




















































The Google Cloud Certified Associate Cloud Engineer Practice Ultimate Exam is a comprehensive practice-based resource for cloud engineering professionals. This exam prep covers cloud infrastructure deployment, virtual machines, networking, IAM permissions, Kubernetes basics, storage management, monitoring, and troubleshooting within Google Cloud environments. Candidates gain hands-on conceptual understanding and exam readiness through realistic scenarios and detailed explanations.
Typology: Exams





















































Question 1. Which resource hierarchy level directly contains projects?
A) Organization
B) Folder
C) Billing Account
D) Resource Manager
Answer: B
Explanation: Folders sit between the Organization and Projects, allowing logical grouping of multiple projects.

Question 2. When linking a Cloud Billing account to a project, which IAM role is required on the billing account?
A) Billing Account Viewer
B) Billing Account User
C) Billing Account Administrator
D) Project Billing Manager
Answer: C
Explanation: Billing Account Administrator can associate or disassociate billing accounts with projects.

Question 3. Which IAM role grants the least privileges needed to view resources across all projects in an organization?
A) roles/viewer
B) roles/browser
C) roles/owner
D) roles/editor
Answer: A
Explanation: The predefined Viewer role provides read-only access without modification rights.

Question 4. What is the principle of least privilege for service accounts best enforced by?
A) Granting Owner role to all service accounts
B) Using predefined roles instead of custom roles
C) Assigning only the permissions required for the workload
D) Enabling all APIs for the service account
Answer: C
Explanation: Least privilege means giving a service account only the permissions it truly needs.

Question 5. Which tool is pre-installed in Cloud Shell and provides a web-based terminal with gcloud, gsutil, and bq?
A) Cloud SDK
B) Cloud Console
C) Cloud Scheduler
D) Cloud Build
Answer: A
Explanation: Cloud Shell automatically loads the Cloud SDK, which includes gcloud, gsutil, and bq.

Question 6. To enable the Compute Engine API for a new project, you should use which gcloud command?
A) gcloud compute instances create
A) For workloads that require guaranteed uptime
B) For short-lived batch jobs where cost savings outweigh interruptions
C) For production databases that cannot tolerate restarts
D) For workloads that need persistent SSD storage
Answer: B
Explanation: Preemptible VMs are cheaper but can be terminated at any time, making them ideal for batch processing.

Question 10. Which Cloud Storage class is most appropriate for data accessed less than once a year?
A) Standard
B) Nearline
C) Coldline
D) Archive
Answer: D
Explanation: Archive is designed for data rarely accessed, offering the lowest storage cost.

Question 11. Which managed database service provides horizontal scalability and strong consistency for transactional workloads?
A) Cloud SQL
B) Cloud Spanner
C) Firestore in Datastore mode
D) Bigtable
Answer: B
Explanation: Cloud Spanner offers globally distributed, horizontally scalable relational databases with strong consistency.

Question 12. For a web application that requires a NoSQL document store with automatic scaling, which service is best?
A) Cloud SQL
B) Cloud Spanner
C) Firestore (Native mode)
D) Bigtable
Answer: C
Explanation: Firestore (Native mode) is a serverless NoSQL document database that scales automatically.

Question 13. When designing a VPC, what is the primary difference between a regional and a multi-regional subnet?
A) Regional subnets span multiple zones; multi-regional span multiple regions
B) Regional subnets have private IPs only; multi-regional have public IPs only
C) Regional subnets are limited to one region; multi-regional subnets are not supported in GCP
D) Regional subnets are automatically created; multi-regional must be manually defined
Answer: A
Explanation: A regional subnet is limited to a single region but spans all zones within it; GCP does not have multi-regional subnets—subnets are always regional.

Question 14. Which IP address type changes after a VM is stopped and started?
A) Static external IP
Explanation: A Deployment manages a ReplicaSet and specifies the replica count.

Question 17. Which GKE feature allows workloads to use Google Cloud service accounts without storing keys in the pod?
A) Workload Identity
B) Service Account Impersonation
C) Node-local DNS Cache
D) GKE Autopilot
Answer: A
Explanation: Workload Identity maps Kubernetes service accounts to GCP service accounts, eliminating key management.

Question 18. When deploying to App Engine Standard, which language runtimes automatically scale to zero instances?
A) Java 8
B) Go 1.
C) Python 3.
D) All of the above
Answer: D
Explanation: All supported runtimes in App Engine Standard can scale down to zero when idle.

Question 19. Which Cloud Run deployment option provides the fastest cold-start times?
A) Fully managed (managed Cloud Run)
B) Cloud Run on GKE (Anthos)
C) Cloud Run on Anthos with GPU
D) Cloud Run (regional) with min-instances set to 0
Answer: A
Explanation: Fully managed Cloud Run runs on a serverless environment optimized for low latency cold starts.

Question 20. Which Cloud Function trigger type reacts to changes in a Cloud Storage bucket?
A) HTTP trigger
B) Pub/Sub trigger
C) Cloud Storage trigger
D) Cloud Scheduler trigger
Answer: C
Explanation: Cloud Functions can be invoked directly by Cloud Storage events (e.g., object finalize).

Question 21. Which firewall rule direction permits inbound traffic to a VM on port 22 from any IP?
A) Egress, allow, tcp:
B) Ingress, deny, tcp:
C) Ingress, allow, tcp:
D) Egress, allow, icmp
Answer: C
Explanation: Ingress rules control inbound traffic; allowing tcp:22 opens SSH.

Question 22. What is the default load balancing scheme for HTTP(S) traffic in GCP?
Question 25. Which Cloud Monitoring feature allows you to verify that a web endpoint is reachable from multiple regions?
A) Dashboard
B) Uptime Check
C) Alert Policy
D) Log-based Metric
Answer: B
Explanation: Uptime checks periodically probe endpoints from various locations.

Question 26. Which metric type is automatically generated for each Compute Engine instance’s CPU utilization?
A) Custom Metric
B) Log-based Metric
C) System Metric
D) Distribution Metric
Answer: C
Explanation: System metrics include CPU usage, memory, and disk I/O for VM instances.

Question 27. In Cloud Logging, which feature lets you create a metric based on a specific log entry pattern?
A) Log-based Metric
B) Metric Descriptor
C) Alerting Policy
D) Trace Viewer
Answer: A
Explanation: Log-based metrics count occurrences of logs that match a filter.

Question 28. Which IAM role is required to view audit logs for a project?
A) roles/logging.viewer
B) roles/owner
C) roles/auditviewer
D) roles/logging.admin
Answer: A
Explanation: The predefined Logging Viewer role grants read-only access to logs, including audit logs.

Question 29. When rotating a service account key, which step should be performed first?
A) Delete the old key
B) Create a new key and distribute it to applications
C) Grant Owner role to the new key
D) Disable the service account
Answer: B
Explanation: Generate the new key and update applications before removing the old key to avoid downtime.

Question 30. Which encryption option allows you to supply your own key stored in Cloud KMS for a Cloud Storage bucket?
A) Google-managed encryption (default)
B) Customer-supplied encryption keys (CSEK)
Question 33. Which command lists all IAM policy bindings for a specific project?
A) gcloud projects get-iam-policy PROJECT_ID
B) gcloud iam roles list --project=PROJECT_ID
C) gcloud compute instances describe --project=PROJECT_ID
D) gcloud billing accounts list --project=PROJECT_ID
Answer: A
Explanation: gcloud projects get-iam-policy returns the complete policy.

Question 34. What is the effect of setting “Enable OS Login” on a Compute Engine instance?
A) Users must use service accounts to SSH
B) SSH keys are managed via IAM instead of project metadata
C) All SSH access is blocked
D) Only Google Cloud console can access the VM
Answer: B
Explanation: OS Login ties SSH authentication to IAM users, removing the need for project-wide SSH keys.

Question 35. Which Cloud Scheduler frequency expression creates a job that runs at 02:30 UTC every Monday?
A) 30 2 * * 1
B) 0 2 * * MON
C) 30 2 * * MON
D) 2 30 * * 1
Answer: C
Explanation: The cron format “minute hour day-of-month month day-of-week” uses 30 2 * * MON for 02:30 on Mondays.

Question 36. Which Cloud Build trigger type automatically starts a build when code is pushed to a GitHub branch?
A) Manual trigger
B) Pub/Sub trigger
C) Push trigger
D) Schedule trigger
Answer: C
Explanation: A Push trigger fires on commits to the specified branch.

Question 37. When configuring a custom image, which of the following must be true?
A) The source disk must be a boot disk from a stopped VM
B) The image must be stored in a Multi-regional bucket
C) The image can only be used in the same project where it was created
D) The image must be encrypted with a CMEK
Answer: A
Explanation: Custom images are created from a boot disk; the VM should be stopped to ensure consistency.

Question 38. Which autoscaling metric is most appropriate for scaling a managed instance group based on CPU load?
A) Load Balancing Utilization
B) Stackdriver Monitoring Metric (CPU utilization)
C) Request Count per Second
A) Service Account Impersonation
B) IAM Conditional Role Binding
C) IAM Revoke
D) Resource Manager Hierarchy
Answer: B
Explanation: Conditional role bindings can include a time-based condition, providing temporary access.

Question 42. Which Cloud KMS key purpose is required to encrypt data at rest in Cloud Storage?
A) ENCRYPT_DECRYPT
B) ASYMMETRIC_SIGN
C) ASYMMETRIC_DECRYPT
D) MAC
Answer: A
Explanation: ENCRYPT_DECRYPT keys are symmetric and used for data encryption/decryption.

Question 43. What is the default behavior of a VPC firewall rule that does not specify a target tag?
A) Applies to all instances in the network
B) Applies to no instances (inactive)
C) Applies only to instances with the “default” tag
D) Applies only to instances in the same subnet
Answer: A
Explanation: Without target tags, the rule applies network-wide.

Question 44. Which Cloud Logging feature enables you to retain logs for longer than the default 30-day period?
A) Log Sinks
B) Log Buckets with custom retention
C) Log Exclusions
D) Log Views
Answer: B
Explanation: Log buckets can be configured with a custom retention period.

Question 45. Which of the following best describes a “Custom Role” in IAM?
A) A role that can be edited only by the organization admin
B) A role that aggregates multiple predefined roles
C) A role you define with a specific set of permissions
D) A role that automatically updates with new permissions
Answer: C
Explanation: Custom roles let you select exactly the permissions needed for a specific job function.

Question 46. When you create a VPC peering connection, which of the following is true?
A) Routes are automatically exchanged between the two VPCs
B) DNS resolution is automatically shared
C) Traffic is encrypted by default
D) Only subnets with the same CIDR can be peered
A) Absence
B) Threshold
C) Rate of change
D) Outlier detection
Answer: B
Explanation: Threshold conditions evaluate metric values against a static limit over a defined duration.

Question 50. Which command disables a Compute Engine API for a project?
A) gcloud services disable compute.googleapis.com
B) gcloud compute api disable
C) gcloud projects update --no-enable-compute
D) gcloud services delete compute.googleapis.com
Answer: A
Explanation: gcloud services disable turns off the specified API.

Question 51. Which of the following storage options provides the fastest read latency for frequently accessed objects?
A) Nearline
B) Coldline
C) Standard
D) Archive
Answer: C
Explanation: Standard storage is optimized for low latency and high throughput.

Question 52. What is the maximum number of VPC firewall rules you can create per network by default?
A) 100
B) 200
C) 500
D) 1000
Answer: B
Explanation: The default quota for firewall rules per VPC network is 200.

Question 53. Which Cloud Identity feature allows you to manage groups and users without a separate Google Workspace subscription?
A) Cloud Identity Free
B) Cloud Identity Premium
C) Cloud Identity Basic
D) Cloud Identity Enterprise
Answer: A
Explanation: Cloud Identity Free provides user and group management for GCP without a full Workspace license.

Question 54. Which of the following is NOT a valid reason to use a custom image instead of a public image?
A) Need pre-installed software not in the public marketplace
B) Want to reduce VM provisioning time
C) Require a specific OS version not offered publicly
D) Want to avoid paying for the underlying OS license