CCNA Pcde Bootstrapping Org Questions

75 of 84 questions · Page 1/2 · Pcde Bootstrapping Org topic · Answers revealed

1
MCQ · hard

A team uses Terraform with remote state stored in a GCS bucket. They are implementing policy as code using Conftest to validate Terraform plans before apply. The Conftest checks run in a CI/CD pipeline. Which approach ensures that Conftest policies are enforced consistently across all Terraform workspaces?

A. Use Terraform Cloud's Sentinel policies instead of Conftest, as they are more integrated.
B. Create a separate Git repository for Conftest policies. In the CI/CD pipeline, clone this repo and run conftest test against the Terraform plan.
C. Embed Conftest policies directly into the Terraform modules using JSON files.
D. Store Conftest policies in each Terraform workspace's directory and reference them in the pipeline configuration.
Answer: B

A centralized policy repository ensures all workspaces use the same up-to-date policies.

Why this answer

Conftest evaluates Rego policies against structured input, here the plan exported as JSON with terraform show. To enforce the same rules everywhere, keep the policies version-controlled in one repository and have the pipeline fetch them before running conftest test against the plan, so every workspace is checked against the same set. In practice, pin the pipeline to a tagged release or commit of the policy repository rather than its latest commit: a policy change then rolls out deliberately, and a failed plan is reproducible. Option D spreads copies of the policies across workspaces, which is exactly how they drift apart; option C ties policy to module code, so a module author can weaken the rules that are supposed to constrain them.

2
MCQ · hard

A DevOps team is using Terraform to manage infrastructure. They have a module that creates a Cloud Storage bucket. They want to reference the bucket's URL in another part of the configuration without hardcoding. Which approach should they use?

A. Use a shared Terraform workspace to access the bucket across configurations.
B. Use Terraform outputs and a remote state data source to read the bucket URL from the state of the configuration that created it.
C. Use a Terraform data source for the bucket, such as google_storage_bucket.
D. Store the bucket URL in a variable and pass it manually.
Answer: B

Remote state data sources allow you to fetch outputs from another Terraform state, enabling cross-configuration references.

Why this answer

The terraform_remote_state data source lets one configuration read the outputs of another configuration's state file stored in a backend such as GCS; the creating configuration exposes the bucket URL as an output and the consumer references it. Two caveats: the reader needs read access to the whole state object and sees everything in it, not only the outputs, so treat the state as sensitive and scope that access narrowly; and option C is also workable when the bucket name is already known, since the google_storage_bucket data source reads the live resource rather than another team's state file.

3
MCQ · hard

An organization wants to restrict the creation of Compute Engine instances in their Google Cloud organization to only certain regions. Which organization policy constraint should they use?

A. constraints/gcp.resourceLocations
B. compute.requireShieldedVm
C. constraints/compute.vmExternalIpAccess
D. iam.allowedPolicyMemberDomains
Answer: A

This is the correct constraint to limit the allowed locations for resource creation.

Why this answer

constraints/gcp.resourceLocations is a list constraint that restricts where supported resources can be created. Its allowed values can be individual regions or predefined value groups, and it can be set at the organization, folder or project level and inherited downward. It is evaluated at creation time, so resources that already exist outside the allowed locations are not moved or deleted.

4
MCQ · hard

An organization wants to implement least-privilege IAM for their DevOps team. They need permissions to manage Compute Engine instances but not to create or delete them. Which IAM role should be assigned?

A. roles/compute.networkAdmin
B. roles/compute.admin
C. roles/compute.instanceAdmin.v1
D. roles/compute.viewer
Answer: C

Among the four options this is the narrowest role that still lets the team operate instances; see the caveat below about create and delete.

Why this answer

Among the options, roles/compute.instanceAdmin.v1 is the narrowest role that lets the team operate instances: start, stop, reset, change metadata, attach disks. Be aware, though, that this predefined role also carries compute.instances.create and compute.instances.delete, so it does not by itself satisfy a strict "no create or delete" requirement. It is the best available answer only because the other three options are broader (compute.admin), read-only (compute.viewer) or unrelated to instances (networkAdmin). To actually exclude creation and deletion, define a custom role containing only the compute.instances.* permissions the team needs, as question 9 on this page discusses.

Exam trap

Candidates assume that a role with "admin" in its name is always broader than one named "instanceAdmin", or that networkAdmin covers instances because VMs have network interfaces. A second trap is taking a question's description of a predefined role at face value: check the published permission list, because instanceAdmin.v1 does include lifecycle permissions.

How to eliminate wrong answers

Option A is wrong because roles/compute.networkAdmin manages networking resources such as VPCs, subnets, firewall rules and routes, not instances. Option B is wrong because roles/compute.admin grants full control over every Compute Engine resource (instances, disks, images, networks), far more than the team needs. Option D is wrong because roles/compute.viewer is read-only and cannot start, stop or modify anything. Option C is the closest fit of the four, with the caveat that it still includes create and delete.

5
MCQ · medium

A company is setting up a new Google Cloud organization. The DevOps team wants to enforce that all Compute Engine instances are created only in us-central1 or europe-west1. Which approach should they use?

A. Set an IAM policy on the organization to allow Compute Engine instances only in those regions.
B. Configure a VPC Service Controls perimeter to restrict resource creation to allowed regions.
C. Use Cloud Deployment Manager to enforce regions via a template that validates location.
D. Create an organization policy with constraint `resourceLocations` and set allowed values to `us-central1` and `europe-west1`.
Answer: D

The `resourceLocations` constraint restricts the regions where resources can be created.

Why this answer

Option D is correct because the `constraints/gcp.resourceLocations` organization policy constraint is specifically designed to restrict the set of Google Cloud locations where resources can be created. By setting allowed values to `us-central1` and `europe-west1`, the DevOps team enforces that Compute Engine instances (and other supported resources) can only be provisioned in those regions. The policy is evaluated at resource creation time and, when set at the organization level, is inherited by every folder and project beneath it unless a descendant explicitly overrides it.

Exam trap

Candidates often confuse IAM policies (who can act) with organization policies (what can be done, and where), leading them to select option A, which cannot enforce regional restrictions.

How to eliminate wrong answers

Option A is wrong because IAM policies control who can perform actions (e.g., compute.instances.create), not where resources can be created; they cannot restrict creation to specific regions. Option B is wrong because VPC Service Controls guards against data exfiltration by controlling API access to services within a perimeter, not by enforcing region restrictions on resource creation. Option C is wrong because Cloud Deployment Manager templates can validate region parameters, but they are not enforced at the organization level and are bypassed by anyone creating resources through the console, gcloud or another tool.

6
MCQ · medium

A DevOps engineer needs to ensure that no Compute Engine VM in the organization can have an external IP address, except for a specific set of approved projects. Which organization policy configuration should they use?

A. Use 'constraints/compute.vmExternalIpAccess' with a condition that denies external IPs unless the project has a specific label.
B. Set the policy 'constraints/compute.vmExternalIpAccess' to 'Allowed' at the organization level and 'Denied' on each project except the approved ones.
C. Create a custom constraint to block external IPs and apply it to all projects except the approved ones.
D. Set 'constraints/compute.vmExternalIpAccess' to 'Deny' at the organization level, then create a tag-based condition to allow external IPs for approved projects.
Answer: D

This is the correct method: deny at org level, then use conditions to allow for projects with a specific tag.

Why this answer

constraints/compute.vmExternalIpAccess is a list constraint whose values are instance paths, so "deny" here means a rule that denies all values. Organization policies support inheritance and conditional rules, and the conditions are evaluated against resource tags, not labels, which is why option A does not work as written. The pattern is: one unconditional deny-all rule at the organization level, plus a conditional allow-all rule whose expression matches a tag bound to the approved projects, for example resource.matchTag('ORGANIZATION_ID/env', 'approved-external-ip') where ORGANIZATION_ID is the numeric organization ID. Tags bound to a folder or project are inherited by the resources under it, so approving a project is a matter of binding the tag rather than editing policy. Option B is both inverted (allow by default) and unmaintainable, since every new project would need its own deny.

7
MCQ · medium

An organization wants to centralize cost management across multiple projects. They need to analyze spending trends and set budget alerts. Which combination of services should they use?

A. Use the Cloud Billing API to retrieve cost data and store in Firestore for querying.
B. Export billing data to Cloud Storage and use Cloud Logging for analysis.
C. Export billing data to BigQuery and set up budgets with alert thresholds.
D. Enable Cloud Billing reports and configure Slack notifications via webhooks.
Answer: C

BigQuery enables powerful analysis, and budgets with alerts provide cost control.

Why this answer

For cost analysis, the billing export to BigQuery provides line-item data that can be queried by project, service, SKU and label. Budgets and alerts are configured on the billing account and notify by email or through a Pub/Sub topic. Note that a budget only notifies; it does not cap spending, so any hard stop (for example detaching billing from a runaway project) has to be automated on top of the Pub/Sub notification.

8
Multi-Select · medium

A company is designing a landing zone for a large enterprise with multiple business units. They need to implement cost tracking and billing management. Which TWO actions should they take?

Select 2 answers
A. Create a separate billing account for each project.
B. Set up budgets and alerts for each project to monitor spending.
C. Enable billing export to BigQuery for detailed cost analysis.
D. Use resource labels to tag resources with project, team, and environment metadata.
E. Use Cloud Armor to restrict access to billing data.
Answers: C, D

Export to BigQuery allows custom queries and reporting.

Why this answer

Labels can be applied to resources for cost breakdown in billing reports. Billing export to BigQuery enables detailed analysis. Budgets and alerts provide notifications but do not enable tracking at the resource level.

Using a billing account per project would be inefficient.

9
Multi-Select · medium

A company wants to enforce least-privilege IAM for their DevOps team. They need to grant permissions to manage Compute Engine instances but not to delete them. Which TWO approaches should they use?

Select 2 answers
A. Use a predefined role with an IAM condition that denies delete operations.
B. Grant the `roles/compute.instanceAdmin.v1` role.
C. Grant the `roles/owner` role at the project level.
D. Grant the `roles/compute.admin` role.
E. Create a custom role with only the necessary permissions (e.g., compute.instances.create, compute.instances.update) and assign it.
Answers: A, E

A custom role is the direct way to leave a permission out; option A is the exam's shorthand for layering a restriction on top of a predefined role.

Why this answer

Predefined roles like `roles/compute.instanceAdmin.v1` include delete permissions, so options B and D grant exactly what must be withheld, and `roles/owner` is broader still. Custom roles allow fine-grained selection of specific permissions, so the simplest correct approach is a custom role containing compute.instances.create, compute.instances.update and the other operational permissions, but not compute.instances.delete. On option A, be precise about the mechanism: an IAM condition on a role binding can limit when or on which resources the binding applies (by time, resource name or type), but it cannot subtract an individual permission from the role. What the option describes is closer to an IAM deny policy, which can block compute.instances.delete for a set of principals regardless of their allow bindings. Either way, a custom role is the cleaner answer.

10
MCQ · medium

An organization wants to track cloud costs per team and per project. They have already enabled billing export to BigQuery. What additional step should they take to enable cost attribution?

A. Create separate billing accounts per team
B. Apply labels to resources (team, environment) and query BigQuery billing export
C. Use resource hierarchy folders to track costs
D. Enable VPC flow logs for cost tracking
Answer: B

Labels are designed for cost attribution.

Why this answer

Labels are key-value pairs attached to resources. By applying labels like `team` and `environment`, billing data in BigQuery can be queried to attribute costs.

11
MCQ · hard

A DevOps engineer is using Terraform and wants to reference outputs from another Terraform configuration that manages networking. Which approach should they use?

A. Use Cloud Shell environment variables
B. Use `terraform_remote_state` data source pointing to the networking project's GCS state
C. Use Terraform Cloud's variable sets
D. Hardcode the networking values in variables
Answer: B

This data source retrieves outputs from another state file.

Why this answer

The `terraform_remote_state` data source is the correct approach because it allows one Terraform configuration to read the latest outputs (e.g., VPC self links, subnet CIDRs) from another configuration's state file stored in a remote backend like Google Cloud Storage (GCS). This avoids hardcoding or manual copying of values, keeps the two configurations consistent, and makes the dependency explicit. By pointing to the networking project's GCS state, the engineer can reference outputs such as `data.terraform_remote_state.network.outputs.vpc_id` instead of maintaining copies in variable files. One security caveat: the data source downloads the entire state file, not only the outputs, so the reading identity needs read access to that state object and can see every attribute in it. Treat the networking state as sensitive, grant read access on that object only to the configurations that need it, and keep secrets out of it.

Exam trap

A common misconception is that environment variables or variable sets can substitute for cross-configuration state sharing, but the only native Terraform mechanism for reading outputs from another configuration's state is `terraform_remote_state`.

How to eliminate wrong answers

Option A is wrong because Cloud Shell environment variables are ephemeral, session-specific, and not designed for cross-configuration state sharing; they would require manual export each time and break automation. Option C is wrong because Terraform Cloud variable sets share common input variables across workspaces; they cannot fetch another configuration's outputs. Option D is wrong because hardcoding networking values defeats the purpose of Infrastructure as Code, duplicates data, and silently goes stale when the networking configuration changes.

12
MCQ · medium

A team is migrating from Cloud Deployment Manager to Terraform. They need to manage state for multiple environments (dev, staging, prod) using a single Terraform configuration. Which Terraform feature should they use to achieve this?

A. Use Terraform data sources to switch between environments.
B. Use Terraform workspaces, with each workspace mapping to an environment and storing state in the same GCS bucket with workspace-specific prefixes.
C. Use Terraform modules with different variable files for each environment.
D. Create separate Terraform configurations in separate directories.
Answer: B

Workspaces provide isolated state per environment while using the same configuration.

Why this answer

Terraform workspaces let a single configuration manage multiple distinct state files. With a GCS backend configured once (e.g., `prefix = "terraform/state"`), Terraform stores each workspace's state as a separate object under that prefix, named after the workspace (the default workspace is `default`), so mapping workspaces to dev, staging and prod gives isolated state without duplicating configuration code. One caveat a practitioner should weigh: all workspaces share the same backend and the same credentials, so a pipeline that can apply to dev can usually also select prod. Where production needs a hard trust boundary, teams often keep a separate backend or project for it and reserve workspaces for environments that share one.

Exam trap

A common misconception is that workspaces are only for code branching or that variable files alone can isolate state, but workspaces are specifically designed for state isolation with a single configuration and backend.

How to eliminate wrong answers

Option A is wrong because data sources fetch or compute data from providers; they cannot separate state files or switch environments. Option C is wrong because modules with different variable files only provide input parameterization, not separate state storage; all environments would still share the same state file unless combined with workspaces or separate backends. Option D is wrong because separate directories duplicate code and increase maintenance overhead, whereas workspaces achieve the same isolation with a single configuration.

13
MCQ · medium

An organization wants to enforce that all Compute Engine instances in their Google Cloud organization are created with Shielded VM enabled. What is the MOST effective way to enforce this requirement?

A. Configure a VPC Service Controls perimeter to only allow Shielded VMs.
B. Set an organization policy with the constraint compute.requireShieldedVm at the organization level.
C. Create a custom IAM role that only allows creating VMs with Shielded VM enabled.
D. Use Cloud Audit Logs to detect non-compliant VMs and trigger a Cloud Function to delete them.
Answer: B

This organization policy denies creation of VMs that do not have Shielded VM enabled, enforcing the requirement.

Why this answer

Organization policies are preventive: constraints/compute.requireShieldedVm rejects any new VM that does not use a Shielded VM-compatible image, so creation fails rather than succeeding and being cleaned up later (option D is detective and leaves a window). Two caveats before enforcing it organization-wide: VMs built from images without Shielded VM support, such as older custom images, will no longer be creatable, so check image compatibility first; and existing VMs are not modified by the policy, so non-compliant instances that predate it have to be found and remediated separately. IAM roles (option C) cannot express conditions on how a VM is configured, and VPC Service Controls (option A) governs API access to a perimeter, not instance configuration.

14
MCQ · easy

A company wants to ensure that all new projects created in their Google Cloud organization automatically inherit a set of baseline IAM roles for the security team. Which approach should they use?

A. Grant the roles at the folder or organization level.
B. Use Cloud Audit Logs to detect new projects and trigger a Cloud Function to add roles.
C. Grant the roles at the project level after each project is created.
D. Use a custom script that runs periodically to add roles.
Answer: A

IAM inheritance means roles granted at higher levels are inherited by all projects underneath.

Why this answer

IAM roles can be granted at the folder or organization level, and they are inherited by all child projects. Granting roles at the organization level ensures every new project inherits them automatically.

15
MCQ · easy

A DevOps team wants to implement policy-as-code to enforce that all Terraform configurations comply with security rules before deployment. Which tool is most appropriate for pre-commit policy checks on Terraform plans?

A. Google Cloud Deployment Manager
B. Conftest
C. Open Policy Agent (OPA)
D. Sentinel
Answer: B

Conftest is specifically designed for policy checks on configuration files, including Terraform, using OPA's Rego language.

Why this answer

Conftest is a command-line tool that evaluates Rego policies against structured configuration files, including Terraform HCL and the JSON export of a Terraform plan. Because it is a single binary with no server, it fits pre-commit hooks and CI/CD steps. OPA (option C) is the engine Conftest is built on and can be used directly, but Conftest is the purpose-built wrapper for this job; Sentinel is tied to Terraform Cloud and Enterprise rather than local checks.

16
MCQ · hard

A team uses Terraform with a GCS backend. After a failed apply, the state file is corrupted. How can they recover to the last known good state?

A. Use 'terraform force-unlock' to release the lock and then 'terraform apply' again
B. Run 'terraform state rm' to remove corrupted resources and re-import
C. Restore a previous version of the state file from GCS object versioning
D. Manually edit the state file in GCS using the JSON editor
Answer: C

If bucket versioning is enabled, you can restore a previous version of the state file to recover.

Why this answer

With object versioning enabled on the GCS bucket, every write of the state object is retained as a separate generation, so the team can list the generations of the state object and copy the last good one over the live object. Versioning has to be on before the incident; it recovers nothing retroactively, which is why enabling it is part of bootstrapping the backend. After restoring: release any stale lock the failed apply left behind (the force-unlock in option A is a follow-up step, not a recovery on its own), then run a plan before applying. Resources that the failed apply did create in Google Cloud are missing from the restored state, so the plan will propose creating them again; import them or accept the recreation deliberately rather than applying blindly. Options B and D edit state by hand, which is error-prone and discards the audit trail that versioning provides.

17
MCQ · medium

A company wants to implement granular cost tracking for their cloud resources. They need to attribute costs to specific teams and environments. Which approach should they use?

A. Use separate projects for each team and environment, and analyze costs per project.
B. Use separate billing accounts for each team.
C. Apply labels to resources, such as 'team:engineering' and 'environment:prod', and use billing export to BigQuery for cost analysis.
D. Enable cost attribution in Cloud Monitoring.
Answer: C

Labels enable cost breakdown by any dimension, and BigQuery export allows custom queries.

Why this answer

Labels are key-value pairs that can be applied to resources. By using labels like 'team' and 'environment', costs can be broken down in billing reports and BigQuery exports.
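Cost attribution over the BigQuery billing export, as an added Python example that is not part of this page and works offline on constructed rows shaped like the export's schema: labels are a repeated key/value record, and credits are a repeated record whose negative amounts are added to cost to get net spend. It groups net cost by the team and environment labels (questions 8, 10 and 17) and reports the share of spend that carries no team label, which is the number to watch when labels are the attribution mechanism. In BigQuery the same grouping is an UNNEST over the labels column; the row values here are invented.

```python
from collections import defaultdict

# Constructed rows mimicking the standard billing export columns that matter
# for attribution: project.id, service.description, labels[] of {key, value},
# cost, credits[] of {amount}. Values are invented for the example.
SAMPLE_ROWS = [
    {"project": {"id": "prod-web"}, "service": {"description": "Compute Engine"},
     "labels": [{"key": "team", "value": "payments"}, {"key": "environment", "value": "prod"}],
     "cost": 120.0, "credits": [{"amount": -20.0}]},            # sustained-use credit
    {"project": {"id": "prod-web"}, "service": {"description": "Cloud Storage"},
     "labels": [{"key": "team", "value": "payments"}, {"key": "environment", "value": "prod"}],
     "cost": 15.5, "credits": []},
    {"project": {"id": "dev-sandbox"}, "service": {"description": "Compute Engine"},
     "labels": [{"key": "team", "value": "search"}, {"key": "environment", "value": "dev"}],
     "cost": 40.0, "credits": [{"amount": -10.0}]},
    {"project": {"id": "dev-sandbox"}, "service": {"description": "BigQuery"},
     "labels": [], "cost": 30.0, "credits": []},                  # unlabeled: cannot be attributed
]

UNLABELED = "(unlabeled)"


def net_cost(row):
    """Net spend for one export row: list cost plus (negative) credits."""
    return row["cost"] + sum(c["amount"] for c in row.get("credits", []))


def label_value(row, key):
    """Look up one label key in the repeated labels record; missing -> UNLABELED."""
    for label in row.get("labels", []):
        if label["key"] == key:
            return label["value"]
    return UNLABELED


def attribute(rows, keys=("team", "environment")):
    """Net cost grouped by the tuple of label values for `keys`."""
    totals = defaultdict(float)
    for row in rows:
        dims = tuple(label_value(row, k) for k in keys)
        totals[dims] += net_cost(row)
    return dict(totals)


def unattributed_share(rows, key="team"):
    """Fraction of net spend with no value for `key`; >0 means the label
    policy is not being enforced somewhere (often resources created outside IaC)."""
    total = sum(net_cost(r) for r in rows)
    missing = sum(net_cost(r) for r in rows if label_value(r, key) == UNLABELED)
    return missing / total if total else 0.0


if __name__ == "__main__":
    for dims, amount in sorted(attribute(SAMPLE_ROWS).items()):
        print(f"{dims[0]:>12} / {dims[1]:<12} {amount:9.2f}")
    print(f"unattributed share of spend: {unattributed_share(SAMPLE_ROWS):.1%}")
```

The unattributed share is the useful output here: a non-zero value means some resources were created without the required labels, which is the gap a label policy in CI (or an organization-level detective check) should close.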

18
MCQ · medium

A DevOps team is designing a landing zone for a multi-team organization. They need to separate environments (prod, staging, dev) and also provide isolated projects for each team's sandbox testing. The team wants to centrally manage networking and security through a shared VPC. Which folder structure best supports this design?

A. Folders: TeamA, TeamB; inside each: prod, staging, dev projects
B. Folders: prod, staging, dev; inside each, folders for each team's project; no sandbox folder
C. Folders: prod, staging, dev, common; inside each, folders for teams with their projects; plus a sandbox folder
D. Folders: prod, staging, dev, sandbox; all projects inside with no team subfolders
Answer: C

This separates environments, teams, and shared services; sandbox projects can be placed in a separate folder with relaxed policies.

Why this answer

A common best practice is to have environment folders (prod, staging, dev) and, within each, team folders with team-specific projects. A separate 'common' folder for shared services like networking and security aligns with a landing zone design: the Shared VPC host project and logging project live there, under their own stricter policies. The 'sandbox' folder holds sandbox projects outside the environment hierarchy so that relaxed organization policies can be applied to it without loosening the environments.

19
Multi-Select · medium

A company wants to implement a landing zone with centralized logging and monitoring. Which TWO services should they use to collect and analyze logs from all projects? (Choose 2)

Select 2 answers
A. Cloud Logging
B. Cloud Monitoring
C. Pub/Sub
D. Cloud Storage
E. BigQuery
Answers: A, E

Cloud Logging aggregates logs from all projects through a central sink; BigQuery is the analysis destination.

Why this answer

Centralized logging requires Cloud Logging (to collect logs and route them through sinks) and BigQuery (for analysis and longer retention). Cloud Monitoring is for metrics, not logs. Pub/Sub is a streaming transport, not an analysis tool.

Cloud Storage can hold logs cheaply for archival but is not a query engine.

20
MCQ · hard

An organization wants to use a GitOps workflow for infrastructure deployment with Terraform. They use GitHub as the source of truth and want to automatically apply Terraform changes when a pull request is merged to the main branch. They need to review Terraform plans before apply. Which solution meets these requirements?

A. Use Cloud Source Repositories and Cloud Functions to trigger Terraform on merge.
B. Use Terraform workspaces with remote state and manual apply after merging.
C. Configure Cloud Build triggers to run `terraform apply` on every push to main.
D. Use Terraform Cloud with VCS integration: plan on pull request, apply on merge to main.
Answer: D

Terraform Cloud's VCS workflow supports plan on PR and auto-apply on merge.

Why this answer

Terraform Cloud / Enterprise supports VCS-driven workflows with speculative plans on pull requests and automatic applies on merges. Atlantis is a self-hosted option that also does plan on PR and apply on merge. Cloud Build would require custom scripting to post the plan on the PR and gate the apply, and option C as written applies without any review.

Cloud Source Repositories is a Git host but lacks a native plan/apply workflow.

21
Multi-Select · hard

A DevOps team is adopting trunk-based development for their Terraform configurations. They want to ensure that all changes are tested before being applied to production. Which THREE practices should they implement?

Select 3 answers
A. Create long-lived feature branches to develop infrastructure changes.
B. Require manual approval before applying changes from main to production.
C. After merge to main, run `terraform apply` automatically in the CI pipeline.
D. Use a single environment (production) only to reduce complexity.
E. Run `terraform plan` in a CI pipeline on feature branches before merge.
Answers: B, C, E

Even in trunk-based development, approval gates for production are recommended.

Why this answer

Trunk-based development uses short-lived branches merged frequently to main, so option A is the opposite of the practice. Running `terraform plan` in CI on feature branches (E) gives early feedback and makes the proposed change reviewable before merge. Applying from main automatically (C) keeps main and the deployed infrastructure in step for lower environments, while the production apply sits behind a manual approval gate (B); the two are complementary, not contradictory, because the gate is scoped to production. Having only production (D) removes the place where changes are tested.

Running `terraform validate` (and a formatting check) in the same pipeline catches syntax and structural errors before the plan stage.

22
MCQ · easy

A DevOps engineer is designing a shared VPC topology for a multi-project environment. Which service project permission allows a project to use subnets from a host project?

A. compute.networkUser on the host project
B. resourcemanager.projectIamAdmin on the service project
C. compute.networkAdmin on the host project
D. compute.instanceAdmin on the service project
Answer: A

This role grants permission to use the host project's VPC networks and subnets.

Why this answer

Shared VPC permissions are granted to principals rather than to the project itself: the users and service accounts in the service project that will create VMs need roles/compute.networkUser, granted either on the whole host project or, for tighter scoping, on individual subnets. Separately, a Shared VPC Admin (roles/compute.xpnAdmin, typically granted at the organization or folder level) must enable the host project and attach the service project to it. compute.networkAdmin is for managing the network itself, not for consuming it, and the service-project roles in options B and D say nothing about the host project's subnets.

23
MCQ · easy

An organization wants to enforce that all Cloud Run services are not publicly accessible. Which organization policy should they use?

A. `compute.vmExternalIpAccess`
B. `run.allowedIngress`
C. `iam.allowedPolicyMemberDomains`
D. `cloudrun.allowedIngress`
Answer: B

This constraint controls ingress settings for Cloud Run services.

Why this answer

The `run.allowedIngress` organization policy constraint controls the ingress settings Cloud Run services may use, letting administrators restrict traffic to internal sources (`internal` or `internal-and-cloud-load-balancing`). A deployment that requests `all` is rejected, which blocks direct public HTTP(S) access at the platform level. Like other organization policy constraints it is checked on create and update rather than rewriting existing services, so audit services deployed before the policy separately. Note also that ingress is a network control only: a service with internal ingress can still have a public IAM invoker grant, so organizations that also want to forbid `allUsers` bindings pair this constraint with `iam.allowedPolicyMemberDomains`.

Exam trap

Candidates confuse the valid constraint `run.allowedIngress` with the non-existent `cloudrun.allowedIngress`, since Cloud Run's service prefix in organization policies is `run`, and they may also apply VM-focused constraints like `compute.vmExternalIpAccess` to serverless services.

How to eliminate wrong answers

Option A is wrong because `compute.vmExternalIpAccess` applies to Compute Engine VMs; it controls whether VMs can have external IP addresses, not ingress to serverless services. Option C is wrong because `iam.allowedPolicyMemberDomains` restricts which identities can appear in IAM policies; it complements an ingress restriction but does not control network ingress. Option D is wrong because `cloudrun.allowedIngress` is not a valid organization policy constraint name; the correct prefix is `run`.

24
MCQ · medium

A DevOps engineer is bootstrapping a new organization. They need to set up a centralized logging project to collect audit logs from all projects. What is the required step to enable cross-project log sinks?

A. Create a log sink in the central project that pulls logs from other projects.
B. Use Cloud Audit Logs API to stream logs to the central project.
C. Create a log sink in each source project with the destination set to the central project's BigQuery dataset.
D. Grant the central project's logging service account the `roles/logging.admin` role in each source project.
Answer: C

This is the correct method to aggregate logs cross-project.

Why this answer

Logs are pushed by sinks in the source, not pulled by the destination, so option A is backwards. A sink in the source project routes matching entries (all logs, or a filter such as audit logs only) to a destination in the central project, which can be a BigQuery dataset, a Cloud Storage bucket, a Pub/Sub topic or a Cloud Logging bucket. Each sink has a writer identity, a service account that Logging creates for it, and that identity must be granted write access on the destination (for example BigQuery Data Editor on the dataset); without that grant the sink fails to export and the error surfaces only in the sink's status. When bootstrapping an organization, the usual shortcut is one aggregated sink at the organization or folder level that includes child resources, which avoids creating and maintaining a sink in every project and covers projects created later.

25
MCQ · medium

An organization wants to implement policy-as-code to validate Terraform plans against security policies before applying them. They are using Terraform Cloud (TFE). Which tool is natively integrated with Terraform Cloud for policy checks?

A. Open Policy Agent (OPA)
B. Cloud Audit Logs
C. Conftest
D. Sentinel
Answer: D

Sentinel is the native policy engine for Terraform Cloud.

Why this answer

Sentinel is HashiCorp's own policy-as-code framework and has been integrated with Terraform Cloud and Terraform Enterprise since policy checks were introduced, which is the answer the exam expects. Terraform Cloud has since added native OPA policy sets as well, so OPA is no longer strictly "not integrated", but Sentinel remains the canonical answer. Conftest runs as an external CI/CD pipeline step, and Cloud Audit Logs is a detective data source, not a policy engine.

26
Multi-Select · hard

A company is adopting Infrastructure as Code with Terraform and wants to enforce policy as code using Open Policy Agent (OPA). Which THREE components are required to implement this in a CI/CD pipeline? (Choose THREE.)

Select 3 answers
A. A GCS bucket to store policy files.
B. A Terraform provider for OPA.
C. A CI/CD pipeline step that runs the policy check and fails the build on violations.
D. OPA policy files written in Rego language.
E. A tool such as Conftest or OPA itself to evaluate policies against Terraform plan JSON.
Answers: C, D, E

The pipeline must include a step to execute the policy check and enforce the result.

Why this answer

To enforce OPA policies on Terraform plans, you need: 1) policy files written in Rego, 2) a tool like Conftest or OPA itself to evaluate them against the Terraform plan JSON, and 3) a CI/CD pipeline step that runs the evaluation and fails the build if policies are violated. Policies can live in a Git repository (a GCS bucket is not required), and there is no need for a Terraform provider because the check runs on the plan output, outside Terraform.

27
Multi-Select · hard

A team uses Terraform and wants to enforce policy checks before code is committed to the repository. Which TWO tools can be used for pre-commit policy as code checks? (Choose 2)

Select 2 answers
A. Conftest
B. `terraform plan`
C. Cloud Build
D. Sentinel
E. OPA (Open Policy Agent)
Answers: A, E

Both run policy checks locally against Rego policies.

Why this answer

Conftest is designed for pre-commit checks using OPA's Rego policy language. OPA itself can be run directly or through Conftest and other tools. Sentinel is for Terraform Cloud/Enterprise, not pre-commit hooks. `terraform plan` produces the input for a policy check; it is not one.

Cloud Build runs after commit.
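The evaluation step that questions 1, 15, 26 and 27 describe, shown as an added Python example that is neither Conftest nor code from this page: it reads a Terraform plan JSON document (the output of `terraform show -json`), applies three checks that mirror organization-policy constraints discussed on this page (no external IPs, Shielded VM configuration present, resources only in allowed regions), and exits non-zero so the CI job fails. The plan document is constructed inline; the attribute names follow the Google provider's schema, and ALLOWED_REGIONS is an assumed value. In a real pipeline these checks would be Rego files evaluated by conftest test; this script exists to make the plan structure and the fail-the-build step concrete.

```python
import json
import sys

# Policy input (assumed value; an organization would keep this in its policy repo).
ALLOWED_REGIONS = {"us-central1", "europe-west1"}

# Constructed plan JSON in the shape of `terraform show -json plan.out`.
# Only the fields the checks look at are present.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "google_compute_instance.web", "type": "google_compute_instance",
         "change": {"actions": ["create"], "after": {
             "zone": "us-central1-a",
             "network_interface": [{"access_config": [{"nat_ip": None}]}],   # external IP
             "shielded_instance_config": []}}},                              # not shielded
        {"address": "google_compute_instance.api", "type": "google_compute_instance",
         "change": {"actions": ["create"], "after": {
             "zone": "europe-west1-b",
             "network_interface": [{"access_config": []}],
             "shielded_instance_config": [{"enable_secure_boot": True, "enable_vtpm": True}]}}},
        {"address": "google_storage_bucket.logs", "type": "google_storage_bucket",
         "change": {"actions": ["create"], "after": {"location": "ASIA-EAST1"}}},
        {"address": "google_compute_instance.old", "type": "google_compute_instance",
         "change": {"actions": ["delete"], "after": None}},                  # nothing to check
    ],
})


def _region_of(after):
    """Derive the landing region from zone/region/location attributes."""
    if after.get("zone"):
        return after["zone"].rsplit("-", 1)[0]        # us-central1-a -> us-central1
    for key in ("region", "location"):
        if after.get(key):
            return after[key].lower()                  # bucket locations are upper-case
    return None                                        # global resource: nothing to enforce


def deny_external_ip(rc, after):
    """Mirrors compute.vmExternalIpAccess: any access_config block means an external IP."""
    for nic in after.get("network_interface", []):
        if nic.get("access_config"):
            return f"{rc['address']}: external IP (access_config) is not allowed"
    return None


def require_shielded_vm(rc, after):
    """Mirrors compute.requireShieldedVm: a shielded config with Secure Boot must be set."""
    cfg = after.get("shielded_instance_config") or []
    if not cfg or not cfg[0].get("enable_secure_boot"):
        return f"{rc['address']}: shielded_instance_config with enable_secure_boot is required"
    return None


def restrict_region(rc, after):
    """Mirrors gcp.resourceLocations for every resource that declares a location."""
    region = _region_of(after)
    if region is not None and region not in ALLOWED_REGIONS:
        return f"{rc['address']}: region {region} not in {sorted(ALLOWED_REGIONS)}"
    return None


# (resource type the check applies to, check); None means every resource type.
POLICIES = [
    ("google_compute_instance", deny_external_ip),
    ("google_compute_instance", require_shielded_vm),
    (None, restrict_region),
]


def evaluate(plan_json):
    """Return the list of violation messages for a plan JSON document."""
    plan = json.loads(plan_json)
    violations = []
    for rc in plan.get("resource_changes", []):
        after = rc["change"].get("after")
        if after is None:                              # deletes have no post-apply state
            continue
        for rtype, check in POLICIES:
            if rtype is None or rc["type"] == rtype:
                message = check(rc, after)
                if message:
                    violations.append(message)
    return violations


def main(argv):
    plan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    violations = evaluate(plan_json)
    for message in violations:
        print("FAIL", message)
    print(f"{len(violations)} violation(s)")
    return 1 if violations else 0                      # non-zero exit fails the CI job


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Invoked with a path after `terraform plan -out=plan.out && terraform show -json plan.out > plan.json`, the script checks that plan; without an argument it checks the embedded sample and reports three violations (external IP and missing Shielded VM config on `google_compute_instance.web`, disallowed region on `google_storage_bucket.logs`). The deleted resource is skipped because its post-apply state is null, which is the edge case a policy written only against `after` has to handle.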

28
MCQ · medium

An organization wants to enforce that Compute Engine instances cannot have public IP addresses. Which organization policy constraint should be applied?

A. compute.requireOsLogin
B. compute.disableSerialPortAccess
C. compute.vmExternalIpAccess
D. iam.disableServiceAccountKeyCreation
Answer: C

This constraint controls external IP access for VMs.

Why this answer

The `constraints/compute.vmExternalIpAccess` list constraint restricts which VM instances may have external IP addresses. Setting a rule that denies all values blocks external IPs for every new or updated instance; allowed values name specific instances by path for exceptions. It does not strip addresses from instances that already have them, so existing VMs need a separate remediation pass.

29
MCQ · easy

A company wants to enforce that all Cloud Run services must not be publicly accessible. They need a preventive control rather than a detective one. Which approach should they use?

A. Use Cloud Audit Logs to monitor for public Cloud Run services and alert the security team.
B. Create a custom IAM role that denies the run.services.create permission.
C. Configure VPC Service Controls to restrict Cloud Run access to within the VPC.
D. Apply an organization policy with constraint 'constraints/run.allowedIngress' set to 'Internal and Cloud Load Balancing'.
Answer: D

This policy prevents services from being publicly accessible at creation time.

Why this answer

Organization policies are preventive: 'constraints/run.allowedIngress' set to 'Internal' or 'Internal and Cloud Load Balancing' is checked when a service is created or updated, and a deployment that asks for public ingress is rejected before it exists. Option A is purely detective. Option B is not a real control: custom IAM roles can only grant permissions, never deny them (that is what IAM deny policies are for), and blocking service creation altogether is not the requirement anyway. Option C governs API access to services inside a perimeter, not HTTP ingress to a Cloud Run endpoint. Note that ingress settings govern the network path only; pair the constraint with 'iam.allowedPolicyMemberDomains' if public invoker grants such as allUsers must also be blocked.

30
MCQ · medium

An organization wants to restrict the creation of Cloud SQL instances outside of specific regions. Which organization policy constraint should they use?

A. `compute.requireShieldedVm`
B. `iam.disableServiceAccountKeyCreation`
C. `sql.restrictPublicIp`
D. `resourceLocations`
Answer: D

This constraint restricts resource creation to specified locations.

Why this answer

The `constraints/gcp.resourceLocations` constraint is the correct organization policy to restrict Cloud SQL instance creation to specific regions. It defines the allowed locations (e.g., `us-central1`, `europe-west1`) for every supported resource type, Cloud SQL included, and can be set at the organization, folder or project level. Any attempt to create a Cloud SQL instance outside the permitted regions is denied at creation time; instances that already exist elsewhere are unaffected until recreated.

Exam trap

Candidates often confuse location-based restrictions with network-level controls (like public IP restrictions) or security-focused policies (like Shielded VM), failing to recognize that `resourceLocations` is the generic policy for controlling where any supported resource can be deployed.

How to eliminate wrong answers

Option A is wrong because `compute.requireShieldedVm` enforces Shielded VM features on Compute Engine instances, not a location restriction for Cloud SQL. Option B is wrong because `iam.disableServiceAccountKeyCreation` prevents the creation of service account keys, which is unrelated to where Cloud SQL instances are deployed. Option C is wrong because `sql.restrictPublicIp` controls whether Cloud SQL instances can have public IP addresses, not the geographic region of the instance.

31
Multi-Selectmedium

A team wants to enforce that all Compute Engine disks must be encrypted with Customer-Managed Encryption Keys (CMEK) stored in Cloud Key Management Service (KMS). Which TWO steps should they take? (Choose two.)

Select 2 answers
A.Apply an organization policy 'constraints/compute.requireCmek' at the desired level.
B.Create a KMS key ring and key in the same region as the disks.
C.Use gcloud commands to encrypt all existing disks with the KMS key.
D.Enable the Cloud KMS API in each project where the policy is enforced.
E.Grant the cloudkms.cryptoKeyEncrypterDecrypter role to the Compute Engine service account.
AnswersA, B

This policy enforces that all disks use CMEK.

Why this answer

Option A is correct because the organization policy constraint 'constraints/compute.requireCmek' enforces that all new Compute Engine disks in the specified hierarchy must be encrypted with a Customer-Managed Encryption Key (CMEK) from Cloud KMS. This policy prevents the creation of unencrypted disks or disks encrypted with Google-managed keys, ensuring compliance with security requirements.

Exam trap

The trap here is that candidates often confuse which principal needs the KMS role (it is the Compute Engine Service Agent, not the default Compute Engine service account) and mistakenly think that enabling the Cloud KMS API is a step that enforces the policy, rather than a prerequisite for using CMEK keys.

32
Multi-Selectmedium

A company wants to implement least-privilege access for service accounts. Which THREE practices should they follow? (Choose 3)

Select 3 answers
A.Use Workload Identity Federation instead of service account keys.
B.Grant primitive roles for simplicity.
C.Use predefined roles to ensure compatibility.
D.Regularly rotate service account keys.
E.Create custom roles with only necessary permissions.
AnswersA, D, E

Eliminates the need to manage keys.

Why this answer

Workload Identity Federation allows workloads running outside Google Cloud (e.g., on-premises, AWS, Azure) to authenticate to Google Cloud APIs without using long-lived service account keys. By exchanging tokens from an external identity provider for short-lived Google Cloud access tokens, it eliminates the need to store and manage static keys, directly supporting least-privilege access by reducing the attack surface and enabling automatic credential rotation.

Exam trap

The trap here is that candidates often confuse 'predefined roles ensure compatibility' with 'predefined roles are best for least-privilege,' but predefined roles still bundle permissions that may exceed what is strictly necessary, whereas custom roles allow exact permission scoping.

33
MCQeasy

What is the primary benefit of using Workload Identity Federation over service account keys when authenticating workloads running outside Google Cloud?

A.It allows using multiple service accounts simultaneously.
B.It enables workloads to run without any service account.
C.It provides higher performance for authentication requests.
D.It eliminates the need to create and manage long-lived service account keys, reducing the risk of key exposure.
AnswerD

Workload Identity Federation uses short-lived tokens and avoids the security risks of managing static keys.

Why this answer

Workload Identity Federation allows external workloads to impersonate a service account temporarily without needing to manage long-lived service account keys, which are a security risk.

34
MCQmedium

A company wants to centralize audit logs and billing data from multiple projects in a single project for analysis. What is the best approach?

A.Use Cloud Monitoring to view logs from all projects in one dashboard
B.Create a shared VPC project and enable VPC flow logs
C.Create a dedicated logging project, set up aggregated log sinks from all projects to that project, and export billing data to BigQuery in the same project
D.Enable billing export to BigQuery in each project and query across projects
AnswerC

This is the landing zone best practice: a centralized logging project with aggregated sinks and billing export.

Why this answer

Using a separate project for logging centralization with aggregated sinks to export logs and billing export to BigQuery in that project is the recommended landing zone design pattern.

35
MCQhard

An organization uses Terraform to manage infrastructure across multiple teams. They want to implement a branching strategy that supports rapid iteration and continuous integration for infrastructure changes while ensuring that the main branch always reflects the desired state. Which Git branching model is most aligned with GitOps principles for IaC?

A.Feature branching with long-lived branches for each environment (dev, staging, prod).
B.Trunk-based development with short-lived feature branches and automated CI/CD pipelines that apply changes upon merge to main.
C.Each team maintains its own fork and periodically submits pull requests to a central repository.
D.GitFlow with separate branches for develop, release, and hotfixes.
AnswerB

This aligns with GitOps: main is the source of truth, and merges trigger automated deployment.

Why this answer

Trunk-based development with short-lived feature branches is recommended for GitOps. Developers branch off main, make changes, commit frequently, and merge back to main after automated testing. This keeps main deployable and reduces merge conflicts.

36
MCQeasy

A DevOps engineer needs to create a custom IAM role that allows only the permission to create Compute Engine instances, but not to modify or delete them. What is the best practice for defining this role?

A.Create a custom role with permission `compute.instances.create`.
B.Use the predefined role `roles/compute.instanceAdmin.v1` and remove permissions.
C.Create a custom role with permission `compute.instances.*`.
D.Use the predefined role `roles/compute.instanceAdmin` and restrict it with conditions.
AnswerA

This grants exactly the required permission.

Why this answer

Custom roles are created with a list of permissions. To allow creation only, the role should include the `instances.create` permission. It should not include `instances.update`, `instances.delete`, or wildcards.

37
MCQmedium

A DevOps team uses Terraform Cloud to manage infrastructure. They want to enforce that all Terraform plans must pass a set of policy checks before they can be applied. The policies include restricting resource types and ensuring proper tagging. Which Terraform Cloud feature should they use?

A.Use Terraform Cloud's Cost Estimation feature.
B.Use Terraform Cloud's Run Triggers to chain workspaces.
C.Use Terraform Cloud's Sentinel policies.
D.Use Terraform Cloud's API to run custom scripts after plan.
AnswerC

Sentinel is designed for policy enforcement in Terraform Cloud/Enterprise.

Why this answer

Sentinel is Terraform Cloud's policy-as-code framework. It allows writing policies (in Sentinel language) that are evaluated during the plan phase. Policies can enforce constraints on resources and tags.

38
MCQeasy

A team wants to implement policy-as-code to check Terraform plans for compliance before deployment. They prefer an open-source tool that works with any CI/CD pipeline and can evaluate policies expressed in Rego. Which tool should they use?

A.Conftest
B.Cloud Deployment Manager
C.Sentinel
D.Cloud Build
AnswerA

Conftest uses OPA/Rego and is open-source, suitable for any CI/CD.

Why this answer

Conftest is a CLI tool that uses OPA/Rego to evaluate configuration files and Terraform plans. It is open-source and can be integrated into any CI/CD pipeline. Sentinel is proprietary to Terraform Cloud, and Cloud Build is not a policy engine.

39
MCQmedium

An organization wants to enforce that no Compute Engine VM has an external IP address. Which approach should be used?

A.Use an organization policy with constraint `compute.vmExternalIpAccess`
B.Set IAM roles to deny `compute.instances.create` on all projects
C.Configure a firewall rule to block all traffic to 0.0.0.0/0
D.Use Shared VPC and only allow internal IPs
AnswerA

This policy prevents VMs from having external IPs.

Why this answer

Option A is correct because the organization policy constraint `compute.vmExternalIpAccess` is specifically designed to prevent Compute Engine VMs from being assigned external IP addresses. This policy can be applied at the organization, folder, or project level to enforce that no VM in the scope can have an external IP, regardless of how the VM is created. It directly addresses the requirement without affecting other resources or relying on indirect controls.

Exam trap

The trap here is that candidates often confuse network-level controls (firewall rules or Shared VPC) with resource-level enforcement, thinking that blocking traffic or using internal-only networks prevents the VM from having an external IP, when in fact the VM can still be assigned an external IP but simply be unreachable.

How to eliminate wrong answers

Option B is wrong because denying `compute.instances.create` prevents all VM creation, which is overly restrictive and does not specifically target external IP assignment; VMs could still be created with external IPs if the permission is granted elsewhere. Option C is wrong because a firewall rule blocking traffic to `0.0.0.0/0` would block all outbound traffic, not just external IP assignment, and does not prevent a VM from being configured with an external IP address; the VM would still have an external IP but be unable to communicate. Option D is wrong because Shared VPC only controls network configuration and internal IP assignment, but it does not enforce that VMs cannot have external IPs; users could still attach external IPs to VMs in the Shared VPC if not explicitly prohibited.

40
MCQeasy

An organization wants to enforce that all Compute Engine instances are created in a specific set of regions. Which Google Cloud feature should be used?

A.Organization policies
B.VPC Service Controls
C.IAM conditions
D.Firewall rules
AnswerA

Organization policies with the `gcp.resourceLocations` constraint can restrict the regions where resources can be created.

Why this answer

Organization policies allow you to set constraints on resources, such as the allowed locations for resource creation. The constraint `gcp.resourceLocations` restricts the regions where resources can be created.

41
Multi-Selecthard

An organization wants to enforce policy as code for Terraform configurations. Which TWO tools can be used to validate Terraform plans against custom policies before apply? (Choose 2)

Select 2 answers
A.Cloud Build
B.Cloud Audit Logs
C.gcloud CLI
D.Open Policy Agent (OPA) with Conftest
E.Sentinel
AnswersD, E

OPA/Conftest can evaluate policies against Terraform plans.

Why this answer

Sentinel is a policy-as-code framework for Terraform Enterprise/Cloud, and OPA (Open Policy Agent) with Conftest can be used to evaluate policies against Terraform plans or HCL files. Both can be integrated into CI/CD.

42
MCQmedium

A DevOps team is bootstrapping a new Google Cloud organization. They want to enforce that all Compute Engine instances must use Shielded VM features (Secure Boot, vTPM, Integrity Monitoring). Which organization policy should they set at the organization level?

A.Set the 'constraints/compute.disableSerialPortAccess' policy to true.
B.Set the 'constraints/compute.requireOsLogin' policy to true.
C.Set the 'constraints/compute.requireShieldedVm' policy to true.
D.Set the 'iam.allowedPolicyMemberDomains' policy to restrict membership.
AnswerC

Correct. This policy requires Shielded VM on all VMs.

Why this answer

The 'constraints/compute.requireShieldedVm' policy enforces that all new VMs must have Shielded VM enabled. Policies are set at the organization, folder, or project level using the Org Policy Service.

43
MCQhard

A company uses Terraform with remote state stored in GCS. They want to prevent concurrent `terraform apply` runs for the same configuration to avoid state corruption. Which feature should they use?

A.Set the `-lock` flag to `true` in the Terraform CLI command.
B.Enable state locking in the GCS bucket by setting `force_destroy = false`.
C.Use Terraform workspaces to isolate runs.
D.State locking is automatically enabled when using a GCS backend; no additional configuration is needed.
AnswerD

GCS backend supports native state locking.

Why this answer

Terraform state locking is automatically enabled when using a backend that supports it, like GCS. GCS uses object versioning and a lock file to prevent concurrent modifications. Workspaces and remote execution are unrelated to locking.

44
MCQmedium

A DevOps engineer is setting up CI/CD for a microservice application. They want to use Cloud Build to deploy to Google Kubernetes Engine (GKE) only if the build passes tests. Which Cloud Build configuration approach should they use?

A.Use two separate Cloud Build triggers: one for testing and one for deployment, and manually trigger the deployment after tests pass.
B.Create a cloudbuild.yaml with a test step that fails the build if tests fail, and a subsequent deploy step that runs only if all previous steps succeed.
C.Configure a single Cloud Build trigger that runs test and deploy steps in parallel.
D.Use Cloud Functions to orchestrate testing and deployment via separate Cloud Build API calls.
AnswerB

Cloud Build executes steps sequentially; if a step fails, the build fails and subsequent steps are skipped, ensuring only successful tests lead to deployment.

Why this answer

Cloud Build triggers can be configured to run a build config (cloudbuild.yaml) that includes steps for testing and deployment. Conditional deployment can be handled by the build steps themselves.

45
Multi-Selectmedium

A company is designing a landing zone in Google Cloud. They need to set up a shared VPC for multiple projects. Which TWO steps should they take? (Choose two.)

Select 2 answers
A.Create a VPC network in each service project and peer them with the host project.
B.Attach service projects to the host project using the Shared VPC admin.
C.Configure VPC peering between the host project and each service project.
D.Grant the compute.networkUser role on the host project to users who need to create resources in the shared VPC.
E.Create a host project and enable the Shared VPC API.
AnswersB, E

Service projects are attached to use the host project's VPC.

Why this answer

Option B is correct because attaching service projects to a host project is the fundamental step in setting up a Shared VPC. This allows the service projects to consume resources (like VMs and GKE clusters) from the shared VPC network in the host project, enabling centralized network management and isolation.

Exam trap

The trap here is confusing VPC peering with Shared VPC, as both involve multiple projects, but Shared VPC uses a host/service project model with centralized network ownership, while peering connects independent networks.

46
MCQmedium

A team wants to implement GitOps for their Terraform infrastructure. They want to automatically apply changes when a pull request is merged to the main branch. Which approach should they use?

A.Use Cloud Source Repositories with a webhook to a Compute Engine instance that runs Terraform
B.Set up a cron job that runs `terraform apply` every hour
C.Use Cloud Build with a trigger on push to main branch to run `terraform apply`
D.Use Terraform Cloud with VCS integration
AnswerC

Cloud Build can be configured to run Terraform on branch merge, implementing GitOps.

Why this answer

GitOps involves using a tool like Cloud Build with a trigger that runs Terraform on merge to main. Cloud Build can execute Terraform commands and apply changes.

47
MCQmedium

A company wants to enforce that all Compute Engine VMs have Shielded VM features enabled. Which mechanism should they use?

A.Set an organization policy with constraint `compute.requireShieldedVm`.
B.Configure a VPC firewall rule to block non-Shielded VMs.
C.Use Cloud Security Command Center to detect non-Shielded VMs.
D.Use IAM to restrict VM creation to users who have permissions to enable Shielded VM.
AnswerA

This constraint forces Shielded VM to be enabled on new instances.

Why this answer

Organization policy `compute.requireShieldedVm` enforces that new VMs must have Shielded VM features. This is an organization policy constraint.

48
Multi-Selectmedium

An organization wants to enforce that no Compute Engine instances have public IP addresses. Which TWO methods can achieve this? (Choose TWO.)

Select 2 answers
A.Set the organization policy constraint constraints/compute.vmExternalIpAccess at the desired folder or project level.
B.Create a custom IAM role that denies the compute.instances.create permission with external IP.
C.Configure Shared VPC and only provide subnets without default internet access to service projects, ensuring VMs are created without external IPs.
D.Use VPC Service Controls to restrict access to Compute Engine API.
E.Set the organization policy constraint constraints/compute.vmCanIpForward to deny.
AnswersA, C

This constraint directly denies the creation of VMs with external IPs.

Why this answer

Organization policies can restrict external IPs at the project level (constraints/compute.vmExternalIpAccess). Also, using a Shared VPC and only creating VMs in subnets without external IP access (by not having a default route to the internet) can prevent public IPs, although a more direct method is the org policy.

49
Multi-Selecthard

An organization uses Terraform with a GCS backend for state. They want to implement a GitOps workflow where changes merged to the main branch are automatically applied. The CI/CD pipeline uses a service account with Workload Identity Federation. Which THREE components are required? (Choose three.)

Select 3 answers
A.A Cloud Storage bucket with object versioning enabled for Terraform state.
B.A Terraform Cloud workspace configured with the same GCS backend.
C.A service account with permissions to modify resources in the target projects.
D.A Git repository containing Terraform configurations.
E.A CI/CD system (e.g., Cloud Build) that runs Terraform plan and apply on merge to main.
AnswersC, D, E

The pipeline needs a service account with IAM roles to create/update resources.

Why this answer

GitOps requires a Git repository as the source of truth, a CI/CD pipeline that triggers on changes to main, and a service account with appropriate permissions to apply changes. Terraform Cloud is not required; the pipeline can run Terraform directly.

50
MCQhard

A team uses Terraform with a GCS backend for state. They want to use remote state from another project to read output values. What Terraform configuration element is used to retrieve outputs from a different state file?

A.`module.terraform_remote_state`
B.`output.terraform_remote_state`
C.`resource.terraform_remote_state`
D.`data.terraform_remote_state`
AnswerD

Correct. `data.terraform_remote_state` is a data source that retrieves state from a remote backend, allowing access to output values from another configuration.

Why this answer

The `data.terraform_remote_state` data source is the correct Terraform configuration element used to retrieve output values from a different state file stored in a remote backend, such as GCS. It reads the state data from the specified backend configuration and exposes the outputs via the `outputs` attribute, allowing cross-project or cross-workspace state access without requiring direct module dependencies.

Exam trap

A common trap in Terraform is confusing the `terraform_remote_state` data source with a resource or module. For Google Cloud DevOps, users may incorrectly use `resource.terraform_remote_state` or `module.terraform_remote_state`, but only `data.terraform_remote_state` is valid for reading outputs from a remote state file stored in GCS.

How to eliminate wrong answers

Option A is wrong because `module.terraform_remote_state` is not a valid Terraform construct; modules are defined with `module` blocks referencing module sources, not a built-in `terraform_remote_state` module. Option B is wrong because `output.terraform_remote_state` is not a valid resource or data source; outputs are declared with `output` blocks to expose values, not to retrieve remote state. Option C is wrong because `resource.terraform_remote_state` does not exist; Terraform uses `data` sources for read-only access to external state, not `resource` blocks which manage infrastructure lifecycle.

51
MCQmedium

A company has a Google Cloud organization with separate folders for development, staging, and production. They want to deploy Terraform using a CI/CD pipeline that runs in a shared tools project. Where should the Terraform state files be stored and how should the pipeline authenticate?

A.Store state in Cloud Firestore; use a service account key stored in Secret Manager.
B.Store state in a Cloud Storage bucket in each environment project; use user credentials passed as secrets.
C.Store state in a central Cloud Storage bucket in the tools project; use a service account in the tools project with Workload Identity Federation to access the bucket and assume roles in environment projects.
D.Store state locally in the CI/CD runner; use Application Default Credentials from the runner's environment.
AnswerC

This is the recommended approach: central state bucket, and use a service account with Workload Identity Federation for secure, keyless authentication.

Why this answer

Terraform state should be stored in a GCS bucket with versioning enabled. The pipeline should use a service account from the tools project with Workload Identity Federation to access the bucket. This avoids long-lived keys and follows security best practices.

52
MCQmedium

A DevOps engineer needs to set up billing export to analyze costs by team and environment. They have organized projects with labels: team (e.g., 'platform', 'data') and environment (e.g., 'prod', 'dev'). Which billing export configuration should they use?

A.Use the Cloud Billing API to stream costs and store them in Firestore.
B.Export billing data to a Cloud Storage bucket and use a custom script to parse labels.
C.Set up BigQuery billing export in the billing account. The export includes labels, enabling cost analysis by team and environment.
D.Configure budgets and alerts for each label combination.
AnswerC

BigQuery export includes labels, resource IDs, and more, allowing straightforward SQL queries.

Why this answer

Option C is correct because BigQuery billing export automatically includes resource labels in the exported tables, allowing direct SQL-based cost analysis by team and environment without custom scripting. This is the native, scalable, and recommended approach for multi-dimensional cost breakdowns in Google Cloud.

Exam trap

The trap here is that candidates confuse budgets/alerts (Option D) with cost analysis exports, or assume that Cloud Storage export (Option B) is simpler than BigQuery, missing that BigQuery's native label support eliminates the need for custom parsing.

How to eliminate wrong answers

Option A is wrong because the Cloud Billing API streams cost data but does not automatically include labels in a queryable format, and Firestore is not designed for analytical cost queries. Option B is wrong because exporting to Cloud Storage requires a custom script to parse labels from the CSV/JSON files, adding complexity and maintenance overhead compared to BigQuery's native label support. Option D is wrong because budgets and alerts only notify on spending thresholds; they do not provide historical cost analysis or label-based breakdowns.

53
MCQmedium

A company has multiple teams in a GCP organization. They want to isolate environments (prod, staging, dev) and give each team a separate project for development. Which folder structure is recommended?

A.Create a flat list of projects with naming conventions like `team-project-env`
B.Create a single folder per team, with projects for each environment inside
C.Create folders for each environment (prod, staging, dev), and within each, folders for teams/products containing projects
D.Create folders per product, and within each, environment folders
AnswerC

This is the Google-recommended structure for environment isolation and policy inheritance.

Why this answer

Option C is correct because it aligns with Google Cloud's recommended resource hierarchy for multi-team, multi-environment isolation. By creating folders for each environment (prod, staging, dev) and then sub-folders for teams/products, you can apply consistent IAM policies and organization policies at the environment level (e.g., restrict prod access) while delegating project-level control to teams. This structure also supports the principle of least privilege and simplifies auditing.

Exam trap

A common mistake is to organize folders by team first (Option B), but this ignores the need for environment-wide policy enforcement in GCP, which is essential for compliance and security.

How to eliminate wrong answers

Option A is wrong because a flat list of projects with naming conventions does not provide hierarchical isolation; IAM policies must be applied per project, leading to management overhead and increased risk of misconfiguration. Option B is wrong because creating a single folder per team with environment projects inside prevents applying environment-wide policies (e.g., deny public IPs on all prod projects) without duplicating policies across team folders. Option D is wrong because organizing by product first and then environment makes it difficult to apply consistent environment-level controls (e.g., compliance rules for prod) across different products, and it mixes team boundaries with environment boundaries, complicating access management.

54
MCQmedium

A company needs to control cost by setting a budget alert on their billing account. They want to be notified when spending exceeds 80% of the budget. What should they configure?

A.Export billing data to BigQuery and set up a scheduled query with a Cloud Function to send alerts.
B.Create a budget in the GCP Billing console with alert threshold at 80%.
C.Create a budget alert rule in Cloud Monitoring with a metric threshold.
D.Use Cloud Scheduler to run a script that checks billing API and sends email.
AnswerB

Budgets and alerts are configured in the Billing console with threshold rules.

Why this answer

Option B is correct because Google Cloud's native budget alerts in the Billing console allow you to set a threshold (e.g., 80%) and automatically send email notifications when actual spending exceeds that percentage of the budget. This is the simplest, most direct, and recommended approach for cost control without needing additional services or custom code.

Exam trap

The trap here is that candidates often over-engineer the solution by choosing complex automation (like BigQuery exports or Cloud Scheduler scripts) instead of recognizing that Google Cloud provides a simple, built-in budget alert feature in the Billing console that directly meets the requirement.

How to eliminate wrong answers

Option A is wrong because exporting billing data to BigQuery and setting up a scheduled query with a Cloud Function is overly complex and unnecessary for a simple threshold alert; it introduces latency, additional cost, and maintenance overhead when the built-in budget alert already provides the same functionality. Option C is wrong because Cloud Monitoring alert rules are designed for monitoring resource metrics (e.g., CPU, memory), not billing amounts; billing data is not exposed as a metric in Cloud Monitoring, so a metric threshold alert cannot be created for spending. Option D is wrong because using Cloud Scheduler to run a script that checks the billing API and sends email is a custom, brittle solution that requires managing authentication, error handling, and scheduling, whereas the native budget alert handles all of this automatically and reliably.

55
Multi-Selectmedium

A DevOps engineer is designing a landing zone for a large enterprise. Which THREE components are essential for a well-architected landing zone? (Choose THREE.)

Select 3 answers
A.A shared VPC project to host common network resources.
B.A centralized security project for services like Cloud Armor, Security Command Center, and Cloud DLP.
C.A centralized logging project to store audit logs from all projects.
D.A single billing account per team.
E.A separate project per developer for sandbox environments.
AnswersA, B, C

Shared VPC allows centralized network management and connectivity.

Why this answer

A landing zone typically includes a shared VPC for network connectivity, a centralized logging project for audit logs, and a security project for centralized security services like Cloud Armor and Security Command Center.

56
MCQeasy

A team is adopting GitOps for infrastructure. They want to ensure that all Terraform configuration changes are automatically applied after merging to the main branch. Which CI/CD approach best supports this?

A.Run `terraform plan` on every commit and require manual approval before apply.
B.Have developers apply changes locally using `terraform apply`.
C.Use Cloud Deployment Manager with a trigger on Cloud Source Repository commits.
D.Use a CI/CD pipeline that runs `terraform apply` after a merge to the main branch.
AnswerD

This automates application on merge, aligning with GitOps principles.

Why this answer

GitOps uses Git as the single source of truth, and changes are automatically applied to the target environment when merged to the main branch. A CI/CD pipeline triggered on merge that runs `terraform apply` achieves this.

57
MCQeasy

A DevOps engineer is bootstrapping a new Google Cloud organization. They need to enforce that all Compute Engine VM instances must use Shielded VM features. Which method should they use?

A.Create a custom IAM role that grants compute.instances.create permission only for Shielded VM projects.
B.Use Deployment Manager templates that include Shielded VM initialization config.
C.Apply an organization policy with constraint constraints/compute.requireShieldedVm at the organization level.
D.Enable Shielded VM as a default in the Compute Engine service quota settings.
AnswerC

Organization policies enforce resource constraints across the hierarchy, and requireShieldedVm ensures all VMs have Shielded VM enabled.

Why this answer

Organization policies allow you to centrally constrain resource usage across the entire resource hierarchy. The 'constraints/compute.requireShieldedVm' policy enforces Shielded VM on all new VMs. IAM roles control access but not resource configurations.

58
MCQhard

An organization wants to implement privileged access management (PAM) for their Google Cloud environment. They need to grant temporary, just-in-time access to production projects for incident responders. Which GCP service should they use?

A.Use Cloud IAM Conditions to grant roles with a time constraint (e.g., request.time < timestamp).
B.Create custom roles that are only granted during incident response drills.
C.Use Cloud Audit Logs to monitor and revoke access after the incident.
D.Use VPC Service Controls to allow access only from specific IPs.
AnswerA

IAM Conditions can include temporal conditions, providing just-in-time access that expires automatically.

Why this answer

Cloud IAM Conditions (together with Access Context Manager) can enforce time-based conditions on IAM role bindings, so a role can be granted in a way that expires automatically after a defined duration. Alternatives such as updating roles through 'iam.roles.update' with time-based conditions, or using Cloud Asset Inventory for access approval, are not standard approaches. The best approach is to use Cloud IAM Conditions to grant roles that expire after a defined duration, combined with Access Approval for review.

59
MCQhard

A financial services company is using Terraform to manage their Google Cloud infrastructure. They have multiple environments (dev, staging, prod) and want to use a single Terraform configuration with separate state files per environment. They also need to store the Terraform state securely in a shared backend. Which approach should they use?

A. Use Terraform Cloud's workspaces feature with a GCS backend configured in the Terraform Cloud workspace settings.
B. Create separate Terraform configurations for each environment and store state in a single GCS bucket with different object names.
C. Use Terraform workspaces with a local backend and store state files in a Cloud Storage bucket manually.
D. Use Terraform workspaces with a GCS backend. Each workspace automatically creates a separate state file (e.g., env:/dev/project.tfstate).
Answer: D

Workspaces with a remote backend like GCS store state per workspace in the same bucket with different paths, enabling secure collaboration.

Why this answer

Terraform workspaces allow using the same configuration with separate state files for each environment. Using a GCS backend with a prefix per workspace stores the state files in separate objects.

60
MCQ · hard

An organization uses Terraform to manage infrastructure across multiple projects. They want to use a single shared Terraform state file for their production environment but isolate state for development environments. The team uses Terraform Cloud workspaces. Which state management approach is most appropriate?

A. Use Terraform Enterprise instead of Terraform Cloud because it supports state isolation.
B. Use a single GCS bucket as the backend and store all states in the same prefix.
C. Use a single Terraform workspace for all environments, with separate state files via the -state flag.
D. Create separate Terraform Cloud workspaces for production and development environments.
Answer: D

Correct. Workspaces provide isolated state per environment.

Why this answer

Terraform Cloud workspaces provide isolated state per workspace. Using separate workspaces for production and development keeps state isolated while leveraging a single Terraform Cloud organization.

61
Multi-Select · easy

A company wants to set up cost tracking by project, environment, and team. Which THREE methods should they use? (Choose 3)

Select 3 answers
A. Set up budget alerts to monitor spending.
B. Export billing data to BigQuery for detailed analysis.
C. Use Cloud Monitoring dashboards for billing.
D. Apply labels to resources (e.g., project, environment, team).
E. Use network tags for cost tracking.
Answers: A, B, D

Helps control costs proactively.

Why this answer

Labels and billing export to BigQuery are the primary methods. Budget alerts help manage costs. Tags are for network firewall rules.

Folders help organize resources but do not directly track cost. Cloud Monitoring is for metrics.

62
MCQ · medium

A team manages Terraform state for multiple projects using a single GCS bucket. They need to ensure that state operations are not concurrent to avoid corruption. What should they do?

A. Store state in a single file and use IAM to allow only one user at a time.
B. Use `terraform force_unlock` before each run.
C. Configure the GCS backend with `prefix` per project and rely on Terraform's built-in state locking via GCS.
D. Enable object versioning on the GCS bucket.
Answer: C

GCS backend automatically uses locking via object writes. Using separate prefixes isolates states, and locking prevents concurrent operations.

Why this answer

Option C is correct because Terraform's GCS backend natively supports state locking using the GCS object's generation number. By configuring a unique `prefix` per project, each project's state is stored in a separate object within the same bucket. Terraform automatically acquires a lock by creating a temporary lock file in GCS before any state operation, and releases it afterward, preventing concurrent modifications and state corruption.

Exam trap

The trap here is that candidates may confuse object versioning (which provides history) with state locking (which prevents concurrent writes), or think that IAM alone can manage concurrency, when in fact Terraform's built-in locking via GCS is the correct and automated solution.

How to eliminate wrong answers

Option A is wrong because storing all state in a single file would cause conflicts and IAM does not provide fine-grained concurrency control; Terraform's locking mechanism is designed to handle this at the object level, not via user permissions. Option B is wrong because `terraform force_unlock` is a manual command to break a stuck lock, not a preventive measure; running it before each run would defeat the purpose of locking and could still allow concurrent operations. Option D is wrong because enabling object versioning on the GCS bucket provides history and rollback capabilities but does not prevent concurrent writes; without locking, two simultaneous `terraform apply` commands could still corrupt the state.

63
MCQ · hard

A company uses a shared VPC with multiple service projects. The network team wants to allow a DevOps team to create Cloud Run services in a service project but prevent them from creating Cloud Run services with public access (allowUnauthenticated invocations). What is the best approach?

A. Use the organization policy constraint `run.allowedIngress` to restrict ingress to internal only.
B. Configure the shared VPC firewall to block incoming traffic from the internet to Cloud Run services.
C. Create a custom IAM role that includes only the run.services.create permission, and assign it to the DevOps team.
D. Use a service account with the run.services.create permission and enforce that the DevOps team uses it.
Answer: A

This constraint prevents public access for all Cloud Run services under the organization.

Why this answer

Organization policy `run.allowedIngress` can restrict Cloud Run services to only allow internal or internal-and-cloud-load-balancing traffic, effectively blocking public access. IAM roles control who can create services but not their properties. Service accounts would be used by services themselves, not for enforcement.

64
MCQ · easy

What is the purpose of a Google Cloud organization node in the resource hierarchy?

A. It is used to group billing accounts.
B. It is the root node in the GCP resource hierarchy for centralized policy and billing management.
C. It is an alias for a project.
D. It represents a team within a company.
Answer: B

Correct definition.

Why this answer

The organization node is the root resource. It allows centralized management of policies, roles, and billing across all folders and projects. It is required for organization-level IAM and organization policies.

65
MCQ · medium

A DevOps engineer is setting up a new Google Cloud organization for their company. They need to ensure that all projects are created within a structured hierarchy that separates production, staging, development, and sandbox environments. Which folder structure BEST supports this requirement?

A. Create a folder for each product under the organization node, and within each product folder, create subfolders for environments.
B. Create a flat folder structure under the organization node with one folder per team, and place all projects in their team folder regardless of environment.
C. Create a folder for each environment (prod, staging, dev, sandbox) directly under the organization node. Within each environment folder, create subfolders for teams or products, and place projects in those subfolders.
D. Create a flat folder structure with one folder per project type (shared VPC, logging, security) and place all projects in those folders.
Answer: C

This is the standard landing zone design that separates environments and allows inheritance.

Why this answer

The recommended landing zone design uses top-level folders for environments (prod, staging, dev, sandbox) under the organization node, with team/product subfolders inside each environment folder. This allows IAM and org policies to be inherited appropriately.

66
MCQ · hard

A company has multiple GCP projects and wants to audit all IAM policy changes. They need a solution that captures who made the change, what was changed, and when. The solution should be cost-effective and require minimal setup. What should they use?

A. Enable Access Transparency logs.
B. Use Cloud Asset Inventory to export IAM policies daily.
C. Set up Stackdriver (now Cloud Monitoring) alerts on IAM changes.
D. Enable Cloud Audit Logs for Admin Activity for all projects.
Answer: D

Admin Activity logs are enabled by default and capture IAM changes.

Why this answer

Cloud Audit Logs for Admin Activity automatically captures all API calls that modify IAM policies, including the identity of the caller, the change made, and the timestamp. This is enabled by default for all GCP projects at no additional cost, making it the most cost-effective and minimal-setup solution for auditing IAM changes.

Exam trap

The trap here is that candidates confuse Access Transparency (for Google support actions) with Cloud Audit Logs (for user actions), or think that monitoring alerts provide an audit trail when they only provide real-time notifications.

How to eliminate wrong answers

Option A is wrong because Access Transparency logs are designed to show actions taken by Google support personnel on your data, not internal IAM policy changes made by your own users. Option B is wrong because Cloud Asset Inventory exports are snapshots of current IAM policies, not a real-time audit trail of who made changes and when; they also require additional setup and incur costs for export operations. Option C is wrong because Stackdriver (Cloud Monitoring) alerts can notify you of IAM changes but do not provide a historical audit log of who made the change and what exactly was changed; they are for alerting, not auditing.

67
Multi-Select · medium

A DevOps team is designing a landing zone on GCP. They want to centralize networking, logging, and security. Which TWO projects should they create? (Choose 2)

Select 2 answers
A. A project for IAM roles
B. A central Logging project
C. A Shared VPC project for networking
D. A project for each environment
E. A separate project per application
Answers: B, C

Centralized logging and billing export.

Why this answer

In a GCP landing zone, centralizing logging into a dedicated project ensures that audit logs, VPC flow logs, and other operational logs are aggregated in a single, secure location. This project is used to configure log sinks, export logs to BigQuery or Cloud Storage, and enforce retention policies across the organization, which is a best practice for compliance and troubleshooting.

Exam trap

The trap here is that candidates often confuse the landing zone's centralized infrastructure projects (Shared VPC and Logging) with environment-specific or application-specific projects, which are separate concerns in the GCP resource hierarchy.

68
MCQ · medium

An organization wants to set up a landing zone with separate projects for development, staging, and production environments. They also need a shared VPC for networking and a centralized logging project. Which folder structure aligns with Google Cloud best practices?

A. Create a single folder /landing-zone and put all projects there.
B. Create folders: /dev, /staging, /prod. Place all projects directly under the root.
C. Create folders: /environments/dev, /environments/staging, /environments/prod, and /common. Place networking and logging projects in /common.
D. Create folders: /prod, /non-prod, /shared. Put dev and staging in /non-prod.
Answer: C

This follows the recommended pattern of environment folders and a common folder for shared infrastructure.

Why this answer

Option C is correct because it follows Google Cloud best practices by separating environments (dev, staging, prod) into their own folder under an /environments parent, and placing shared resources like networking and logging into a /common folder. This structure enables consistent IAM policy inheritance, resource isolation, and centralized management of shared services, which is critical for a landing zone in a DevOps pipeline.

Exam trap

The trap here is that candidates often think a flat folder structure or grouping by production vs. non-production is sufficient, but Google Cloud best practices require separate environment folders and a dedicated common folder for shared services to ensure proper IAM inheritance and resource isolation.

How to eliminate wrong answers

Option A is wrong because placing all projects in a single /landing-zone folder prevents granular IAM policy inheritance and resource isolation between environments, violating the principle of least privilege. Option B is wrong because placing projects directly under the root organization node bypasses folder-level policy inheritance and makes it impossible to apply environment-specific controls without manual per-project configuration. Option D is wrong because grouping dev and staging under /non-prod conflates non-production environments, which often have different compliance and access requirements, and fails to provide a dedicated folder for shared resources like networking and logging.

69
MCQ · medium

A DevOps team uses Terraform to manage infrastructure. They want to store state files in a shared backend that supports locking and versioning. Which backend meets these requirements?

A. Consul backend
B. Google Cloud Storage (GCS) backend
C. Local backend
D. Terraform Cloud backend
Answer: B

The GCS backend supports remote state, state locking, and versioning (enable object versioning on the bucket), and is the standard choice for Terraform on GCP.

Why this answer

The Google Cloud Storage (GCS) backend is correct because it natively supports state file locking via object write consistency and versioning through object versioning, which are essential for preventing concurrent state corruption and enabling state rollback. Terraform's GCS backend uses a write-lock mechanism that relies on GCS's strong consistency for object creation, ensuring only one operation can modify the state at a time.

Exam trap

The trap here is that candidates often confuse Terraform Cloud (a managed service) with a backend type, or assume Consul's session-based locking implies versioning, when in fact Consul does not natively version state files like GCS does with object versioning.

How to eliminate wrong answers

Option A is wrong because the Consul backend, while supporting locking via sessions, does not provide built-in versioning of state files; versioning would require additional manual configuration or external tooling. Option C is wrong because the local backend stores state on the local filesystem, offering no locking mechanism for concurrent operations and no versioning beyond what the filesystem provides, making it unsuitable for team collaboration. Option D is wrong because Terraform Cloud backend is a managed service that supports locking and versioning, but the question asks for a shared backend that meets these requirements, and Terraform Cloud is a separate platform, not a backend type listed in the standard Terraform backend configuration options for direct state storage.

70
MCQ · medium

A company wants to implement least-privilege IAM for their DevOps team. The team needs to manage Compute Engine instances and Cloud Storage buckets, but not delete resources. Which approach is recommended?

A. Grant predefined roles `roles/compute.instanceAdmin.v1` and `roles/storage.objectAdmin`.
B. Create custom roles with only the necessary permissions, excluding delete.
C. Use Cloud KMS to manage access.
D. Grant the primitive roles `roles/editor` and `roles/viewer`.
Answer: A, B

Granting predefined roles `roles/compute.instanceAdmin.v1` and `roles/storage.objectAdmin` provides the necessary permissions to manage Compute Engine instances and Cloud Storage objects without granting delete permissions on resources like instances and buckets, as these roles do not include delete actions on the resources themselves. This aligns with Google's recommendation to use predefined roles when they already meet the requirements, as they are maintained and reduce the risk of misconfiguration.

Why this answer

Both Option A and Option B are correct approaches for implementing least-privilege IAM. Option A uses predefined roles `roles/compute.instanceAdmin.v1` and `roles/storage.objectAdmin`, which provide the necessary permissions to manage Compute Engine instances and Cloud Storage objects without granting delete permissions on the resources themselves (instances and buckets). Option B allows creating custom roles that explicitly exclude delete permissions, offering more granular control.

Google recommends using predefined roles when they already meet the requirements, as they are maintained and reduce the risk of misconfiguration.

Exam trap

The trap here is that candidates may think custom roles (Option B) are always the best for least-privilege, but the exam emphasizes that predefined roles are recommended when they already meet the requirements, as they are maintained by Google and reduce the risk of permission errors.

How to eliminate wrong answers

Option B is wrong because creating custom roles with only necessary permissions, excluding delete, is also a valid approach for least-privilege IAM, but the question asks for the recommended approach, and predefined roles are preferred over custom roles when they meet the requirements to reduce management overhead and risk of misconfiguration. Option C is wrong because Cloud KMS is a key management service for encryption keys, not an IAM mechanism for managing access to Compute Engine or Cloud Storage resources. Option D is wrong because primitive roles like `roles/editor` grant broad permissions, including delete, which violates the least-privilege requirement, and `roles/viewer` is too restrictive for management tasks.

71
Multi-Select · medium

A DevOps team is designing a landing zone in Google Cloud. They need to set up a folder structure that supports multiple teams and environments. Which TWO practices should they follow? (Choose 2)

Select 2 answers
A. Use organization policies at the project level only to enforce compliance.
B. Create a flat project structure under the organization node with no folders.
C. Create separate folders for each team (e.g., 'Team-A', 'Team-B') under the environment folders.
D. Use environment folders (e.g., prod, staging, dev) to isolate environments.
E. Place all team projects in a single folder named 'Teams' without further grouping.
Answers: C, D

Correct. Team folders under environment folders provide granular control.

Why this answer

Best practices for landing zone design include using environment folders (prod, staging, dev) and team folders for resource isolation. Shared VPC, logging, and security projects are also common.

72
MCQ · medium

An organization wants to implement a landing zone with shared VPC, centralized logging, and security projects. Which folder structure best follows Google Cloud's recommended landing zone design?

A. Create a folder per product with subfolders for environments. Place shared projects under the product folder.
B. Create one folder per team with subfolders for each environment. Place shared projects under the corresponding environment folder.
C. Create a flat structure with all projects at the organization level.
D. Create a 'common' folder for shared projects (shared VPC, logging, security) and environment folders (dev, staging, prod) for workload projects.
Answer: D

This is the recommended approach: separate shared services in a common folder and isolate environments in their own folders.

Why this answer

Google's landing zone design recommends a folder per environment (prod, staging, dev) with common projects (shared VPC, logging, security) placed in a 'common' folder that sits at the same level as environment folders, allowing organization policies to be applied consistently.

73
MCQ · easy

Which Git branching strategy is recommended for infrastructure as code in a DevOps environment to enable continuous delivery?

A. Forking workflow
B. Feature branch workflow without merging to main often
C. Trunk-based development
D. GitFlow
Answer: C

Trunk-based development encourages short-lived branches and frequent merges to main, aligning with CD.

Why this answer

Trunk-based development is recommended for IaC to avoid long-lived branches and merge conflicts. It involves short-lived feature branches and frequent merges to main. GitFlow is more complex and not ideal for IaC.

GitHub Flow is similar, but trunk-based development is the standard.

74
MCQ · easy

A company wants to enforce that no Compute Engine instances are created with external IP addresses unless explicitly allowed. Which organization policy constraint should be used?

A. constraints/compute.vmExternalIpAccess
B. constraints/compute.disableSerialPortAccess
C. constraints/compute.setCommonInstanceMetadata
D. constraints/compute.requireOsLogin
Answer: A

Correct. This policy controls external IP addresses on VMs.

Why this answer

The 'constraints/compute.vmExternalIpAccess' policy restricts external IP usage on VMs. It can be set at the organization, folder, or project level.

75
MCQ · easy

A DevOps engineer wants to manage Google Cloud resources as code using a declarative language. Which tool is the current industry standard and recommended by Google?

A. Terraform
B. Cloud Deployment Manager
C. Pulumi
D. Ansible
Answer: A

Terraform is widely adopted and recommended by Google for IaC on GCP.

Why this answer

Terraform is the current industry standard for Infrastructure as Code (IaC) and is recommended by Google for managing Google Cloud resources declaratively. It uses the HashiCorp Configuration Language (HCL) to define cloud resources, supports state management for tracking resource changes, and provides a consistent workflow across multiple cloud providers. Google’s own documentation and professional certification materials explicitly endorse Terraform as the primary IaC tool for GCP.

Exam trap

The trap here is that candidates often confuse Cloud Deployment Manager as the recommended tool because it is Google’s native offering, but the question specifically asks for the 'current industry standard' and 'recommended by Google,' which points to Terraform due to its broader adoption and explicit endorsement in Google’s official IaC guidance.

How to eliminate wrong answers

Option B is wrong because Cloud Deployment Manager is Google’s native IaC tool, but it is not the current industry standard; it uses YAML or Python templates and has limited community support and fewer integrations compared to Terraform. Option C is wrong because Pulumi is a modern IaC tool that uses general-purpose programming languages (e.g., TypeScript, Python) rather than a declarative language like HCL, and while it supports GCP, it is not the recommended standard by Google for declarative IaC. Option D is wrong because Ansible is a configuration management and automation tool that uses imperative playbooks (YAML) and is not primarily designed for declarative resource provisioning; it lacks native state management and is not the industry standard for declarative IaC on GCP.
