CCNA Gcp Devops Bootstrapping Questions

44 of 119 questions · Page 2/2 · Gcp Devops Bootstrapping topic · Answers revealed

76
MCQ · easy

A startup is bootstrapping a Google Cloud organization for DevOps. They need to create a project for their CI/CD tooling and a separate project for logging and monitoring. What is the recommended way to structure the resource hierarchy?

A.Create a single project for all workloads and use labels to differentiate environments.
B.Create both projects directly under the organization node, with separate billing accounts.
C.Create a separate organization for each project to ensure isolation.
D.Create a folder called 'DevOps' and place both projects inside it, sharing a billing account.
Answer: D

Using a folder allows inheritance of IAM policies and organization policies, simplifying management.

Why this answer

Option D is correct because the recommended Google Cloud resource hierarchy for DevOps bootstrapping is to create a folder (e.g., 'DevOps') under the organization node and place both projects inside it. This structure allows centralized policy inheritance (e.g., IAM, org policies) and shared billing via a single billing account, while maintaining logical separation between CI/CD and logging/monitoring workloads. It aligns with Google's best practices for multi-project isolation without unnecessary organizational complexity.

Exam trap

Google Cloud often tests the misconception that projects must be placed directly under the organization node or that separate billing accounts are required for isolation, but the correct approach is to use folders for grouping and a shared billing account to maintain centralized control and policy inheritance.

How to eliminate wrong answers

Option A is wrong because using a single project with labels for environment differentiation violates the principle of workload isolation; labels are metadata for filtering and billing reports, not a security or policy boundary, and cannot enforce separate IAM roles or resource quotas for CI/CD vs. logging. Option B is wrong because creating both projects directly under the organization node with separate billing accounts introduces unnecessary billing overhead and loses the ability to apply common folder-level policies; Google recommends using folders for grouping related projects. Option C is wrong because creating a separate organization for each project is excessive and impractical: an organization node is tied to a Cloud Identity or Google Workspace account and its domain, so multiple organizations would require separate domains and would break centralized IAM, policy and billing management.

77
MCQ · medium

A DevOps team is bootstrapping CI/CD pipelines that need access to API keys stored in Secret Manager. The pipelines run on Cloud Build. What is the best practice for granting access to secrets?

A.Use a custom service account with roles/secretmanager.admin and run Cloud Build as that account.
B.Store the API keys as build substitutions.
C.Grant the Cloud Build service account roles/secretmanager.secretAccessor on the project containing secrets.
D.Use Cloud KMS to encrypt secrets and pass them as environment variables.
Answer: C

This provides least-privilege access to secrets.

Why this answer

Option C is correct because granting the Cloud Build service account `roles/secretmanager.secretAccessor` is the narrowest grant that still lets a build read secret versions; binding it on the individual secret rather than on the whole project is tighter still. Option A is wrong because `roles/secretmanager.admin` can create, delete and re-bind secrets, far beyond what a pipeline needs. Option B is wrong because build substitutions are plain build metadata: they are visible in the build history and can end up in logs.

Option D is wrong because the older pattern of KMS-encrypted values passed through environment variables moves key management and decryption into the build configuration; Cloud Build's native Secret Manager integration (`availableSecrets` with `secretEnv` on the step) is the recommended approach.

78
MCQ · medium

A DevOps engineer notices that a Cloud Build trigger is not firing when commits are pushed to a Cloud Source Repositories repository. The trigger is configured with an invert regex for the branch filter. What could be the issue?

A.The repository is in a different region.
B.The branch name matches the exclude pattern; the trigger ignores matching branches.
C.The commit was made by a service account.
D.The trigger's service account lacks read access to the repository.
Answer: B

Invert regex means branches matching the pattern are excluded; a push to a matching branch will not fire the trigger.

Why this answer

When a Cloud Build trigger is configured with an invert regex for the branch filter, it means the trigger will fire only for branches that do NOT match the specified regex pattern. If the branch name matches the exclude pattern, the trigger ignores commits on that branch, which is why the trigger is not firing. This is the intended behavior of the invert_regex flag in Cloud Build triggers.

Exam trap

The trap here is that candidates often confuse 'invert regex' with 'regex match' and assume the trigger should fire when the pattern matches, whereas invert_regex causes the trigger to fire only when the pattern does NOT match.

How to eliminate wrong answers

Option A is wrong because a Cloud Source Repositories repository is not a regional resource, and the region of a trigger does not affect whether the push event is detected. Option C is wrong because commits made by a service account still fire Cloud Build triggers normally, as the trigger watches repository events regardless of the committer identity. Option D is wrong because the trigger's service account is the identity the build runs as, not the identity that detects the push; Cloud Build's own integration with Cloud Source Repositories receives the event.
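The behaviour in question 78, as an added Terraform example (not code from the page): two triggers watch the same Cloud Source Repositories repository with the same branch pattern, one plain and one with `invert_regex`. A push to `main` starts only the first; a push to any other branch starts only the second. The project ID, repository name and config file names are placeholders.

```hcl
# Added example: the same regex used in opposite senses by two triggers.
variable "project_id" { type = string }   # assumed

locals {
  repo          = "app"     # assumed Cloud Source Repositories repo name
  protected_ref = "^main$"  # anchored so "main-hotfix" is not treated as main
}

# Fires only when the pushed branch matches ^main$.
resource "google_cloudbuild_trigger" "deploy" {
  project  = var.project_id
  name     = "deploy-main"
  location = "global"
  filename = "cloudbuild.deploy.yaml"   # assumed build config in the repo

  trigger_template {
    repo_name   = local.repo
    branch_name = local.protected_ref
  }
}

# Fires only when the pushed branch does NOT match ^main$.
# A commit on main therefore never starts this trigger, by design.
resource "google_cloudbuild_trigger" "ci" {
  project  = var.project_id
  name     = "ci-feature-branches"
  location = "global"
  filename = "cloudbuild.ci.yaml"

  trigger_template {
    repo_name    = local.repo
    branch_name  = local.protected_ref
    invert_regex = true
  }

  # Second silent reason a trigger can stay quiet: if included_files is set,
  # a push that touches none of these paths is ignored as well.
  included_files = ["src/**", "cloudbuild.ci.yaml"]
}
```

When a trigger "does not fire", check the branch filter sense and `included_files` before looking at IAM; both are evaluated before any build is created, so there is no build log to inspect.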

79
MCQ · easy

A company is bootstrapping a Google Cloud organization for the first time. They want to set up Cloud Identity to manage users and groups. What is the correct order of steps?

A.Add users and groups directly in Google Cloud without Cloud Identity.
B.Sign up for Cloud Identity, create the Google Cloud organization node, add users and groups, then enable Google Cloud services and set up billing.
C.Create the organization node first, then sign up for Cloud Identity, then add users.
D.Create the organization node, set up billing, then add Cloud Identity.
Answer: B

Cloud Identity provides the user directory needed for the organization.

Why this answer

Option B is correct because Cloud Identity is the foundation for managing users and groups in a Google Cloud organization. You must first sign up for Cloud Identity to create the identity realm, then create the organization node (which requires a Cloud Identity account), add users and groups, and finally enable services and set up billing. This order ensures that the organization node is linked to the correct Cloud Identity tenant and that users exist before they are granted access to resources.

Exam trap

Google Cloud often tests the misconception that the organization node can be created independently of Cloud Identity, leading candidates to choose option C or D, but in reality, Cloud Identity must be provisioned first as the identity backbone for the entire organization.

How to eliminate wrong answers

Option A is wrong because Cloud Identity is required to manage users and groups at the organization level; adding users directly in Google Cloud without Cloud Identity is not possible for organization-level identity management. Option C is wrong because the organization node cannot be created without first having a Cloud Identity account; Cloud Identity must be set up before the organization node is created. Option D is wrong because Cloud Identity must be established before the organization node is created, and billing setup typically occurs after the organization node exists and users are added.

80
Multi-Select · easy

Which TWO are best practices for bootstrapping a Google Cloud organization for DevOps?

Select 2 answers
A.Share a single service account key across multiple projects for simplicity.
B.Disable Organization Policies to allow maximum flexibility for DevOps teams.
C.Use a separate project to host shared CI/CD tools and artifacts.
D.Set up Organization Policies to enforce compliance requirements across projects.
E.Create a single service account with broad permissions to be used by all projects.
Answers: C, D

Isolating CI/CD tools in a dedicated project improves security and manageability.

Why this answer

Option C is correct because hosting shared CI/CD tools and artifacts in a dedicated project follows the principle of resource isolation and centralized management. This approach simplifies access control, cost tracking, and lifecycle management for DevOps pipelines, as the project acts as a single source of truth for build outputs and deployment tools. Option D is correct because Organization Policies are the mechanism for applying mandatory, inheritable constraints (for example, disabling service account key creation or restricting external IPs) to every project in the hierarchy, which is how compliance requirements are enforced at scale rather than project by project.

Exam trap

Google Cloud often tests the misconception that simplifying management by sharing credentials or disabling policies is a best practice, when in reality it undermines security and compliance in a multi-project organization.

81
MCQ · easy

A DevOps engineer needs to assign IAM roles at the organization level. Which built-in role is specifically designed for managing IAM policies across the organization?

A.roles/resourcemanager.organizationAdmin
B.roles/owner
C.roles/editor
D.roles/iam.securityAdmin
Answer: D

This role is focused on managing IAM policies only.

Why this answer

The role `roles/iam.securityAdmin` is the built-in IAM role specifically designed for managing IAM policies across the organization. It grants permissions to get and set IAM policies at the organization, folder, and project levels, without granting other resource management permissions. This makes it the correct choice for a DevOps engineer who needs to assign IAM roles organization-wide.

Exam trap

The trap here is that candidates pick `roles/resourcemanager.organizationAdmin` because it sounds like the top-level administrative role, but it is a broad resource-administration role over the organization, its folders and projects (including their IAM policies) rather than a role scoped to IAM policy management; the question asks for the role designed specifically for that task.

How to eliminate wrong answers

Option A is wrong because `roles/resourcemanager.organizationAdmin` is a broad administrative role over the organization's resources (organization settings, folders and projects, including their IAM policies); it grants far more than IAM policy management and is not the role designed specifically for it. Option B is wrong because `roles/owner` is a basic (primitive) role that grants full access to all resources, including IAM management, but it is not specifically designed for managing IAM policies and grants many other permissions that are excessive for this task. Option C is wrong because `roles/editor` is a basic role that allows modifying existing resources but does not include the `*.setIamPolicy` permissions needed to change IAM policies.

82
MCQ · easy

Your organization requires that all new Google Cloud projects are automatically configured with a common set of VPC networks and subnets, and that these networks must be created before any resources are deployed. What is the best approach to enforce this requirement across the organization?

A.Create a Cloud Deployment Manager template and share it with all project owners.
B.Use Organization Policies with a custom constraint to enforce that all projects must have a specific VPC network configuration.
C.Set up VPC Network Peering between all projects to enforce network connectivity.
D.Configure a shared VPC host project and attach all new service projects to it.
Answer: B

Organization Policies can enforce requirements across all projects in the organization.

Why this answer

Organization Policies with custom constraints are evaluated on resource create and update calls in every project under the organization, so they can reject configurations that do not meet the required VPC network and subnet rules before workloads are deployed. This is the only option that is both mandatory and organization-wide; the others rely on project owners applying a template or on post-creation configuration.

Exam trap

The trap here is that candidates often confuse 'enforcing a configuration' with 'providing a tool or connectivity'—they choose Shared VPC or Deployment Manager because those are common networking or automation tools, but they fail to recognize that only Organization Policies can mandate the presence of specific resources at project bootstrap time.

How to eliminate wrong answers

Option A is wrong because Cloud Deployment Manager templates are not enforceable; sharing a template relies on project owners to manually apply it, which does not guarantee automatic or mandatory configuration. Option C is wrong because VPC Network Peering only establishes connectivity between existing VPCs, it does not create or enforce the presence of specific VPC networks or subnets in new projects. Option D is wrong because Shared VPC attaches service projects to a host project but does not automatically create the required VPC networks and subnets in each new project; it only provides network access from the host project.

83
MCQ · hard

An organization is using Cloud Source Repositories and wants to enforce that all commits are signed with a verified GPG key. How can they enforce this?

A.Use a branch protection rule in Cloud Source Repositories.
B.Use Cloud Functions to validate commits after push.
C.Enable the Signed Commits policy in the repository settings.
D.Use a pre-receive hook in Cloud Source Repositories.
Answer: C

Native feature to require GPG-signed commits.

Why this answer

Option C is correct because Cloud Source Repositories provides a built-in 'Signed Commits' policy in the repository settings that, when enabled, rejects any push containing commits that are not signed with a verified GPG key. This policy is enforced server-side at the repository level, ensuring that only signed commits are accepted without requiring external tools or custom scripts.

Exam trap

The trap here is that candidates confuse branch protection rules (which control merge behavior) with commit signing enforcement, or assume pre-receive hooks are available in Cloud Source Repositories when they are not supported in this managed service.

How to eliminate wrong answers

Option A is wrong because branch protection rules in Cloud Source Repositories control merge requirements (e.g., required reviews, status checks) but do not enforce commit signing; they operate on pull request merges, not on individual commits pushed directly. Option B is wrong because Cloud Functions can validate commits after push, but this is an asynchronous, post-hoc approach that cannot prevent the push from being accepted; the commits would already be in the repository, violating the enforcement requirement. Option D is wrong because Cloud Source Repositories does not support pre-receive hooks; this feature is available in self-managed Git servers (e.g., GitHub Enterprise, GitLab) but not in Google Cloud's managed repository service.

84
MCQ · hard

Refer to the exhibit. A DevOps engineer is trying to create a new project using the Cloud Console. The project creation fails with a policy violation. The engineer has permissions on folders/12345678 and folders/87654321 but not on any other folders. They select folder/87654321 as the parent. What is the most likely reason for the failure?

A.The engineer is missing the resourcemanager.projects.create permission.
B.The policy is enforced at the organization level but the engineer's IAM role does not allow creating projects in that folder.
C.The policy is set at the folder level, and folder/87654321 has a different policy.
D.The policy requires the project parent to be one of the allowed folders, and folder/87654321 is not listed.
Answer: D

The allowedValues only include folder/12345678.

Why this answer

Option D is correct because the policy violation indicates that the organization has a constraint restricting which folders can be used as project parents. The engineer selected folder/87654321, but the policy explicitly lists only certain allowed folders, and folder/87654321 is not among them. This is a common organization policy (e.g., a list constraint) that enforces project creation only in approved folders, regardless of the engineer's IAM permissions on that folder.

Exam trap

Google Cloud often tests the distinction between IAM permission errors (e.g., missing resourcemanager.projects.create) and organization policy constraint violations (e.g., list constraints), where candidates mistakenly attribute the failure to missing IAM roles rather than a policy that restricts allowed parent resources.

How to eliminate wrong answers

Option A is wrong because the engineer successfully navigated to the project creation UI and the error is a 'policy violation', not a permissions error; missing resourcemanager.projects.create would produce an 'access denied' or 'permission denied' message, not a policy violation. Option B is wrong because the policy is enforced at the organization level (as a constraint), not at the folder level, and the engineer's IAM role does allow creating projects in that folder (they have permissions on it); the failure is due to a policy constraint, not an IAM role limitation. Option C is wrong because the policy is not set at the folder level on folder/87654321; if it were, the engineer would see a folder-specific policy violation, but the question states the policy is enforced at the organization level, and the engineer has permissions on the folder itself.

85
Multi-Select · hard

Which THREE are key considerations when setting up a Google Cloud organization for DevOps?

Select 3 answers
A.Use a single project for development, staging, and production to reduce overhead.
B.Enable audit logging and set up log sinks to a centralized logging project.
C.Implement a shared VPC to enable network connectivity across projects.
D.Design a folder hierarchy that mirrors the organizational structure.
E.Store secrets directly in code repositories for easy access by CI/CD pipelines.
Answers: B, C, D

Centralized logging is essential for security and compliance.

Why this answer

Option B is correct because audit logging is essential for security and compliance in a DevOps environment. By enabling audit logs and setting up log sinks to a centralized logging project, you ensure that all API calls and administrative actions across the organization are captured in a single location that project owners cannot tamper with, which is critical for incident response and forensic analysis. Option C is correct because a Shared VPC lets workloads in separate projects use centrally managed subnets, firewall rules and routes from one host project, giving per-project isolation without per-project networks. Option D is correct because a folder hierarchy that mirrors the organization (business units, then environments) is where IAM and organization policies are attached so that every project inherits them.

Exam trap

Google Cloud often tests the misconception that consolidating all environments into a single project reduces complexity, but the correct approach is to use separate projects with a shared VPC and centralized logging to maintain isolation and compliance.
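Option B of question 85 in practice, as an added Terraform example (not code from the page): an organization-level sink that copies every audit log entry from every folder and project into a locked log bucket in the dedicated logging project, plus the audit configuration that turns on Data Access logs. The organization ID, logging project ID, bucket name and retention period are placeholders.

```hcl
# Added example: centralized, tamper-resistant audit logs for the whole org.
variable "org_id"             { type = string }  # assumed, e.g. "123456789012"
variable "logging_project_id" { type = string }  # assumed, the dedicated logging project

# Destination bucket in the logging project. `locked = true` prevents the
# retention from being shortened and the bucket from being deleted while it
# still holds logs, so a compromised project owner cannot erase history.
resource "google_logging_project_bucket_config" "audit" {
  project        = var.logging_project_id
  location       = "global"
  bucket_id      = "org-audit"   # assumed name
  retention_days = 400
  locked         = true
}

# Organization-level sink; include_children pulls in every folder and project.
resource "google_logging_organization_sink" "audit" {
  name             = "org-audit-to-central"
  org_id           = var.org_id
  include_children = true
  destination      = "logging.googleapis.com/${google_logging_project_bucket_config.audit.id}"
  # Admin Activity, Data Access, System Event and Policy Denied audit logs.
  filter = "logName:\"cloudaudit.googleapis.com\""
}

# The sink writes as a generated identity; it must be allowed to write into the
# destination project. Nothing else needs access to the logging project.
resource "google_project_iam_member" "sink_writer" {
  project = var.logging_project_id
  role    = "roles/logging.bucketWriter"
  member  = google_logging_organization_sink.audit.writer_identity
}

# Data Access audit logs are off by default for most services. Enabling them
# org-wide is what makes "who read that secret / bucket" answerable later.
# DATA_READ can be high volume; exempt noisy identities rather than disabling it.
resource "google_organization_iam_audit_config" "all_services" {
  org_id  = var.org_id
  service = "allServices"

  audit_log_config { log_type = "ADMIN_READ" }
  audit_log_config { log_type = "DATA_READ" }
  audit_log_config { log_type = "DATA_WRITE" }
}
```

Because the sink lives on the organization node, a project owner cannot remove their project from it; only someone with logging configuration rights at the organization can. That is the property that makes the central copy useful as evidence.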

86
Multi-Select · medium

Which THREE actions should be taken when bootstrapping a CI/CD pipeline on Google Cloud? (Select exactly 3)

Select 3 answers
A.Store secrets in Cloud Source Repositories.
B.Use Cloud Build with a Dockerfile.
C.Enable the Cloud Run API.
D.Create a service account with necessary permissions.
E.Configure triggers for automated builds.
Answers: B, D, E

Common pattern for building container images.

Why this answer

Option B is correct because Cloud Build can use a Dockerfile to build a container image from source code, which is a fundamental step in bootstrapping a CI/CD pipeline. This allows automated builds triggered by code changes, enabling continuous integration and delivery to services like Cloud Run or GKE. Option D is correct because a dedicated service account holding only the permissions the pipeline needs (build, push images, deploy) is the identity the builds should run as, instead of a broad default account. Option E is correct because triggers are what turn a push or tag into an automated build; without them the pipeline is a manual process.

Exam trap

Google Cloud often tests the misconception that enabling specific APIs (like Cloud Run API) is a mandatory step for bootstrapping any CI/CD pipeline, when in fact it is only required if that service is the deployment target.

87
Matching · medium

Match each Kubernetes resource to its role in a DevOps pipeline.

Deployment → Manages desired state for Pods

Service → Stable network endpoint for Pods

Ingress → External HTTP/S load balancing

ConfigMap → Non-sensitive configuration data

Secret → Sensitive data like passwords

Why these pairings

Key Kubernetes objects for application management.

88
MCQ · medium

Refer to the exhibit. A DevOps engineer is bootstrapping a Google Cloud organization and wants to ensure that no Compute Engine VM instances can have external IP addresses. The engineer applies this Terraform configuration. What is the effect of this configuration on the organization?

A.It blocks external IP access for all VMs in all projects under the organization.
B.It requires a separate script to enforce the policy on existing VMs.
C.It blocks external IP access only for the first project created in the organization.
D.It blocks both internal and external IP access for all VMs.
Answer: A

A list policy with all values denied, set at the organization level, is inherited by every folder and project beneath it.

Why this answer

The Terraform configuration sets the organization policy constraint `compute.vmExternalIpAccess` on the organization node with all values denied. This is a list constraint (its allowed values are the specific VM instances permitted to hold an external IP), not a boolean one, so "deny all" is the way to block external IPs outright. Organization policies are inherited by every folder and project beneath the node unless a descendant sets its own policy, so the constraint applies across the whole organization. Enforcement takes place when the Compute Engine API creates or updates an instance: new VMs cannot be assigned an external IP, and one cannot be added to an existing VM. VMs that already held an external IP before the policy was set keep it until they are modified; the policy is not applied retroactively.

Exam trap

The trap here is that candidates confuse organization policy inheritance with project-level overrides, thinking the policy applies only to the first project or must be reapplied per project, when in fact it is inherited by every project automatically and evaluated on each VM create or update.

How to eliminate wrong answers

Option B is wrong because no separate mechanism is needed for the policy to take effect: it is evaluated on every relevant API call in every project as soon as it is set. (Stripping external IPs that existed before the policy is a separate cleanup task, but the policy itself never requires a script.) Option C is wrong because organization policies apply to all projects under the organization, not just the first project created; they are inherited by all child resources. Option D is wrong because the constraint `compute.vmExternalIpAccess` targets external IP access only; internal IP addressing and communication are unaffected.

89
MCQ · easy

To securely manage secrets (e.g., API keys) used in Cloud Build pipelines, which service should be used?

A.Secret Manager
B.Cloud KMS
C.Cloud Key Management Service (duplicate)
D.Cloud Storage
Answer: A

Designed for storing secrets; Cloud Build exposes them to build steps as environment variables.

Why this answer

Option A is correct because Secret Manager is the service designed for storing, versioning and access-controlling secrets such as API keys, and Cloud Build can inject them into build steps. Cloud KMS (options B and C are the same service listed twice) manages encryption keys and performs cryptographic operations; it does not store secrets. Cloud Storage is general object storage with no secret-specific access model or version semantics.
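The setup behind questions 77 and 89, as an added Terraform example (not code from the page): a secret in Secret Manager, a build-specific service account that may only read that one secret, and a trigger whose step receives the value as an environment variable. The project ID, account name, secret name, repository name and the health-check URL are placeholders, and the secret value itself is added out of band so it never enters Terraform state or the repository. Assumes Google provider 5.x (`replication { auto {} }`).

```hcl
# Added example: least-privilege secret access for a Cloud Build pipeline.
variable "project_id" { type = string }   # assumed

# The identity the builds run as. Not the default Compute Engine account.
resource "google_service_account" "build" {
  project      = var.project_id
  account_id   = "cicd-build"           # assumed
  display_name = "Cloud Build pipeline"
}

# A user-managed build service account needs to write its own build logs.
resource "google_project_iam_member" "build_logs" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.build.email}"
}

# The secret container only. Add versions with:
#   gcloud secrets versions add partner-api-key --data-file=-
resource "google_secret_manager_secret" "api_key" {
  project   = var.project_id
  secret_id = "partner-api-key"         # assumed
  replication {
    auto {}
  }
}

# Accessor on this single secret: not admin, not project-wide.
resource "google_secret_manager_secret_iam_member" "build_reads_key" {
  project   = var.project_id
  secret_id = google_secret_manager_secret.api_key.secret_id
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.build.email}"
}

resource "google_cloudbuild_trigger" "ci" {
  project         = var.project_id
  name            = "ci-main"
  location        = "global"
  service_account = google_service_account.build.id  # projects/.../serviceAccounts/...

  trigger_template {
    repo_name   = "app"                 # assumed Cloud Source Repositories repo
    branch_name = "^main$"
  }

  build {
    # Resolved from Secret Manager at build time; never a substitution.
    available_secrets {
      secret_manager {
        env          = "API_KEY"
        version_name = "${google_secret_manager_secret.api_key.id}/versions/latest"
      }
    }

    step {
      name       = "gcr.io/cloud-builders/curl"
      entrypoint = "bash"
      # Only steps that list the variable in secret_env can see it.
      secret_env = ["API_KEY"]
      # $$ stops Cloud Build from treating it as a substitution; bash sees $API_KEY.
      args = ["-c", "curl -fsS -H \"Authorization: Bearer $$API_KEY\" https://api.example.com/health"]
    }

    options {
      # Required when a build runs as a user-managed service account.
      logging = "CLOUD_LOGGING_ONLY"
    }
  }
}
```

Two checks worth doing after applying this: the build must fail with a Secret Manager permission error if the `secretAccessor` binding is removed (proving nothing broader is in play), and `echo $$API_KEY` in a step must be refused by review, since Cloud Build masks nothing that a step prints deliberately.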

90
Multi-Select · medium

Which TWO options are best practices when bootstrapping a Google Cloud organization for DevOps? (Choose 2)

Select 2 answers
A.Grant the Owner role to a group of DevOps engineers to manage all projects.
B.Store service account keys in the source code repository for ease of use.
C.Create a single VPC network for all environments to simplify management.
D.Use folders to separate environments (e.g., dev, staging, prod) and apply policies at the folder level.
E.Use resource tags to enable conditional access policies and cost tracking.
Answers: D, E

Folders provide hierarchical policy enforcement and organization.

Why this answer

Option D is correct because using folders to separate environments (e.g., dev, staging, prod) allows you to apply IAM policies and organization policies at the folder level, which are inherited by all projects within that folder. This enforces consistent security controls and resource governance across each environment, a key DevOps practice for managing lifecycle and access boundaries. Option E is correct because tags are attached to resources in the hierarchy and can be referenced from IAM conditions and conditional organization policy rules, so access decisions and policy exemptions can be keyed to a tag rather than to hand-maintained lists of resources, and they can also be used for cost tracking.

Exam trap

Google Cloud often tests the misconception that a single VPC network simplifies management, but the trap here is that it sacrifices the network isolation required for safe multi-environment DevOps workflows, which is a core principle of Google Cloud's resource hierarchy design.
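The hierarchy recommended in questions 76 and 90 as one piece of Terraform, added here as an example and not taken from the page: a folder holding the CI/CD and logging projects on a shared billing account, with two boolean organization policies and one IAM grant attached to the folder so both projects inherit them. The organization ID, billing account, project IDs and group are placeholders.

```hcl
# Added example: folder, two projects, one billing account, folder-level governance.
variable "org_id"          { type = string } # assumed, e.g. "123456789012"
variable "billing_account" { type = string } # assumed, e.g. "012345-6789AB-CDEF01"

resource "google_folder" "devops" {
  display_name = "devops"
  parent       = "organizations/${var.org_id}"
}

# Boolean constraints enforced at the folder. Every project created below it
# inherits them, so CI/CD and logging get identical baselines.
resource "google_org_policy_policy" "no_sa_keys" {
  name   = "${google_folder.devops.name}/policies/iam.disableServiceAccountKeyCreation"
  parent = google_folder.devops.name          # "folders/NNN"
  spec {
    rules { enforce = "TRUE" }                # no downloadable SA keys below this folder
  }
}

resource "google_org_policy_policy" "no_default_network" {
  name   = "${google_folder.devops.name}/policies/compute.skipDefaultNetworkCreation"
  parent = google_folder.devops.name
  spec {
    rules { enforce = "TRUE" }                # new projects start with no VPC at all
  }
}

locals {
  # Project IDs are immutable and globally unique; choose them deliberately.
  projects = {
    cicd    = "acme-devops-cicd"    # assumed
    logging = "acme-devops-logging" # assumed
  }
}

resource "google_project" "devops" {
  for_each        = local.projects
  name            = each.value
  project_id      = each.value
  folder_id       = google_folder.devops.folder_id
  billing_account = var.billing_account      # shared, not one account per project

  # The folder policies must exist before the projects are created,
  # otherwise the first project is born with a default network.
  depends_on = [
    google_org_policy_policy.no_sa_keys,
    google_org_policy_policy.no_default_network,
  ]
}

# IAM granted once at the folder is inherited by both projects. Bind groups,
# not individual users, so membership changes never touch this policy.
resource "google_folder_iam_member" "devops_viewers" {
  folder = google_folder.devops.name
  role   = "roles/viewer"
  member = "group:devops-team@example.com"   # assumed group
}
```

Adding a third project to the folder later needs only a new entry in `local.projects`; the policies and the group grant apply to it without further changes, which is the inheritance the question is testing.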

91
MCQ · medium

A company uses Cloud Build for CI/CD. They want to allow Cloud Build to deploy to Cloud Run. What is the minimum IAM role to assign to the Cloud Build service account?

A.roles/cloudbuild.builds.builder
B.roles/run.admin
C.roles/editor
D.roles/run.invoker
Answer: B

Provides full control over Cloud Run services, enabling deployment.

Why this answer

The Cloud Build service account needs permission to create and manage Cloud Run resources, including deploying new revisions. The `roles/run.admin` role provides full control over Cloud Run services, which is the minimum among the listed options that allows deployment. The `roles/cloudbuild.builds.builder` role only covers running builds, not deploying to Cloud Run. In practice the deploy also needs `roles/iam.serviceAccountUser` on the Cloud Run service's runtime service account, because deploying a revision that runs as that identity requires `iam.serviceAccounts.actAs`; that grant is scoped to the runtime account, not the project.

Exam trap

The trap here is that candidates often confuse the Cloud Build service account's role with the Cloud Build builder role (`roles/cloudbuild.builds.builder`), mistakenly thinking it includes deployment permissions, when in fact it only covers build orchestration.

How to eliminate wrong answers

Option A is wrong because `roles/cloudbuild.builds.builder` grants permissions only for Cloud Build operations (e.g., creating builds, viewing logs) and does not include any Cloud Run deployment permissions. Option C is wrong because `roles/editor` is a broad, basic role that includes many permissions beyond what is needed, violating the principle of least privilege; it is not the minimum IAM role. Option D is wrong because `roles/run.invoker` only allows invoking (calling) an existing Cloud Run service, not deploying or updating it.

92
Multi-Select · medium

Which TWO of the following are required steps to set up a shared VPC for DevOps teams?

Select 2 answers
A.Attach the service projects to the host project.
B.Create a new VPC in the service project and peer it with the host project.
C.Configure Cloud Interconnect between the host and service projects.
D.Designate the host project and enable Shared VPC for it.
E.Grant the Shared VPC Admin role (roles/compute.xpnAdmin) to the service project team.
Answers: A, D

Service projects must be explicitly attached to use the shared VPC.

Why this answer

Option A is correct because attaching service projects to the host project is a mandatory step in Shared VPC setup. After designating the host project and enabling Shared VPC, you must attach each service project to the host project so that the service projects can consume subnets from the host project's VPC. Without this attachment, the service projects cannot use the shared networking resources. Option D is correct because Shared VPC begins by designating a host project and enabling Shared VPC on it, which requires the Shared VPC Admin (`roles/compute.xpnAdmin`) at the organization or folder level; that role belongs to the network administrators, not to each service project team, which is why option E is wrong. Service project users instead receive `roles/compute.networkUser` on the specific subnets they may use.

Exam trap

Google Cloud often tests the misconception that Shared VPC requires VPC peering or that service projects need their own VPC, but the correct model is a single host project VPC shared via attachment, not peering.
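The two required steps from question 92 together with the grant that usually follows them, as an added Terraform example (not code from the page): designate the host project, attach a service project, and give the service project's team `roles/compute.networkUser` on one subnet rather than `roles/compute.xpnAdmin`. Whoever applies this must already hold Shared VPC Admin at the organization or folder. Project IDs, the subnet range and the group are placeholders.

```hcl
# Added example: host project, one service project, subnet-scoped network use.
variable "host_project_id"    { type = string }  # assumed
variable "service_project_id" { type = string }  # assumed; Compute API must be enabled there

# Step 1: designate the host project (enables Shared VPC on it).
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project_id
}

# Step 2: attach the service project. No peering, no VPC in the service project.
resource "google_compute_shared_vpc_service_project" "ci" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project_id
}

# The shared network and a subnet, both owned by the host project.
resource "google_compute_network" "shared" {
  project                 = var.host_project_id
  name                    = "shared-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "ci" {
  project                  = var.host_project_id
  name                     = "ci-runners"
  region                   = "us-central1"
  ip_cidr_range            = "10.10.0.0/24"   # assumed
  network                  = google_compute_network.shared.id
  private_ip_google_access = true            # Google APIs reachable without external IPs
}

# The service-project team may place resources in this subnet and nothing else.
# networkUser on the subnet, not xpnAdmin and not networkUser on the whole host.
resource "google_compute_subnetwork_iam_member" "ci_team" {
  project    = var.host_project_id
  region     = google_compute_subnetwork.ci.region
  subnetwork = google_compute_subnetwork.ci.name
  role       = "roles/compute.networkUser"
  member     = "group:ci-team@example.com"   # assumed group
}
```

Service agents that create resources in the subnet on the team's behalf (for example the GKE or Cloud Build private pool service agents of the service project) need the same subnet-level `networkUser` grant; a "permission denied on subnetwork" at deploy time with the team's own access working is usually that.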

93
MCQ · hard

An organization has multiple projects under a common folder. They want to enforce that all projects use the same VPC network from a central host project. However, one project needs to use a different VPC due to compliance requirements. How can this be achieved?

A.Set an organization policy to enforce shared VPC and create an exception for the specific project using the policy condition.
B.Use VPC Network Peering to connect the project to the host project.
C.Create a separate folder for the exception project and apply a different organizational policy.
D.Grant the project the necessary permissions to use its own VPC.
Answer: A

Organizational policies support conditions for exemptions.

Why this answer

Option A is correct because organization policy constraints such as `compute.restrictSharedVpcHostProjects` (which limits the host projects a service project may attach to) are set at the folder or organization level and inherited by every project beneath. A rule with a condition (e.g., `resource.matchTag(...)`) can release a single tagged project from the constraint, so that project can keep its own VPC for compliance while every other project remains bound to the central host project.

Exam trap

Google Cloud often tests the misconception that VPC peering or folder restructuring can solve policy enforcement exceptions, when in reality only organization policy conditions provide the precise, hierarchical override needed without breaking the uniform constraint.

How to eliminate wrong answers

Option B is wrong because VPC Network Peering connects two VPCs for communication but does not enforce that all projects use the same VPC from a central host project; it allows independent VPCs to exchange traffic, which contradicts the requirement of uniform VPC usage. Option C is wrong because creating a separate folder and applying a different organizational policy would affect all projects in that folder, not just the single exception project, and it violates the principle of minimal exception management. Option D is wrong because granting permissions to use its own VPC does not override an organization policy constraint; the policy must be explicitly exempted via conditions, not just by IAM permissions.
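Questions 88 and 93 both come down to how an organization policy is written and where a rule can be relaxed. The following is an added Terraform example (not the exhibit from question 88 and not code from the page): an unconditional deny-all on `compute.vmExternalIpAccess` at the organization, and a `compute.restrictSharedVpcHostProjects` policy whose first rule exempts any project carrying a tag, while the fallback rule limits everyone else to the central host project. The organization ID, host project, exempt project and tag names are placeholders; note that this constraint governs which host projects a service project may attach to, so the tag releases the project from that restriction rather than forcing anything else.

```hcl
# Added example: org-wide list constraints, one with a tag-conditioned exemption.
variable "org_id"          { type = string }  # assumed, e.g. "123456789012"
variable "host_project_id" { type = string }  # assumed central Shared VPC host
variable "exempt_project"  { type = string }  # assumed project ID of the compliance exception

# Question 88: no VM under the organization may hold an external IP.
# List constraint, so "deny all" (not a boolean enforce) is what blocks it.
resource "google_org_policy_policy" "no_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"
  spec {
    rules { deny_all = "TRUE" }
  }
}

# Question 93: a tag marks the one project allowed to deviate.
resource "google_tags_tag_key" "network_exempt" {
  parent      = "organizations/${var.org_id}"
  short_name  = "network-exempt"
  description = "Projects released from the Shared VPC host restriction"
}

resource "google_tags_tag_value" "yes" {
  parent     = "tagKeys/${google_tags_tag_key.network_exempt.name}"
  short_name = "true"
}

data "google_project" "exempt" {
  project_id = var.exempt_project
}

# Binding the tag to the project is the only per-project change; the policy
# itself never has to list project IDs.
resource "google_tags_tag_binding" "exempt_project" {
  parent    = "//cloudresourcemanager.googleapis.com/projects/${data.google_project.exempt.number}"
  tag_value = "tagValues/${google_tags_tag_value.yes.name}"
}

resource "google_org_policy_policy" "shared_vpc_hosts" {
  name   = "organizations/${var.org_id}/policies/compute.restrictSharedVpcHostProjects"
  parent = "organizations/${var.org_id}"
  spec {
    # Conditional rule first: a project carrying the tag is not restricted.
    rules {
      condition {
        title      = "compliance exemption"
        expression = "resource.matchTag('${var.org_id}/network-exempt', 'true')"
      }
      allow_all = "TRUE"
    }
    # Fallback for every other project: only the central host may be used.
    rules {
      values {
        allowed_values = ["projects/${var.host_project_id}"]
      }
    }
  }
}
```

Who may attach the `network-exempt` tag is itself an IAM decision (`roles/resourcemanager.tagUser` on the tag value); keep that grant with the team that owns the policy, otherwise any project owner could exempt themselves.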

94
MCQ · medium

A DevOps engineer is setting up a Cloud Build trigger that deploys to Cloud Run. The build succeeds but the deployment fails with 'Permission denied on the Cloud Run service'. What is the most likely cause?

A.The Cloud Run service account lacks the roles/cloudbuild.builds.builder role.
B.The trigger is missing the required deployment configuration.
C.The cloudbuild.yaml file has an incorrect image tag.
D.The Cloud Build service account lacks the roles/run.admin role.
Answer: D

This role is necessary to deploy to Cloud Run.

Why this answer

The Cloud Build service account (the Compute Engine default service account, the legacy Cloud Build service account, or a user-specified service account, depending on how the trigger is configured) requires the roles/run.admin role to deploy to Cloud Run. This role grants permission to create, update, and manage Cloud Run services. Without it, the deployment step fails with a 'Permission denied' error, even though the build itself succeeds. A second common cause of the same message is a missing roles/iam.serviceAccountUser grant on the Cloud Run runtime service account, which the deployer needs in order to deploy a revision that runs as that identity.

Exam trap

The trap here is that candidates often confuse the Cloud Build service account with the Cloud Run service account, mistakenly thinking the Cloud Run service account needs the builder role, when in fact the Cloud Build service account needs the run.admin role to deploy.

How to eliminate wrong answers

Option A is wrong because the Cloud Run service account does not need the roles/cloudbuild.builds.builder role; that role is for triggering builds, not for deploying to Cloud Run. Option B is wrong because a missing deployment configuration would typically cause a different error (e.g., missing 'service' or 'region' fields), not a permission denied error. Option C is wrong because an incorrect image tag would cause a build or deployment failure related to image resolution (e.g., 'Image not found'), not a permission denied error on the Cloud Run service.
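The grants that resolve the failure in question 94 (and answer question 91), as an added Terraform example that is not code from the page: the deployer identity gets `roles/run.admin` on the project and `roles/iam.serviceAccountUser` on the runtime service account only, plus write access to the image repository it pushes to. The project ID, account names and repository are placeholders.

```hcl
# Added example: deployer and runtime identities kept separate, minimal grants.
variable "project_id" { type = string }   # assumed

# Identity the Cloud Build trigger runs as.
resource "google_service_account" "build" {
  project    = var.project_id
  account_id = "cicd-build"               # assumed
}

# Identity the Cloud Run service runs as. Never reuse the deployer for this.
resource "google_service_account" "runtime" {
  project    = var.project_id
  account_id = "api-runtime"              # assumed
}

# 1. A user-managed build account must be able to write its build logs.
resource "google_project_iam_member" "build_logs" {
  project = var.project_id
  role    = "roles/logging.logWriter"
  member  = "serviceAccount:${google_service_account.build.email}"
}

# 2. Deployer may create and update Cloud Run services in this project.
resource "google_project_iam_member" "build_run_admin" {
  project = var.project_id
  role    = "roles/run.admin"
  member  = "serviceAccount:${google_service_account.build.email}"
}

# 3. Deploying a revision that runs as `runtime` requires actAs on that
#    account. Granted on the single account, not project-wide, so the deployer
#    cannot impersonate anything else.
resource "google_service_account_iam_member" "build_acts_as_runtime" {
  service_account_id = google_service_account.runtime.name   # projects/.../serviceAccounts/...
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.build.email}"
}

# 4. Pushing the built image. Scoped to one Artifact Registry repository.
resource "google_artifact_registry_repository_iam_member" "build_pushes_images" {
  project    = var.project_id
  location   = "us-central1"              # assumed
  repository = "images"                   # assumed existing repository
  role       = "roles/artifactregistry.writer"
  member     = "serviceAccount:${google_service_account.build.email}"
}
```

If the deploy still reports permission denied after these grants, the remaining suspects are the Cloud Run service agent's access to the image (it, not the build account, pulls the image at deploy time) and the trigger actually running as `cicd-build` rather than a default account.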

95
MCQ · easy

You are a DevOps engineer for a startup bootstrapping their Google Cloud organization. They have a single project for all environments (dev, test, prod) and a flat resource hierarchy. Recently, a developer accidentally deleted a production Cloud Storage bucket, causing data loss. The team wants to prevent this in the future with minimal disruption. They also want to enforce that all new projects follow a naming convention like 'company-environment-xxx'. The CTO wants a solution using native Google Cloud services without third-party tools. What should you do?

A.Implement a Cloud Function that renames projects not following the convention and deletes buckets not in a folder.
B.Grant all users the Project Creator role but restrict bucket deletion with IAM.
C.Use Google Cloud Deployment Manager to create projects with predefined templates.
D.Create folders for each environment, move existing resources into folders, and apply an organization policy to enforce the naming convention on project creation.
Answer: D

Folders provide isolation; org policy enforces naming.

Why this answer

Option D is correct because creating folders for each environment (dev, test, prod) and moving existing resources into them establishes a hierarchical resource structure that allows IAM and organization policies to be applied at the folder level. The naming convention is enforced by an organization policy evaluated when a project is created, so a non-conforming project is rejected rather than created and fixed afterwards. IAM roles can then be scoped per folder so that production users hold `roles/storage.objectAdmin` (which lacks `storage.buckets.delete`) rather than `roles/storage.admin`, which removes the accidental-deletion path. This solution uses native Google Cloud services (Resource Manager, Organization Policies, IAM) with minimal disruption: no code to run and no third-party tools.

Exam trap

Google Cloud often tests the misconception that Cloud Functions or Deployment Manager can enforce governance retroactively, when in fact organization policies and folders are the only native Google Cloud services that can enforce naming conventions and resource hierarchy constraints at scale.

How to eliminate wrong answers

Option A is wrong because Cloud Functions cannot rename projects or delete buckets based on folder membership; project names are immutable after creation, and bucket deletion requires IAM permissions, not serverless functions. Option B is wrong because granting all users the Project Creator role would allow them to create projects without naming enforcement, and restricting bucket deletion with IAM alone does not prevent accidental deletion in a flat hierarchy where permissions are inherited broadly. Option C is wrong because Deployment Manager can create projects with templates but cannot enforce naming conventions retroactively on existing projects or prevent bucket deletion; it is a deployment tool, not a governance enforcement mechanism.

96
Multi-Select · hard

A DevOps team is designing a CI/CD pipeline using Cloud Build and Spinnaker. They want to ensure secrets are managed securely. Which three recommended practices should they implement? (Choose THREE.)

Select 3 answers
A. Grant Cloud Build service account access to secrets via IAM.
B. Use Cloud KMS to encrypt secrets before storing in Cloud Storage.
C. Base64 encode secrets and store them in Cloud Build substitutions.
D. Rotate secrets regularly using Secret Manager.
E. Store secrets in Cloud Secret Manager.
Answers: A, D, E

Least-privilege access to necessary secrets.

Why this answer

A is correct because Cloud Build's service account must be granted IAM roles (e.g., roles/secretmanager.secretAccessor) on the Secret Manager secret to allow the pipeline to retrieve the secret value at build time. Without explicit IAM binding, the service account lacks permission to access the secret, causing the build to fail. This follows the principle of least privilege and ensures that only authorized identities can read secrets.

Exam trap

Google Cloud often tests the misconception that Base64 encoding or encrypting secrets with Cloud KMS before storage is sufficient, when in fact Secret Manager provides native secure storage, access control, and rotation—making options like B and C redundant or insecure.

97
MCQ · easy

A company is setting up a new Google Cloud organization. They want to ensure that all projects inherit common IAM policies. What is the best practice?

A. Apply IAM policies at the folder level.
B. Apply IAM policies at the project level.
C. Apply IAM policies at the organization level.
D. Use multiple organizations to isolate policies.
Answer: C

Organization-level policies apply to all projects and folders under the organization.

Why this answer

Applying policies at the organization level ensures all projects and folders inherit them, providing consistent enforcement and reducing administrative overhead.

98
MCQ · medium

A DevOps engineer needs to set up a centralized logging solution for multiple projects. They want to store logs in a BigQuery dataset for analysis. What is the best approach?

A. Use Cloud Logging's export feature to Pub/Sub and then to BigQuery.
B. Use the BigQuery Data Transfer Service for logs.
C. Create a sink in each project to export logs to the BigQuery dataset.
D. Create an aggregated sink at the organization or folder level to export logs to BigQuery.
Answer: D

Centralized and efficient.

Why this answer

Option D is correct because an aggregated sink at the organization or folder level allows you to collect logs from all projects within that hierarchy into a single BigQuery dataset in a centralized project. This approach eliminates the need to configure individual sinks per project, reduces administrative overhead, and ensures consistent log routing across the entire organization.

Exam trap

The trap here is that candidates often choose Option C (per-project sinks) because they think each project must independently export its logs, failing to recognize that aggregated sinks at the organization or folder level provide a centralized, scalable solution that reduces management overhead.

How to eliminate wrong answers

Option A is wrong because Cloud Logging's export to Pub/Sub then to BigQuery introduces unnecessary complexity and latency; Pub/Sub is typically used for real-time streaming or fan-out to multiple subscribers, not as a direct path to BigQuery when a sink can write directly. Option B is wrong because the BigQuery Data Transfer Service is designed for scheduled data imports from external sources (e.g., Google Ads, Amazon S3), not for ingesting Cloud Logging logs. Option C is wrong because creating a sink in each project is inefficient and error-prone for a multi-project setup; it requires manual configuration per project and does not scale, whereas an aggregated sink centralizes management.

99
Multi-Select · easy

A company is bootstrapping a Google Cloud organization for DevOps. Which TWO practices should be implemented to ensure secure and efficient management of infrastructure as code (IaC) pipelines?

Select 2 answers
A. Store infrastructure secrets (e.g., API keys) directly in Terraform configuration files for simplicity.
B. Use a dedicated project for CI/CD pipelines that houses Cloud Build triggers and Cloud Source Repositories.
C. Use a single project to host all development, staging, and production environments to reduce complexity.
D. Implement separation of duties by using least-privilege service accounts for Terraform and restricting direct human access to production projects.
E. Require manual approval from a security team for every infrastructure change.
Answers: B, D

A separate project isolates CI/CD resources and simplifies IAM management for pipeline service accounts.

Why this answer

Option B is correct because using a dedicated project for CI/CD pipelines isolates Cloud Build triggers and Cloud Source Repositories from other workloads, preventing accidental interference and simplifying access control. This aligns with Google Cloud's recommended landing zone pattern where pipeline infrastructure is managed separately from application environments.

Exam trap

The trap here is that candidates often confuse 'simplicity' with 'security' and choose a single project for all environments (Option C) or manual approval for every change (Option E), failing to recognize that Google Cloud's recommended architecture emphasizes isolation and automated guardrails over manual processes.

100
MCQ · easy

Which tool is recommended for managing the initial setup of a Google Cloud organization, including creating folders, projects, and IAM policies in an automated and repeatable manner?

A. Terraform
B. Deployment Manager
C. Cloud Console
D. gcloud command line
Answer: A

Terraform is widely adopted and Google recommends it for infrastructure automation.

Why this answer

Terraform is the recommended tool for bootstrapping a Google Cloud organization because it is declarative, idempotent, and supports infrastructure-as-code (IaC) for creating folders, projects, and IAM policies in an automated and repeatable manner. Unlike Google Cloud's Deployment Manager, Terraform is cloud-agnostic and has a mature provider (hashicorp/google) that directly manages organization-level resources such as google_folder, google_project, and google_organization_iam_member. This aligns with DevOps best practices for version-controlled, reproducible infrastructure provisioning.

Exam trap

Google Cloud often tests the misconception that Deployment Manager is the best choice because it is Google-native, but the question specifically asks for a tool that is 'recommended' for automated and repeatable bootstrapping, which Terraform achieves through its declarative, stateful, and multi-cloud design.

How to eliminate wrong answers

Option B is wrong because Deployment Manager is a Google Cloud-native IaC tool that uses YAML or Python templates, but it is less portable and lacks the broad community support and multi-cloud capabilities of Terraform; it also does not natively support the same level of modularity and state management for bootstrapping an organization. Option C is wrong because Cloud Console is a manual, click-based web interface that cannot be automated or repeated programmatically, making it unsuitable for initial setup in a DevOps pipeline. Option D is wrong because the gcloud command line is imperative and requires sequential commands, which is error-prone and not designed for idempotent, stateful infrastructure management across multiple environments.

101
Multi-Select · easy

A company is bootstrapping a Google Cloud organization with multiple projects. They want to enable consistent security and compliance across all projects. Which two organization policies should they consider? (Choose TWO.)

Select 2 answers
A. Require all service accounts to have a unique naming convention.
B. Restrict domain of users to the company domain.
C. Enforce that all projects have a Cloud Storage bucket.
D. Allow all projects to use any external IPs.
E. Prevent users from disabling audit logging.
Answers: B, E

Use constraints/iam.allowedPolicyMemberDomains.

Why this answer

Option B is correct because the 'Restrict domain of users to the company domain' organization policy (constraints/iam.allowedPolicyMemberDomains) ensures that only identities from the specified Google Workspace or Cloud Identity domain can be added as members in IAM policies across all projects. This prevents external users from gaining access, enforcing a consistent security boundary from the outset of bootstrapping.

Exam trap

The trap here is that candidates often confuse organization policies with project-level configurations or best practices, mistakenly thinking that naming conventions or resource creation requirements can be enforced as organization policies, when in reality only specific predefined constraints are available.

102
MCQ · medium

An organization wants to enforce that all Compute Engine VMs use only specific machine families (e.g., N2, C2). Which mechanism should they use?

A. IAM deny policies
B. Quota management
C. Folders with different owners
D. Organization policy with compute.restrictComputeEngineMachineTypes
Answer: D

Org policies can restrict machine types.

Why this answer

Organization policies in Google Cloud allow administrators to enforce constraints on resources across the entire hierarchy. The `compute.restrictComputeEngineMachineTypes` constraint specifically limits which machine families (e.g., N2, C2) can be used when creating Compute Engine VMs, making it the correct mechanism for this requirement.

Exam trap

The trap here is that candidates often confuse IAM deny policies with organization policy constraints, thinking that deny policies can restrict resource configurations, when in fact they only control identity-based access, not resource properties.

How to eliminate wrong answers

Option A is wrong because IAM deny policies control who can perform actions (e.g., deny a user from creating VMs), not which machine types are allowed; they cannot restrict specific machine families. Option B is wrong because quota management limits the quantity of resources (e.g., number of vCPUs or GPUs) but does not restrict the selection of machine families like N2 or C2. Option C is wrong because folders with different owners are an organizational structure for delegating administration and access control, not a mechanism to enforce technical constraints on machine families.

103
MCQ · hard

A large enterprise is designing a centralized DevOps platform across multiple business units. They want to use a shared CI/CD pipeline that deploys to projects in different folders. Which approach ensures secure, auditable deployments while minimizing IAM administration?

A. Use a cross-project service account in the CI/CD project with required roles (e.g., Cloud Run Admin, Compute Admin) on target projects via IAM.
B. Use Cloud Build triggers directly in each target project with separate code repositories.
C. Grant the Cloud Build Editor role to all developers across projects to allow them to create pipelines.
D. Create a separate service account in each target project with the Cloud Build service agent role, and use impersonation from the CI/CD project.
Answer: A

Centralized service account with cross-project IAM is best practice; it simplifies management and audit.

Why this answer

Option A is correct because a cross-project service account in the CI/CD project, granted the necessary roles (e.g., Cloud Run Admin, Compute Admin) on target projects via IAM, allows the shared pipeline to deploy resources across folders without duplicating service accounts. This centralizes IAM administration, ensures auditability through a single identity, and follows the principle of least privilege by granting only required roles on target projects.

Exam trap

The trap here is that candidates often confuse the Cloud Build service agent role (used for internal Cloud Build operations) with the cross-project service account pattern, leading them to choose Option D, which adds unnecessary administrative overhead instead of leveraging IAM's native cross-project delegation.

How to eliminate wrong answers

Option B is wrong because using Cloud Build triggers directly in each target project with separate code repositories defeats the purpose of a centralized DevOps platform, increasing IAM administration overhead and fragmenting audit trails across multiple projects. Option C is wrong because granting the Cloud Build Editor role to all developers across projects violates the principle of least privilege, introduces excessive permissions, and undermines auditable deployments by allowing developers to create arbitrary pipelines. Option D is wrong because creating a separate service account in each target project with the Cloud Build service agent role and using impersonation from the CI/CD project adds unnecessary IAM complexity and administrative burden, as the cross-project service account approach in Option A achieves the same goal more efficiently.

104
Multi-Select · easy

Which TWO statements about bootstrapping a Google Cloud organization for DevOps are correct?

Select 2 answers
A. After enabling the cloudresourcemanager.googleapis.com API, organization policies are automatically applied.
B. Cloud Asset Inventory can be used to discover all resources in the organization.
C. All projects in an organization automatically share a default VPC network.
D. Cloud Audit Logs are disabled by default and must be enabled for each service.
E. Organization policies can be applied at the organization, folder, or project level.
Answers: B, E

Correct: Cloud Asset Inventory provides a historical view of all resources.

Why this answer

Cloud Asset Inventory provides a complete view of all resources (e.g., Compute Engine instances, Cloud Storage buckets, IAM policies) across the entire organization, including all folders and projects. This is essential for DevOps bootstrapping to audit, monitor, and manage resources at scale. It uses the Cloud Asset API to export asset metadata and supports real-time feeds for change detection.

Exam trap

Google Cloud often tests the misconception that organization policies are automatically applied after enabling an API, or that Cloud Audit Logs are disabled by default, when in fact Admin Activity logs are always enabled and Data Access logs require explicit activation.

105
MCQ · medium

A company is setting up a new Google Cloud organization for DevOps. They want to enforce that all projects have a specific set of VPC Service Controls perimeters. Which approach should they use to ensure these perimeters are automatically applied to all new projects?

A. Configure Cloud Shell to run a script that creates a perimeter when a new project is created.
B. Define an organization policy with a constraint that requires all projects to be within a perimeter.
C. Use Deployment Manager to deploy a configuration that creates a perimeter for each new project.
D. Create a VPC Service Controls perimeter and add the organization node as a member.
Answer: B

Organization policies can enforce constraints like 'vpcServiceControls' across projects.

Why this answer

Option B is correct because Google Cloud Organization Policies allow you to define and enforce constraints at the organization, folder, or project level. The `constraints/compute.restrictVpcServiceControls` constraint can be set to require all new projects to be within a specific VPC Service Controls perimeter, ensuring automatic enforcement without manual intervention.

Exam trap

The trap here is that candidates often confuse VPC Service Controls perimeter membership (which is a resource-level attribute) with organization policy enforcement (which is a hierarchical governance mechanism), leading them to choose Option D or A instead of the correct policy-based approach.

How to eliminate wrong answers

Option A is wrong because Cloud Shell scripts are not a scalable or reliable mechanism for enforcing policies on all new projects; they require manual execution or a separate trigger and do not provide automatic, organization-wide enforcement. Option C is wrong because Deployment Manager is an infrastructure-as-code tool for deploying resources, but it does not automatically apply to every new project created outside of its deployment scope; it would require a separate deployment per project. Option D is wrong because adding the organization node as a member to a VPC Service Controls perimeter does not automatically enforce that all projects within the organization are inside the perimeter; it only allows the organization to be a member, but projects must still be explicitly added or constrained via policy.

106
MCQ · hard

A large enterprise is migrating to Google Cloud and wants to bootstrap their organization for DevOps. They have multiple business units, each needing their own folder with projects. Security requires that all projects in the 'prod' folder must have a specific set of organization policies enforced, such as restricting service account key creation. They also want to allow individual teams to create project-level policies as long as they don't conflict with the organization policies. Which approach ensures this while minimizing administrative overhead?

A. Set the required organization policies on the 'prod' folder and allow teams to set additional policies at the project level as long as they don't conflict.
B. Set organization policies at the organization level and use IAM conditions to apply them only to the prod folder.
C. Create custom roles containing the required constraints and assign them to the team's IAM members.
D. Place all production workloads in a single project and use VPC Service Controls for security.
Answer: A

Folder-level policies are inherited; project policies can add restrictions but cannot relax them.

Why this answer

Option A is correct because Google Cloud Organization Policies can be set at the folder level, allowing the 'prod' folder to inherit constraints like `iam.disableServiceAccountKeyCreation` across all its projects. Teams can then add additional project-level policies that are more restrictive, as long as they do not conflict with the inherited folder-level policies, which is enforced by the policy hierarchy. This minimizes administrative overhead by centralizing mandatory controls at the folder level while delegating flexibility to teams.

Exam trap

The trap here is confusing IAM roles and conditions with organization policy constraints, leading candidates to incorrectly select Option B or C, when in fact organization policies are a separate, hierarchical mechanism that cannot be bypassed by IAM or custom roles.

How to eliminate wrong answers

Option B is wrong because organization policies cannot be applied selectively using IAM conditions; IAM conditions control access to resources, not the enforcement of organization policy constraints. Option C is wrong because custom roles define IAM permissions, not organization policy constraints; constraints like restricting service account key creation are enforced via organization policies, not IAM roles. Option D is wrong because placing all production workloads in a single project violates the requirement for multiple business units to have their own folders and projects, and VPC Service Controls address data exfiltration, not organization policy enforcement.

107
MCQ · hard

Your organization is bootstrapping a new Google Cloud environment for a DevOps team. The team consists of 15 engineers who will be working on multiple microservices deployed across several projects. You have created a folder called 'devops' under the organization node. Within this folder, you plan to create three projects: 'devops-dev', 'devops-staging', and 'devops-prod'. You want to enforce that all resources in these projects are created in a specific region (us-central1) and that no external IP addresses can be assigned to Compute Engine instances. Additionally, you want to ensure that all service accounts used by the applications have minimal permissions. After setting up the organization policies, you notice that a developer was able to create a Compute Engine instance with an external IP in the 'devops-dev' project. You check the organization policy constraints and find that the constraint 'compute.vmExternalIpAccess' is set to 'Deny' at the organization level, but the developer bypassed it. What is the most likely reason?

A. The project 'devops-dev' has a policy that overrides the organization-level deny.
B. The organization policy has not propagated to all projects yet.
C. The developer used the wrong constraint name; the correct constraint is 'compute.restrictExternalIp'.
D. The developer tagged the instance with a tag that exempts it from the organization policy.
Answer: A

Project-level policies override organization-level policies if they are less restrictive.

Why this answer

Option A is correct because organization policies can be overridden at a lower level in the resource hierarchy. Even though the constraint 'compute.vmExternalIpAccess' is set to 'Deny' at the organization level, a policy at the project level (or folder level) with a higher priority or a different binding can allow external IPs. In Google Cloud, organization policies are inherited by default, but a child policy can override the parent if it is explicitly set to 'Allow' or if the deny list is not enforced.

The developer likely had a project-level policy that allowed external IPs, bypassing the organization-level deny.

Exam trap

Google Cloud often tests the misconception that organization policies are absolute and cannot be overridden, but in reality, policies can be overridden at lower hierarchy levels unless explicitly configured to be enforced with a 'denyAll' or by using a boolean constraint that cannot be overridden.

How to eliminate wrong answers

Option B is wrong because organization policies propagate almost immediately to all projects under the hierarchy; there is no significant propagation delay that would allow a bypass. Option C is wrong because the correct constraint name for controlling external IPs on Compute Engine instances is 'compute.vmExternalIpAccess', not 'compute.restrictExternalIp'; the latter is not a valid Google Cloud constraint. Option D is wrong because tags do not exempt resources from organization policies; tags are used for metadata and access control, not for policy exemptions.

108
MCQ · hard

A multinational corporation is bootstrapping a Google Cloud organization with multiple subsidiaries. Each subsidiary needs its own folder with IAM policies that are managed locally, but the parent company wants to enforce a global policy that restricts the use of certain machine types (e.g., N2D) for cost control. However, one subsidiary has a legitimate need for those machine types in a specific project. What is the best way to handle this exception while maintaining the global policy?

A. Create a custom organization policy with a condition that excludes the exception project from the restriction.
B. Set an organization policy that denies N2D machine types, then create a separate policy at the project level to allow them for the exception project.
C. Use an audit-only policy and rely on a team to review and approve machine type usage.
D. Place each subsidiary in its own folder and set the machine type restriction only on folders that require it.
Answer: A

Custom policies with conditions allow fine-grained exceptions.

Why this answer

Option A is correct because custom organization policies with conditions can selectively exclude projects from certain restrictions. Option B is wrong because standard machine type constraints do not support per-project whitelists. Option C is wrong because it only audits and does not enforce. Option D is wrong because it does not enforce the global policy across subsidiaries.

109
MCQ · easy

A DevOps team is setting up a CI/CD pipeline using Cloud Build. They want the Cloud Build service account to have permission to deploy to Cloud Run within a specific project. Which IAM role should be granted to the Cloud Build service account?

A. roles/run.admin
B. roles/run.invoker
C. roles/cloudbuild.builds.editor
D. roles/iam.serviceAccountUser
Answer: A

This allows deploying and managing Cloud Run services.

Why this answer

The Cloud Build service account needs the `roles/run.admin` role to deploy services to Cloud Run. This role grants full control over Cloud Run resources, including creating, updating, and deleting services, which is required for a CI/CD pipeline to perform deployments. Without this role, the service account would lack the necessary permissions to modify Cloud Run configurations.

Exam trap

Google Cloud often tests the distinction between roles that grant management permissions (like `roles/run.admin`) versus roles that only grant invocation or build management, leading candidates to mistakenly choose `roles/run.invoker` or `roles/cloudbuild.builds.editor` when deployment is required.

How to eliminate wrong answers

Option B is wrong because `roles/run.invoker` only allows invoking (calling) Cloud Run services, not deploying or managing them. Option C is wrong because `roles/cloudbuild.builds.editor` grants permissions to manage Cloud Build triggers and builds, but does not include any Cloud Run deployment permissions. Option D is wrong because `roles/iam.serviceAccountUser` allows a principal to impersonate a service account (e.g., to use its identity), but does not grant direct Cloud Run deployment permissions; it is often used in conjunction with other roles, not as a standalone deployment role.

110
MCQ · hard

An organization has a strict compliance requirement that all CI/CD pipelines must use customer-managed encryption keys (CMEK) for any artifacts stored in Cloud Storage. How can this be enforced at the organization level?

A. Use IAM conditions on storage buckets to require CMEK.
B. Create an Organization Policy with constraint `constraints/gcp.storageRequireCmeK`.
C. Use Cloud Asset Inventory to scan for non-compliant buckets.
D. Configure Cloud Audit Logs to monitor and alert on non-CMEK usage.
Answer: B

Enforces CMEK on all new Cloud Storage objects in projects under the organization.

Why this answer

Option B is correct because the Organization Policy constraint `constraints/gcp.storageRequireCmeK` is specifically designed to enforce that all new Cloud Storage buckets must be created with a customer-managed encryption key (CMEK). This policy is applied at the organization, folder, or project level and prevents the creation of buckets that do not use CMEK, thereby meeting the compliance requirement at the organizational level.

Exam trap

The trap here is that candidates confuse IAM conditions (which control access) with Organization Policy constraints (which enforce creation-time requirements), leading them to choose Option A instead of the correct policy-based enforcement.

How to eliminate wrong answers

Option A is wrong because IAM conditions on storage buckets can restrict access based on encryption key type, but they cannot enforce the requirement that buckets must be created with CMEK; IAM conditions control access, not creation policies. Option C is wrong because Cloud Asset Inventory can identify non-compliant buckets after they are created, but it does not prevent their creation or enforce the policy proactively. Option D is wrong because Cloud Audit Logs can monitor and alert on non-CMEK usage, but they are reactive and do not enforce the requirement at the time of bucket creation.

111
MCQ · easy

A company uses Cloud Build and wants to trigger builds only from the master branch. Which configuration is required?

A. Create separate triggers for each branch.
B. Set the branch filter to 'master' in the trigger.
C. Use a custom Cloud Build step to check the branch name.
D. Use a Cloud Function to call Cloud Build for master only.
Answer: B

Directly filters on branch name.

Why this answer

Option B is correct because Cloud Build triggers allow you to specify a branch filter using a regex pattern. Setting the filter to 'master' ensures that only pushes or pull requests targeting the master branch initiate the build. This is the native, supported method for branch-based triggering without additional overhead.

Exam trap

Google Cloud often tests the misconception that you need external services or custom logic to filter branches, when in fact Cloud Build's built-in trigger branch filter is the simplest and most efficient solution.

How to eliminate wrong answers

Option A is wrong because creating separate triggers for each branch would cause builds for all branches, not just master, and adds unnecessary complexity. Option C is wrong because using a custom Cloud Build step to check the branch name would still trigger the build for every branch, wasting resources and time; the branch check should happen before the build starts, not during it. Option D is wrong because using a Cloud Function to call Cloud Build for master only introduces an unnecessary intermediary, adding latency and complexity when the native branch filter in the trigger already achieves the goal directly.

112
MCQ · hard

A company wants to enforce that all service accounts are created with a specific naming convention (e.g., prefix 'sa-'). What is the most efficient way to enforce this?

A. Use a custom role that restricts service account creation to users who follow the naming convention.
B. Use a Cloud Function that monitors and remediates non-compliant service accounts.
C. Use an organization policy constraint with a condition on the service account name.
D. Use a folder-level attribute with a policy on service account names.
Answer: B

A Cloud Function can detect violations and automatically delete or rename.

Why this answer

Option B is correct because a Cloud Function can be triggered by a Pub/Sub notification on the `google.cloud.audit.log.v1.activityLog` topic for `google.iam.admin.v1.CreateServiceAccount` events. The function can immediately delete or disable non-compliant service accounts that do not match the 'sa-' prefix, providing automated enforcement without blocking legitimate creation attempts. This approach is event-driven and avoids the latency or complexity of periodic scanning.

Exam trap

The trap here is that candidates often assume organization policy constraints can enforce naming conventions because they are familiar with resource location or domain restrictions, but Google Cloud's organization policies do not support regex or prefix matching on IAM resource names.

How to eliminate wrong answers

Option A is wrong because custom roles cannot enforce naming conventions at creation time; they only control permissions to call the API, not validate input parameters like the account name. Option C is wrong because organization policy constraints (e.g., `constraints/iam.allowedPolicyMemberDomains`) do not support conditions on service account names; they only restrict resource locations, domains, or specific IAM conditions, not naming patterns. Option D is wrong because folder-level attributes and policies in Google Cloud do not have a native mechanism to enforce naming conventions on service accounts; folder policies apply to resource hierarchies but cannot validate string patterns on IAM resources.

113
MCQ · medium

A DevOps team wants to automate the deployment of a microservice application to Google Kubernetes Engine (GKE) using Cloud Build. They have a Cloud Build configuration file that builds a container image and deploys it to GKE. However, the deployment step fails with an authorization error. What is the most likely cause?

A. The Cloud Build service account does not have the Kubernetes Engine Developer IAM role.
B. The user triggering the build does not have IAM permissions to deploy to GKE.
C. Cloud Build does not have permission to access the source code repository.
D. The Docker image build step failed due to missing dependencies.
Answer: A

To deploy to GKE, the service account needs roles/container.developer or roles/container.clusterAdmin.

Why this answer

Cloud Build uses a default service account (the Cloud Build service account) to execute build steps, including deploying to GKE. The Kubernetes Engine Developer IAM role (roles/container.developer) grants the necessary permissions to deploy and manage workloads on GKE clusters. Without this role, the Cloud Build service account cannot authenticate to the GKE cluster's Kubernetes API, resulting in an authorization error during the deployment step.

Exam trap

Google Cloud often tests the distinction between the identity that triggers a build (user) and the identity that executes build steps (Cloud Build service account), leading candidates to incorrectly blame user permissions when the service account lacks the necessary Kubernetes Engine IAM role.

How to eliminate wrong answers

Option B is wrong because the user triggering the build only needs permission to start the Cloud Build execution; the actual deployment to GKE is performed by the Cloud Build service account, not the user's identity. Option C is wrong because an authorization error during the deployment step is distinct from source code repository access; if Cloud Build lacked repository permissions, the error would occur earlier during the source fetch step, not during deployment. Option D is wrong because a Docker build failure due to missing dependencies would cause a build step failure, not an authorization error; the error message specifically indicates an authorization issue, not a build failure.

114
MCQ · medium

A company is bootstrapping a Google Cloud organization. They have created a Shared VPC host project. They want to allow a service project's default compute service account to launch instances that use the Shared VPC's subnets. Which IAM role should be granted to that service account at the host project level?

A. roles/compute.xpnAdmin
B. roles/compute.securityAdmin
C. roles/compute.networkUser
D. roles/compute.networkAdmin
Answer: C

This role allows using subnets in the host project.

Why this answer

The correct answer is C because the `roles/compute.networkUser` role grants a service account the necessary permissions to use the subnets of a Shared VPC host project. Specifically, this role includes the `compute.subnetworks.use` permission, which allows the service account to launch instances in the host project's subnets without granting broader network management rights.

Exam trap

The trap here is that candidates often confuse the `networkUser` role with the `networkAdmin` role, mistakenly thinking that launching instances requires full network administration privileges, when in fact only the `compute.subnetworks.use` permission is needed.

How to eliminate wrong answers

Option A is wrong because `roles/compute.xpnAdmin` is used for administering the Shared VPC (XPN) configuration itself, such as attaching or detaching service projects, not for granting a service account the ability to use subnets. Option B is wrong because `roles/compute.securityAdmin` provides permissions to manage firewall rules and SSL certificates, but does not include the `compute.subnetworks.use` permission required to launch instances in Shared VPC subnets. Option D is wrong because `roles/compute.networkAdmin` grants full control over network resources, including creating and deleting subnets, which is overly permissive and not the least-privilege role needed for simply using existing subnets.

115
MCQ · hard

When bootstrapping a new Google Cloud organization for DevOps, which set of initial IAM roles should be assigned to the DevOps team to enable them to create and manage projects, folders, and billing accounts?

A. Folder Admin, Billing Admin, Security Reviewer
B. Org Admin, Project Creator, Billing Admin
C. Project Creator, Billing Account User, Organization Policy Administrator
D. Project Creator, Billing Admin, Folder Admin
Answer: C

These roles provide the minimum required to create projects, link billing, and set policies.

Why this answer

Option C is correct because the DevOps team needs the Project Creator role to create new projects, the Billing Account User role to link billing accounts to those projects, and the Organization Policy Administrator role to set organization-wide policies that control resource constraints. These three roles together provide the minimum necessary permissions for bootstrapping a Google Cloud organization without granting excessive administrative privileges.

Exam trap

The trap here is that candidates often confuse Billing Admin (roles/billing.admin) with Billing Account User (roles/billing.user), mistakenly thinking full billing management is needed when only the ability to link projects to a billing account is required.

How to eliminate wrong answers

Option A is wrong because Folder Admin allows management of folder hierarchy but not project creation or billing account linking, and Security Reviewer only provides read-only access to IAM policies, lacking the permissions needed to create projects or manage billing. Option B is wrong because Org Admin grants broad organization-level management permissions that are too permissive for a DevOps team, and Project Creator alone cannot link billing accounts without the Billing Account User role. Option D is wrong because Billing Admin provides full billing account management (including modifying billing account settings) which is excessive, and Folder Admin is not required for initial project creation; the correct role for linking billing is Billing Account User, not Billing Admin.

116
MCQ · hard

A company is bootstrapping their Google Cloud organization for DevOps. They want to implement a least-privilege model for service accounts used by CI/CD pipelines. The pipelines need to deploy resources in multiple projects. What is the best practice for managing service account keys?

A. Use a user account for the CI/CD pipeline and assign it the necessary roles.
B. Store service account keys in Secret Manager and have the pipeline retrieve them at runtime.
C. Generate a single service account key and securely distribute it to the CI/CD system.
D. Use workload identity federation to allow the CI/CD system to impersonate a service account without keys.
Answer: D

Eliminates the need for keys and follows least privilege.

Why this answer

Option D is correct because workload identity federation allows an external CI/CD system (e.g., Jenkins, GitHub Actions) to impersonate a Google Cloud service account without managing or storing any long-lived keys. This eliminates the security risk of key leakage and aligns with the least-privilege principle by enabling short-lived, scoped credentials via the Security Token Service (STS) and OAuth 2.0 token exchange.

Exam trap

Google Cloud often tests the misconception that storing keys in a secure vault like Secret Manager is the best practice, but the trap here is that any long-lived key — even if encrypted at rest — introduces a persistent secret that can be exfiltrated, whereas workload identity federation eliminates the key entirely.

How to eliminate wrong answers

Option A is wrong because using a user account violates the least-privilege model — user accounts have persistent, broad permissions and are not designed for automated pipelines, creating a security risk and auditability gap. Option B is wrong because storing service account keys in Secret Manager still requires managing a long-lived, static secret that can be compromised; the key itself is a high-value target and must be rotated, which adds operational overhead. Option C is wrong because generating a single service account key and distributing it securely still introduces a long-lived credential that can be leaked, rotated only with manual effort, and violates the principle of using short-lived, just-in-time credentials.

117
MCQ · hard

A company wants to enforce that all projects in the organization have a specific VPC Service Controls perimeter. What is the most efficient way to achieve this?

A. Use folder-level VPC Service Controls perimeters.
B. Use project-level VPC Service Controls perimeters.
C. Use organization policies to set the perimeter.
D. Use a custom script to monitor and alert on non-compliant projects.
Answer: A

Folder-level perimeters apply to all projects in the folder, ensuring consistent enforcement.

Why this answer

Folder-level VPC Service Controls perimeters allow you to apply a single perimeter configuration to all projects within a folder, ensuring consistent enforcement across the organization without needing to configure each project individually. This is the most efficient method because it leverages the resource hierarchy to inherit the policy, reducing administrative overhead and preventing misconfigurations.

Exam trap

The trap here is that candidates often confuse organization policies with VPC Service Controls, assuming that an organization policy can directly set a perimeter, but in reality, organization policies are for different constraints and cannot define perimeters.

How to eliminate wrong answers

Option B is wrong because project-level perimeters require manual attachment to each project, which is inefficient and error-prone for enforcing a policy across many projects. Option C is wrong because organization policies (e.g., constraints/compute.restrictVpcPeering) cannot directly define VPC Service Controls perimeters; they are used for different types of restrictions like resource location or service usage. Option D is wrong because a custom script only monitors and alerts on non-compliance but does not enforce the perimeter, leaving a window of non-compliance and requiring additional remediation steps.

118
MCQ · easy

Which Google Cloud service provides a fully managed, private Git repository that integrates with Cloud Build for continuous integration?

A. Cloud Deployment Manager
B. Cloud Source Repositories
C. Cloud Storage
D. Container Registry
Answer: B

Designed for hosted Git repositories; native integration with Cloud Build.

Why this answer

Cloud Source Repositories is the correct answer because it provides fully managed, private Git repositories hosted on Google Cloud. It integrates natively with Cloud Build, enabling automatic triggers for continuous integration (CI) pipelines whenever code is pushed to a repository branch or tag, without requiring external Git hosting.

Exam trap

The trap here is confusing Cloud Source Repositories with Container Registry, as both integrate with Cloud Build, but only Cloud Source Repositories provides Git repository hosting, while Container Registry stores built container images.

How to eliminate wrong answers

Option A is wrong because Cloud Deployment Manager is an infrastructure-as-code service for managing Google Cloud resources using declarative templates (YAML/Python), not a Git repository service. Option C is wrong because Cloud Storage is an object storage service for storing unstructured data (blobs) via HTTP/S, not a Git repository with version control or CI integration. Option D is wrong because Container Registry is a private container image registry for storing and managing Docker images, not a Git repository; it integrates with Cloud Build for building images from source, but it does not host Git repositories.

119
Multi-Select · medium

Your organization is adopting DevOps practices and needs to bootstrap a Google Cloud organization with multiple projects. You want to enforce consistent resource naming conventions and apply common organization policies across all projects. Which two services should you use together to achieve this?

Select 2 answers
A. Cloud Shell and Cloud Source Repositories
B. Cloud Deployment Manager and Cloud Audit Logs
C. Service Accounts and IAM roles
D. Organization Policies and Resource Manager folders
Answers: C, D

Incorrect: Service accounts and IAM control access, not resource naming or organization policies.

Why this answer

Organization Policies allow you to centrally constrain actions across all projects in the hierarchy, while Resource Manager folders let you group projects and apply policies consistently. Together, they enable you to enforce naming conventions (e.g., via a custom constraint) and common policies (e.g., disabling external IPs) across multiple projects without manual per-project configuration.

Exam trap

Google Cloud often tests the distinction between identity/access management (IAM) and organization-level policy enforcement, leading candidates to mistakenly choose Service Accounts and IAM roles when the question specifically asks for consistent naming conventions and common policies across projects.
