval
B.Use IAM conditions to restrict deployment to prod
C.Configure an approval gate on the prod target in the delivery pipeline
D.Set up a Pub/Sub notification and a Cloud Function to approve
AnswerC

Approval gates are natively supported in Cloud Deploy delivery pipelines.

Why this answer

Approval gates in Cloud Deploy are configured as phases within a delivery pipeline, where a required approval step blocks progression until manually approved.

911
MCQhard

A team wants to enforce that only container images signed by their CI/CD system can be deployed to GKE. They have enabled Binary Authorization with a policy that requires an attestor. What additional step must they take to bind the attestor to the image signing process?

A.Create a Container Analysis note and grant the attestor service account the containeranalysis.notes.attacher role
B.Add the attestor to the Binary Authorization policy as a required attestor
C.Create a Cloud Build step that signs the image and stores the signature in Cloud Storage
D.Configure the GKE cluster to require Binary Authorization with the --no-enforce flag
AnswerA

This binds the attestor to the Container Analysis note, allowing it to create attestations for signed images.

Why this answer

After creating the attestor, you must create an AttestationAuthority note in Container Analysis and grant the attestor service account permission to bind attestations. Configuring Cloud Build to sign images is part of the process but not the binding step.

912
MCQeasy

An administrator is configuring firewall rules in a VPC. Two rules apply to the same traffic: rule 1 allows ingress from 0.0.0.0/0 on TCP 80, rule 2 denies ingress from 10.0.0.0/8 on TCP 80. Rule 1 has priority 1000, rule 2 has priority 500. What is the effective behavior for traffic from 10.0.0.1?

A.The result is unpredictable without knowing the rule creation order.
B.Traffic is allowed because allow rules override deny rules.
C.Traffic is denied because rule 2 has higher priority.
D.Traffic is allowed because rule 1 has a lower priority number.
AnswerC

Rule 2 (priority 500) has higher priority than rule 1 (priority 1000), so deny applies.

Why this answer

In AWS VPC Network ACLs (NACLs), rules are evaluated in priority order, with lower numbers having higher priority. Rule 2 (priority 500) is evaluated before rule 1 (priority 1000), and since rule 2 explicitly denies traffic from 10.0.0.0/8 on TCP 80, traffic from 10.0.0.1 is denied regardless of rule 1's allow. NACLs are stateless and do not have an implicit override between allow and deny; the first matching rule determines the outcome.

Exam trap

Google Cloud often tests the misconception that allow rules override deny rules or that rule creation order matters, but the trap here is that candidates confuse priority numbers (lower = higher priority) and assume a higher number means higher priority.

How to eliminate wrong answers

Option A is wrong because rule creation order does not affect evaluation; only the priority number matters. Option B is wrong because allow rules do not inherently override deny rules; the rule with the highest priority (lowest number) that matches the traffic is applied. Option D is wrong because a lower priority number means higher priority, not lower; rule 1 has a higher priority number (1000) and thus lower priority, so it is not evaluated before rule 2.

913
MCQhard

A company runs a multi-tier application on Google Cloud: a frontend on App Engine Standard, a backend on Cloud Run, and a Cloud SQL database. The application experiences intermittent 500 errors when users submit forms. The errors correlate with high CPU usage on the Cloud SQL instance (db-n1-standard-2, 7.5 GB memory). The Cloud Run service has a concurrency setting of 80 and a maximum of 10 instances. The App Engine service uses automatic scaling. The team has verified that the application code is not the issue. They suspect the database is hitting connection limits. Current max_connections on Cloud SQL is 250. The Cloud Run service uses a connection pool of 10 connections per instance. The App Engine service uses a connection pool of 5 connections per instance. They also have a few batch jobs that run occasionally, using up to 10 connections. The team wants to resolve the errors with minimal cost and complexity. Which course of action should they take?

A.Increase the maximum number of Cloud Run instances to 20 to handle more requests.
B.Upgrade the Cloud SQL instance to db-n1-standard-4 (15 GB memory) to handle more connections.
C.Increase the max_connections parameter on Cloud SQL to 500.
D.Reduce the concurrency setting on Cloud Run from 80 to 40.
AnswerC

This directly addresses the connection limit issue with minimal cost and no code changes.

Why this answer

The intermittent 500 errors are caused by the Cloud SQL instance hitting its max_connections limit of 250. With Cloud Run using 10 connections per instance and up to 10 instances (100 connections), App Engine using 5 connections per instance (unknown instance count but likely significant), and batch jobs using up to 10 connections, the total can easily exceed 250. Increasing max_connections to 500 directly addresses the connection limit without changing instance size or scaling behavior, which is the simplest and most cost-effective fix.

Exam trap

Google Cloud often tests the misconception that upgrading the instance tier (more memory/CPU) automatically increases connection limits, when in fact max_connections is a configurable parameter that can be increased independently without changing the instance size.

How to eliminate wrong answers

Option A is wrong because increasing Cloud Run instances to 20 would increase the total number of connections (up to 200 from Cloud Run alone), worsening the connection limit issue and potentially causing more 500 errors. Option B is wrong because upgrading to db-n1-standard-4 increases memory but does not change the default max_connections limit (which is based on tier, not memory alone); the current bottleneck is the connection count, not CPU or memory, so this adds cost without solving the problem. Option D is wrong because reducing concurrency on Cloud Run from 80 to 40 would decrease the number of concurrent requests per instance but does not reduce the number of connections per instance (still 10), and could lead to more instances being spun up, potentially increasing total connections.

914
MCQhard

You are investigating a Vertex AI Workbench instance (instance-2) that is showing UNHEALTHY status. Based on the exhibit, what is the most likely cause of the issue?

A.The container image gcr.io/my-project/my-image:latest does not exist, or the service account used by the Workbench instance does not have storage.objectViewer access to the container registry.
B.The container registry endpoint is blocked by a firewall rule that does not allow egress to gcr.io.
C.The instance's underlying Compute Engine resources are exhausted, causing the container creation to timeout.
D.The Workbench instance is using an outdated custom image that is not compatible with the latest runtime version.
AnswerA

Option C is correct because the error is an image pull failure, which is typically due to missing image or insufficient permissions.

Why this answer

The UNHEALTHY status in Vertex AI Workbench typically occurs when the instance fails to start its container. The most likely cause is that the specified container image (gcr.io/my-project/my-image:latest) does not exist in the Container Registry, or the service account attached to the instance lacks the storage.objectViewer role on the registry bucket. Without this permission, the instance cannot pull the image, leading to a container creation failure and an UNHEALTHY state.

Exam trap

Google Cloud often tests the distinction between container image availability/permissions and network-level issues; the trap here is that candidates may assume a firewall or resource exhaustion is the cause, but the exhibit's focus on a specific container image points directly to a missing image or insufficient IAM permissions on the Container Registry.

How to eliminate wrong answers

Option B is wrong because while a firewall blocking egress to gcr.io could cause a pull failure, the exhibit does not mention any firewall rules, and the question asks for the 'most likely' cause based on the exhibit—lack of image existence or permissions is a more common and direct issue. Option C is wrong because Compute Engine resource exhaustion (e.g., CPU/memory) would typically cause a timeout or error during instance creation, not a persistent UNHEALTHY status after the instance is running; Vertex AI Workbench handles resource allocation separately. Option D is wrong because an outdated custom image would likely cause compatibility warnings or startup failures, but the exhibit shows a specific container image reference (gcr.io/my-project/my-image:latest), not a custom image issue; the UNHEALTHY status is tied to container pull failures, not image version mismatches.

915
MCQeasy

A company wants to control which resources can be accessed by a service account in a specific project. Which IAM policy binding approach should be used?

A.Use VPC Service Controls to restrict the service account
B.Grant the service account a role at the project or resource level
C.Add the service account to a Cloud Identity group and grant the group a role
D.Grant the service account a role at the organization level
AnswerB

IAM roles at the project or resource level restrict access to that scope.

Why this answer

IAM roles are bound to members (including service accounts) at the resource, project, folder, or organization level. The correct approach is to grant the service account an IAM role at the project or resource level.

916
MCQmedium

You are designing a CI/CD pipeline for a containerized application on Google Cloud. The application is built with Cloud Build, stored in Container Registry, and deployed to GKE. The team wants to ensure that only images that pass vulnerability scanning are deployed. What should you do?

A.Add a step in Cloud Build that runs a vulnerability scanner on the image and fails the build if vulnerabilities exceed a threshold.
B.Configure Container Analysis to automatically scan images in Container Registry and block deployment via a webhook.
C.Enable Binary Authorization on the GKE cluster and configure a policy to require an attestation from a trusted authority.
D.Use Security Command Center to detect vulnerabilities and alert the team to manually block deployments.
AnswerA

This integrates scanning into the pipeline, preventing vulnerable images from being pushed.

Why this answer

Option A is correct because Cloud Build can include a custom step that runs a vulnerability scanner (e.g., using the Google Cloud `gcloud container images list-tags` with the `--show-occurrences-from` flag or a third-party tool like Trivy) and then evaluates the results against a threshold. If the scan finds vulnerabilities exceeding the defined threshold, the build step exits with a non-zero status, causing the Cloud Build pipeline to fail and preventing the image from being pushed to Container Registry or deployed. This directly enforces the requirement that only images passing vulnerability scanning proceed in the CI/CD pipeline.

Exam trap

The trap here is that candidates often confuse Binary Authorization (which requires attestations but does not perform scanning) with vulnerability scanning, or they assume Container Analysis can directly block deployments via a webhook, when in fact it only generates metadata that must be consumed by another policy engine.

How to eliminate wrong answers

Option B is wrong because Container Analysis automatically scans images in Container Registry, but it does not have a built-in webhook mechanism to block deployment; it only generates vulnerability occurrences that must be consumed by another service (e.g., Binary Authorization) to enforce policy. Option C is wrong because Binary Authorization enforces deployment policies based on attestations from trusted authorities, but it does not itself perform vulnerability scanning; it relies on an external attestor to verify the image, and the question requires that only images passing vulnerability scanning are deployed, not that an attestation is required. Option D is wrong because Security Command Center is a security and risk management platform that provides visibility and alerts, but it does not automatically block deployments; it requires manual intervention or integration with other tools to stop a deployment.

917
Multi-Selecthard

A company is designing a highly available architecture for a stateful application on Compute Engine. They need to protect against zonal failures. Which THREE steps should they take?

Select 3 answers
A.Store session state in memory
B.Use a global load balancer with health checks
C.Use a single zone instance group
D.Use persistent disks with regional persistent disks
E.Use a managed instance group across multiple zones
AnswersB, D, E

Distributes traffic and fails over.

Why this answer

To protect against zonal failures: use a managed instance group across multiple zones (A) to distribute instances; use regional persistent disks (B) that replicate data across zones; and use a global load balancer with health checks (C) to direct traffic to healthy instances. Storing session state in memory (D) is not durable. Using a single zone instance group (E) does not provide HA.

918
MCQeasy

A developer runs the command above and sees the output. The cluster has one node pool with 3 nodes, each of type e2-standard-4 (4 vCPU, 16 GB RAM). The application requires at least 2 GB of memory per pod and the cluster has 10 pods that need to be scheduled. The developer also notices that the node pool autoscaling is enabled with a minimum of 1 and maximum of 5 nodes. However, the cluster is unable to schedule all pods. What is the most likely cause?

A.The cluster is running an older version of Kubernetes that does not support node auto-scaling.
B.The node pool autoscaler is not properly configured to scale up based on pod resource requests.
C.The node auto-repair feature is disabled, causing a node to be unhealthy.
D.The pod resource requests exceed the allocatable resources on the existing nodes after accounting for system reservations.
AnswerD

System reservations (kube-reserved, eviction threshold) reduce allocatable CPU and memory, and the pod requests may exceed what is available.

Why this answer

Option D is correct because the cluster has 3 e2-standard-4 nodes, each with 4 vCPU and 16 GB RAM. After accounting for system reservations (e.g., kubelet, OS, daemonsets), the allocatable memory per node is typically around 13-14 GB. With 10 pods each requesting 2 GB, the total memory request is 20 GB, but the total allocatable memory across 3 nodes is only about 39-42 GB.

However, the autoscaler can only scale up to 5 nodes, and even then, the total allocatable memory would be around 65-70 GB, which is sufficient. The most likely cause is that the pod resource requests exceed the allocatable resources on the existing nodes, preventing scheduling, and the autoscaler may not have triggered yet or is constrained by other factors like CPU or node limits.

Exam trap

Google Cloud often tests the distinction between pod resource requests and limits, and the fact that the Cluster Autoscaler scales based on requests, not limits, leading candidates to overlook system reservations or assume autoscaling is misconfigured.

How to eliminate wrong answers

Option A is wrong because older Kubernetes versions (e.g., 1.15+) do support node autoscaling via the Cluster Autoscaler; the version is unlikely to be the issue. Option B is wrong because the node pool autoscaler is configured to scale based on unschedulable pods, and it does consider pod resource requests; the issue is that the autoscaler may not have scaled up sufficiently or the requests exceed the current node capacity. Option C is wrong because node auto-repair is unrelated to scheduling; it handles node health issues, not resource insufficiency.

919
MCQeasy

A developer is trying to deploy a Compute Engine instance from a Cloud Build step. The build fails with the above error. What is the problem?

A.The project has exceeded its service account quota.
B.The Cloud Build service account lacks 'compute.instances.create' permission.
C.Cloud Build does not have the 'iam.serviceAccounts.actAs' permission on the default compute service account.
D.The developer's personal account does not have permission to use Cloud Build.
AnswerC

When Cloud Build creates a VM, it must act as the VM's service account.

Why this answer

The error occurs because Cloud Build needs to impersonate the Compute Engine default service account to create a VM instance. The Cloud Build service account requires the 'iam.serviceAccounts.actAs' permission on the target service account to delegate its identity. Without this permission, the build step fails even if the Cloud Build service account has 'compute.instances.create' permission.

Exam trap

Google Cloud often tests the subtle distinction between having resource-level permissions (like 'compute.instances.create') and the 'actAs' permission required to impersonate a service account, leading candidates to incorrectly choose the missing resource permission.

How to eliminate wrong answers

Option A is wrong because service account quotas are separate from IAM permissions; exceeding a quota would produce a different error (e.g., 'quota exceeded'), not a permission denied error. Option B is wrong because the error message specifically indicates an 'actAs' permission issue, not a missing 'compute.instances.create' permission; if that were the problem, the error would reference 'compute.instances.create' directly. Option D is wrong because Cloud Build uses its own service account for execution, not the developer's personal account; the error is about the Cloud Build service account's permissions, not the developer's.

920
MCQeasy

A developer needs to grant a Compute Engine instance the ability to read from a Cloud Storage bucket. The instance does not have a service account attached. What should the developer do?

A.Create a service account and assign it the Storage Object Viewer role, then attach the service account to the instance.
B.Add the instance's external IP to the bucket permissions.
C.Generate a JSON key for a user account and store it on the instance.
D.Create a firewall rule to allow access to Cloud Storage.
AnswerA

This is the recommended approach.

Why this answer

The best practice is to create a service account with the required roles (e.g., Storage Object Viewer) and attach it to the instance. This avoids managing keys and follows IAM best practices.

921
MCQhard

A multinational corporation has deployed a web application across multiple Google Cloud regions using an external HTTPS load balancer with backend services in each region. They recently added a new region (asia-southeast1) and updated the load balancer configuration. After the update, some users in that region report high latency and occasional connection timeouts when accessing the application. The load balancer health checks show all backends as healthy. The network team confirms that the backend instances in asia-southeast1 are correctly configured and can be accessed directly via their external IPs. What should the architects investigate next?

A.Check the Cloud CDN cache settings for the new region
B.Verify that the backend service in asia-southeast1 has the correct timeout settings for the load balancer
C.Ensure that the firewall rules allow traffic from the load balancer's health check ranges to the instances
D.Review the Cloud Armor security policy rules that might be blocking traffic from that region
AnswerD

Cloud Armor geo-filtering may block traffic from that region while allowing health checks from Google IPs.

Why this answer

Option D is correct because Cloud Armor security policies can block traffic based on geographic location. If the new region (asia-southeast1) was added but the Cloud Armor policy was not updated to allow traffic from that region, requests from users in asia-southeast1 could be denied or rate-limited, causing high latency and timeouts even though health checks (which originate from Google's health check ranges, not user IPs) show backends as healthy. The direct access via external IPs works because it bypasses the load balancer and its associated Cloud Armor policy.

Exam trap

Google Cloud often tests the misconception that health check success implies full end-to-end connectivity, but health checks bypass Cloud Armor and firewall rules that apply to user traffic, so healthy backends do not guarantee user traffic is allowed.

How to eliminate wrong answers

Option A is wrong because Cloud CDN cache settings affect content delivery speed and cache hit ratio, not connection timeouts or high latency caused by traffic blocking; CDN would not cause timeouts if the origin is reachable. Option B is wrong because timeout settings on the backend service control how long the load balancer waits for a response from the backend, but since health checks pass and direct access works, timeouts are not the issue; incorrect timeouts would affect all users, not just those in the new region. Option C is wrong because firewall rules for health check ranges are already correctly configured (health checks show all backends as healthy), and the issue is with user traffic, not health check probes; the network team confirmed backend instances are reachable via external IPs, indicating no firewall blockage.

922
MCQmedium

A company uses Cloud Spanner in a multi-region configuration. They want to ensure the highest availability with an SLA of 99.999%. Which configuration supports this?

A.Single-region configuration
B.Multi-region configuration with three regions
C.Dual-region configuration with read replicas
D.Multi-region configuration with two regions
AnswerB

Spanner multi-region configurations with three regions (e.g., nam3) are designed for 99.999% availability.

Why this answer

Cloud Spanner multi-region configurations are designed for 99.999% availability. The default multi-region setups (e.g., nam3, eur3) include three regions with automatic failover. A single-region configuration offers 99.99%.

Multi-region with two regions does not provide the same SLA.

923
Multi-Selecthard

Which THREE Google Cloud services can be used to implement a zero-trust architecture for network security? (Choose three.)

Select 3 answers
A.Cloud Armor
B.Access Context Manager (ACM)
C.Identity-Aware Proxy (IAP)
D.VPC Networks
E.Cloud VPN
AnswersA, B, C

Cloud Armor provides WAF and DDoS protection at the edge, enforcing security policies.

Why this answer

Options A, B, and C are correct. Cloud Armor enforces security policies at the edge, Identity-Aware Proxy (IAP) verifies identity and context before granting access, and Access Context Manager defines access levels based on device, IP, etc., to enforce fine-grained access. Option D is wrong because Cloud VPN is for network connectivity, not zero-trust security.

Option E is wrong because VPC Networks are the underlying network, but zero-trust requires beyond network perimeters.

924
Multi-Selecteasy

A company needs to run batch processing jobs that can tolerate interruptions. They want to minimize costs. Which TWO compute options should they consider? (Choose TWO.)

Select 2 answers
A.Sole-tenant nodes
B.Committed use discounts
C.Preemptible VMs
D.Standard (on-demand) VMs
E.Spot VMs
AnswersC, E

Preemptible VMs are low-cost, can be terminated, suitable for batch jobs.

Why this answer

Preemptible VMs and Spot VMs are short-lived, low-cost instances that can be terminated at any time. They are ideal for fault-tolerant batch jobs. Committed use discounts are for predictable workloads, not for interruptible jobs.

Standard VMs and Sole-tenant nodes are more expensive and not intended for interruptible workloads.

925
MCQmedium

A financial services company wants to migrate a legacy monolithic Java application to Google Cloud with minimal changes to the code. They plan to containerise the application but want to avoid managing Kubernetes clusters. The application requires persistent storage and must be reachable via an internal IP address within the VPC. Which compute service should they use?

A.Compute Engine with Docker installed
B.Cloud Run (fully managed)
C.Google Kubernetes Engine (GKE) Autopilot
D.App Engine Flexible Environment
AnswerB

Serverless container platform; supports internal traffic via Serverless VPC Access and persistent storage via Cloud NFS.

Why this answer

Cloud Run (fully managed) supports containers, can be configured for internal traffic only, and provides persistent storage via Cloud NFS or other volume mounts. It abstracts away cluster management.

926
MCQmedium

Alice needs to read objects in the bucket 'secret-bucket'. Based on the IAM policy, what is her effective access?

A.Alice cannot read objects because the deny rule overrides all allow bindings.
B.Alice can read objects only if she also has objectCreator role.
C.Alice can read objects because objectAdmin grants read access and is not denied.
D.Alice cannot read objects because the deny rule removes objectViewer and she has no other read access.
AnswerC

objectAdmin includes read, and the deny only applies to objectViewer.

Why this answer

The deny rule denies objectViewer specifically on secret-bucket, but she also has objectAdmin which overrides (deny does not block other roles). So she can read via objectAdmin. Option B is incorrect because deny rules only remove the specified role.

Option C is incorrect because objectAdmin includes read. Option D is incorrect.

927
Multi-Selectmedium

A company is designing a disaster recovery strategy for a Cloud SQL for PostgreSQL database with a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 2 hours. They are using the Regional Cloud SQL tier. Which TWO actions should they take? (Choose TWO.)

Select 2 answers
A.Increase the number of CPUs on the primary instance.
B.Create a read replica in the same region.
C.Configure cross-region replication by creating a cross-region replica.
D.Enable deletion protection on the database.
E.Enable automated backups and point-in-time recovery.
AnswersC, E

Cross-region replica enables failover to another region, achieving RPO < 1 hour.

Why this answer

Cross-region replication (replica) provides failover to another region with an RPO < 1 hour. Automated backups with point-in-time recovery can restore within RTO if the replica is also used. Enabling deletion protection is a safety measure but not DR.

A read replica in the same region does not help cross-region. Scaling CPU does not affect DR.

928
MCQeasy

A service account needs to be able to start and stop Compute Engine instances in a specific project. Which IAM role should be assigned at the project level?

A.roles/iam.serviceAccountUser
B.roles/editor
C.roles/compute.viewer
D.roles/compute.instanceAdmin.v1
AnswerD

Grants necessary permissions to start and stop instances.

Why this answer

The correct answer is D, roles/compute.instanceAdmin.v1, because this role grants the necessary permissions to start, stop, and manage Compute Engine instances, including operations like instances.start and instances.stop, at the project level. This role is specifically designed for managing compute resources without granting broader project-level access like editing all resources.

Exam trap

Google Cloud often tests the distinction between primitive roles (like roles/editor) and predefined roles (like roles/compute.instanceAdmin.v1), where candidates mistakenly choose the broader role due to its apparent convenience, overlooking the principle of least privilege and the specific permissions required for the task.

How to eliminate wrong answers

Option A is wrong because roles/iam.serviceAccountUser grants permission to impersonate service accounts, not to manage Compute Engine instances; it allows attaching a service account to a resource but does not include compute.instance.start or compute.instance.stop. Option B is wrong because roles/editor is a broad, primitive role that grants full edit access to all resources in the project, including Compute Engine, but it violates the principle of least privilege by providing excessive permissions beyond what is needed for instance management. Option C is wrong because roles/compute.viewer only provides read-only permissions to view Compute Engine resources (e.g., compute.instances.list, compute.instances.get) and does not include any write or action permissions like starting or stopping instances.

929
Multi-Selecteasy

A development team uses BigQuery for analytical queries. They want to reduce query costs for a large table that is frequently filtered by a date column and a customer_id column. Which TWO table design strategies will reduce the amount of data scanned? (Choose 2)

Select 2 answers
A.Partition the table by date.
B.Create an index on customer_id.
C.Use wildcard tables with date suffixes.
D.Normalize the table into multiple tables.
E.Cluster the table on customer_id.
AnswersA, E

Date partitioning allows queries to scan only relevant partitions.

Why this answer

Partitioning by date limits scans to relevant partitions. Clustering on customer_id further organizes data within partitions for efficient filtering. Both reduce data scanned.

Indexes and normalization are not applicable in BigQuery.

930
MCQhard

Refer to the exhibit. A GKE cluster named 'prod-cluster' has network policy enabled with Calico. A deployment in the cluster uses a ServiceAccount that needs to pull images from a private Container Registry in the same project. Despite correct configuration of ImagePullSecrets, pods fail to pull images with 'AccessDenied' errors. What is the most likely cause?

A.The ImagePullSecret is not correctly base64-encoded.
B.The network policy blocks egress traffic to the Container Registry's endpoints.
C.The cluster's private cluster feature prevents access to external registries.
D.The node service account lacks storage.objectViewer role on the registry bucket.
AnswerD

The node's OAuth scopes include devstorage.read_only, but that only grants access to Storage objects if the service account has the necessary IAM permissions. The node's default service account may not have the required roles.

931
Multi-Selecthard

Your company wants to implement a canary deployment for a microservice running on GKE. You need to gradually shift traffic from the stable version to the canary version while monitoring error rates. Which THREE components or practices should you use? (Choose 3)

Select 3 answers
A.Cloud Deploy with an automated canary strategy and verification
B.Cloud Monitoring to track error rates and trigger rollback
C.Cloud CDN for caching responses
D.Feature flags in the application code
E.Istio for traffic splitting between versions
AnswersA, B, E

Cloud Deploy orchestrates canary deployments with rollback.

Why this answer

A canary deployment on GKE typically uses a service mesh like Istio for fine-grained traffic splitting, Cloud Monitoring for observability, and automated rollback via a progressive delivery tool or manual intervention. Cloud Deploy also supports canary strategies. Cloud CDN is for content delivery, not internal traffic splitting.

Feature flags are for feature toggles, not traffic shifting.

932
MCQeasy

A company stores sensitive data in Cloud Storage and wants to enforce encryption at rest using customer-managed keys. Which Google Cloud service should they use to manage the keys?

A.Cloud HSM
B.Secret Manager
C.Cloud KMS
D.IAM
AnswerC

Manages customer-managed encryption keys for Cloud Storage.

Why this answer

Cloud KMS (Key Management Service) is the correct choice because it is the native Google Cloud service for managing cryptographic keys, including customer-managed encryption keys (CMEK). It allows you to create, rotate, and control access to keys used to encrypt data at rest in Cloud Storage, and it integrates directly with Cloud Storage's CMEK feature. Cloud HSM is a hardware-backed key management option but is built on top of Cloud KMS, not a separate service for key management.

Exam trap

The trap here is that candidates confuse Cloud HSM as a separate key management service, but Cloud HSM is actually a hardware-backed key storage option that requires Cloud KMS for key management, not a replacement for it.

How to eliminate wrong answers

Option A is wrong because Cloud HSM is a hardware security module service that provides FIPS 140-2 Level 3 validated key storage, but it is an add-on to Cloud KMS, not a standalone key management service; you still use Cloud KMS to manage the keys stored in HSM. Option B is wrong because Secret Manager is designed to store and manage secrets such as API keys, passwords, and certificates, not for managing encryption keys used for data at rest in Cloud Storage. Option D is wrong because IAM (Identity and Access Management) is a service for managing access control and permissions, not for creating, storing, or managing encryption keys.

933
MCQhard

An organization wants to export their Cloud Logging logs to a centralized BigQuery dataset for long-term analysis. They also need to exclude logs from a specific source (e.g., a test project) to reduce costs. How should they set this up?

A.Disable logging in the test project
B.Create a log sink to BigQuery and add a log exclusion filter that excludes the test project's logs
C.Create two separate sinks: one for production logs to BigQuery and another for test logs to Cloud Storage
D.Create a log sink to BigQuery and use IAM to restrict access to the test project's logs
AnswerB

Exclusion filters can be applied to the sink or the log bucket to drop certain logs.

Why this answer

A log sink exports logs to BigQuery. To exclude logs from a test project, create a log exclusion filter that matches the test project's logs and apply it to the sink or the project's logs bucket.

934
Multi-Selecthard

A company runs a web application on Google Kubernetes Engine (GKE) that experiences sudden spikes in traffic. They need to automatically scale the number of pods and also ensure that the cluster itself can scale by adding new nodes when needed. Which THREE components should they configure to achieve this?

Select 2 answers
A.Cluster Autoscaler
B.Vertical Pod Autoscaler (VPA)
C.Horizontal Pod Autoscaler (HPA)
D.Node Auto-Repair
E.Pod Disruption Budget (PDB)
AnswersA, C

Cluster Autoscaler adds or removes nodes as needed when pods are pending.

Why this answer

Horizontal Pod Autoscaler (HPA) scales the number of pods based on CPU/memory or custom metrics. Cluster Autoscaler adds or removes nodes to accommodate pod scheduling. Vertical Pod Autoscaler (VPA) adjusts pod resource requests, but does not scale pods or nodes.

Pod Disruption Budget protects pods during voluntary disruptions. Node Auto-Repair is for health maintenance, not scaling.

935
MCQeasy

You manage a batch data processing workload on Compute Engine that runs daily on a single VM. The VM uses a standard persistent disk (pd-standard) for input data and output results. Recently, the VM crashed due to a hardware failure, and the job failed. You need to implement a solution that automatically recovers from VM failures with minimal data loss. The job is idempotent and can restart from the beginning if necessary. Which solution should you choose?

A.Take a snapshot of the persistent disk every hour and create a new VM from the latest snapshot on failure
B.Use Cloud Scheduler to restart the VM every hour until the job completes
C.Add a startup script to the existing VM to rerun the job on boot, and enable automatic restart
D.Create a managed instance group (MIG) with an instance template that includes a startup script to run the job, and enable autohealing
AnswerD

Correct: MIG autohealing recreates VM on failure.

Why this answer

Option D is correct because a managed instance group (MIG) with autohealing automatically recreates a VM instance when it fails, and the startup script ensures the idempotent job reruns from the beginning on the new VM. This minimizes data loss by using the same persistent disk (or a fresh one) and leverages Compute Engine's health check mechanism to detect failure and trigger recovery without manual intervention.

Exam trap

The trap here is that candidates confuse automatic restart (which only works for transient failures on the same VM) with autohealing (which recreates the VM after hardware failure), leading them to pick Option C instead of D.

How to eliminate wrong answers

Option A is wrong because hourly snapshots introduce up to 1 hour of potential data loss and require manual steps to create a new VM from the snapshot, which does not provide automatic recovery. Option B is wrong because Cloud Scheduler restarting the VM every hour does not detect actual VM failure; it blindly restarts on a schedule, which could interrupt a running job and does not address hardware failure recovery. Option C is wrong because enabling automatic restart on a single VM only recovers from transient failures (e.g., host maintenance), not from hardware failures that destroy the VM; the VM must be recreated, and a startup script on a dead VM cannot execute.

936
MCQmedium

An application running on Compute Engine frequently makes connection requests to a Cloud SQL for PostgreSQL instance. The connections are short-lived and many are created per second. What should be implemented to reduce latency and connection overhead?

A.Deploy PgBouncer on the application server or as a sidecar
B.Increase the number of vCPUs on the Cloud SQL instance
C.Enable connection scaling in Cloud SQL
D.Use Cloud SQL Auth Proxy with private IP
AnswerA

PgBouncer acts as a connection pooler, maintaining a pool of persistent connections to the database and reusing them for application requests, reducing latency and overhead.

Why this answer

Connection pooling reuses database connections instead of creating new ones for each request. PgBouncer is a lightweight connection pooler for PostgreSQL. Cloud SQL Auth Proxy is for secure connections but does not pool.

937
MCQhard

An e-commerce platform uses Cloud Spanner for order processing. Recently, latency spikes have occurred during flash sales. The team suspects hot spots due to monotonically increasing order IDs. Which table design change would best solve this?

A.Remove the primary key and let Spanner auto-generate it.
B.Use interleaved tables to store orders under customers.
C.Add a random prefix to the order ID primary key.
D.Create a secondary index on the timestamp column.
AnswerC

Randomizing the first part of the key distributes writes across splits.

Why this answer

Monotonically increasing primary keys (like sequential order IDs) cause hot spots in Cloud Spanner because all writes are directed to a single split (tablet), overwhelming that node. Adding a random prefix (e.g., a hash of the customer ID) distributes writes across multiple splits, eliminating the hot spot and reducing latency spikes during high-throughput flash sales.

Exam trap

Google Cloud often tests the misconception that secondary indexes or interleaved tables can fix write hot spots, when in reality only primary key distribution strategies (like hash prefixes) address the root cause of split-level contention.

How to eliminate wrong answers

Option A is wrong because removing the primary key and relying on auto-generation still produces monotonically increasing values (e.g., Spanner's auto-generated keys are sequential), which does not solve the hot spot issue. Option B is wrong because interleaved tables organize child rows under a parent row, but if the parent key is monotonically increasing, writes still concentrate on the same split, failing to distribute load. Option D is wrong because a secondary index on the timestamp column does not affect the distribution of primary key writes; it only helps query performance, not write hot spots.

938
Multi-Selectmedium

Which TWO actions reduce egress costs when transferring data from Compute Engine to the internet? (Choose 2)

Select 2 answers
A.Use Cloud NAT for outbound traffic
B.Use Cloud CDN to cache content
C.Move instances to a lower-cost region
D.Use Premium Tier networking
E.Compress data before sending it
AnswersB, E

Reduces origin egress by serving from edge caches.

Why this answer

Options A and D are correct. Using a Cloud CDN caches content at edge locations, reducing egress from origin. Using a Premium Tier network does not reduce egress costs; it may increase.

Compressing data reduces egress volume, but it's not always applicable and may affect latency. Moving to a different region does not reduce egress cost. There are only two correct: A and D.

Actually, compressing data reduces the amount of data transferred, so that reduces egress cost. Let's reconsider. The correct answers: Using Cloud CDN (caches content, reduces origin egress) and using data compression (reduces size).

Option A is correct, option D is correct. Option B (move to lower-cost region) does not reduce egress cost because egress is per GB, same worldwide. Option C (use Premium Tier) increases cost.

Option E (use a NAT gateway) does not reduce egress.

939
MCQmedium

An e-commerce application uses Firestore for product catalog. They need to run complex analytical queries on the catalog data, such as aggregations and joins, without impacting production performance. What is the best approach?

A.Create a second Firestore database for analytics
B.Use Cloud SQL to query Firestore directly
C.Use Firestore `!=` operator to filter data
D.Export Firestore data to BigQuery for analytics
AnswerD

BigQuery is designed for analytical workloads and integrates with Firestore via exports.

Why this answer

Firestore is not designed for analytical queries. Exporting to BigQuery allows running complex analytics without impacting Firestore performance. Using a second Firestore database increases cost but doesn't improve analytics.

Cloud SQL does not natively integrate with Firestore. Using the `!=` operator doesn't solve analytical needs.

940
MCQeasy

An application running on Compute Engine instances behind a load balancer experiences intermittent failures. Health checks show instances passing, but some users get errors. What should be the first troubleshooting step?

A.Increase instance size.
B.Review the application logs for errors.
C.Enable HTTP health checks.
D.Check the load balancer's backend service configuration for session affinity.
AnswerB

Logs reveal application-level errors.

Why this answer

The correct first step is to review the application logs (Option B) because the issue is intermittent failures despite healthy load balancer health checks. Since health checks confirm the instances are reachable and responding correctly at the health check endpoint, the problem likely lies within the application itself—such as request handling errors, timeouts, or resource contention. Application logs provide the most direct evidence of what is happening when users encounter errors, enabling targeted debugging before modifying infrastructure.

Exam trap

The trap here is that candidates assume health check failures are the cause of user errors, but Cisco tests the distinction between infrastructure-level health (passing) and application-level errors (logged), leading them to incorrectly adjust health checks or backend configuration instead of inspecting application logs.

How to eliminate wrong answers

Option A is wrong because increasing instance size addresses resource constraints (CPU/memory) but does not target the root cause of intermittent errors when health checks pass; it is a reactive scaling action, not a diagnostic step. Option C is wrong because enabling HTTP health checks (if not already enabled) would only change the health check protocol from TCP to HTTP, but the instances are already passing health checks, so the issue is not with health check configuration. Option D is wrong because checking the load balancer's backend service configuration for session affinity is premature; session affinity (sticky sessions) could cause uneven load distribution but would not explain intermittent errors if health checks are passing—this is a configuration review step, not the first troubleshooting action.

941
MCQmedium

A company is designing a disaster recovery strategy for a critical application. They need to ensure that if the primary region fails, the application can fail over to a secondary region with a Recovery Point Objective (RPO) of 1 hour and a Recovery Time Objective (RTO) of 15 minutes. The application uses Cloud Spanner. Which Cloud Spanner configuration meets these requirements?

A.Multi-region configuration (e.g., nam3)
B.Single-region configuration
C.Backup and restore in another region
D.Dual-region with asynchronous replication
AnswerA

Multi-region configurations replicate data synchronously across regions, providing automatic failover with RPO=0 and RTO<15 minutes, meeting the requirements.

Why this answer

Cloud Spanner multi-region configurations provide automatic replication across regions with synchronous replication, achieving RPO near zero and RTO in seconds. Single-region configurations do not provide geographic failover. A two-region setup like nam3 (US Central + US East) or eur3 (Europe) provides synchronous replication with strong consistency.

Active/active is the default. Multi-region configs are recommended for DR.

942
MCQeasy

A team wants to allow a service account to be used only on specific Compute Engine VMs. Which IAM condition should be applied to the service account's roles?

A.resource.service
B.resource.owner
C.resource.name
D.resource.type
E.resource.labels
AnswerC

Correct. resource.name can be used to restrict to specific resources.

Why this answer

Option C is correct because the `resource.name` IAM condition allows you to restrict a service account's roles to specific Compute Engine VM instances by matching the VM's resource name (e.g., `projects/project-id/zones/zone/instances/instance-name`). This ensures the service account can only be used on designated VMs, enforcing fine-grained access control.

Exam trap

Google Cloud often tests the misconception that `resource.type` or `resource.labels` can restrict access to a specific VM, but only `resource.name` provides a unique identifier for a single instance, while labels are for grouping and can change over time.

How to eliminate wrong answers

Option A is wrong because `resource.service` is not a valid IAM condition attribute for Compute Engine VMs; it is used in other services like Cloud Storage to match the service name. Option B is wrong because `resource.owner` is not a standard IAM condition attribute; IAM conditions use resource attributes like `resource.name`, not ownership metadata. Option D is wrong because `resource.type` refers to the resource type (e.g., `compute.googleapis.com/Instance`), which cannot narrow access to specific VMs—it applies to all VMs of that type.

Option E is wrong because `resource.labels` can filter VMs by label key-value pairs, but it does not uniquely identify a specific VM instance; labels are mutable and can be shared across multiple VMs, making them unsuitable for restricting to a single VM.

943
Multi-Selectmedium

Your company uses Cloud Storage to store critical documents. You need to prevent accidental deletion or modification of objects for a retention period of 5 years. Which TWO features should you use?

Select 2 answers
A.Object versioning
B.Object hold
C.Requester pays
D.Lifecycle rule to delete objects older than 5 years
E.Retention policy with Bucket Lock
AnswersA, E

Versioning keeps old versions, enabling recovery from accidental changes.

Why this answer

Object versioning preserves previous versions of objects, allowing recovery from accidental deletion or overwrite. Retention policies (bucket-level) enforce a minimum retention period for all objects. Bucket Lock makes the retention policy immutable.

Object holds are per-object and can be removed. Lifecycle policies manage object transitions/deletion, not retention enforcement.

944
MCQmedium

A company uses Cloud Logging to monitor their application logs. They notice that some logs from their Compute Engine instances are missing. The instances have the required logging permission. What is the most likely cause?

A.The log sink is not configured correctly.
B.The logging agent is not configured to send logs to Cloud Logging.
C.The instances are using a custom image without the logging agent.
D.The log bucket is in a different project.
E.The log entries are being filtered by the exclusion filter.
AnswerB

The logging agent must be installed and configured to forward logs.

Why this answer

Compute Engine instances do not automatically send logs to Cloud Logging. They require the Cloud Logging agent (based on fluentd) to be installed and configured to forward logs. Even with correct IAM permissions, without the agent, logs will not be collected.

Option B correctly identifies this missing agent as the most likely cause.

Exam trap

Google Cloud often tests the distinction between log collection (agent) and log routing (sinks) — the trap here is that candidates assume IAM permissions alone are sufficient, overlooking the mandatory agent installation and configuration step.

How to eliminate wrong answers

Option A is wrong because a log sink controls where logs are routed (e.g., to BigQuery or Pub/Sub), not whether logs are collected from instances; missing logs are a collection issue, not a routing issue. Option C is wrong because while a custom image might lack the agent, the question states the instances have the required logging permission, implying the agent could be installed separately; the most likely cause is the agent not being configured, not the image itself. Option D is wrong because log buckets in a different project would still receive logs if the sink is configured correctly; the issue is logs not appearing at all, not appearing in the wrong project.

Option E is wrong because exclusion filters remove logs after they are ingested; if logs are missing entirely, they were never ingested, so exclusion is not the cause.

945
Multi-Selecteasy

A cloud architect needs to implement a CI/CD pipeline for a team developing a Python-based microservice. The team uses GitHub as their source repository. The pipeline should automatically run unit tests and deploy the service to Cloud Run when changes are pushed to the main branch. Which THREE Google Cloud services should they use?

Select 3 answers
A.Artifact Registry
B.Cloud Run
C.Cloud Deploy
D.Cloud Source Repositories
E.Cloud Build
AnswersA, B, E

Artifact Registry stores the container image built by Cloud Build.

Why this answer

Cloud Build can connect to GitHub via triggers to run tests and build a container image. Artifact Registry stores the image. Cloud Run deploys the container.

Cloud Deploy is for GKE and other platforms, not Cloud Run directly. Cloud Functions is serverless but not for containers. Cloud Source Repositories is Google's own git, not GitHub.

946
MCQhard

An organization has a multi-regional deployment of a stateful application on GKE using regional persistent disks. They need to implement disaster recovery with an RPO of less than 1 hour and RTO of 30 minutes. What is the most cost-effective approach?

A.Use zonal persistent disks and take snapshots every 45 minutes, then restore in secondary region.
B.Use regional persistent disks with asynchronous replication to a secondary region and deploy GKE clusters in both regions with a load balancer directing traffic.
C.Use a third-party replication tool to asynchronously replicate data to the secondary region.
D.Use Cloud Storage FUSE to write state to a multi-regional bucket and read from secondary cluster.
AnswerB

Regional pd already replicates within zone; adding asynchronous cross-region replication meets RPO/RTO.

Why this answer

Option B is correct because regional persistent disks with asynchronous replication provide built-in, managed replication to a secondary region, meeting the RPO of less than 1 hour and RTO of 30 minutes without additional infrastructure costs. By deploying GKE clusters in both regions and using a load balancer, traffic can be redirected to the secondary cluster within the RTO, making this the most cost-effective approach as it avoids third-party tools or complex manual processes.

Exam trap

The trap here is that candidates often confuse the cost-effectiveness of snapshots (Option A) with the need for low RPO/RTO, overlooking that snapshot-based recovery cannot meet sub-hour RTOs due to restore times, while regional persistent disk replication provides near-continuous replication at a lower total cost than third-party tools.

How to eliminate wrong answers

Option A is wrong because zonal persistent disks with snapshots every 45 minutes cannot guarantee an RPO of less than 1 hour due to snapshot consistency delays and the time required to restore volumes in a secondary region, which would exceed the 30-minute RTO. Option C is wrong because using a third-party replication tool introduces additional licensing, operational overhead, and potential compatibility issues, making it less cost-effective than Google's native asynchronous replication. Option D is wrong because Cloud Storage FUSE introduces significant latency and consistency challenges for stateful applications, and multi-regional buckets do not provide the low-latency, consistent storage required for a stateful application's RPO and RTO targets.

947
MCQmedium

A company uses Cloud Deployment Manager to manage infrastructure. They want to roll back to a previous deployment state after a failed update. What is the recommended approach?

A.Use gcloud deployment-manager deployments rollback --deployment <name>
B.Use the --update-policy=PARTIAL flag to selectively revert changes
C.Delete the deployment and recreate it from the previous template
D.Run gcloud deployment-manager deployments update --config <previous_manifest>
AnswerD

This updates the deployment to the configuration defined in the previous manifest, effectively rolling back.

Why this answer

Deployment Manager stores the deployment manifests. You can use an update with a previous manifest to revert to a known good state. Deleting and recreating is not a rollback.

Partial updates are not supported directly.

948
MCQmedium

A company wants to migrate on-premises workloads to Google Cloud. They need to assess the existing infrastructure, plan the migration, and track progress. Which tool should they use?

A.Cloud Endpoints.
B.Cloud Deployment Manager.
C.Cloud Foundation Toolkit.
D.Migrate for Compute Engine.
AnswerD

Provides assessment and migration capabilities.

Why this answer

Migrate for Compute Engine (formerly Velostrata) is the correct tool because it is specifically designed to assess, plan, and migrate on-premises workloads to Google Cloud. It provides discovery of existing infrastructure, generates migration plans, and tracks progress through a dashboard, directly addressing the need for assessment, planning, and tracking.

Exam trap

The trap here is that candidates may confuse Cloud Foundation Toolkit (a foundation setup tool) with a migration tool, or assume Cloud Deployment Manager can handle migration planning, when in fact only Migrate for Compute Engine provides the full assessment-to-tracking workflow.

How to eliminate wrong answers

Option A is wrong because Cloud Endpoints is an API management service for securing and monitoring APIs, not a migration assessment or planning tool. Option B is wrong because Cloud Deployment Manager is an infrastructure-as-code tool for deploying Google Cloud resources using templates, not for assessing or migrating on-premises workloads. Option C is wrong because Cloud Foundation Toolkit provides Terraform templates and best practices for setting up a Google Cloud foundation (e.g., projects, networking), but it does not include discovery, assessment, or migration tracking for existing on-premises workloads.

949
MCQmedium

An organization deploys a web application on Compute Engine behind a global HTTPS load balancer. They want to reduce latency for users worldwide and minimize load on backend instances. Which GCP service should they use?

A.Cloud Armor
B.Cloud NAT
C.Cloud CDN
D.VPC Network Peering
AnswerC

Cloud CDN caches content at Google's edge locations to reduce latency and backend load.

Why this answer

Cloud CDN uses Google's global edge caches to serve content closer to users, reducing latency and backend load. Cloud Armor provides security, Cloud NAT is for outbound connectivity, and VPC peering is for network connectivity, not caching.

950
MCQmedium

An e-commerce company uses Cloud SQL for MySQL for its transactional database. They need to run complex analytical queries on the same data without impacting OLTP performance. The analytical queries should be run on a read replica with minimal lag. Which solution is BEST?

A.Use Data Studio directly on Cloud SQL primary instance
B.Migrate to Cloud Spanner to handle both workloads
C.Create a Cloud SQL read replica and run analytical queries on it
D.Export the database to BigQuery and run queries there
AnswerC

Read replicas handle read traffic, preventing impact on the primary instance for OLTP.

Why this answer

Cloud SQL read replicas can offload read traffic, including analytical queries, without affecting the primary instance. However, for heavy analytics, BigQuery is better. Using a read replica allows near-real-time data.

Cloud Spanner is not needed. Data Studio is a visualization tool.

951
MCQmedium

A company wants to connect their on-premises network to Google Cloud with a dedicated, high-bandwidth, low-latency connection that has a Service Level Agreement (SLA) of 99.99% uptime. Which connectivity option should they choose?

A.High Availability VPN (HA VPN)
B.Partner Cloud Interconnect
C.Dedicated Cloud Interconnect
D.Classic VPN
AnswerC

Dedicated Interconnect provides direct physical connection, high bandwidth, low latency, and 99.99% SLA.

Why this answer

Dedicated Cloud Interconnect provides a direct physical connection with high bandwidth, low latency, and a 99.99% SLA. Partner Interconnect uses a third-party provider and has a lower SLA. HA VPN offers 99.99% SLA but lower bandwidth.

Classic VPN has no SLA.

952
MCQhard

An organization is running a stateful workload on Compute Engine with a single persistent disk. They want to migrate to a regional persistent disk for higher availability. The disk is 500 GB and currently 80% full. They need zero downtime during the migration. What is the recommended approach?

A.Attach a new regional disk to the instance and use RAID 1 mirroring.
B.Create a snapshot of the disk, then create a new regional persistent disk from that snapshot, and attach it to the instance.
C.Use rsync to copy data to a new regional disk while the instance is running.
D.Use gcloud compute disks resize to change the disk type to regional.
AnswerB

This is the recommended migration path; snapshot creation is the only downtime window.

Why this answer

Option B is correct because creating a snapshot of the existing persistent disk and then creating a new regional persistent disk from that snapshot allows you to attach the new disk to the instance with zero downtime. The snapshot captures the disk state at a point in time, and the regional disk is created asynchronously; once available, you can detach the original disk and attach the regional disk without stopping the instance, as Compute Engine supports live disk attachment/detachment.

Exam trap

Google Cloud often tests the misconception that you can change a disk's type in-place using a resize or update command, but the only supported way to switch from zonal to regional is to create a new disk from a snapshot or image.

How to eliminate wrong answers

Option A is wrong because RAID 1 mirroring requires two disks of the same type and is not a supported feature for attaching a regional disk to a running instance; it would also require downtime to configure the RAID array. Option C is wrong because rsync does not provide a consistent point-in-time copy of a disk that is actively being written to, risking data inconsistency and requiring application-level quiescence to avoid corruption. Option D is wrong because gcloud compute disks resize does not support changing a disk's type from zonal to regional; you must create a new regional disk from a snapshot or image, not modify the existing disk.

953
MCQmedium

A company is migrating a 200 TB on-premises file server to Cloud Storage. The network bandwidth is limited to 100 Mbps. The migration must complete within 30 days. Which approach should they use?

A.Use Storage Transfer Service from another cloud
B.Use gsutil rsync over the network
C.Use Cloud Data Fusion
D.Use Transfer Appliance
AnswerD

Transfer Appliance can physically ship 200 TB of data, which can be transferred within days. This meets the 30-day requirement.

Why this answer

Transfer Appliance is a physical device that can transfer up to 480 TB in a single shipment. At 100 Mbps, transferring 200 TB over the network would take approximately 200 TB * 1024 GB/TB * 8 bits/byte / (100 Mbps) ≈ 16,384 seconds ≈ 190 days, far exceeding 30 days. Therefore, using Transfer Appliance is the only feasible option.

954
MCQmedium

A security engineer wants to ensure that all admin activity in their GCP organization is logged and retained for 3 years. They also need to be alerted if a new firewall rule is created. Which logs should they enable?

A.Data Access audit logs
B.Admin Activity audit logs
C.VPC flow logs
D.Cloud DNS logging
AnswerB

Admin Activity logs capture all create/modify/delete actions on resources like firewall rules.

Why this answer

Admin Activity audit logs record all API calls that modify configuration or metadata, such as creating firewall rules. Data Access audit logs record reads/writes to data, not admin actions. VPC flow logs record network traffic, not admin actions.

Cloud DNS logging records DNS queries.

955
MCQmedium

A web application running on Compute Engine behind a global HTTP(S) load balancer experiences high latency during traffic spikes. Which quick fix would best address this issue without changing the architecture?

A.Configure managed instance group autoscaling to add more instances.
B.Enable Cloud CDN on the load balancer.
C.Switch to a regional load balancer to reduce latency.
D.Increase the machine type of the backend instances.
AnswerA

Horizontal scaling quickly increases capacity.

Why this answer

Managed instance group (MIG) autoscaling dynamically adds more instances when CPU utilization or other metrics exceed a threshold, directly absorbing the increased traffic during spikes. This is the quickest fix because it requires no architectural changes—just configuring autoscaling parameters on the existing MIG. By scaling out horizontally, the load balancer can distribute requests across more backends, reducing per-instance load and latency.

Exam trap

Google Cloud often tests the distinction between horizontal scaling (autoscaling) and vertical scaling (increasing machine type) or caching solutions, leading candidates to choose Cloud CDN or machine type changes as a 'quick fix' when the real issue is insufficient compute capacity to handle dynamic request spikes.

How to eliminate wrong answers

Option B is wrong because enabling Cloud CDN caches static content at edge locations, which does not help with high latency caused by dynamic request processing during traffic spikes—CDN only reduces latency for cacheable content, not for the dynamic workload that is overwhelming the backend. Option C is wrong because switching to a regional load balancer would actually increase latency for global users, as it lacks the anycast IP and global distribution of the global HTTP(S) load balancer, and it requires architectural changes (e.g., changing the load balancer type). Option D is wrong because increasing the machine type (vertical scaling) is not a quick fix—it requires instance recreation or rolling update, and it does not scale as elastically as horizontal autoscaling; it also may not handle sudden spikes as effectively as adding more instances.

956
MCQeasy

A company is adopting Site Reliability Engineering (SRE) practices. After a major incident, they want to conduct a review to understand what went wrong and how to prevent recurrence, without blaming individuals. Which SRE practice should they follow?

A.Define SLOs and SLIs
B.Create an error budget policy
C.Perform capacity planning
D.Conduct a blameless postmortem
AnswerD

A blameless postmortem is an SRE practice to review incidents without blame, focusing on systemic improvements.

Why this answer

A blameless postmortem focuses on learning from incidents without assigning blame. Error budgets are for measuring reliability, SLOs/SLIs are for defining targets, and capacity planning is for scaling.

957
Multi-Selecteasy

A company is using BigQuery for data analytics. They want to optimize costs while maintaining query performance. Which TWO actions should they take? (Choose 2.)

Select 2 answers
A.Use reserved slots with flat-rate pricing.
B.Always use SELECT *.
C.Partition tables by date.
D.Materialize frequently used queries as tables.
E.Use clustering on frequently filtered columns.
AnswersC, E

Partitioning reduces the amount of data scanned, lowering costs.

Why this answer

Partitioning tables by date (Option C) is correct because it allows BigQuery to prune partitions during query execution, scanning only the relevant date ranges instead of the entire table. This reduces the amount of data processed, directly lowering query costs under on-demand pricing while maintaining performance through reduced I/O.

Exam trap

Google Cloud often tests the distinction between cost optimization and performance optimization, and the trap here is that candidates might choose reserved slots (Option A) thinking it always reduces costs, when in fact it is a pricing model that only benefits sustained high usage, not a direct cost-reduction technique for typical query patterns.

958
Multi-Selecteasy

A company deploys a critical application on Google Kubernetes Engine (GKE) and wants to ensure high availability during cluster upgrades. Which TWO practices should they follow?

Select 2 answers
A.Use a single-zone node pool with multiple replicas.
B.Use multiple node pools across different zones within the cluster.
C.Configure PodDisruptionBudgets to allow only a small number of pods to be unavailable during upgrades.
D.Enable cluster autoscaling to add nodes during upgrades.
E.Enable regional clusters for multi-zone control plane.
AnswersB, C

Multi-zone node pools allow pods to be rescheduled in other zones during upgrades.

Why this answer

Option B is correct because deploying multiple node pools across different zones ensures that if one zone fails or is taken down for maintenance, the application can continue serving from the other zones. This aligns with GKE's best practice for high availability by distributing workloads across failure domains. Option C is correct because PodDisruptionBudgets (PDBs) define the minimum number of pods that must remain available during voluntary disruptions like cluster upgrades, preventing the upgrade from taking down too many replicas at once.

Exam trap

The trap here is that candidates often confuse control plane high availability (regional clusters) with application-level high availability, or they assume autoscaling can compensate for disruption during upgrades, when in fact PDBs and multi-zone node pools are the correct mechanisms.

959
MCQeasy

A startup runs a web application on App Engine standard environment. They want to ensure the application can handle sudden traffic spikes without manual intervention. Which App Engine feature should they configure?

A.Manual scaling with a fixed number of instances.
B.Basic scaling with automatic instance creation.
C.Resident instances with a minimum number of always-on instances.
D.Custom scaling based on CPU utilization.
E.Automatic scaling with a maximum number of idle instances.
AnswerE

Automatic scaling dynamically creates instances to handle traffic spikes.

Why this answer

Option E is correct because App Engine's automatic scaling with a maximum number of idle instances is designed to handle sudden traffic spikes by dynamically creating and removing instances based on request load. This configuration allows the application to scale up quickly when traffic increases, ensuring responsiveness without manual intervention, while the maximum idle instances setting prevents over-provisioning and controls costs.

Exam trap

The trap here is that candidates often confuse 'basic scaling' with 'automatic scaling' because both involve dynamic instance creation, but basic scaling does not maintain idle instances and is unsuitable for handling sudden traffic spikes without latency.

How to eliminate wrong answers

Option A is wrong because manual scaling with a fixed number of instances requires manual intervention to adjust capacity, which does not handle sudden traffic spikes automatically. Option B is wrong because basic scaling creates instances only when a request is received and shuts them down after processing, leading to cold starts and latency under sudden spikes, and it does not maintain a pool of idle instances for immediate handling. Option C is wrong because resident instances with a minimum number of always-on instances are a feature of manual scaling, not automatic scaling, and they do not dynamically scale up or down in response to traffic spikes.

Option D is wrong because custom scaling based on CPU utilization is not a native App Engine scaling type; App Engine offers automatic, basic, and manual scaling, and custom scaling is not a supported configuration option.

960
MCQmedium

A company needs to ensure that only approved container images can be deployed to a GKE cluster. They already use Binary Authorization. What additional step is required to enforce this policy?

A.Configure a VPC Service Perimeter
B.Enable Container Registry vulnerability scanning
C.Create an attestor and attach it to a Binary Authorization policy
D.Assign the container.deployer role to the GKE service account
AnswerC

An attestor validates image signatures; the policy enforces that only attested images can be deployed.

Why this answer

Binary Authorization requires an attestor that verifies image signatures. The attestor must be created and attached to a policy that requires at least one attestation.

961
MCQeasy

A company wants to run a containerized web application that experiences unpredictable traffic spikes. They want to pay only for resources used during request processing, with no idle cost. Which compute service should they choose?

A.Google Kubernetes Engine (GKE) Autopilot
B.Cloud Run
C.App Engine Standard
D.Compute Engine with managed instance groups
AnswerB

Cloud Run scales to zero and charges per request, ideal for unpredictable traffic with no idle cost.

Why this answer

Cloud Run is a serverless container platform that scales to zero when not in use and charges per request. It eliminates idle costs. GKE Autopilot has a per-pod billing model but still incurs some cost for the cluster control plane.

App Engine Standard supports scaling to zero but is limited to specific runtimes. Compute Engine VMs incur cost for running instances even if idle.

962
MCQhard

An organization needs to store secrets used by multiple GCP services. They require automatic rotation of secrets every 30 days and integration with Cloud Functions. Which service should they use?

A.Cloud HSM
B.Cloud KMS
C.Cloud Asset Inventory
D.Secret Manager
AnswerD

Secret Manager is designed for storing secrets and supports rotation policies.

Why this answer

Secret Manager supports automatic rotation (via rotation period and next rotation time) and integrates with Cloud Functions via the API client libraries.

963
Multi-Selecthard

A company runs a latency-sensitive web application on Compute Engine in us-east1. They want to improve response times for users in Europe and Asia without changing the application architecture. Which TWO actions should they take? (Choose 2.)

Select 2 answers
A.Use preemptible VMs to reduce cost
B.Enable Cloud CDN on the load balancer
C.Deploy additional instances in us-west1
D.Create a multi-region load balancer and deploy backends in europe-west1 and asia-east1
E.Use Cloud Armor to block high-latency requests
AnswersB, D

Cloud CDN caches static content at edge locations, improving latency for all users.

Why this answer

Cloud CDN caches static content at edge locations globally, reducing latency for users worldwide. Placing a load balancer in multiple regions (multi-region load balancing with proximity-based routing) directs users to the nearest backend region. Using only us-west1 would still leave European users far away.

Cloud Armor is for security, not performance. Spot VMs are for cost savings, not latency.

964
MCQeasy

A company wants to use Cloud Armor to protect their HTTP load balancer from SQL injection attacks. Which rule action should they configure to block malicious requests?

A.Use a pre-configured WAF rule that includes 'evaluatePreconfiguredExpr('sqli-stable')' with action 'deny(403)'.
B.Configure a rate-limiting rule with action 'rateLimit' to throttle traffic from suspicious IPs.
C.Create a rule that redirects traffic to a reCAPTCHA challenge for validation.
D.Set a security policy rule with action 'deny(403)' and a simple condition on the user-agent header.
AnswerA

Cloud Armor's pre-configured WAF rules detect common SQL injection signatures.

Why this answer

Option B is correct because Cloud Armor's pre-configured WAF rules include 'sqli' to detect SQL injection patterns. Option A is wrong because 'deny(403)' alone does not inspect the request body. Option C is wrong because 'rateLimit' limits request rate but does not inspect for SQL injection.

Option D is wrong because 'redirect' does not block.

965
MCQhard

A company is migrating a large Oracle database (5 TB) from on-premises to Cloud SQL for PostgreSQL. They require minimal downtime and automated schema conversion. Which Google Cloud service should they use?

A.Velostrata (Migrate for Compute Engine)
B.Transfer Appliance
C.Database Migration Service (DMS)
D.Storage Transfer Service
AnswerC

DMS supports Oracle to Cloud SQL for PostgreSQL migration with minimal downtime and automated schema conversion.

Why this answer

Database Migration Service (DMS) supports homogeneous and heterogeneous migrations with minimal downtime and includes schema conversion for Oracle to PostgreSQL via the Database Migration Service with converters. Velostrata is for VM migration, Transfer Appliance for bulk data, and Storage Transfer Service for cloud-to-cloud data.

966
MCQeasy

A company runs a web application on Compute Engine instances behind a global HTTP(S) Load Balancer. The application uses Cloud SQL for MySQL for user data. Users report that during peak hours, the page load times increase significantly. The development team notices that the number of database connections exceeds the maximum allowed, causing some requests to fail. The application is designed to use connection pooling with a maximum pool size of 100 connections per instance. There are currently 10 instances. The Cloud SQL instance is configured with 4 vCPUs and 15 GB memory, and the maximum connections is set to 400. The application team wants to minimize cost while resolving the issue. What should the architect recommend?

A.Reduce the max pool size per instance to 40 connections.
B.Increase the Cloud SQL instance tier to have more vCPUs and memory.
C.Implement connection pooling at the global HTTP(S) Load Balancer level.
D.Use Cloud SQL Proxy with connection pooling.
AnswerA

This reduces total connections to 400, matching the Cloud SQL max and resolving the issue at no extra cost.

Why this answer

Option B is correct. With 10 instances each using a pool of 100 connections, the potential connections is 1000, far exceeding the Cloud SQL max of 400. Reducing the pool size to 40 per instance brings the total to 400, fitting within the limit without additional cost.

Option A increases cost unnecessarily as the current tier can handle the load when connections are properly sized. Option C is not feasible because load balancers do not manage database connection pooling. Option D does not reduce the total connection count and adds complexity without solving the core issue.

967
MCQhard

An organization runs a Kubernetes cluster on GKE with cluster autoscaling enabled. They notice that pods are frequently in 'Pending' state due to insufficient CPU, but the cluster autoscaler does not add nodes quickly enough. What is the most likely cause?

A.The cluster autoscaler is using the 'least-waste' expander.
B.The horizontal pod autoscaler (HPA) is misconfigured.
C.The pod disruption budget (PDB) is too restrictive.
D.The node pool has reached the maximum node count limit.
AnswerD

Cluster autoscaler cannot exceed max node limit.

Why this answer

Option D is correct because the cluster autoscaler cannot add new nodes if the node pool has already reached its maximum node count limit. This limit is configured at the node pool level in GKE, and once reached, the autoscaler will not scale up further, leaving pods in 'Pending' state due to insufficient CPU resources.

Exam trap

Google Cloud often tests the distinction between pod-level scaling (HPA) and node-level scaling (cluster autoscaler), and the trap here is that candidates confuse a restrictive PDB with a node pool limit, or assume the expander strategy directly causes scaling delays.

How to eliminate wrong answers

Option A is wrong because the 'least-waste' expander selects a node pool that minimizes resource waste after scaling, but it does not prevent the autoscaler from adding nodes; it only affects which node pool is chosen. Option B is wrong because the HPA scales pods based on CPU or memory utilization, not nodes; a misconfigured HPA would cause incorrect pod scaling, not a delay in node addition by the cluster autoscaler. Option C is wrong because a pod disruption budget (PDB) controls the number of pods that can be voluntarily disrupted during maintenance or upgrades, not the ability of the cluster autoscaler to add nodes.

968
Multi-Selectmedium

A team is building a CI/CD pipeline for a Java application that will run on GKE. They want to automatically build the application, run unit tests, create a Docker image, push it to Artifact Registry, and deploy to GKE. Which two GCP services should be combined? (Choose two.)

Select 2 answers
A.Cloud Functions
B.Compute Engine
C.Cloud Run
D.Cloud Deploy
E.Cloud Build
AnswersD, E

Cloud Deploy can manage delivery pipelines to deploy to GKE.

Why this answer

Cloud Build handles the build and test steps, builds the Docker image, and pushes to Artifact Registry. Cloud Deploy manages the deployment to GKE. Cloud Run is serverless; Cloud Functions is event-driven; Compute Engine is VMs.

969
Multi-Selecteasy

Which TWO methods can be used to encrypt data at rest in BigQuery?

Select 2 answers
A.Use a Cloud Storage bucket with bucket-level default encryption.
B.Use Customer-Managed Encryption Keys (CMEK) via Cloud KMS.
C.Use Cloud SQL with encryption at rest.
D.Use Customer-Supplied Encryption Keys (CSEK).
E.Use Cloud Bigtable with encryption at rest.
AnswersB, D

BigQuery tables can use CMEK.

Why this answer

BigQuery supports both CMEK (Cloud KMS key) and CSEK (customer-supplied encryption key) for data at rest encryption. Option C is for Cloud Storage, not BigQuery. Option D is for Cloud SQL.

Option E is for Bigtable.

970
MCQhard

A company uses Cloud Key Management Service (Cloud KMS) with a customer-managed encryption key (CMEK) to encrypt data in BigQuery. They want to ensure the key can only be used by the BigQuery service account in the 'us-central1' region. Which IAM condition should be added to the key's IAM policy?

A.resource.name.startsWith('projects/_/locations/us-central1') && request.auth.principal == 'bigquery@system.gserviceaccount.com'
B.resource.name.startsWith('projects/_/locations/global') && request.auth.principal == 'bigquery@system.gserviceaccount.com'
C.resource.name.startsWith('projects/_/locations/us-central1') && request.auth.principalSet == 'serviceAccount:bq-<project-number>@bigquery-encryption.iam.gserviceaccount.com'
D.resource.service == 'bigquery.googleapis.com' && resource.location == 'us-central1'
AnswerC

This condition restricts the key to the us-central1 location and the BigQuery encryption service account.

Why this answer

IAM conditions allow restricting access based on attributes like region and service account. The condition must check the 'destination_service' for BigQuery and the 'region' for us-central1.

971
MCQmedium

Refer to the exhibit. A user alice@example.com is unable to list objects in bucket 'bucket-b'. What is the most likely reason?

A.The condition restricts access only to bucket-a.
B.The IAM policy is missing the roles/storage.objectAdmin role.
C.The condition expression is invalid.
D.The user needs the roles/storage.legacyBucketReader role.
AnswerA

The condition expression limits the role to buckets with names starting with 'bucket-a'.

Why this answer

Option B is correct. The IAM condition restricts the storage.objectViewer role to only objects whose name starts with 'bucket-a'. Since alice is trying to list objects in bucket-b, the condition prevents access.

Option A is incorrect because the objectViewer role is sufficient to list objects. Option C is incorrect because legacyBucketReader is not required for listing. Option D is incorrect because the condition expression is valid.

972
MCQhard

A company wants to allow a Kubernetes pod in GKE to access a Cloud Storage bucket using the pod's own identity, without managing long-lived credentials. They have created a Google service account (GSA) and a Kubernetes service account (KSA). What should they do to bind the KSA to the GSA?

A.Create a service account key and mount it as a secret in the pod
B.Add an annotation to the KSA referencing the GSA, and grant the KSA the iam.workloadIdentityUser role on the GSA
C.Grant the GSA the roles/iam.serviceAccountUser role on the project
D.Add an annotation to the GSA referencing the KSA, and grant the KSA the iam.workloadIdentityUser role on the GSA
AnswerB

This is the correct configuration for Workload Identity: annotate the KSA with the GSA email, and grant the KSA the workload identity user role on the GSA.

Why this answer

Workload Identity allows you to configure a KSA to act as a GSA by adding an annotation to the KSA and granting the GSA the necessary IAM role. The GSA does not impersonate the KSA; the KSA impersonates the GSA. The annotation is set on the KSA, not the pod.

The GSA does not need to be bound to the KSA via an IAM role on the KSA.

973
MCQhard

A financial services company uses Cloud Storage to store sensitive transaction records. They need to ensure that objects cannot be deleted or overwritten for a retention period of 7 years, even by the bucket owner. Which feature should they enable?

Answer options not yet available.

Why this answer

Bucket Lock with retention policy enforces a minimum retention period for objects. Once locked, the retention policy cannot be removed, preventing deletion or overwrite. Object versioning helps but can be overwritten.

Hold policies are temporary. IAM policies can be overridden by owner.

974
MCQeasy

A development team uses Cloud Build for their CI/CD pipeline. They want to reduce build times. Which action is most effective?

A.Store build artifacts in a Cloud Storage bucket and reuse them
B.Enable parallel builds by separating build steps into multiple jobs
C.Use more powerful build machines by specifying larger machine types
D.Use a Cloud Run service to run builds asynchronously
AnswerB

Parallelizing independent steps reduces overall build duration.

Why this answer

Enabling parallel builds by separating build steps into multiple jobs reduces total build time by running independent steps concurrently. Other options are less effective or add complexity.

975
Multi-Selecteasy

A company needs to store and serve large media files (each up to 5 GB) to users globally. The files are accessed infrequently (once a quarter) but must be available with low latency. Which THREE Cloud Storage classes and features should they consider? (Choose three.)

Select 3 answers
A.Coldline storage class
B.Standard storage class
C.Cloud CDN
D.Object lifecycle management
E.Nearline storage class
AnswersC, D, E

Cloud CDN caches content at edge locations for low-latency global access.

Why this answer

Nearline is suitable for data accessed less than once a month. Cloud CDN caches content at edge locations for low latency. Object lifecycle management can transition objects to colder storage automatically.

Standard is for frequently accessed data. Coldline is for data accessed less than once a quarter. Archive is for data accessed less than once a year.

Page 12

Page 13 of 14

Page 14