CCNA Bootstrapping a Google Cloud organization for DevOps Questions

75 of 119 questions · Page 1/2 · Bootstrapping a Google Cloud organization for DevOps · Answers revealed

1. Multi-Select · hard

A DevOps engineer is designing a CI/CD pipeline using Cloud Build. Which TWO configurations are necessary to ensure secure and reliable deployments? (Choose two.)

Select 2 answers
A. Use manual approval steps for production deployments.
B. Store secrets in Cloud Secret Manager.
C. Use Cloud Build triggers with branch filters.
D. Push all artifacts to a public Container Registry.
E. Enable Cloud Build service account with Editor role.
Answers: A, B

Provides a gate for reliability.

Why this answer

Options C and E are correct. Secret Manager provides security, and manual approval ensures reliability.

2. Multi-Select · medium

Which TWO are best practices when bootstrapping a Google Cloud organization for DevOps? (Choose two.)

Select 3 answers
A. Use separate service accounts for each environment.
B. Use separate folders for development, staging, and production environments.
C. Enable audit logging for all projects at the organization level.
D. Create a single service account for all environments to simplify permissions.
E. Disable audit logging to reduce costs.
Answers: A, B, C

Isolates permissions and limits blast radius.

Why this answer

Option A is correct because using separate service accounts for each environment enforces the principle of least privilege, ensuring that credentials used in development cannot accidentally or maliciously affect production resources. This isolation aligns with Google Cloud's IAM best practices, where each service account should have only the permissions necessary for its specific environment, reducing the blast radius of a compromised account.

Exam trap

Google Cloud often tests the misconception that a single service account simplifies management and is acceptable for DevOps, but the trap is that this violates the core security principle of environment isolation, which is a fundamental requirement for bootstrapping a Google Cloud organization.

3. MCQ · easy

A DevOps team wants to ensure that all audit logs from projects across the organization are sent to a central project for analysis. Which approach should they use?

A. Enable VPC Flow Logs in each project.
B. Configure each project to export logs to a central BigQuery dataset.
C. Use organization-level log sinks to route audit logs to a central Cloud Storage bucket.
D. Use Cloud Logging's default routing.
Answer: C

Organization-level sinks aggregate logs from all projects.

Why this answer

Option C is correct because organization-level log sinks allow you to aggregate audit logs from all projects within an organization into a single destination, such as a Cloud Storage bucket. This approach ensures centralized analysis and compliance without requiring per-project configuration, leveraging the hierarchical nature of Google Cloud resource management.

Exam trap

The trap here is that candidates confuse VPC Flow Logs (network logs) with audit logs (IAM and resource activity logs), or assume that per-project export is the only option, missing the organization-level sink capability.

How to eliminate wrong answers

Option A is wrong because VPC Flow Logs capture network traffic metadata, not audit logs, and they are per-VPC, not designed for cross-project aggregation. Option B is wrong because configuring each project individually to export logs to a central BigQuery dataset is operationally inefficient and error-prone; organization-level sinks provide a single, scalable configuration. Option D is wrong because Cloud Logging's default routing only sends logs to the project's own logs viewer, not to a central destination, and does not aggregate across projects.

4. MCQ · medium

A DevOps engineer is bootstrapping a CI/CD pipeline using Cloud Build. They need to ensure that only specific service accounts can trigger builds on certain branches. What is the recommended approach?

A. Use Cloud Functions to validate branch names before triggering builds.
B. Use Cloud Source Repositories with branch protection rules.
C. Store the service account keys in Secret Manager and use them in build steps.
D. Use Cloud Build triggers with regular expressions on branch patterns and restrict access via IAM.
Answer: D

Cloud Build triggers support branch patterns and IAM can limit who can trigger.

Why this answer

Option D is correct because Cloud Build triggers natively support regular expressions on branch patterns, and IAM conditions can restrict which service accounts are allowed to invoke specific triggers. This provides a declarative, auditable, and least-privilege approach without custom code or external services.

Exam trap

Google Cloud often tests the distinction between branch protection (which controls Git pushes) and trigger authorization (which controls build invocation), leading candidates to confuse Cloud Source Repositories branch protection rules with Cloud Build trigger access control.

How to eliminate wrong answers

Option A is wrong because using Cloud Functions to validate branch names adds unnecessary complexity, latency, and cost; Cloud Build triggers already support branch pattern filtering natively. Option B is wrong because Cloud Source Repositories branch protection rules only prevent direct pushes to branches, not trigger invocations; they do not control which service accounts can trigger builds. Option C is wrong because storing service account keys in Secret Manager and using them in build steps does not restrict who can trigger builds; it only manages authentication for build steps, not authorization for trigger invocation.

5. MCQ · hard

A large enterprise is bootstrapping a Google Cloud organization with strict security requirements. They need to: (1) enforce multi-factor authentication (MFA) for all users, (2) prevent any new project from using default VPCs, (3) require customer-managed encryption keys (CMEK) for all Cloud Storage buckets, (4) automatically revoke access for offboarded employees within 24 hours. They have an existing Active Directory and plan to use Google Cloud's Identity Platform for SSO. Which combination of Google Cloud services and policies should they implement?

A. Configure MFA via organization policy, use a project creation Cloud Function to disable default VPC and enforce CMEK, and use a Cloud Scheduler job to scan for offboarded users daily.
B. Set up a Cloud VPN to Active Directory, use Cloud Run to enforce MFA, apply a custom organization policy for CMEK, and use Cloud Monitoring alerts for offboarding.
C. Use Identity Platform with MFA enforced in OIDC, apply organization policy 'compute.skipDefaultNetworkCreation' and 'storage.cmekRequired', and use Cloud Audit Logs to detect offboarded users.
D. Use Cloud Identity with MFA, apply organization policy for default VPC and CMEK, and use Cloud Functions to deactivate IAM accounts offboarded in HR system via a custom integration.
Answer: C

Identity Platform handles MFA; org policies enforce technical requirements.

Why this answer

Option C is correct because it uses Identity Platform with OIDC to enforce MFA via the existing Active Directory SSO, applies the organization policy 'compute.skipDefaultNetworkCreation' to prevent default VPCs, uses 'storage.cmekRequired' to enforce CMEK on Cloud Storage buckets, and leverages Cloud Audit Logs to detect offboarded users by monitoring identity changes, enabling automated revocation within 24 hours. This combination directly addresses all four requirements using native Google Cloud policies and services without custom code.

Exam trap

The trap here is that candidates often confuse organization policies with identity policies, thinking MFA can be enforced via organization policies, or they overcomplicate the solution with custom code when native services like Cloud Audit Logs and organization policies suffice.

How to eliminate wrong answers

Option A is wrong because MFA cannot be configured via an organization policy; organization policies do not enforce authentication methods like MFA. Option B is wrong because Cloud Run cannot enforce MFA, and Cloud Monitoring alerts do not automatically revoke access for offboarded users. Option D is wrong because Cloud Functions deactivating IAM accounts is not a native or recommended approach; Cloud Audit Logs should be used to detect offboarded users, and the integration with HR systems is overly complex and not directly supported.

6. MCQ · hard

A DevOps team is bootstrapping a Google Cloud organization. They have created a folder for a business unit and want to prevent users from moving projects out of that folder to other folders. Which organization policy constraint should they apply?

A. constraints/resourcemanager.allowedResourceRestrictions
B. constraints/resourcemanager.allowedPolicyMemberDomains
C. constraints/resourcemanager.allowedProjectParent
D. constraints/resourcemanager.disableProjectMove
Answer: D

This prevents projects from being moved.

Why this answer

Option D is correct because the `constraints/resourcemanager.disableProjectMove` organization policy constraint explicitly prevents users from moving projects out of a specified folder or organization. When applied at the folder level, this constraint blocks any move operation that would relocate a project to a different parent, ensuring projects remain within the designated business unit folder.

Exam trap

Google Cloud often tests the misconception that `allowedProjectParent` is a real constraint, but Google Cloud uses `disableProjectMove` instead, and candidates may confuse it with similar-sounding but unrelated constraints like `allowedPolicyMemberDomains`.

How to eliminate wrong answers

Option A is wrong because `constraints/resourcemanager.allowedResourceRestrictions` is not a valid Google Cloud organization policy constraint; the correct constraint for restricting resource types is `constraints/resourcemanager.allowedResourceTypes`. Option B is wrong because `constraints/resourcemanager.allowedPolicyMemberDomains` restricts which external domains can be added as members in IAM policies, not project move operations. Option C is wrong because `constraints/resourcemanager.allowedProjectParent` is not a real organization policy constraint; the actual constraint for controlling project parent is `constraints/resourcemanager.disableProjectMove`.

7. Matching · medium

Match each Cloud Monitoring metric type to its description.


Cumulative value that only increases

Instantaneous measurement at a point in time

Statistical summary of values over time

Change in a counter over a time interval

Running total from start of observation

Why these pairings

Metric types used in Cloud Monitoring.

8. Multi-Select · medium

A team is bootstrapping a new Google Cloud organization. Which TWO practices are recommended for managing project creation and resource hierarchy? (Choose two.)

Select 2 answers
A. Use a centralized service account to create projects via API.
B. Create a folder for each department to isolate resources.
C. Use a single project for all development environments.
D. Assign project creator role to all users by default.
E. Use organization policies to enforce naming conventions on projects.
Answers: B, E

Folders provide logical isolation.

Why this answer

Option B is correct because creating a folder for each department allows you to isolate resources, apply IAM policies at the folder level, and enforce organizational boundaries. This follows Google Cloud's recommended resource hierarchy best practices for multi-team environments, enabling delegated administration and cost tracking per department.

Exam trap

The trap here is that candidates often confuse 'centralized automation' (Option A) with best practices, but Google Cloud recommends using a project factory with a dedicated service account per automation scope rather than a single shared service account to avoid blast radius and credential management issues.

9. Multi-Select · easy

Which TWO are benefits of using a shared VPC in a Google Cloud organization? (Choose two.)

Select 2 answers
A. Centralized management of network resources.
B. Eliminates the need for project administrators to have any IAM roles.
C. Ensures compliance with organizational policies.
D. Separation of network administration from project administration.
E. Automatically enables required APIs in all service projects.
Answers: A, D

Shared VPC allows network administrators to manage a common network.

Why this answer

Option A is correct because a shared VPC allows network resources (subnets, routes, firewalls) to be defined in a host project and consumed by multiple service projects, enabling centralized management. This reduces administrative overhead by having a single network team control the VPC configuration rather than each project managing its own.

Exam trap

The trap here is that candidates confuse 'separation of network administration from project administration' (Option D) with 'eliminating IAM roles' (Option B), or assume shared VPC automatically enforces compliance (Option C) or enables APIs (Option E), when in fact these require separate configuration.

10. MCQ · medium

A government agency is bootstrapping a Google Cloud organization with strict compliance requirements. They must: (1) store all logs in a centralized project with retention of 7 years, (2) ensure no data leaves the United States, (3) use customer-managed encryption keys (CMEK) for all persistent disks and buckets, (4) automatically reject any resource creation outside allowed regions (us-central1 and us-east1). They have an existing on-premises SIEM that needs to receive logs via Pub/Sub. The network team wants to use Shared VPC. What is the correct order of steps to implement this?

A. Set up Pub/Sub for SIEM first, then create log sink, then apply org policies.
B. Create all projects first, then move them into folders, then apply org policies.
C. Create Shared VPC first, then set up org policies, then create log sink, then create folders.
D. Create folder hierarchy, set org policies for allowed regions and CMEK, configure aggregated log sink to centralized project, set up Shared VPC, and create Pub/Sub topic for SIEM.
Answer: D

Logical order: hierarchy, policies, logging, network, then external integration.

Why this answer

Option D is correct because it follows the recommended Google Cloud landing zone bootstrap order: first establish the folder hierarchy to apply organization policies (like constraints/compute.restrictResourceCreation and constraints/gcp.resourceLocations) and CMEK requirements at the correct level, then create the aggregated log sink to the centralized project with a 7-year retention bucket, set up Shared VPC for network isolation, and finally create the Pub/Sub topic for the SIEM. This sequence ensures that policies are inherited before resources are created, preventing non-compliant resource creation and ensuring logs are captured from the start.

Exam trap

Google Cloud often tests the order of operations in a Google Cloud landing zone, and the trap here is that candidates think they can create projects or Shared VPC first, not realizing that organization policies must be applied to the folder hierarchy before any resources are created to enforce compliance from the start.

How to eliminate wrong answers

Option A is wrong because it attempts to set up Pub/Sub and log sinks before applying organization policies, which would allow non-compliant resources to be created and logs to be stored without the required CMEK or regional constraints. Option B is wrong because creating projects before folders and org policies means the projects are not under the correct folder hierarchy, so they cannot inherit the required allowed regions and CMEK policies, leading to potential compliance violations. Option C is wrong because creating Shared VPC before org policies and log sinks would allow network resources to be created in unallowed regions and logs to be stored without CMEK, and creating folders after policies is out of order since folders must exist to scope policies correctly.

11. Multi-Select · medium

When bootstrapping a Google Cloud organization for DevOps, which THREE steps are essential to set up a secure CI/CD foundation using Cloud Build?

Select 3 answers
A. Create a Cloud Source Repository for each application's code.
B. Set up a trigger that automatically builds on each commit to the main branch.
C. Disable default service accounts in all projects.
D. Enable the Cloud Build API and grant the Cloud Build service account the necessary roles (e.g., Cloud Run Admin, Artifact Registry Writer).
E. Configure VPC Service Controls for all projects.
Answers: A, B, D

Repositories are needed to host source code and trigger builds.

Why this answer

Creating a Cloud Source Repository for each application's code is essential because it provides a dedicated, version-controlled repository that integrates natively with Cloud Build triggers. This ensures that each application has its own isolated codebase, enabling precise CI/CD pipelines without cross-application interference.

Exam trap

Google Cloud often tests the distinction between 'essential' steps for a specific service (Cloud Build) versus general security best practices, leading candidates to select VPC Service Controls or disabling default service accounts as mandatory when they are actually optional or later-stage configurations.

12. MCQ · hard

During the bootstrapping of a Google Cloud organization, the DevOps team wants to implement a policy that prevents the deletion of certain resources, such as Cloud Storage buckets or Cloud SQL instances, unless a specific approval process is followed. Which approach best achieves this goal?

A. Configure Cloud Source Repositories to require code review for any changes to Terraform configurations that delete resources.
B. Implement Binary Authorization to require approvals for any delete commands.
C. Use Resource Manager locks on projects and set up a Cloud Function that triggers on audit logs to require approval before removing the lock.
D. Use VPC Service Controls to block delete operations on specific services.
Answer: C

Locks prevent deletion; Cloud Functions can automate approval workflows.

Why this answer

Option C is correct because Resource Manager locks prevent accidental deletion of critical resources by placing a deletion prevention lock on the project or resource hierarchy. By combining this with a Cloud Function that monitors audit logs for lock removal attempts and requires an approval workflow before the lock is removed, the team enforces a controlled approval process for any deletion, meeting the policy requirement precisely.

Exam trap

The trap here is that candidates may confuse Binary Authorization (which handles container deployment approvals) with a general-purpose approval system, or assume VPC Service Controls can block deletion when they are actually focused on data exfiltration prevention.

How to eliminate wrong answers

Option A is wrong because Cloud Source Repositories and code review only control changes to Terraform configurations, not the actual deletion of resources; a user could still delete resources via the console or API without touching Terraform. Option B is wrong because Binary Authorization is designed for container image deployment approvals, not for resource deletion operations; it cannot intercept or approve delete commands on Cloud Storage buckets or Cloud SQL instances. Option D is wrong because VPC Service Controls are used to define security perimeters around data access and exfiltration, not to block delete operations; they restrict data movement but do not prevent resource deletion.

13. Multi-Select · easy

A company wants to implement a DevOps culture in their new Google Cloud organization. Which THREE practices align with Google's DevOps principles? (Choose three.)

Select 3 answers
A. Monitor systems with telemetry and logs.
B. Implement continuous integration and delivery.
C. Use a monolithic architecture to simplify deployments.
D. Centralize all operations in a single team.
E. Conduct post-mortems without blame.
Answers: A, B, E

Observability is key.

Why this answer

Option A is correct because Google's DevOps principles emphasize observability through telemetry and logs to gain insight into system behavior, enabling data-driven decisions and rapid troubleshooting. In Google Cloud, this aligns with services like Cloud Monitoring and Cloud Logging, which collect metrics and logs from resources such as Compute Engine instances and GKE clusters, supporting the 'monitor and improve' feedback loop central to DevOps.

Exam trap

Google Cloud often tests the misconception that monolithic architectures simplify deployments in a DevOps context, but the trap here is that Google's principles favor microservices and decoupled releases to reduce deployment risk and enable continuous delivery.

14. MCQ · easy

A small team is setting up a Google Cloud organization for their DevOps pipeline. They have zero existing projects. Their planned architecture uses Cloud Build for CI/CD, Cloud Source Repositories for code, and Artifact Registry for images. They want to ensure that developers can only deploy to the production environment after code review and approval. They also want to automatically trigger builds on commits to the main branch. Which of the following is the most efficient way to implement this?

A. Use a single trigger and a build step that checks for a label in the commit to decide if deployment is allowed.
B. Use a Cloud Function to deploy code after a Pub/Sub message from a code review tool.
C. Create separate Cloud Build triggers for development and production, and use manual approval steps in the production trigger.
D. Set up a Cloud Build trigger on the main branch without any approval, and rely on code review outside Google Cloud.
Answer: C

Allows approval for production only.

Why this answer

Option C is correct because it uses separate Cloud Build triggers for development and production, allowing the production trigger to include a manual approval step. This enforces that code review and approval occur before deployment to production, while the development trigger can automatically build on commits to the main branch. Cloud Build's approval gates are the native way to require human sign-off before executing a build, aligning with the requirement for controlled production deployments.

Exam trap

Google Cloud often tests the misconception that a single trigger with conditional logic (like checking a label or commit message) can replace native approval mechanisms, but Cloud Build's approval gates are the only way to enforce mandatory human sign-off before deployment.

How to eliminate wrong answers

Option A is wrong because relying on a commit label for deployment decisions is insecure and bypasses the required code review and approval process; labels can be set by any developer with push access, and Cloud Build does not enforce review before the build runs. Option B is wrong because using a Cloud Function triggered by a Pub/Sub message from a code review tool adds unnecessary complexity and does not integrate natively with Cloud Build's CI/CD pipeline; it also lacks the automatic trigger on commits to the main branch that the team wants. Option D is wrong because setting up a Cloud Build trigger on the main branch without any approval violates the requirement that developers can only deploy to production after code review and approval; relying on external code review outside Google Cloud does not enforce the approval step within the pipeline.

15. MCQ · medium

Your organization has multiple teams that need to deploy infrastructure using Terraform. You want to enforce that all Terraform state files are stored in a central Cloud Storage bucket with versioning enabled. You also need to ensure that only the CI/CD pipeline can write to the bucket. What is the best way to enforce this?

A. Use VPC Service Controls to restrict access to the bucket from only the CI/CD pipeline's VPC.
B. Create a custom IAM role with permissions to write to the bucket and assign it to the CI/CD service account.
C. Grant the Storage Object Admin role to the CI/CD service account at the bucket level.
D. Use IAM conditions to restrict access to the bucket only when the requester is the CI/CD service account.
Answer: D

IAM conditions can enforce that only the specific service account can write.

Why this answer

Option D is correct because IAM conditions allow you to bind a role to a principal (the CI/CD service account) and then restrict access based on attributes of the request, such as the requester's identity. By using a condition that checks `iam.googleapis.com/principal` equals the CI/CD service account email, you ensure that only that specific service account can write to the bucket, even if other principals have the role. This enforces the policy without relying on network constructs or overly broad role assignments.

Exam trap

Google Cloud often tests the distinction between identity-based access control (IAM conditions) and network-based controls (VPC Service Controls), leading candidates to choose VPC SC when the requirement is to restrict by identity, not network.

How to eliminate wrong answers

Option A is wrong because VPC Service Controls restrict access based on network origin (VPC perimeter), not the identity of the requester; the CI/CD pipeline might run outside the VPC or use a different network path, and VPC SC does not enforce that only the CI/CD service account can write. Option B is wrong because creating a custom IAM role with write permissions and assigning it to the CI/CD service account does not prevent other principals from being granted the same role or similar permissions on the bucket; it lacks a condition to exclusively limit writes to that service account. Option C is wrong because granting the Storage Object Admin role to the CI/CD service account at the bucket level gives that service account full write access, but it does not restrict writes to only that service account; any other principal with the same role or inherited permissions could also write.

16. MCQ · hard

An organization is bootstrapping their Google Cloud environment and wants to implement a shared VPC for DevOps workloads. The network team manages the host project, while DevOps teams have service projects. They need to ensure that DevOps teams can create resources in their service projects that use the shared VPC, but they cannot change the host project's network configuration. Which IAM roles should be granted to the DevOps team's service account on the host project?

A. roles/compute.securityViewer
B. roles/compute.admin
C. roles/compute.networkAdmin
D. roles/compute.networkUser
Answer: D

This role allows using existing networks and subnets but not modifying them.

Why this answer

The DevOps team needs to use the shared VPC's resources (e.g., subnets) from their service projects without modifying the host project's network configuration. The `roles/compute.networkUser` role grants permission to use existing networks and subnets in the host project, but not to create, modify, or delete them. This aligns with the principle of least privilege for a shared VPC setup.

Exam trap

The trap here is that candidates often confuse `roles/compute.networkUser` with `roles/compute.networkAdmin`, assuming that using a shared VPC requires administrative privileges, when in fact the `networkUser` role is the minimal permission needed to consume network resources without managing them.

How to eliminate wrong answers

Option A is wrong because `roles/compute.securityViewer` only allows read-only access to security policies and firewall rules, not the ability to use subnets or create resources in the shared VPC. Option B is wrong because `roles/compute.admin` grants full control over all Compute Engine resources, including the ability to modify the host project's network configuration, which violates the requirement that DevOps teams cannot change the host project's network. Option C is wrong because `roles/compute.networkAdmin` allows creating, modifying, and deleting networks and subnets in the host project, which is excessive and would let DevOps teams alter the shared VPC configuration.

17. Matching · medium

Match each Google Cloud service to its primary purpose.


CI/CD pipeline

Metrics and alerting

Log management and analysis

Application error aggregation

Real-time code inspection

Why these pairings

These are core DevOps services on Google Cloud.

18. MCQ · easy

A company is bootstrapping a new Google Cloud organization for DevOps. They want to separate development, staging, and production environments using folders. Which folder structure follows Google-recommended best practices?

A. Create a single folder called 'Environments' with subfolders Dev, Staging, Prod, and place projects in the subfolders.
B. Create a folder for each team, then subfolders for environments (e.g., Team1/Dev, Team1/Prod).
C. Use labels on projects to denote environment (e.g., env=dev) instead of folders.
D. Create folders under the Organization node: Development, Staging, Production. Place all projects in the appropriate folder.
Answer: D

This is the recommended structure for environment separation.

Why this answer

Option D is correct because Google Cloud best practices recommend creating top-level folders under the Organization node for each environment (Development, Staging, Production) to enforce consistent policy inheritance and resource isolation. This structure allows you to apply organization policies and IAM roles at the environment level, ensuring that production resources are strictly separated from development and staging resources, which is critical for compliance and security.

Exam trap

The trap here is that candidates often think a single 'Environments' parent folder (Option A) is cleaner or more organized, but Google specifically recommends against unnecessary nesting because it complicates policy inheritance and violates the principle of least privilege.

How to eliminate wrong answers

Option A is wrong because placing environment subfolders under a single 'Environments' folder adds an unnecessary nesting level that complicates policy inheritance and does not align with Google's recommended flat hierarchy for environments. Option B is wrong because organizing by team first, then by environment, makes it difficult to apply consistent policies across all environments (e.g., a production-wide policy would need to be applied to each team's Prod subfolder individually), increasing administrative overhead and risk of misconfiguration. Option C is wrong because labels are metadata tags and do not provide the structural isolation or policy inheritance that folders offer; labels cannot enforce resource hierarchy or prevent cross-environment access, making them unsuitable for environment separation.

19. MCQ · medium

A DevOps engineer is setting up a Cloud Build trigger that builds a container image and deploys it to Cloud Run. The build fails with a permission error when trying to access resources in a different project. The engineer has created a service account in the project where Cloud Build runs and granted it roles/run.admin and roles/storage.objectViewer on the target project. What is the most likely cause of the failure?

A. The service account has been deleted or disabled.
B. Cloud Build's default compute engine service account is being used instead of the custom one.
C. The Cloud Build service account lacks the iam.serviceAccounts.actAs permission on the Cloud Run runtime service account.
D. The service account must be created in the target project instead of the source project.
Answer: C

To deploy to Cloud Run, Cloud Build must act as the Cloud Run runtime service account.

Why this answer

The error occurs because Cloud Build needs the `iam.serviceAccounts.actAs` permission on the Cloud Run runtime service account to impersonate it when deploying the container. Even though the custom service account has `roles/run.admin` and `roles/storage.objectViewer` on the target project, without the `actAs` permission, Cloud Build cannot assume the runtime service account's identity to push the image and deploy the revision. This permission is typically granted via `roles/iam.serviceAccountUser` on the runtime service account itself.

Exam trap

The trap here is that candidates assume granting high-level roles like `roles/run.admin` on the target project is sufficient, overlooking the separate requirement for the `iam.serviceAccounts.actAs` permission on the specific runtime service account that Cloud Run uses.

How to eliminate wrong answers

Option A is wrong because the question states the service account was created and granted roles, and a deleted/disabled account would produce a 'not found' or 'disabled' error, not a generic permission error when accessing resources. Option B is wrong because the engineer explicitly created a custom service account; Cloud Build would use that custom account if it was properly configured in the trigger, and the default compute engine service account is only used if no custom service account is specified. Option D is wrong because service accounts can be created in any project and granted IAM roles on resources in other projects; the service account does not need to reside in the target project to access its resources.

20
MCQ · hard

A multinational corporation is bootstrapping their Google Cloud organization. They have multiple business units in different countries, each with its own compliance requirements (e.g., data residency, encryption keys). The organization structure must support: (1) each business unit as a separate folder with its own admin; (2) projects within each folder must have a label 'bu-<businessunit>'; (3) all resources must be created in regions allowed by the business unit; (4) audit logging must be centralized. They have 200 existing projects and 10,000 VMs. The team wants to use Google Cloud's native tools to enforce these policies without third-party software. What is the most effective first step?

A. Apply organization policies at the root level to restrict regions and labeling, and ignore folders.
B. Use a single folder for all projects and rely on IAM roles to enforce compliance per business unit.
C. Create a separate Cloud Function for each business unit to monitor resources and enforce compliance.
D. Create folders for each business unit, move all projects into corresponding folders using a script, and apply organization policies for allowed regions and labeling.
Answer: D

Folders provide isolation; org policies enforce regions and labels centrally.

Why this answer

Option D is correct because it establishes a folder hierarchy that mirrors the business units, enabling hierarchical inheritance of organization policies. By moving existing projects into the correct folders and applying organization policies for allowed regions and labeling at the folder level, each business unit's compliance requirements are enforced natively without third-party tools. This approach also supports centralized audit logging by enabling audit logs at the organization level, which aggregate logs from all folders and projects.

Exam trap

Google Cloud often tests the misconception that IAM roles alone can enforce compliance policies, when in fact IAM governs who can do what, not what resources can be created or where; organization policies are required for resource-level constraints.

How to eliminate wrong answers

Option A is wrong because applying organization policies at the root level ignores the need for per-business-unit compliance; it would enforce the same region and labeling constraints globally, violating data residency and encryption key requirements. Option B is wrong because using a single folder with IAM roles cannot enforce resource-level constraints like allowed regions or mandatory labels; IAM controls access, not resource configuration. Option C is wrong because creating separate Cloud Functions for monitoring introduces unnecessary complexity, latency, and potential for drift; Google Cloud's native organization policies provide real-time, preventive enforcement at resource creation time, which is more reliable and scalable.
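The first step the explanation describes (one folder per business unit, existing projects moved under them, a location constraint inherited by everything in the folder) in Terraform, as an added example that is not part of the question bank. The organization ID, business-unit names, region groups and the project ID are placeholders; the example enforces allowed regions only and does not cover the label requirement, and centralized audit logging is a separate sink configuration.

```hcl
# Added example (not from the question bank). ORG_ID_PLACEHOLDER, the
# business-unit names and the project ID are assumptions.

# One top-level folder per business unit, directly under the organization.
resource "google_folder" "bu" {
  for_each     = toset(["finance-emea", "retail-apac"]) # constructed units
  display_name = each.key
  parent       = "organizations/ORG_ID_PLACEHOLDER"
}

locals {
  # Constructed mapping: which location group each unit's data may live in.
  allowed_locations = {
    "finance-emea" = ["in:eu-locations"]
    "retail-apac"  = ["in:asia-locations"]
  }
}

# gcp.resourceLocations set on the folder is inherited by every project
# beneath it, so resource creation outside the allowed regions is rejected
# at request time rather than detected afterwards.
resource "google_org_policy_policy" "resource_locations" {
  for_each = google_folder.bu
  name     = "${each.value.name}/policies/gcp.resourceLocations"
  parent   = each.value.name

  spec {
    rules {
      values {
        allowed_values = local.allowed_locations[each.key]
      }
    }
  }
}

# An existing project moved under its business-unit folder. Existing
# projects are brought under management with `terraform import` first; a
# script would generate one of these per project for the 200 in scope.
resource "google_project" "retail_web_prod" {
  project_id = "retail-apac-web-prod" # placeholder
  name       = "retail-apac-web-prod"
  folder_id  = google_folder.bu["retail-apac"].folder_id
}
```

Moving a project into a folder changes which policies and IAM bindings it inherits, so run `terraform plan` and compare the inherited constraints against the project's current resources before applying; a project that already has resources outside the newly allowed regions keeps them but cannot create more.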

21
MCQ · hard

A DevOps engineer notices that developers are accidentally deleting Cloud Storage buckets. The organization wants to prevent accidental deletion while still allowing developers to manage bucket objects. What is the best practice?

A. Set a bucket retention policy with deletion lock.
B. Enable Cloud Audit Logging and set up alerts on bucket deletion.
C. Set a bucket IAM policy denying storage.objects.delete for developers.
D. Use an organization policy to disable bucket deletion across the org.
Answer: A

Retention policy prevents deletion until lock expires.

Why this answer

A bucket retention policy with a deletion lock prevents the deletion of the bucket itself, even by users with owner permissions, while still allowing developers to manage objects within the bucket. This is the only option that directly enforces a hard, irreversible lock on bucket deletion, meeting the requirement to prevent accidental deletion without restricting object management.

Exam trap

The trap here is that candidates often confuse preventing object deletion with preventing bucket deletion, leading them to choose IAM policies that restrict object-level actions (Option C) instead of using the bucket-level retention lock mechanism.

How to eliminate wrong answers

Option B is wrong because Cloud Audit Logging with alerts only notifies administrators after a deletion occurs; it does not prevent the deletion from happening in the first place. Option C is wrong because denying storage.objects.delete prevents developers from deleting objects, which is not the requirement—the organization wants to allow object management while only preventing bucket deletion. Option D is wrong because an organization policy to disable bucket deletion across the org would block all bucket deletions for all users, including authorized administrators, which is overly restrictive and not a best practice for targeted accidental deletion prevention.

22
MCQ · medium

An organization is bootstrapping its Google Cloud environment and needs to establish a secure CI/CD pipeline that deploys infrastructure using Terraform. The pipeline must run in a dedicated project, and Terraform state must be stored in a Cloud Storage bucket. What is the most secure way to grant the CI/CD service account the minimal permissions required to manage the state bucket?

A. Grant the service account the Storage Object Admin role on the service account itself.
B. Grant the service account the Storage Object Admin role at the project level.
C. Grant the service account the Storage Admin role at the project level.
D. Grant the service account the Storage Object Admin role on the specific Cloud Storage bucket.
Answer: D

This grants minimal permissions to manage objects in that bucket only.

Why this answer

Option D is correct because granting the Storage Object Admin role (roles/storage.objectAdmin) on the specific Cloud Storage bucket follows the principle of least privilege. This allows the CI/CD service account to manage objects (including Terraform state files) within that bucket without granting broader permissions to other buckets or project-level storage operations. The pipeline runs in a dedicated project, but the state bucket itself is the resource that needs access control, making a resource-level role assignment the most secure approach.

Exam trap

The trap here is that candidates often confuse granting roles at the project level versus the resource level, mistakenly thinking project-level permissions are required for a single bucket, or they incorrectly assume that roles can be granted on a service account itself rather than on the resource being accessed.

How to eliminate wrong answers

Option A is wrong because granting the Storage Object Admin role on the service account itself is nonsensical—IAM roles are granted to identities (like service accounts) on resources, not on the identity itself; this would not grant any permissions to manage the bucket. Option B is wrong because granting the Storage Object Admin role at the project level would apply the permission to all Cloud Storage buckets in the project, violating least privilege by allowing the service account to manage objects in any bucket, not just the Terraform state bucket. Option C is wrong because the Storage Admin role (roles/storage.admin) at the project level grants full control over all buckets and objects, including the ability to create, delete, and modify bucket configurations, which far exceeds the minimal permissions needed to manage state files and introduces unnecessary security risk.

23
Multi-Select · hard

A Cloud Build pipeline that deploys a container to Cloud Run fails with the error: `Missing required permission run.routes.invoke`. The Cloud Build service account has the 'Cloud Run Invoker' role. Which TWO additional steps should be taken?

Select 2 answers
A. Ensure the service account has the `iam.serviceAccounts.actAs` permission on the Cloud Run runtime service account.
B. Enable the Cloud Run API in the project.
C. Grant the 'Cloud Run Developer' role to the service account.
D. Use a different service account for deployment.
E. Add the `run.routes.invoke` permission to a custom role.
Answers: A, C

Required to deploy revisions because the service account acts as the runtime SA.

Why this answer

Option A is correct because the Cloud Build service account needs the `iam.serviceAccounts.actAs` permission on the Cloud Run runtime service account (the service account that Cloud Run uses to run the container). Without this permission, Cloud Build cannot impersonate the runtime service account to deploy the container, even if it has the Cloud Run Invoker role. The `run.routes.invoke` error occurs because the deployment process requires the ability to invoke the route, which is tied to the runtime service account's permissions.

Exam trap

Google Cloud often tests the misconception that granting the `run.routes.invoke` permission directly to the Cloud Build service account (via a custom role) will fix the error, when in fact the error arises because the runtime service account lacks the permission and the Cloud Build service account cannot impersonate it without the `actAs` permission.
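The binding that questions 19 and 23 both turn on, as an added example that is not part of the question bank: `roles/iam.serviceAccountUser` (which carries `iam.serviceAccounts.actAs`) granted on the Cloud Run runtime service account itself, next to the project-level deploy role. Project IDs and account names are placeholders.

```hcl
# Added example (not from the question bank). Project IDs and account
# IDs are assumptions.

# Identity the Cloud Run service executes as.
resource "google_service_account" "run_runtime" {
  project      = "target-project-id" # placeholder
  account_id   = "app-runtime"
  display_name = "Cloud Run runtime identity"
}

# Identity Cloud Build runs the deploy step as (the trigger's service account).
resource "google_service_account" "deployer" {
  project      = "build-project-id" # placeholder
  account_id   = "cloud-build-deployer"
  display_name = "Cloud Build deploy identity"
}

# Deploying a revision that runs as app-runtime means handing that identity
# to the new revision, so the deployer must be allowed to act as it. The
# binding sits on the runtime account, not on the project: the deployer may
# use this one identity and no other service account in the project.
resource "google_service_account_iam_member" "deployer_acts_as_runtime" {
  service_account_id = google_service_account.run_runtime.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.deployer.email}"
}

# Project-level role for creating and updating the Cloud Run service itself.
resource "google_project_iam_member" "deployer_run_admin" {
  project = "target-project-id" # placeholder
  role    = "roles/run.admin"
  member  = "serviceAccount:${google_service_account.deployer.email}"
}
```

Scoping `serviceAccountUser` to the one runtime account is what keeps the deployer from impersonating more privileged service accounts in the target project; granting the same role at project level would let it act as every service account there, including any with Editor-class permissions.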

24
MCQ · easy

A startup wants to implement infrastructure as code for their Google Cloud environment to ensure reproducibility. They are using Terraform and want to manage state securely. What is the recommended approach?

A. Store Terraform state in a file in the Cloud Shell home directory.
B. Store Terraform state in Cloud Source Repositories as a YAML file.
C. Store Terraform state locally on each developer's machine and use git to sync.
D. Store Terraform state in a Cloud Storage bucket with object versioning enabled.
Answer: D

Correct as explained.

Why this answer

Storing Terraform state in a Cloud Storage bucket with object versioning enabled is the recommended approach because it provides a centralized, remote backend that supports state locking (via Cloud Storage's object lease mechanism) and version history for rollback. This ensures consistency across team members and protects against state corruption or accidental deletion, aligning with infrastructure as code best practices for reproducibility.

Exam trap

The trap here is that candidates may assume Git-based version control is sufficient for state management, overlooking that Terraform state requires a backend with native locking and versioning support to prevent corruption from concurrent operations.

How to eliminate wrong answers

Option A is wrong because storing state in Cloud Shell's home directory is ephemeral and not shared across team members, leading to state drift and potential data loss when the Cloud Shell environment is reset. Option B is wrong because Cloud Source Repositories is a Git-based version control service for source code, not a state backend; storing state as a YAML file there would bypass Terraform's locking mechanism and risk corruption from concurrent writes. Option C is wrong because storing state locally on each developer's machine and using git to sync introduces merge conflicts and race conditions, as Terraform state is a binary file that cannot be safely merged via Git's text-based diffing.

25
MCQ · medium

Refer to the exhibit. The Cloud Build fails with a permission error. The Cloud Build service account has roles/cloudbuild.builds.builder and roles/cloudfunctions.developer on the project. What is the missing permission?

A. cloudfunctions.functions.setIamPolicy
B. cloudfunctions.functions.get
C. iam.serviceAccounts.actAs
D. cloudfunctions.functions.sourceCodes.set
Answer: A

Required to set IAM policy for unauthenticated access.

Why this answer

Option A is correct because the --allow-unauthenticated flag requires the cloudfunctions.functions.setIamPolicy permission to make the function publicly accessible. The roles/cloudfunctions.developer does not include this permission. Option B is wrong because cloudfunctions.functions.get is included in the developer role.

Option C is wrong because iam.serviceAccounts.actAs is not needed for this deployment. Option D is wrong because cloudfunctions.functions.sourceCodes.set is part of the developer role.

26
MCQ · easy

A startup wants to implement Infrastructure as Code (IaC) using Terraform for their Google Cloud environment. They need to manage state files securely. What is the best practice?

A. Use a Cloud SQL database to store state.
B. Store state in a Git repository.
C. Store Terraform state in Cloud Storage with uniform bucket-level access using a dedicated bucket.
D. Store state locally on the developer's machine.
Answer: C

Secure and collaborative.

Why this answer

Storing Terraform state in Cloud Storage with uniform bucket-level access is the best practice because it provides a centralized, durable, and versioned backend that supports state locking via object lease mechanisms. This approach prevents concurrent modifications and ensures consistency across team members, while uniform bucket-level access simplifies IAM management by disabling ACLs and enforcing bucket policies exclusively.

Exam trap

Google Cloud often tests the misconception that Git-based state management is acceptable for team collaboration, but the trap here is that Git lacks state locking and exposes sensitive data, making Cloud Storage with uniform bucket-level access the only secure and collaborative option.

How to eliminate wrong answers

Option A is wrong because Cloud SQL is a relational database not designed for Terraform state storage; it lacks native state locking and versioning support, and introduces unnecessary latency and cost. Option B is wrong because storing state in a Git repository exposes sensitive data (e.g., plaintext secrets, resource IDs) in version history, and Git does not provide state locking, leading to race conditions when multiple users run `terraform apply` simultaneously. Option D is wrong because storing state locally on a developer's machine creates a single point of failure, prevents team collaboration, and violates the principle of shared state required for consistent infrastructure management.
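The state backend that questions 22, 24 and 26 describe, as one added example that is not part of the question bank: a dedicated bucket with object versioning and uniform bucket-level access, the bucket-scoped `roles/storage.objectAdmin` grant to the pipeline's service account, and the `gcs` backend stanza the pipelines point at. Project ID, bucket name and account ID are placeholders.

```hcl
# Added example (not from the question bank). Project ID, bucket name and
# service account ID are assumptions.

# Dedicated state bucket. Versioning keeps earlier state generations for
# rollback; uniform bucket-level access disables object ACLs so IAM on the
# bucket is the only access path; public access prevention is belt and braces.
resource "google_storage_bucket" "tfstate" {
  project                     = "cicd-project-id"     # placeholder
  name                        = "example-org-tfstate" # placeholder, globally unique
  location                    = "US"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  versioning {
    enabled = true
  }
}

resource "google_service_account" "cicd" {
  project      = "cicd-project-id" # placeholder
  account_id   = "terraform-cicd"
  display_name = "Terraform pipeline identity"
}

# Bound on the bucket, not the project: the pipeline can read and write
# state objects here and has no access to any other bucket.
resource "google_storage_bucket_iam_member" "cicd_state" {
  bucket = google_storage_bucket.tfstate.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.cicd.email}"
}

# backend.tf in each pipeline that consumes the bucket. Backend blocks cannot
# reference resources or variables, so the bucket name is repeated literally.
# Terraform holds a lock in the bucket for the duration of plan/apply so two
# concurrent runs against the same prefix cannot both write.
terraform {
  backend "gcs" {
    bucket = "example-org-tfstate" # placeholder, same bucket as above
    prefix = "env/prod"
  }
}
```

The bucket has to exist before the backend can be initialised, so the bootstrap configuration is applied once with local state and then migrated with `terraform init -migrate-state`. Separate prefixes per environment keep one pipeline's state object out of reach of another only if the IAM conditions or separate buckets are used; a single `objectAdmin` grant on the bucket covers every prefix in it.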

27
MCQ · medium

A company uses Cloud Build to deploy applications and wants to ensure that builds from forked repositories cannot access sensitive environment variables. What is the best practice?

A. Disable builds from forks entirely.
B. Use Cloud Build's 'encrypted variables' and mark them as 'not available for pull requests from forks'.
C. Use Cloud Build's 'substitutions' instead of environment variables.
D. Use Cloud Build's 'secrets' manager instead of environment variables.
Answer: B

This option explicitly hides the variables from forked PR builds.

Why this answer

Option B is correct because Cloud Build allows you to mark encrypted variables as 'not available for pull requests from forks', which prevents forked PRs from accessing sensitive environment variables. This is the most direct and secure method to protect secrets in CI/CD pipelines involving external contributions.

Exam trap

The trap here is that candidates often assume Cloud Secret Manager is always the best choice for secrets, but the question specifically asks about preventing access from forked repositories, which requires the fork-specific restriction that only encrypted variables with the 'not available for pull requests from forks' flag provide.

How to eliminate wrong answers

Option A is wrong because disabling builds from forks entirely is overly restrictive and prevents legitimate contributions from external developers. Option C is wrong because substitutions are not designed for secrets; they are plain-text variables that can be overridden at build time and are still accessible to forked PRs if not explicitly restricted. Option D is wrong because while Cloud Secret Manager is a secure way to store secrets, it does not inherently restrict access based on fork status; you would still need additional controls to prevent forked PRs from accessing the secret.

28
MCQ · medium

A DevOps team is setting up a Google Cloud organization and wants to ensure that all billing alerts are centrally managed. What should they do?

A. Use Cloud Monitoring to create custom metrics for billing.
B. Set up billing alerts individually for each project.
C. Create a project dedicated to billing and manage alerts there.
D. Set up billing alerts at the organization level using Cloud Billing.
Answer: D

Centralized management of alerts.

Why this answer

Setting up billing alerts at the organization level using Cloud Billing (Option D) is correct because it allows centralized management of billing thresholds, notifications, and budget policies across all projects within the organization. This approach leverages the Cloud Billing budget feature, which can be configured at the billing account level to send alerts to Pub/Sub topics or email recipients, ensuring consistent oversight without per-project configuration.

Exam trap

The trap here is that candidates often confuse project-level billing alerts with organization-level billing alerts, assuming a dedicated billing project (Option C) provides central management, when in fact billing alerts must be configured at the billing account level to apply across all projects in the organization.

How to eliminate wrong answers

Option A is wrong because Cloud Monitoring custom metrics are used for monitoring application or infrastructure performance, not for billing alerts; billing alerts are managed through Cloud Billing budgets, not Monitoring. Option B is wrong because setting up billing alerts individually for each project defeats centralized management, leading to administrative overhead and potential inconsistencies in alert thresholds. Option C is wrong because creating a dedicated project for billing does not centralize alerts; billing alerts are tied to the billing account, not to a specific project, and alerts must be configured at the billing account or organization level to apply across all projects.
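A budget defined on the billing account rather than on any project, with threshold notifications going to a Pub/Sub topic and an email channel, as an added example that is not part of the question bank. The billing account ID, project ID, amount and recipient address are placeholders.

```hcl
# Added example (not from the question bank). Billing account ID, project
# ID, amount and email address are assumptions.

# Topic that receives budget notifications; a consumer (for instance a
# Cloud Function that disables a project's billing) can subscribe to it.
resource "google_pubsub_topic" "billing_alerts" {
  project = "billing-ops-project-id" # placeholder
  name    = "billing-alerts"
}

resource "google_monitoring_notification_channel" "finops" {
  project      = "billing-ops-project-id" # placeholder
  display_name = "FinOps mailbox"
  type         = "email"
  labels = {
    email_address = "finops@example.com" # placeholder
  }
}

# The budget is attached to the billing account. With no budget_filter it
# covers every project charged to that account, so a new project is covered
# the moment it is linked, without any per-project configuration.
resource "google_billing_budget" "org_monthly" {
  billing_account = "000000-AAAAAA-BBBBBB" # placeholder billing account ID
  display_name    = "org-monthly-budget"

  amount {
    specified_amount {
      currency_code = "USD"
      units         = "50000" # placeholder
    }
  }

  threshold_rules {
    threshold_percent = 0.5
  }
  threshold_rules {
    threshold_percent = 0.9
  }
  threshold_rules {
    threshold_percent = 1.0
    spend_basis       = "FORECASTED_SPEND" # fire early when the forecast exceeds the budget
  }

  all_updates_rule {
    pubsub_topic                     = google_pubsub_topic.billing_alerts.id
    monitoring_notification_channels = [google_monitoring_notification_channel.finops.id]
  }
}
```

Managing the budget through the Billing Budget API requires `billing.budgets.create` on the billing account (for example via Billing Account Administrator), which is a different grant from anything the projects themselves carry; that is the practical reason a "billing project" alone cannot centralize alerts.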

29
MCQ · easy

Refer to the exhibit. The output shows three folders created directly under the organization node. Which gcloud command was most likely executed to produce this output?

A. gcloud resource-manager folders list --organization=123456789012
B. gcloud organizations list
C. gcloud projects list --filter='parent.id:123456789012'
D. gcloud resource-manager folders list --folder=123456789012
Answer: A

This command lists folders under the given organization, matching the exhibit.

Why this answer

Option A is correct because the `gcloud resource-manager folders list --organization=123456789012` command lists all folders directly under the specified organization node. The output shows three folders (e.g., folder1, folder2, folder3) at the top level, which matches the behavior of listing folders with the organization ID as the parent. This command is specifically designed to retrieve immediate child folders of an organization, not nested folders.

Exam trap

Google Cloud often tests the distinction between listing resources under an organization vs. under a folder, and the trap here is that candidates confuse `--organization` with `--folder` or assume `gcloud projects list` can list folders, when in fact it only lists projects.

How to eliminate wrong answers

Option B is wrong because `gcloud organizations list` lists all organizations accessible to the authenticated user, not folders under a specific organization. Option C is wrong because `gcloud projects list --filter='parent.id:123456789012'` lists projects (not folders) that have the specified organization as their parent; it would show projects, not folder names. Option D is wrong because `gcloud resource-manager folders list --folder=123456789012` lists folders under a specific folder (using a folder ID), not under an organization; using an organization ID as a folder ID would either fail or return incorrect results because the resource type is different.

30
MCQ · medium

You are a DevOps engineer tasked with bootstrapping a Google Cloud organization for a company that develops a SaaS product. The company has three teams: Platform, Application, and Data. Each team needs to manage their own projects, but the network should be centrally managed. You decide to use a shared VPC. You create a host project 'shared-vpc-host' and attach three service projects: 'platform-service', 'app-service', and 'data-service'. You grant the Network Admin role to the Platform team for the host project. The Application team needs to deploy Compute Engine instances in their service project, but they should not be able to modify network resources. You grant them the Compute Instance Admin role at the service project level. However, the Application team reports that they cannot create instances because they don't have permission to use the subnets in the shared VPC. What is the most likely missing step?

A. Grant the Application team the Compute Network Admin role on the host project.
B. Grant the Application team the Compute Network User role on the service project.
C. Grant the Application team the Compute Network User role on the host project or the specific subnets.
D. Grant the Application team the roles/compute.subnetUser on the subnet.
Answer: C

Compute Network User allows using subnets without managing them.

Why this answer

The Application team needs the Compute Network User role (roles/compute.networkUser) on the host project or the specific subnets to use the shared VPC subnets. This role allows them to attach instances to existing subnets without granting permission to modify network resources. Granting it at the service project level (Option B) is insufficient because the subnet permissions are inherited from the host project in a shared VPC setup.

Exam trap

Google Cloud often tests the misconception that granting a role on the service project is sufficient for shared VPC subnet access, when in fact the Compute Network User role must be granted on the host project or the specific subnets to allow instance attachment.

How to eliminate wrong answers

Option A is wrong because the Compute Network Admin role (roles/compute.networkAdmin) grants full control over network resources, which violates the requirement that the Application team should not be able to modify network resources. Option B is wrong because the Compute Network User role must be granted on the host project or the specific subnets, not on the service project, as subnet permissions are managed at the host project level in a shared VPC. Option D is wrong because roles/compute.subnetUser is not a valid predefined role; the correct role is roles/compute.networkUser, and it must be granted on the host project or subnet, not just the subnet without specifying the host project context.

31
MCQ · easy

You are bootstrapping a Google Cloud organization for a DevOps team. You need to set up a shared VPC host project that will be used by multiple service projects. What is the minimal set of roles required for the DevOps team to create and manage service projects in the host project?

A. Project Creator and Service Project Admin
B. Compute Network Admin and Service Project Admin
C. Compute Shared VPC Admin
D. Owner and Service Project Admin
Answer: B

Compute Network Admin manages networks; Service Project Admin attaches service projects.

Why this answer

Option B is correct because the minimal set of roles required for a DevOps team to create and manage service projects in a shared VPC host project is Compute Network Admin (roles/compute.networkAdmin) on the host project and Service Project Admin (roles/compute.xpnAdmin) at the organization or folder level. Compute Network Admin grants permissions to manage networking resources, while Service Project Admin allows attaching service projects to the host project. Without both, the team cannot configure shared VPC networking or associate service projects.

Exam trap

Google Cloud often tests the misconception that a single role like Compute Shared VPC Admin is sufficient, but the exam trap is that you need both Compute Network Admin (for network management) and Service Project Admin (for project association) to fully bootstrap and manage shared VPC service projects.

How to eliminate wrong answers

Option A is wrong because Project Creator (roles/resourcemanager.projectCreator) only allows creating new projects but does not grant permissions to manage shared VPC networking or attach service projects to a host project. Option C is wrong because Compute Shared VPC Admin (roles/compute.xpnAdmin) alone allows attaching service projects but lacks the network management permissions (e.g., to create subnets or firewall rules) needed to fully manage the shared VPC environment. Option D is wrong because Owner (roles/owner) is a highly privileged role that grants full control over all resources, which is excessive for the minimal set required; it violates the principle of least privilege and is not minimal.
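The shared VPC setup that questions 30 and 31 describe, as one added example that is not part of the question bank: the host and service project attachment, the Platform team's roles, and the Application team's `roles/compute.networkUser` bound on a specific subnet in the host project alongside its instance-admin role in the service project. The project IDs 'shared-vpc-host' and 'app-service' are taken from question 30; the organization ID, group addresses, network name and CIDR are placeholders.

```hcl
# Added example (not from the question bank). ORG_ID_PLACEHOLDER, the group
# addresses, subnet name and CIDR are assumptions.

# Enabling a host project and attaching service projects needs the Shared VPC
# Admin role (roles/compute.xpnAdmin) above the projects, at org or folder level.
resource "google_organization_iam_member" "platform_xpn_admin" {
  org_id = "ORG_ID_PLACEHOLDER"
  role   = "roles/compute.xpnAdmin"
  member = "group:platform-team@example.com"
}

# Network Admin in the host project: the Platform team owns networks,
# subnets, routes and firewall rules.
resource "google_project_iam_member" "platform_network_admin" {
  project = "shared-vpc-host"
  role    = "roles/compute.networkAdmin"
  member  = "group:platform-team@example.com"
}

resource "google_compute_shared_vpc_host_project" "host" {
  project = "shared-vpc-host"
}

resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = "app-service"
}

resource "google_compute_network" "shared" {
  project                 = "shared-vpc-host"
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "app" {
  project       = "shared-vpc-host"
  name          = "app-subnet"
  region        = "us-central1"
  ip_cidr_range = "10.10.0.0/24"
  network       = google_compute_network.shared.id
}

# The missing step from question 30: Network User on the subnet, in the host
# project. This lets the Application team attach instances to app-subnet and
# grants nothing on the network itself. Binding it on the service project
# would have no effect because the subnet does not live there.
resource "google_compute_subnetwork_iam_member" "app_team_network_user" {
  project    = "shared-vpc-host"
  region     = "us-central1"
  subnetwork = google_compute_subnetwork.app.name
  role       = "roles/compute.networkUser"
  member     = "group:app-team@example.com"
}

# Instance management stays in the service project.
resource "google_project_iam_member" "app_team_instance_admin" {
  project = "app-service"
  role    = "roles/compute.instanceAdmin.v1"
  member  = "group:app-team@example.com"
}
```

Binding `networkUser` per subnet rather than on the whole host project is the least-privilege option: the Data team, for instance, can be given its own subnet without being able to place instances in the Application team's address space.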

32
MCQ · hard

A DevOps engineer is troubleshooting a Cloud Build failure. The build log shows the error: 'Permission denied for resource projects/my-project/locations/us-central1/repositories/my-repo'. The Cloud Build service account (PROJECT_NUMBER@cloudbuild.gserviceaccount.com) is used. What is the most likely missing role?

A. roles/artifactregistry.reader
B. roles/artifactregistry.admin
C. roles/cloudbuild.builds.builder
D. roles/artifactregistry.writer
Answer: D

This allows pushing artifacts to repositories.

Why this answer

The error 'Permission denied for resource projects/my-project/locations/us-central1/repositories/my-repo' indicates that the Cloud Build service account lacks permission to write artifacts to Artifact Registry. The Cloud Build service account needs the `roles/artifactregistry.writer` role to upload build artifacts (e.g., container images) to the repository. Without this role, the build fails at the step that attempts to push artifacts.

Exam trap

The trap here is that candidates often confuse `roles/artifactregistry.reader` (which only allows pulling) with the write permission needed for pushing artifacts, or they mistakenly think the default Cloud Build service account role includes Artifact Registry access.

How to eliminate wrong answers

Option A is wrong because `roles/artifactregistry.reader` only allows reading artifacts (e.g., pulling images), not writing them, so it would not resolve a permission denied error during artifact upload. Option B is wrong because `roles/artifactregistry.admin` grants full administrative control over repositories, which is excessive and violates the principle of least privilege; the build only needs write access, not admin rights. Option C is wrong because `roles/cloudbuild.builds.builder` is the default role for Cloud Build service accounts and provides permissions to execute builds, but it does not include Artifact Registry write permissions; the error is specifically about Artifact Registry, not Cloud Build itself.
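The repository-scoped writer grant for the build service account named in the question, as an added example that is not part of the question bank. The project ID, location and repository ID match the resource path in the error message; the project number is read from the provider rather than hard-coded.

```hcl
# Added example (not from the question bank). Project ID, location and
# repository ID are taken from the error message in question 32.

# Resolves PROJECT_NUMBER for the default Cloud Build service account.
data "google_project" "current" {
  project_id = "my-project"
}

resource "google_artifact_registry_repository" "images" {
  project       = "my-project"
  location      = "us-central1"
  repository_id = "my-repo"
  format        = "DOCKER"
}

# Writer on this one repository: the build can push images here and
# nowhere else. Repository administration (deleting it, changing its
# IAM) stays out of the build's reach.
resource "google_artifact_registry_repository_iam_member" "cloudbuild_writer" {
  project    = google_artifact_registry_repository.images.project
  location   = google_artifact_registry_repository.images.location
  repository = google_artifact_registry_repository.images.name
  role       = "roles/artifactregistry.writer"
  member     = "serviceAccount:${data.google_project.current.number}@cloudbuild.gserviceaccount.com"
}
```

The identity that later pulls the image (the Cloud Run or GKE runtime service account) needs only `roles/artifactregistry.reader` on the same repository; keeping push and pull on separate identities means a compromised runtime cannot overwrite the images it runs.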

33
Multi-Select · easy

Which THREE are required steps when setting up a CI/CD pipeline with Cloud Build for the first time? (Choose three.)

Select 3 answers
A. Create a custom base image for builds.
B. Enable the Cloud Build API.
C. Grant the Cloud Build service account the roles/cloudbuild.builds.builder role.
D. Set up a Cloud Router for network connectivity.
E. Create a trigger with a repository connection.
Answers: B, C, E

APIs must be enabled for the service to work.

Why this answer

Option B is correct because the Cloud Build API must be enabled in your Google Cloud project before you can use any Cloud Build features, including triggers and builds. Without enabling the API, Cloud Build services are unavailable, and any attempt to create or run builds will fail with an API not found error.

Exam trap

Google Cloud often tests the distinction between mandatory prerequisites (like enabling the API and granting service account roles) and optional enhancements (like custom base images or network configuration), leading candidates to select unnecessary steps as required.

34
MCQ · hard

Your company is bootstrapping a Google Cloud organization for DevOps. The organization consists of three folders: Dev, Staging, and Prod. Each folder contains multiple projects for different microservices. You have been tasked with setting up a centralized CI/CD pipeline using Cloud Build and Cloud Deploy. The pipeline must deploy to multiple environments in sequence: Dev → Staging → Prod. Each environment requires approval from a different approver group. You have set up Cloud Deploy delivery pipelines with targets pointing to each environment. However, during testing, you notice that after a successful deployment to Dev, the pipeline automatically proceeds to Staging without waiting for approval. What is the most likely cause and solution?

A. Cause: The delivery pipeline is defined with a single target instead of multiple targets. Solution: Create separate delivery pipelines for each environment.
B. Cause: The delivery pipeline has a single promotion sequence that includes all targets. Solution: Remove Staging and Prod from the pipeline and create separate pipelines.
C. Cause: The Cloud Deploy service account lacks the `clouddeploy.approver` role on Staging and Prod projects. Solution: Grant the role to the service account.
D. Cause: The targets in Staging and Prod are missing the `require_approval` attribute set to `true`. Solution: Add `require_approval: true` to the Staging and Prod target definitions.
Answer: D

Correct: Without `require_approval: true`, Cloud Deploy proceeds automatically.

Why this answer

The correct answer is D because Cloud Deploy requires explicit `require_approval: true` on each target to enforce manual approval gates. Without this attribute, the pipeline treats the target as automatically approved and proceeds to the next target in the promotion sequence. The behavior described—automatic progression after Dev—indicates that Staging and Prod targets lack this flag, causing the pipeline to skip the approval step.

Exam trap

Google Cloud often tests the distinction between IAM roles (like `clouddeploy.approver`) and target-level configuration (`require_approval`), leading candidates to mistakenly focus on permissions when the real issue is a missing attribute in the target definition.

How to eliminate wrong answers

Option A is wrong because having a single target would prevent deployment to multiple environments, not cause automatic progression; the pipeline already has multiple targets. Option B is wrong because removing targets from the pipeline would break the sequential deployment requirement; a single pipeline with multiple targets is the correct approach for sequential promotions. Option C is wrong because the `clouddeploy.approver` role is used for approving rollouts, not for triggering automatic progression; the issue is about approval enforcement, not permissions.
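The corrected pipeline from the answer, as an added example that is not part of the question bank: one delivery pipeline with a serial Dev → Staging → Prod promotion sequence, `require_approval = true` on the Staging and Prod targets, and a different approver group bound with `roles/clouddeploy.approver` on each of those targets. Project IDs and group addresses are placeholders.

```hcl
# Added example (not from the question bank). Project IDs, the pipeline
# name and the approver group addresses are assumptions.

locals {
  pipeline_project = "cicd-project-id" # placeholder
  region           = "us-central1"
}

# Dev: no approval gate, so a successful render and deploy promotes onward.
resource "google_clouddeploy_target" "dev" {
  project  = local.pipeline_project
  location = local.region
  name     = "dev"
  run {
    location = "projects/dev-project-id/locations/${local.region}" # placeholder
  }
}

# Staging and Prod: require_approval makes the rollout stop in a
# PENDING_APPROVAL state until an approver acts on it.
resource "google_clouddeploy_target" "staging" {
  project          = local.pipeline_project
  location         = local.region
  name             = "staging"
  require_approval = true
  run {
    location = "projects/staging-project-id/locations/${local.region}" # placeholder
  }
}

resource "google_clouddeploy_target" "prod" {
  project          = local.pipeline_project
  location         = local.region
  name             = "prod"
  require_approval = true
  run {
    location = "projects/prod-project-id/locations/${local.region}" # placeholder
  }
}

# Single pipeline, ordered stages: this is what gives the Dev -> Staging -> Prod
# sequence, and the per-target flag above is what gates it.
resource "google_clouddeploy_delivery_pipeline" "app" {
  project  = local.pipeline_project
  location = local.region
  name     = "app-pipeline"
  serial_pipeline {
    stages {
      target_id = google_clouddeploy_target.dev.name
    }
    stages {
      target_id = google_clouddeploy_target.staging.name
    }
    stages {
      target_id = google_clouddeploy_target.prod.name
    }
  }
}

# Different approver group per gated target; the role is bound on the
# target, so the staging approvers cannot approve a prod rollout.
resource "google_clouddeploy_target_iam_member" "staging_approvers" {
  project  = local.pipeline_project
  location = local.region
  name     = google_clouddeploy_target.staging.name
  role     = "roles/clouddeploy.approver"
  member   = "group:staging-approvers@example.com" # placeholder
}

resource "google_clouddeploy_target_iam_member" "prod_approvers" {
  project  = local.pipeline_project
  location = local.region
  name     = google_clouddeploy_target.prod.name
  role     = "roles/clouddeploy.approver"
  member   = "group:prod-approvers@example.com" # placeholder
}
```

The approver binding is the permission half and `require_approval` is the configuration half; as the exam trap notes, granting approver rights does nothing on a target that never pauses, and a paused target with no approvers bound simply stays paused.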

35
Multi-Select · hard

Which TWO are valid methods to manage service account keys securely? (Select exactly 2)

Select 2 answers
A. Rotate keys manually every 90 days.
B. Automate key rotation using a Cloud Function.
C. Use workload identity federation to avoid keys.
D. Embed keys in application code.
E. Store keys in Cloud Storage with public access.
Answers: B, C

Automates rotation, reducing risk.

Why this answer

Option B is correct because automating key rotation with a Cloud Function ensures service account keys are rotated on a schedule without manual intervention, reducing the risk of key exposure. This aligns with Google Cloud's best practices for key management, as it enforces rotation policies programmatically and can integrate with Secret Manager to securely store and version keys.

Exam trap

Google Cloud often tests the misconception that manual rotation is acceptable, but the PCDOE exam emphasizes automation and keyless authentication as the only secure methods for managing service account keys at scale.

36
MCQ · easy

A DevOps team is setting up a Google Cloud organization. They want to centralize logging and monitoring across all projects. What is the recommended approach?

A. Enable logging and monitoring in each project individually and use the Cloud Console to view them.
B. Create a dedicated project for logging and monitoring, and configure all other projects to send logs and metrics to that project.
C. Enable Cloud Audit Logs in the organization and view them from the Organization level.
D. Use Stackdriver (now Operations) to aggregate logs from all projects automatically.
Answer: B

This is the recommended pattern for centralized observability.

Why this answer

Option B is correct because the recommended approach for centralizing logging and monitoring in a Google Cloud organization is to create a dedicated project that acts as a log sink and metric aggregator. By configuring aggregated sinks at the organization or folder level, all projects automatically forward logs to the dedicated project's Cloud Logging bucket, and metrics can be collected via the Monitoring API. This ensures a single pane of glass for operations without manual per-project setup.

Exam trap

The trap here is that candidates confuse Cloud Audit Logs (which are a subset of logs) with full centralized logging, or assume that Google Cloud Operations automatically aggregates logs across projects without explicit configuration of sinks or a metrics scope.

How to eliminate wrong answers

Option A is wrong because enabling logging and monitoring in each project individually and using the Cloud Console to view them does not centralize data; it requires switching between projects and lacks a unified view, violating the principle of centralized observability. Option C is wrong because enabling Cloud Audit Logs at the organization level only captures admin activity and data access logs, not all logs (e.g., application logs, custom metrics), and viewing them from the Organization level does not aggregate metrics or provide monitoring dashboards. Option D is wrong because Stackdriver (now Google Cloud Operations) does not automatically aggregate logs from all projects; it requires explicit configuration of sinks, metrics scopes, or a dedicated project to receive logs and metrics.

37
Drag & Drop · medium

Order the steps to set up a CI/CD pipeline using Cloud Build and Cloud Deploy for a Cloud Run service.


Why this order

Create build config, set trigger, define delivery pipeline, push code, promote.

38
MCQ · hard

A DevOps team is setting up a new Google Cloud organization. They want to enforce that all projects have a specific set of labels, and that Cloud Logging is enabled. They have written a custom Organization Policy constraint to enforce the labels. However, they are unsure how to enforce Cloud Logging. Which of the following approaches should they use?

A. Create a custom Organization Policy constraint that checks if Cloud Logging is enabled.
B. Disable the ability to turn off Cloud Logging by using the Organization Policy 'compute.disableCloudLogging'.
C. Use the Organization Policy 'constraints/gcp.resourceAuditLogging' to enforce audit logs.
D. Set a project-level default for Cloud Logging using Organization Policies.
Answer: C

This policy ensures audit logs are enabled, which is part of Cloud Logging.

Why this answer

Option C is correct because the Organization Policy constraint `constraints/gcp.resourceAuditLogging` enforces that audit logs (which include Cloud Logging) are enabled for all projects in the organization. This policy ensures that logging cannot be disabled at the project level, meeting the requirement to enforce Cloud Logging across the organization.

Exam trap

The trap here is that candidates may confuse custom Organization Policy constraints with built-in constraints, or mistakenly think that Cloud Logging can be enforced via a custom constraint or a project-level default, when in fact the built-in `constraints/gcp.resourceAuditLogging` is the correct mechanism.

How to eliminate wrong answers

Option A is wrong because custom Organization Policy constraints cannot check if Cloud Logging is enabled; they are limited to enforcing constraints on resource properties like labels, locations, or resource types, not service enablement. Option B is wrong because `compute.disableCloudLogging` is not a valid Organization Policy constraint; the correct constraint for logging is `constraints/gcp.resourceAuditLogging`, and there is no such policy to disable Cloud Logging. Option D is wrong because Organization Policies do not support setting project-level defaults for Cloud Logging; they enforce boolean constraints or lists, not default configurations.

39
MCQ · hard

A company is bootstrapping their organization using Terraform and wants to store the Terraform state file in a Cloud Storage bucket with versioning enabled. Which of the following is the best practice for securing the state file?

A. Use a bucket with fine-grained access and grant roles/storage.objectCreator to the Terraform service account.
B. Use a bucket with object versioning and enable VPC Service Controls.
C. Use a bucket with a CMEK key and grant roles/storage.objectAdmin to the Terraform service account.
D. Use a bucket with uniform access and grant roles/storage.objectViewer to the Terraform service account.
Answer: C

CMEK encrypts the state file, and objectAdmin allows full object control.

Why this answer

Option C is correct because using a CMEK (Customer-Managed Encryption Key) ensures the state file is encrypted at rest with a key controlled by the organization, and granting roles/storage.objectAdmin to the Terraform service account provides the necessary read, write, and delete permissions on objects. This combination meets the security requirements for a bootstrapping scenario where the state file contains sensitive infrastructure configuration and must be protected from unauthorized access while allowing Terraform to manage it.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls or uniform bucket access alone are sufficient for state file security, but the exam expects candidates to recognize that encryption key management (CMEK) and the correct IAM role (objectAdmin) are the best practices for protecting sensitive state data.

How to eliminate wrong answers

Option A is wrong because roles/storage.objectCreator only allows creating objects, not reading or deleting them, so Terraform would fail to read the state file for planning or destroy operations. Option B is wrong because VPC Service Controls restrict data exfiltration but do not provide encryption key management or granular access control; they are a network-level control, not a substitute for encryption or proper IAM. Option D is wrong because roles/storage.objectViewer provides read-only access, preventing Terraform from writing or updating the state file, which is required for state management.

40
MCQ · medium

A company is bootstrapping a new Google Cloud organization. They want to ensure that all projects are created under specific folders and that certain IAM roles are automatically granted to a group for new projects. What is the most efficient approach?

A. Use folder-level IAM roles to grant permissions to projects.
B. Use Terraform to create projects and assign IAM roles.
C. Use a Cloud Function triggered by project creation events to apply IAM roles.
D. Use organization policies to restrict project creation to specific folders.
Answer: C

Cloud Functions can automate IAM assignment on creation.

Why this answer

Option C is correct because it leverages a Cloud Function that listens to the `google.cloud.resourcemanager.project.v1.created` event via Eventarc, enabling automated, event-driven application of IAM roles to new projects without manual intervention or polling. This approach is the most efficient for bootstrapping because it ensures that every newly created project automatically inherits the required IAM bindings, regardless of how the project was created (e.g., via Console, gcloud, or API).

Exam trap

The trap here is that candidates often confuse organization policies (which only restrict placement) with IAM inheritance (which only applies at the folder level) and fail to recognize that an event-driven Cloud Function is the only option that automatically applies IAM roles to new projects without manual or scheduled intervention.

How to eliminate wrong answers

Option A is wrong because folder-level IAM roles grant permissions to all projects within that folder at creation time, but they do not automatically grant specific roles to a group for new projects; they only set inherited permissions on the folder itself, not dynamic role assignments triggered by project creation. Option B is wrong because Terraform is an infrastructure-as-code tool that can create projects and assign IAM roles, but it requires manual execution or a CI/CD pipeline trigger for each new project, making it less efficient for an event-driven, fully automated bootstrapping scenario. Option D is wrong because organization policies (e.g., `constraints/resourcemanager.allowedPolicyMemberDomains`) restrict where projects can be created but do not automatically grant IAM roles to a group for new projects; they only enforce placement constraints.

41
MCQ · easy

A company is setting up a new Google Cloud organization. They want to apply a consistent set of IAM roles to all projects within a specific department. What is the most efficient method to achieve this?

A. Use a script to apply roles to all projects periodically.
B. Assign roles directly to each project using the Google Cloud console.
C. Create a folder for the department and assign roles at the folder level.
D. Use a custom role and assign it to the organization node.
Answer: C

IAM policies at folder level are inherited by all projects in the folder.

Why this answer

Option C is correct because Google Cloud IAM supports hierarchical policy inheritance, where roles assigned at the folder level are automatically inherited by all projects within that folder. This eliminates the need for per-project assignments and ensures consistent permissions across the department's projects without manual overhead or scripting.

Exam trap

The trap here is that candidates often assume that roles must be assigned at the project level or organization level, overlooking the folder-level inheritance as the most efficient and scalable method for department-wide consistency.

How to eliminate wrong answers

Option A is wrong because using a script to periodically apply roles is inefficient, introduces potential drift between script runs, and violates the principle of declarative, inheritance-based IAM management. Option B is wrong because assigning roles directly to each project is manual, error-prone, and does not scale; it also bypasses the hierarchical inheritance that folders provide. Option D is wrong because assigning a custom role at the organization node would apply the role to all projects in the organization, not just the specific department, and custom roles are not required for this use case—predefined roles at the folder level suffice.

42
MCQ · easy

You are bootstrapping a Google Cloud organization. You need to set up a hierarchical structure that allows you to apply policies to groups of projects based on their environment (e.g., development, staging, production). What is the recommended way to organize resources?

A. Use resource tags to label projects by environment and apply policies via tag-based conditions.
B. Create folders under the organization for each environment and place projects in the appropriate folder.
C. Create separate organizations for each environment.
D. Use labels on projects to identify environments and then use Cloud Asset Inventory to enforce policies.
Answer: B

Folders allow hierarchical policy inheritance and grouping.

Why this answer

Option B is correct because Google Cloud's resource hierarchy (Organization -> Folders -> Projects) is specifically designed to group projects by environment and apply consistent policies (e.g., IAM, organization policies) at the folder level. By creating folders for development, staging, and production, you can enforce environment-specific controls (like VPC Service Controls or resource location restrictions) without duplicating policies per project.

Exam trap

Google Cloud often tests the distinction between metadata (tags/labels) and hierarchical policy inheritance (folders), leading candidates to choose tags or labels because they seem simpler, but folders are the only mechanism that provides automatic, inheritable policy enforcement across groups of projects.

How to eliminate wrong answers

Option A is wrong because resource tags are metadata key-value pairs used for fine-grained access control via IAM conditions, but they do not create a hierarchical structure for policy inheritance; policies must be explicitly attached to each project or resource, leading to management overhead. Option C is wrong because creating separate organizations for each environment violates the recommended single-organization model, breaks centralized billing and audit logging, and prevents cross-environment resource sharing (e.g., shared VPC). Option D is wrong because labels are metadata for billing and filtering, not for policy enforcement; Cloud Asset Inventory is an asset discovery and monitoring tool, not a policy enforcement mechanism, and cannot apply or enforce policies based on labels.

43
MCQ · easy

An organization is setting up a new Google Cloud organization and wants to enforce consistent resource naming conventions and policies across all projects. Which service should they use?

A. Organization Policies
B. VPC Service Controls
C. Cloud Run
D. Cloud Armor
Answer: A

Organization Policies can enforce constraints like resource location, naming, and service usage.

Why this answer

Organization Policies allow you to centrally constrain specific behaviors and enforce consistent naming conventions across all projects in a Google Cloud organization using constraints like `constraints/gcp.resourceLocations` or custom constraints via the `OrganizationPolicy` API. This service is the correct choice because it directly applies hierarchical policy enforcement at the organization, folder, or project level, ensuring resource naming and other governance rules are uniformly applied without requiring per-project configuration.

Exam trap

The trap here is that candidates often confuse Organization Policies with VPC Service Controls because both involve 'policies' and 'controls,' but VPC Service Controls focus on data exfiltration prevention, not resource naming or general governance, leading to a common misselection.

How to eliminate wrong answers

Option B (VPC Service Controls) is wrong because it is designed to mitigate data exfiltration risks by defining security perimeters around VPC services and API access, not for enforcing resource naming conventions or policies across projects. Option C (Cloud Run) is wrong because it is a fully managed compute platform for running stateless containers, not a policy enforcement or naming convention service. Option D (Cloud Armor) is wrong because it provides web application firewall (WAF) and DDoS protection for HTTP(S) load balancers, unrelated to organizational resource naming or policy governance.

44
MCQ · medium

A company is bootstrapping their Google Cloud organization with multiple departments. Each department has several projects. They want to apply different IAM policies and organization policies per department. What is the recommended way to structure the resource hierarchy?

A. Use multiple organizations, one per department.
B. Use organization-level IAM for all departments.
C. Create a project for each department, then use labels to separate.
D. Create a folder for each department, then place projects under that folder.
Answer: D

Folders allow separate policies per department.

Why this answer

Option D is correct because folders in the Google Cloud resource hierarchy allow you to group projects under a common node and apply both IAM policies and organization policies (e.g., constraints from the Organization Policy Service) at the folder level. This enables each department to have its own administrative boundary and policy inheritance, while still being under a single organization for centralized billing and auditing.

Exam trap

The trap here is that candidates may confuse labels (which are only for metadata and cost tracking) with folders (which are the correct mechanism for hierarchical policy enforcement), leading them to choose Option C instead of D.

How to eliminate wrong answers

Option A is wrong because using multiple organizations per department breaks centralized billing, audit logging, and cross-department resource sharing; Google Cloud recommends a single organization with folders for multi-department setups. Option B is wrong because applying organization-level IAM for all departments would grant the same permissions across all departments, violating the requirement for different IAM policies per department. Option C is wrong because labels are metadata tags used for filtering and cost allocation, not for enforcing IAM or organization policies; they cannot provide the hierarchical policy inheritance that folders offer.

45
MCQ · easy

A DevOps team is bootstrapping a new Google Cloud organization. They want to grant a group of engineers the ability to create and manage projects within the organization, but not to modify organization policies or folders. Which IAM role should be assigned at the organization level?

A. roles/owner
B. roles/resourcemanager.folderAdmin
C. roles/editor
D. roles/resourcemanager.projectCreator
Answer: D

This role allows project creation and grants Project Owner on new projects.

Why this answer

Option D, roles/resourcemanager.projectCreator, is correct because it grants the specific permission to create and manage projects within the organization without allowing modifications to organization policies or folders. This role includes permissions like resourcemanager.projects.create and resourcemanager.projects.update, but explicitly excludes permissions for organization-level policy management (e.g., resourcemanager.organizations.setIamPolicy) or folder administration (e.g., resourcemanager.folders.update).

Exam trap

The trap here is that candidates often confuse roles/resourcemanager.projectCreator with roles/editor or roles/owner, mistakenly thinking that project creation requires broader permissions, when in fact the projectCreator role is specifically designed to isolate project management from higher-level administrative actions.

How to eliminate wrong answers

Option A is wrong because roles/owner grants full control over all resources, including the ability to modify organization policies and folders, which violates the requirement to restrict such actions. Option B is wrong because roles/resourcemanager.folderAdmin grants permissions to manage folders (e.g., create, delete, update folders) but does not include the specific project creation permissions needed (e.g., resourcemanager.projects.create). Option C is wrong because roles/editor grants broad edit permissions across all services, including the ability to modify organization policies and folders, which exceeds the required scope.

46
Multi-Select · medium

A DevOps team is bootstrapping a Google Cloud organization. They need to ensure that all projects have a consistent set of labels applied automatically. Which two approaches can they use? (Choose TWO.)

Select 2 answers
A. Use an organization policy that requires labels.
B. Use a Terraform module to create projects with labels.
C. Use a Cloud Function triggered by Project creation events to apply labels.
D. Use a folder-level constraint to enforce labels.
E. Use Cloud Asset Inventory to monitor labels.
Answers: A, C

The constraint constraints/resourcemanager.requireLabels can enforce label presence.

Why this answer

Option A is correct because Organization Policies can enforce that all new projects must have specific labels. A constraint like `constraints/compute.requireOsLogin` is not for labels, but you can use a custom constraint with `constraints/gcp.resourceLabels` to require labels on resources. For projects themselves, you can use an organization policy with a list constraint to mandate that certain labels are present on all projects; the policy will then block creation of any project that does not comply.

Exam trap

The trap here is that candidates often confuse folder-level resource constraints with project-level label enforcement, not realizing that folder constraints apply to resources inside the folder (like VMs or buckets) but not to the project resource itself.

47
MCQ · hard

Refer to the exhibit. A DevOps engineer applies this Terraform configuration but gets an error: "Error creating Project: googleapi: Error 403: The caller does not have permission to enable services". What is the most likely cause?

A. The service account used by Terraform lacks the Service Usage Admin role on the project.
B. The org_id is incorrect.
C. The organization requires that the Compute Engine API be enabled before project creation.
D. The project ID already exists.
Answer: A

Service Usage Admin grants permission to enable services.

Why this answer

The error 'The caller does not have permission to enable services' indicates that the identity (service account) used by Terraform to authenticate with the Google Cloud API lacks the required IAM permission to enable Google APIs on the project. The Service Usage Admin role (roles/serviceusage.serviceUsageAdmin) grants the necessary permissions, including serviceusage.services.enable and serviceusage.services.list, which are required to enable services like the Compute Engine API during resource creation. Without this role, the API call to enable services fails with a 403 error.

Exam trap

Google Cloud often tests the misconception that the error is due to a missing prerequisite API (like Compute Engine) or a duplicate project ID, when in fact the root cause is insufficient IAM permissions for the service account to enable services.

How to eliminate wrong answers

Option B is wrong because an incorrect org_id would typically cause a different error, such as 'Organization not found' or 'Invalid organization ID', not a permission error related to enabling services. Option C is wrong because the Compute Engine API does not need to be enabled before project creation; it is one of the services that Terraform attempts to enable during the project creation process, and the error is about the lack of permission to enable it, not about a prerequisite. Option D is wrong because if the project ID already exists, the error would be 'Error creating Project: googleapi: Error 409: Project already exists', not a 403 permission error.

48
MCQ · medium

A DevOps engineer is trying to create a service account key for a CI/CD pipeline, but receives the error: 'Constraint constraints/iam.disableServiceAccountKeyCreation violated'. What is the most likely cause and solution?

A. The Organization Policy prevents key creation; the engineer needs to request an exception from the security team.
B. The Cloud Resource Manager API is disabled; enable it.
C. The project does not have billing enabled; enable billing.
D. The service account has been deleted; the engineer must recreate it.
Answer: A

The constraint explicitly blocks key creation. An exception or alternative method (e.g., workload identity federation) is needed.

Why this answer

The error 'Constraint constraints/iam.disableServiceAccountKeyCreation violated' indicates that an Organization Policy with the constraint `iam.disableServiceAccountKeyCreation` is enforced at the organization, folder, or project level. This policy explicitly blocks the creation of service account keys, which is why the engineer cannot generate a key for the CI/CD pipeline. The correct solution is to request an exception from the security team, who can either remove the policy or add the engineer's project to an exemption list.

Exam trap

Google Cloud often tests the distinction between Organization Policy constraints (like `iam.disableServiceAccountKeyCreation`) and other common errors (like API disablement or billing issues), so candidates mistakenly choose B or C because they assume a missing API or billing is the root cause, but the specific error message directly names the constraint.

How to eliminate wrong answers

Option B is wrong because disabling the Cloud Resource Manager API would prevent listing or managing projects and policies, but the specific error message references an IAM constraint violation, not an API disabled error. Option C is wrong because billing being disabled would cause a different error (e.g., 'billing account not found' or 'project not billable'), not a constraint violation related to service account key creation. Option D is wrong because if the service account were deleted, the error would be 'Service account not found' or 'Permission denied', not a constraint violation about key creation.

49
MCQ · medium

During bootstrapping, a DevOps lead wants to ensure that all projects in the 'dev' folder have a consistent set of VPC firewall rules and network policies. They are considering using a shared VPC or VPC Network Peering. Which approach provides the most control and consistency for DevOps teams while minimizing administrative overhead?

A. Implement a shared VPC with a host project managed by the network team, and allow DevOps teams to use subnets in their service projects.
B. Use VPC Service Controls to define perimeters for each project.
C. Create a separate VPC in each project and use Cloud VPN to connect them.
D. Use VPC Network Peering between all projects to allow connectivity.
Answer: A

Shared VPC centralizes network administration while enabling resource reuse.

Why this answer

A shared VPC with a host project managed by the network team provides centralized control over VPC firewall rules and network policies, ensuring consistency across all service projects in the 'dev' folder. This approach minimizes administrative overhead because DevOps teams can create subnets in their service projects without needing to manage network infrastructure, while the network team enforces a uniform security posture.

Exam trap

The trap here is that candidates often confuse VPC Network Peering with shared VPC, assuming peering provides centralized policy control, but peering only enables connectivity while each VPC retains independent firewall and policy management.

How to eliminate wrong answers

Option B is wrong because VPC Service Controls are designed to define security perimeters around data (e.g., preventing data exfiltration), not to enforce consistent VPC firewall rules or network policies across projects. Option C is wrong because creating separate VPCs in each project and using Cloud VPN introduces significant administrative overhead for managing multiple VPN tunnels and does not provide centralized control over firewall rules or network policies. Option D is wrong because VPC Network Peering only enables connectivity between VPCs but does not enforce consistent firewall rules or network policies across peered networks, as each VPC retains its own independent firewall configuration.

50
Multi-Select · easy

Which TWO are best practices when setting up a Google Cloud organization for multiple teams? (Select exactly 2)

Select 2 answers
A. Use a shared VPC to connect projects.
B. Create a separate billing account for each team.
C. Grant all users the Project Creator role.
D. Use folders to organize projects by environment or team.
E. Enable the Compute Engine API in every project.
Answers: A, D

Simplifies networking across projects.

Why this answer

A shared VPC allows multiple projects to share a common VPC network, enabling centralized control of networking resources, firewall rules, and IP addressing. This is a best practice for multi-team organizations because it reduces administrative overhead, ensures consistent network policies, and simplifies connectivity between projects without requiring complex peering or VPN setups.

Exam trap

Google Cloud often tests the misconception that each team needs its own billing account for cost tracking, but the correct approach is to use a single billing account with labels and budgets to allocate costs per team.

51
MCQ · medium

During the bootstrapping of a Google Cloud organization, you need to ensure that all resources in a specific folder are subject to a particular VPC Service Controls perimeter. Which step is necessary to achieve this?

A. Use resource tags to label the projects and then create a tag-based perimeter.
B. Apply the perimeter to the folder directly.
C. Add the projects within the folder as members of the existing service perimeter.
D. Create an organization policy that forces all projects in the folder to be in a perimeter.
Answer: C

Projects must be explicitly added to the perimeter.

Why this answer

Option C is correct because VPC Service Controls perimeters are applied at the project level, not directly to folders. To enforce a perimeter on all resources within a folder, you must add each project in that folder as a member of the existing service perimeter. This ensures that all resources in those projects are subject to the perimeter's access restrictions.

Exam trap

Google Cloud often tests the misconception that VPC Service Controls can be applied hierarchically (e.g., to folders or via organization policies), when in fact they require explicit project-level membership.

How to eliminate wrong answers

Option A is wrong because resource tags are not supported for defining VPC Service Controls perimeters; perimeters are based on project membership, not tags. Option B is wrong because VPC Service Controls perimeters cannot be applied directly to a folder; they are configured at the project or organization level, and folder-level inheritance is not a feature. Option D is wrong because organization policies cannot force projects into a VPC Service Controls perimeter; perimeters are configured separately via Access Context Manager and require explicit project membership.

52
Multi-Select · hard

Which THREE of the following are valid considerations when using organization policies to enforce compliance in a DevOps environment?

Select 3 answers
A. Child-level organization policies can only add more restrictions, not remove restrictions set by a parent.
B. A list policy can be used to define an allowlist or blocklist of resources.
C. An organization policy must be enabled by a service agent before it can be used.
D. IAM conditions can be used to override an organization policy for specific resources.
E. Organization policies can be set at the organization, folder, or project level.
Answers: A, B, E

This is a fundamental property of organization policy inheritance.

Why this answer

Option A is correct because organization policies follow a hierarchical inheritance model where child policies can only impose additional restrictions (i.e., they are more restrictive) than the parent policy. This is enforced by the Google Cloud Resource Manager hierarchy, ensuring that a policy set at the organization level cannot be relaxed by a folder or project policy.

Exam trap

The trap here is that candidates often confuse IAM conditions with organization policies, thinking that IAM can override policy constraints, when in fact organization policies are a separate enforcement layer that cannot be bypassed by IAM.

53
Multi-Selecteasy

Which TWO of the following are best practices when bootstrapping a Google Cloud organization for DevOps?

Select 2 answers
A.Use the default Compute Engine service account for all DevOps automation.
B.Create separate projects for development, staging, and production environments.
C.Create a service account in each project that needs it, rather than a central admin project.
D.Grant the principle of least privilege to service accounts used by CI/CD pipelines.
E.Set organization policies only at the project level, not at the folder or organization level.
AnswersB, D

This provides isolation and allows tailored policies.

Why this answer

Option B is correct because creating separate projects for development, staging, and production environments enforces resource isolation, simplifies IAM policy management, and aligns with Google Cloud's recommended multi-project architecture for DevOps. This approach allows you to apply distinct organization policies, budgets, and monitoring per environment, reducing the risk of accidental changes to production.

Exam trap

Google Cloud often tests the misconception that using the default Compute Engine service account is acceptable for automation, when in fact it should be avoided due to its overly permissive `editor` role, and that organization policies should be set only at the project level, ignoring the power of hierarchical inheritance at the folder and organization levels.

54
MCQmedium

A Cloud Build pipeline fails with 'Permission denied' when trying to pull a Docker image from Artifact Registry in the same project. The Cloud Build service account has the Artifact Registry Reader role. What additional configuration is likely missing?

A.Cloud Build needs to be enabled in the Artifact Registry region.
B.The Artifact Registry repository has a VPC-SC perimeter blocking access.
C.The Docker image tag is incorrect.
D.The service account needs the Artifact Registry Writer role as well.
AnswerB

VPC-SC perimeters can deny access from outside the perimeter; Cloud Build may run outside the perimeter unless configured otherwise.

Why this answer

The Cloud Build service account has the Artifact Registry Reader role, which grants permission to read (pull) images. However, if the Artifact Registry repository is inside a VPC Service Controls (VPC-SC) perimeter, the service account must also be explicitly added to the perimeter's allowed identities or the request must originate from within the perimeter. Without this, VPC-SC blocks all API calls from outside the perimeter, resulting in a 'Permission denied' error despite valid IAM roles.

Exam trap

Google Cloud often tests the distinction between IAM permissions and VPC-SC perimeter policies, tricking candidates into thinking that a missing IAM role is the only cause of 'Permission denied' when the real issue is a network-level access control boundary.

How to eliminate wrong answers

Option A is wrong because Cloud Build does not need to be 'enabled' in a specific Artifact Registry region; Artifact Registry is a global service with regional repositories, and Cloud Build can pull from any region as long as network and IAM permissions are correct. Option C is wrong because an incorrect Docker image tag would produce a 'not found' error (e.g., manifest unknown), not a 'Permission denied' error. Option D is wrong because the Artifact Registry Writer role is only needed for pushing images, not pulling; the Reader role is sufficient for pull operations.

55
MCQmedium

Refer to the exhibit. A DevOps engineer tries to create a project but gets this error. What is the most likely cause?

A.The organization has an organizational policy that restricts project creation.
B.The project ID already exists.
C.The user's billing account is not linked.
D.The user does not have the Project Creator role.
AnswerA

FAILED_PRECONDITION is typical for policy violations.

Why this answer

The error message indicates that project creation is blocked by an organizational policy. In Google Cloud, organization policies (e.g., constraints/compute.restrictNonCcmlProjects) can be set at the organization or folder level to restrict project creation. This is a common control for governance and cost management, and it overrides individual user permissions.

Exam trap

Google Cloud often tests the distinction between IAM permission errors and organizational policy errors, where candidates mistakenly attribute a policy-based denial to missing roles or billing issues.

How to eliminate wrong answers

Option B is wrong because a duplicate project ID would produce a '409 Conflict' error with a message like 'Project ID already exists', not a policy-based denial. Option C is wrong because an unlinked billing account would cause a 'billing account not found' or 'billing account is not associated' error during project creation, not a generic policy restriction. Option D is wrong because the Project Creator role (roles/resourcemanager.projectCreator) is required to create projects, but if the user lacked it, the error would be 'Permission denied' or 'The caller does not have permission', not an organizational policy violation.

56
MCQeasy

A DevOps team is bootstrapping their Google Cloud organization and wants to enable Infrastructure as Code (IaC) using Terraform. They need a service account that Terraform can use to create and manage resources across multiple projects. What is the best practice for creating and managing this service account?

A.Create a service account in a separate 'admin' project and grant it the required roles on each project via IAM.
B.Generate a service account key and store it in a Cloud Storage bucket accessible to the team.
C.Use a user account with two-factor authentication for Terraform automation.
D.Use the Compute Engine default service account from the project where Terraform runs.
AnswerA

This provides centralized control and separates credentials from workloads.

Why this answer

Option A is correct because creating a service account in a dedicated 'admin' project and granting it the necessary roles across projects is a common pattern. Option D is wrong because the default service account has too many permissions and is not recommended. Option B is wrong because service account keys should be avoided in source control.

Option C is wrong because using a user account is not secure for automation.

57
MCQmedium

A DevOps team is migrating their infrastructure to Google Cloud. They have a complex environment with multiple VPC networks, shared services, and separate development and production projects. They want to bootstrap a new organization that supports: (1) centralized network management with shared VPC, (2) separate folders for dev and prod, (3) consistent firewall rules across all projects, (4) a single Cloud NAT for outbound traffic. They have an existing on-premises VPN that must connect to all projects. What is the most efficient approach?

A.Create separate VPCs for each project and peer them all together, then configure Cloud NAT and VPN in each project.
B.Use a single project for all environments and rely on VPC subnets and firewall rules to isolate workloads.
C.Create a folder for networking and a folder for projects, then use a Cloud VPN appliance from the Marketplace.
D.Create a host project for Shared VPC, attach all projects as service projects, and configure Cloud NAT and VPN in the host project. Use organization policies to enforce firewall rules.
AnswerD

Shared VPC allows central network; host project handles VPN and NAT.

Why this answer

Option D is correct because Shared VPC allows you to create a host project that centrally manages network resources (VPC, subnets, firewall rules, Cloud NAT, VPN) while attaching development and production projects as service projects. This satisfies all requirements: centralized network management, separate folders for dev/prod, consistent firewall rules via organization policies, a single Cloud NAT for outbound traffic, and a single VPN connection to on-premises that routes to all service projects through the host project's VPC.

Exam trap

The trap here is that candidates often assume VPC peering or a single project with subnets is sufficient, but they miss that Shared VPC is the only Google Cloud-native solution that provides centralized network management, transitive routing, and consistent policy enforcement across multiple projects with separate folders.

How to eliminate wrong answers

Option A is wrong because creating separate VPCs for each project and peering them all together does not provide centralized network management; VPC peering is a non-transitive connection, so a single Cloud NAT and VPN in one project cannot serve all projects without complex routing and additional NAT gateways. Option B is wrong because using a single project for all environments violates the requirement for separate folders for dev and prod, and it does not scale for complex environments with multiple projects; it also lacks the organizational structure needed for bootstrapping a new organization. Option C is wrong because creating a folder for networking and a folder for projects does not inherently enable Shared VPC; using a Cloud VPN appliance from the Marketplace adds unnecessary complexity and cost, and does not provide the centralized network management or consistent firewall rules across projects that Shared VPC with organization policies offers.

58
MCQmedium

A financial company is bootstrapping their Google Cloud organization for DevOps. They have strict compliance requirements: all projects must be under a folder hierarchy based on business units, and each project must have a Cloud Storage bucket with a retention policy of at least 1 year. They have 50 existing projects that need to be migrated into this hierarchy, and all future projects must comply. The team wants to automate as much as possible using Google Cloud services. Currently, projects are created manually with various ad-hoc permissions. What is the best approach to meet these requirements?

A.Write a Terraform config to create folders and projects, but allow any user to create projects.
B.Create folders for each business unit, use a Cloud Function to move existing projects into folders, and set up an organization policy to require retention policies on buckets.
C.Define a resource hierarchy with folders, use a Cloud Build trigger to run a script that creates new projects and applies bucket retention, and use an organization policy to restrict project creation to a service account.
D.Use a single folder for all projects, apply a bucket retention policy at the folder level using a custom organization policy.
AnswerC

Cloud Build can automate creation; org policy limits creation to service account for control.

Why this answer

Option C is correct because it uses Cloud Build triggers to automate project creation and bucket retention policy application, while restricting project creation to a service account via an organization policy ensures only authorized automation can create projects. This enforces the folder hierarchy and compliance requirements without manual intervention, aligning with DevOps automation principles.

Exam trap

The trap here is that candidates may think organization policies can directly apply retention policies to buckets, but they only enforce constraints on new bucket creation, not apply policies automatically, and they cannot set retention at the folder level.

How to eliminate wrong answers

Option A is wrong because allowing any user to create projects violates the compliance requirement to restrict project creation and does not automate the migration of existing projects. Option B is wrong because using a Cloud Function to move existing projects into folders is not the most scalable or automated approach; organization policies cannot directly enforce bucket retention policies—they can only enforce constraints on bucket settings, not apply retention policies automatically. Option D is wrong because using a single folder for all projects does not meet the requirement for a folder hierarchy based on business units, and a custom organization policy cannot apply a bucket retention policy at the folder level—retention policies must be set on individual buckets or via object lifecycle rules.

59
MCQmedium

A DevOps team is bootstrapping a new organization. They want to ensure that all projects created within the organization have a specific set of APIs enabled, such as Compute Engine, Cloud Storage, and Cloud Resource Manager. What is the most efficient way to achieve this?

A.Create a Cloud Function that triggers on project creation events and enables the required APIs.
B.Define an organization policy with a constraint that requires the APIs to be enabled.
C.Use Cloud Foundation Toolkit to deploy a project template that includes API enablement.
D.Create a shared VPC and enable the APIs in the host project only.
AnswerB

Organization policies can enforce API enablement via constraints.

Why this answer

Option B is correct because Organization Policies with constraints (like `constraints/compute.requireOsLogin` or custom constraints using the Resource Manager API) allow you to enforce API enablement across all projects in the organization. This is the most efficient approach as it is declarative, centrally managed, and automatically applies to new projects without any additional infrastructure or manual intervention.

Exam trap

Google Cloud often tests the distinction between reactive automation (Cloud Functions) and proactive policy enforcement (Organization Policies), leading candidates to choose the more familiar event-driven approach over the declarative, built-in governance mechanism.

How to eliminate wrong answers

Option A is wrong because Cloud Functions triggered on project creation events introduce latency, require maintaining a function and its dependencies, and are not a native enforcement mechanism — they rely on event-driven remediation rather than proactive policy. Option C is wrong because Cloud Foundation Toolkit (CFT) is a deployment framework for creating projects, but it does not enforce API enablement across all projects; it only applies to projects created via the template, leaving manually or otherwise created projects ungoverned. Option D is wrong because enabling APIs in a Shared VPC host project does not automatically enable those APIs in service projects — each project must have its own API enablement, and Shared VPC only shares network resources, not API states.

60
MCQeasy

Refer to the exhibit. The DevOps team is trying to create a new service account key. The operation fails with a permission error. What is the most likely cause?

A.The project-level IAM denies the action.
B.The service account is disabled.
C.The organization policy prevents uploading service account keys.
D.The service account lacks the iam.serviceAccountKeys.create permission.
AnswerC

The policy is enforced with LIST_POLICY: true.

Why this answer

The correct answer is C because organization policies can explicitly restrict the creation of service account keys at the organization, folder, or project level. When a key upload fails with a permission error despite the user having the necessary IAM roles, the most likely cause is an organization policy constraint such as `iam.disableServiceAccountKeyUpload` that blocks the operation. This policy overrides any IAM permissions granted to the user.

Exam trap

Google Cloud often tests the distinction between IAM permissions and organization policy constraints, where candidates mistakenly assume a missing IAM permission is the cause when a higher-level policy override is actually blocking the action.

How to eliminate wrong answers

Option A is wrong because project-level IAM denies are evaluated after organization policies; if the organization policy blocks key upload, the IAM deny is never reached. Option B is wrong because a disabled service account would cause a different error (e.g., 'disabled service account') rather than a permission error, and the question specifies a permission error. Option D is wrong because the user likely has the required `iam.serviceAccountKeys.create` permission (e.g., via the Service Account Key Admin role), but the organization policy overrides that permission, making the permission check irrelevant.

61
MCQeasy

During the bootstrapping of a Google Cloud organization, you need to create a shared CI/CD pipeline that can deploy resources to multiple projects. The pipeline must use a service account with minimal permissions. What is the recommended way to grant the pipeline service account permissions to deploy resources across projects?

A.Configure the pipeline to impersonate a project-level service account in each project.
B.Grant the service account the necessary roles on each target project individually.
C.Grant the service account the Project Editor role at the organization level.
D.Use the Cloud Build service account and grant it permissions on each project.
AnswerB

This provides least privilege by scoping permissions to each project.

Why this answer

Option B is correct because granting the service account the appropriate roles on each project is the standard method for cross-project deployments. Option C is wrong because organization-level roles would grant unnecessarily broad permissions. Option D is wrong because the Cloud Build service account is not needed.

Option A is wrong because impersonation is not required; direct grants are simpler and more secure.

62
MCQhard

An organization has a policy that all projects must have Cloud Logging enabled and logs must be retained for at least 365 days. What is the most efficient way to enforce this across all projects?

A.Create a custom role with logging permissions and assign to all projects.
B.Use an organization policy to enforce logging requirements.
C.Configure a sink at the organization level to aggregate logs and set retention.
D.Use Cloud Asset Inventory to monitor logging configurations.
AnswerC

Aggregated sinks enforce logging and retention across all projects.

Why this answer

Option C is correct because configuring a sink at the organization level allows you to aggregate logs from all projects into a single destination (e.g., a Cloud Storage bucket or BigQuery dataset) and set a retention policy of 365 days on that destination. This is the most efficient method as it enforces the logging and retention requirements centrally without needing to configure each project individually.

Exam trap

The trap here is that candidates often confuse organization policies (which are for resource constraints) with log sinks (which are for routing and retention), leading them to choose option B, but organization policies cannot enforce log retention or enablement directly.

How to eliminate wrong answers

Option A is wrong because creating a custom role with logging permissions and assigning it to all projects only grants users the ability to view or manage logs, but does not enforce that logging is enabled or that logs are retained for 365 days. Option B is wrong because organization policies in Google Cloud (using constraints) cannot directly enforce Cloud Logging enablement or log retention settings; they are used for restrictions like resource locations or service disablement, not for configuring logging sinks or retention. Option D is wrong because Cloud Asset Inventory is a monitoring and discovery tool that can alert on configuration drift, but it does not actively enforce logging or retention policies; it only reports on the current state.

63
MCQhard

Your company has recently migrated to Google Cloud and has set up an organization with three folders: Development, Staging, and Production. Each folder contains multiple projects. The DevOps team has established a centralized CI/CD pipeline using Cloud Build and Artifact Registry in a tools project under the Development folder. They want to ensure that only images built by the CI/CD pipeline are allowed to be deployed to the Production environment. They have configured Binary Authorization with a policy that requires attestations from the Cloud Build service account. However, a developer accidentally pushes a container image directly from their local machine to Artifact Registry using their personal IAM permissions, and then deploys that image to a Production project by bypassing the CI/CD pipeline. How can you prevent this from happening in the future?

A.Enable Cloud Audit Logs for Artifact Registry and set up alerts to detect unauthorized pushes.
B.Remove the Artifact Registry Writer role from all developers and only grant it to the Cloud Build service account.
C.Create a VPC Service Controls perimeter around Artifact Registry to restrict access.
D.Configure a Cloud Function to automatically delete images pushed outside of Cloud Build.
AnswerB

Directly prevents developers from pushing images.

Why this answer

Option B is correct because the root cause of the bypass is that developers have the Artifact Registry Writer (roles/artifactregistry.writer) IAM role, which allows them to push images directly. By removing this role from all developers and granting it exclusively to the Cloud Build service account, you enforce that only the CI/CD pipeline can write to the registry. Binary Authorization then requires attestations from that same service account, ensuring that only pipeline-built images can be deployed to Production.

Exam trap

Google Cloud often tests the distinction between preventive vs. detective controls, and candidates mistakenly choose audit logging or reactive deletion because they focus on detecting the breach rather than fixing the root cause (excessive IAM permissions).

How to eliminate wrong answers

Option A is wrong because Cloud Audit Logs and alerts are detective controls, not preventive; they notify you after an unauthorized push has already occurred, but do not block the action. Option C is wrong because VPC Service Controls restrict network access based on context (e.g., IP, VPC source), but they do not prevent a developer with valid IAM permissions from pushing an image from their local machine if they are within the allowed perimeter. Option D is wrong because a Cloud Function that deletes images post-push is a reactive, not preventive, measure; it introduces a race condition where the image could be deployed before deletion, and it adds complexity without addressing the underlying IAM misconfiguration.

64
MCQmedium

During bootstrapping, a DevOps engineer wants to ensure that all new projects automatically have a set of APIs enabled, such as Cloud Resource Manager API and Cloud Billing API. They also want to enforce that certain APIs cannot be disabled accidentally. What is the most efficient way to achieve this?

A.Use a custom Cloud Function that runs every time a project is created and enables the APIs.
B.Grant the roles/serviceusage.serviceUsageAdmin role to the DevOps team and have them manually enable APIs when creating projects.
C.Use organization policies to define the constraints 'compute.requireOsLogin' and 'serviceuser.services' to restrict/enable APIs.
D.Create a folder with a 'Required APIs' setting that applies to all child projects.
AnswerC

Organization policies can enforce required services across the hierarchy.

Why this answer

Option C is correct because organization policies in Google Cloud allow you to enforce constraints at the organization, folder, or project level. The `serviceuser.services` constraint can be used to specify a list of APIs that must be enabled (or cannot be disabled) on all projects under the policy scope, ensuring compliance without manual intervention or additional infrastructure.

Exam trap

The trap here is that candidates confuse folder-level settings with organization policies, assuming folders have a built-in 'Required APIs' feature, when in reality only organization policies can enforce API enablement and disablement restrictions across projects.

How to eliminate wrong answers

Option A is wrong because a custom Cloud Function triggered on project creation introduces latency, potential failure points, and additional cost; it also cannot prevent APIs from being disabled after creation. Option B is wrong because granting the `roles/serviceusage.serviceUsageAdmin` role and relying on manual enabling is inefficient, error-prone, and does not enforce that APIs remain enabled. Option D is wrong because Google Cloud folders do not have a 'Required APIs' setting; API enablement is controlled via organization policies or service usage constraints, not a folder-level configuration.

65
Multi-Selecthard

Which THREE actions should be taken to ensure compliance with the principle of least privilege when bootstrapping a Google Cloud organization? (Choose 3)

Select 3 answers
A.Use service accounts for automated processes and grant them the minimum required roles.
B.Use custom roles that include only the necessary permissions.
C.Grant roles at the project level rather than at the organization level when possible.
D.Assign the Owner role at the organization level to a small group of administrators.
E.Use primitive roles (Owner, Editor, Viewer) to simplify management.
AnswersA, B, C

Service accounts should have least privilege.

Why this answer

Option A is correct because service accounts are the recommended identity for automated processes in Google Cloud, and granting them only the minimum required roles directly implements the principle of least privilege. This prevents over-permissioning and reduces the attack surface for automated workflows.

Exam trap

Google Cloud often tests the misconception that assigning the Owner role at the organization level to a small group is acceptable for least privilege, when in fact the Owner role should be reserved for emergency break-glass accounts and never used for routine administration.

66
Drag & Dropmedium

Order the steps to set up a log-based metric in Cloud Logging for error tracking.

Why this order

Filter logs, create metric, set alert, test, verify.

67
MCQhard

A company is bootstrapping a Google Cloud organization for DevOps. They have multiple teams that need to deploy infrastructure using a shared CI/CD pipeline. The security team requires that all deployments be reviewed and approved before production rollout. However, they also want to maintain a fast feedback loop for developers. What is the best way to balance these requirements?

A.Use Cloud Build with a manual approval step triggered via Cloud Pub/Sub
B.Use Spinnaker on GKE with a manual judgment stage between test and production
C.Use Cloud Run for production and Cloud Functions for testing, with IAM roles controlling access
D.Use Cloud Source Repositories with branch restrictions requiring code review
AnswerB

Correct: Spinnaker provides manual judgment stages for approval gates in the pipeline.

Why this answer

Spinnaker on GKE provides a native manual judgment stage that can be inserted between test and production deployments, enabling mandatory approval gates without sacrificing the fast feedback loop for developers. This balances security requirements with DevOps velocity by allowing automated testing to proceed quickly while blocking production rollout until explicit approval is given.

Exam trap

Google Cloud often tests the distinction between code review (e.g., branch restrictions) and deployment approval (e.g., manual judgment stage), leading candidates to choose Option D because they conflate code review with deployment gating.

How to eliminate wrong answers

Option A is wrong because Cloud Build with a manual approval step triggered via Cloud Pub/Sub does not natively support a manual judgment stage; it requires custom logic and lacks the built-in pipeline orchestration for approval gates that Spinnaker provides. Option C is wrong because using Cloud Run for production and Cloud Functions for testing with IAM roles does not introduce any approval or review mechanism for deployments; it only controls access, not the deployment pipeline itself. Option D is wrong because Cloud Source Repositories with branch restrictions requiring code review only enforces code review before merging, not a deployment approval gate after testing; it does not provide a manual judgment stage in the CI/CD pipeline.

68
MCQmedium

Refer to the exhibit. A Cloud Build pipeline using this configuration fails on the third step with a permission error. The Cloud Build service account has the 'Cloud Run Admin' role. What is the most likely missing permission?

A.run.routes.invoke
B.iam.serviceAccounts.actAs on the Cloud Run runtime service account
C.storage.objects.list on the artifact bucket
D.resourcemanager.projects.get
AnswerB

Required to deploy revisions; the service account acts as the runtime service account.

Why this answer

The Cloud Build pipeline fails on the third step with a permission error because the Cloud Build service account, despite having the 'Cloud Run Admin' role, lacks the `iam.serviceAccounts.actAs` permission on the Cloud Run runtime service account. This permission is required for Cloud Build to impersonate the runtime service account when deploying to Cloud Run, as the deployment step needs to act on behalf of that service account to create or update the service.

Exam trap

Google Cloud often tests the misconception that the 'Cloud Run Admin' role alone is sufficient for Cloud Build to deploy to Cloud Run, when in fact the `iam.serviceAccounts.actAs` permission on the runtime service account is a separate, required permission that is not included in the Cloud Run Admin role.

How to eliminate wrong answers

Option A is wrong because `run.routes.invoke` is used to invoke a Cloud Run service (e.g., making HTTP requests), not for deploying or managing the service; it is unrelated to the deployment permission error. Option C is wrong because `storage.objects.list` on the artifact bucket is needed for reading artifacts, but the error occurs on the third step (likely the deployment step), not during artifact retrieval; the Cloud Build service account already has access to the bucket via its default permissions. Option D is wrong because `resourcemanager.projects.get` is a project-level read permission used for retrieving project metadata, not for deploying to Cloud Run; it is not required for the deployment step.

69
MCQhard

A company uses a Shared VPC and wants to enforce a set of firewall rules across all projects in a folder. They want these rules to be immutable by project owners. Which approach should they use?

A.Use hierarchical firewall policies at the folder level.
B.Use network tags and service accounts to enforce rules.
C.Use organization policy constraints to prevent project owners from modifying firewall rules.
D.Create firewall rules at the VPC level and assign them to the folder.
AnswerA

Hierarchical policies enforce rules across projects in a folder.

Why this answer

Hierarchical firewall policies allow you to enforce firewall rules at the folder level, which are inherited by all projects within that folder. These policies are immutable by project owners because they are managed at the folder level, not the project or VPC level, and cannot be overridden or deleted by lower-level roles unless explicitly granted permission.

Exam trap

The trap here is that candidates confuse hierarchical firewall policies with organization policy constraints, thinking that preventing modifications is the same as enforcing rules, but hierarchical policies both enforce and lock the rules in a single mechanism.

How to eliminate wrong answers

Option B is wrong because network tags and service accounts are used to apply firewall rules to specific VM instances, not to enforce rules across all projects in a folder or make them immutable. Option C is wrong because organization policy constraints can prevent project owners from modifying firewall rules, but they do not enforce the rules themselves; they only restrict changes, leaving the actual rules to be defined elsewhere. Option D is wrong because VPC firewall rules are attached to a specific VPC network and cannot be assigned to a folder; hierarchical firewall policies are the correct mechanism for folder-level enforcement.

70
Multi-Select · hard

Which THREE are valid methods to enforce resource location restrictions in a Google Cloud organization? (Choose three.)

Select 3 answers
A. Use VPC Service Controls to limit resource access to specific regions.
B. Use folder-level IAM policies to restrict locations.
C. Apply a folder-level policy with the same organization policy constraint.
D. Apply an organization policy with the constraint 'constraints/gcp.resourceLocations'.
E. Use Cloud Audit Logs to detect and alert on resources created in non-compliant locations.
Answers: A, C, D

VPC SC can restrict access based on location.

Why this answer

Option A is correct because VPC Service Controls allow you to define perimeters that restrict resource access based on attributes such as region, preventing data exfiltration and ensuring resources are only accessible from allowed locations. This is a dedicated security feature that enforces location restrictions at the network level, complementing organization policies.

Exam trap

Google Cloud often tests the distinction between proactive enforcement (organization policies, VPC Service Controls) and reactive detection (Audit Logs), leading candidates to mistakenly select Cloud Audit Logs as a valid enforcement method.

71
Drag & Drop · medium

Arrange the steps to set up a Google Cloud Monitoring alerting policy for a Compute Engine instance.

Why this order

First create a notification channel, then define the condition, set evaluation parameters, attach the channel, and save.

72
MCQ · easy

A startup is bootstrapping their Google Cloud organization with the following constraints: they have a small team of 10 developers, each with varying levels of expertise. They want a simple setup that allows developers to experiment in their own projects but prevents them from deleting production resources. They also want to enforce a budget limit on each project to avoid unexpected costs. The team has no prior Google Cloud experience and wants minimal operational overhead. Which of the following approaches best meets their needs?

A. Use a single project with VPC Service Controls to isolate resources.
B. Create a single project for all developers, use budget alerts, and give everyone Owner role.
C. Create a project per developer, give them Owner role, and set a budget on each project.
D. Create a folder for production and a folder for development, assign developers Editor on dev projects and Viewer on prod, set budget alerts on both folders.
Answer: D

Isolation of environments and budget control.

Why this answer

Option B provides clear separation and cost control with minimal complexity.

73
Multi-Select · easy

Which TWO Organization Policy constraints are commonly used to enhance security in a DevOps environment?

Select 2 answers
A. constraints/cloudbuild.enableBuildManager
B. constraints/storage.uniformBucketLevelAccess
C. constraints/iam.disableServiceAccountKeyCreation
D. constraints/appengine.disableCodeDownload
E. constraints/compute.disablePublicIpAddress
Answers: C, E

Prevents creation of service account keys, reducing risk of key compromise.

Why this answer

Option C is correct because the `constraints/iam.disableServiceAccountKeyCreation` organization policy constraint prevents the creation of long-lived service account keys, which are a common security risk in DevOps pipelines. By enforcing this constraint, you force the use of short-lived credentials (e.g., workload identity federation or OAuth 2.0 access tokens) instead of static JSON keys that could be leaked or misused.

Exam trap

Google Cloud often tests the distinction between organization policy constraints and IAM roles or service-level settings, so candidates mistakenly select options like `constraints/storage.uniformBucketLevelAccess` or `constraints/cloudbuild.enableBuildManager` because they sound security-related but are not specifically designed to enhance DevOps security through credential management.

74
MCQ · hard

Refer to the exhibit. A DevOps engineer assigned this custom role to a service account used in Cloud Build. The pipeline fails when trying to access a secret stored in Secret Manager. Which permission is missing?

A. cloudbuild.builds.update
B. run.services.get
C. secretmanager.versions.access
D. iam.serviceAccounts.actAs
Answer: C

Required to access the latest version of a secret.

Why this answer

The custom role assigned to the Cloud Build service account lacks the `secretmanager.versions.access` permission, which is required to access the payload of a secret version in Secret Manager. Without this permission, any attempt to read the secret value during a build step will fail with a permission denied error, even if the service account has other roles on the project.

Exam trap

Google Cloud often tests the distinction between permissions that manage resources (e.g., `get`, `update`) and permissions that access data (e.g., `access`), leading candidates to pick a generic read permission like `get` instead of the specific `access` permission required for secret payloads.

How to eliminate wrong answers

Option A is wrong because `cloudbuild.builds.update` allows updating Cloud Build builds, not accessing secrets in Secret Manager. Option B is wrong because `run.services.get` grants read access to Cloud Run service metadata, not to secret payloads. Option D is wrong because `iam.serviceAccounts.actAs` is needed to impersonate a service account (e.g., for Cloud Build to deploy on behalf of another SA), but it does not grant access to secret data.

75
MCQ · easy

A company wants to ensure that all projects in the organization have Cloud Resource Manager API enabled. What is the most efficient method?

A. Use a Cloud Scheduler job to enable the API in new projects.
B. Enable the API manually in each project.
C. Use a Terraform script that iterates over all projects.
D. Set an organization policy to require the API.
Answer: D

Automatically enforced for all projects.

Why this answer

Option D is correct because organization policies allow you to enforce constraints across all projects in the organization, ensuring the Cloud Resource Manager API is enabled automatically and cannot be disabled. This is the most efficient method as it requires no manual intervention or scripting, and it leverages the native Google Cloud policy framework to enforce compliance at scale.

Exam trap

The trap here is that candidates often choose a reactive automation solution like Terraform or Cloud Scheduler, missing that organization policies provide proactive, declarative enforcement that works at the infrastructure layer without requiring custom code or periodic runs.

How to eliminate wrong answers

Option A is wrong because Cloud Scheduler is a cron job service that triggers actions on a schedule, but it cannot proactively enable APIs in new projects before they are created; it would require a custom script and still would not prevent projects from being created without the API. Option B is wrong because manually enabling the API in each project is not scalable, is error-prone, and violates the principle of infrastructure as code and automation expected in a DevOps organization. Option C is wrong because a Terraform script that iterates over all projects is reactive and requires periodic execution; it cannot enforce the API being enabled at project creation time and may miss projects created outside the Terraform workflow.
