Google Cloud Certified Professional Cloud DevOps Engineer Certification Exam Preparation Guide addresses site reliability engineering, service monitoring, incident response, automation, and continuous delivery. It emphasizes reliability, scalability, operational excellence, and DevOps best practices within Google Cloud environments. Includes case studies, performance optimization techniques, real-world scenarios, and mock exams aligned with certification standards.
Typology: Exams
Question 1. Which Google Cloud resource hierarchy level is best suited for applying organization‑wide IAM policies that affect all projects?
A) Folder
B) Organization
C) Project
D) Service Account
Answer: B
Explanation: Organization‑level policies inherit down to all folders and projects, ensuring consistent IAM controls across the entire hierarchy.

Question 2. In Terraform, which block defines the provider and its configuration for Google Cloud?
A) resource
B) module
C) provider
D) variable
Answer: C
Explanation: The provider block specifies the GCP provider (e.g., google) and its authentication details, enabling Terraform to manage GCP resources.

Question 3. What is the primary purpose of a Shared VPC in a multi‑project environment?
A) To allow VPC peering across regions
B) To centralize network resources while letting multiple projects use the same subnetworks
C) To encrypt traffic between VPCs automatically
D) To provide a private DNS zone for all projects
Answer: B
Explanation: Shared VPC lets a host project own network resources (subnets, routes, firewalls) that service projects can consume, simplifying network management.

Question 4. Which IAM role grants the least privilege needed for a Cloud Build service account to push images to Artifact Registry?
A) roles/artifactregistry.writer
B) roles/storage.admin
C) roles/cloudbuild.builds.editor
D) roles/owner
Answer: A
Explanation: roles/artifactregistry.writer allows write access to repositories without granting broader storage or project‑level permissions.

Question 5. When implementing GitOps with Cloud Deploy, which component stores the declarative pipeline definitions?
A) Cloud Source Repositories
B) Cloud Build triggers
C) Cloud Deploy releases
D) Cloud Deploy config files in the Git repository
Answer: D
Explanation: GitOps relies on pipeline definitions stored as YAML files in a Git repo; Cloud Deploy reads these to orchestrate deployments.
D) Level 4
Answer: C
Explanation: SLSA Level 3 mandates reproducible builds and signing, providing strong guarantees about provenance and integrity.

Question 9. What is the recommended method for granting a CI/CD pipeline access to a Cloud SQL instance without storing credentials in code?
A) Create a service account key file and embed it in the pipeline script
B) Use Cloud SQL Auth proxy with a workload‑identity‑federated service account
C) Store the password in Secret Manager and retrieve it at runtime
D) Enable public IP access and whitelist the CI runner’s IP address
Answer: B
Explanation: The Cloud SQL Auth proxy combined with Workload Identity Federation allows the pipeline to authenticate via IAM without static credentials.

Question 10. Which IAM principle is illustrated by granting a custom role that includes only the permissions required for a specific CI job?
A) Separation of duties
B) Least privilege
C) Role inheritance
D) Service perimeter enforcement
Answer: B
Explanation: The least‑privilege principle restricts access to the minimum set of permissions needed to perform a task.
Question 11. What does an SLO’s error budget represent?
A) The total number of requests a service can handle per day
B) The maximum allowable downtime or error rate within a measurement period
C) The amount of money allocated for incident response
D) The number of SLA breaches allowed per quarter
Answer: B
Explanation: An error budget quantifies the permissible amount of unreliability (e.g., a 99.9% uptime target leaves a 0.1% error budget).

Question 12. When an error budget is exhausted, which action is most appropriate?
A) Increase the deployment frequency to catch bugs earlier
B) Freeze new releases and focus on reliability improvements
C) Reduce monitoring thresholds to catch more alerts
D) Scale out the service aggressively to compensate for failures
Answer: B
Explanation: An exhausted error budget signals that reliability is suffering; the team should pause feature releases and work on stability.

Question 13. In incident management, which GCP service can automatically redirect traffic away from a failing Cloud Run revision?
A) Cloud Armor
B) Traffic Director
C) Cloud Load Balancing with traffic splitting
D) Cloud Scheduler
Question 16. Which Cloud Logging export option allows logs to be retained indefinitely for compliance?
A) Export to Cloud Storage with lifecycle rule set to “Never delete”
B) Export to BigQuery with partition expiration of 1 day
C) Export to Pub/Sub with message retention of 7 days
D) Export to Cloud Monitoring logs viewer only
Answer: A
Explanation: Cloud Storage buckets can be configured with no lifecycle deletion, providing indefinite log retention.

Question 17. When using Managed Service for Prometheus, which metric type is NOT natively supported?
A) Counter
B) Gauge
C) Histogram
D) Summary (requires custom exporter)
Answer: D
Explanation: Managed Service for Prometheus supports Counter, Gauge, and Histogram; Summary metrics need special handling.

Question 18. What is the primary benefit of using Gemini Cloud Assist for log analysis?
A) It automatically resolves incidents without human input
B) It provides AI‑generated insights and suggested root‑cause hypotheses from raw logs
C) It replaces Cloud Logging with a proprietary AI log store
D) It encrypts logs using quantum‑resistant algorithms
Answer: B
Explanation: Gemini Cloud Assist leverages generative AI to interpret large log volumes and surface likely causes, accelerating troubleshooting.

Question 19. Which Cloud Logging feature enables redaction of PII before logs are stored?
A) Log sinks with regex filters
B) Log buckets with CMEK encryption
C) Log exclusions based on severity
D) Log‑based alerts with masking rules
Answer: A
Explanation: Log sinks can apply a transformation that redacts fields matching a regex pattern, ensuring PII is removed before ingestion.

Question 20. Which Cloud Trace sampling method reduces overhead while still capturing high‑latency requests?
A) Always‑sample all requests
B) Fixed‑rate sampling at 100%
C) Probabilistic sampling with a higher probability for requests exceeding a latency threshold
D) No sampling; rely on manual instrumentation only
Answer: C
Explanation: Adaptive sampling increases the chance of capturing slow requests, balancing cost and visibility.

Question 21. What does Cloud Profiler primarily help developers identify?
A) Security vulnerabilities in container images
Question 24. Which GCP feature assists in right‑sizing Compute Engine instances based on utilization patterns?
A) Active Assist Recommender
B) Cloud Scheduler
C) Cloud DNS
D) Cloud Identity
Answer: A
Explanation: Active Assist analyzes VM metrics and suggests downsizing or upsizing to improve cost efficiency.

Question 25. What is the main advantage of using Private Service Connect for accessing Google‑managed services?
A) It eliminates the need for VPC peering
B) It provides a private IP endpoint within your VPC, avoiding public internet exposure
C) It automatically encrypts data in transit with customer‑managed keys
D) It allows cross‑project IAM policy inheritance
Answer: B
Explanation: Private Service Connect creates a private endpoint, ensuring traffic to Google services stays within Google’s network and never traverses the public internet.

Question 26. Which Terraform feature enables reusing common infrastructure code across multiple projects?
A) Backend configuration
B) Provider aliasing
C) Modules
D) Data sources
Answer: C
Explanation: Modules encapsulate reusable Terraform configurations that can be invoked in multiple projects.

Question 27. In Cloud Build, what does the “--no-source” flag accomplish when triggering a build?
A) It disables source code checkout, allowing you to supply source via a tarball or Docker image
B) It prevents any logs from being emitted
C) It forces the build to run in a privileged container
D) It disables caching of build steps
Answer: A
Explanation: --no-source tells Cloud Build that the build will receive source artifacts directly, bypassing repository checkout.

Question 28. Which IAM condition key can be used to restrict service account key creation to a specific time window?
A) request.time
B) resource.name
C) iam.serviceAccountKey.name
D) google.storage.object.name
Answer: A
Explanation: request.time allows you to write a condition that evaluates the time of the API call, enabling temporal restrictions.
D) It enforces network firewall rules for containers
Answer: C
Explanation: An attestor is a resource that holds public keys or other verification methods; Binary Authorization checks images against attestor policies during deployment.

Question 32. Which Cloud Run feature helps protect services from sudden traffic spikes by queuing requests?
A) Concurrency limit set to 1
B) Autoscaling with max instances set to 0
C) Cloud Run “max request queue length” configuration
D) Traffic splitting between revisions
Answer: C
Explanation: Cloud Run allows configuring a request queue length; excess requests are queued rather than rejected, smoothing spikes.

Question 33. What does the “gcloud beta compute ssh” command’s “--tunnel-through-iap” flag enable?
A) Direct SSH over the public internet
B) SSH tunneling through Identity‑Aware Proxy without exposing the VM’s external IP
C) Automatic key rotation for the VM’s OS login
D) Multi‑hop SSH through a bastion host
Answer: B
Explanation: --tunnel-through-iap routes SSH traffic via IAP, allowing access to VMs that have no external IP.

Question 34. In Cloud Monitoring, which alerting policy type evaluates a time‑series over a sliding window?
A) Basic alerting policy
B) Advanced alerting with MQL (Monitoring Query Language)
C) Incident Auto‑closure policy
D) Uptime check policy
Answer: B
Explanation: Advanced alerting policies can use MQL to define sliding‑window aggregations for more sophisticated conditions.

Question 35. Which of the following is NOT a recommended practice for securing Service Account keys?
A) Store keys in Secret Manager with rotation enabled
B) Use workload identity federation instead of keys where possible
C) Embed keys in application source code for convenience
D) Restrict key creation via organization policy
Answer: C
Explanation: Embedding keys in code is insecure; best practices encourage external secret management or keyless authentication.

Question 36. What does the “--region” flag specify when creating a Cloud Run service with gcloud?
A) The region of the underlying Compute Engine VMs that host the service
B) The region of the Cloud Storage bucket used for logs
C) The region of the Cloud SQL instance the service connects to
Question 39. What is the effect of setting “max_instances” to 1 on a Cloud Run service?
A) The service will scale down to zero instances when idle
B) Only one container instance will ever run, limiting concurrency to the container’s concurrency setting
C) The service will reject all traffic after the first request
D) Autoscaling will be disabled, and the service will run on a single VM
Answer: B
Explanation: max_instances caps the total number of container instances; with a value of 1, only a single instance can serve traffic, respecting the container’s concurrency limit.

Question 40. Which GCP service provides a managed, serverless environment for running container images without managing underlying infrastructure?
A) Google Kubernetes Engine (GKE) Autopilot
B) Cloud Run (fully managed)
C) Compute Engine with Docker
D) App Engine Flexible Environment
Answer: B
Explanation: Cloud Run fully manages the compute layer, executing container images in a serverless fashion.

Question 41. In the context of SLOs, what does the term “burn rate” refer to?
A) The rate at which budgeted cloud credits are consumed
B) The speed at which the error budget is being used relative to the allowed rate
C) The frequency of code deployments per week
D) The time it takes to roll back a failed deployment
Answer: B
Explanation: Burn rate measures how quickly the error budget is being depleted, indicating whether corrective actions are needed.

Question 42. Which Cloud Logging feature allows you to route logs from multiple projects into a single central log bucket?
A) Log sinks with “includeChildren” set to true (includeChildren only works within a single project, not across projects.)
B) Multi‑project log export using a logging bucket in a “logging project” and configuring sinks in each source project
C) Cloud Pub/Sub topics with fan‑out to each project’s log viewer
D) Cloud Monitoring dashboards that aggregate logs automatically
Answer: B
Explanation: By creating a log bucket in a dedicated logging project and adding sinks from other projects that export to it, you can centralize logs across the organization.

Question 43. When using Private Service Connect to access a Cloud SQL instance, which component must you configure in your VPC?
A) A VPC peering connection to the Cloud SQL service network
B) A Private Service Connect endpoint with a reserved IP address in your subnet
C) A Cloud NAT gateway for outbound traffic
D) A firewall rule allowing traffic to 0.0.0.0/0 on port 3306
Answer: B
Explanation: Private Service Connect requires a consumer‑side endpoint (with an internal IP) that forwards traffic to the Cloud SQL service.
C) Cloud Build “options” with “machineType” set to “E2_HIGHCPU_8”
D) Cloud Build “timeout” parameter set to 60 minutes
Answer: B
Explanation: By defining a volume that points to a GCS bucket, Docker can store and retrieve layer caches across builds.

Question 47. In GKE, what does the “PodSecurityPolicy” replacement called “Pod Security Standards” enforce?
A) Network firewall rules for pods
B) Runtime security scanning of container images
C) Baseline, restricted, and privileged pod security levels via admission controller
D) Automatic patching of node OS images
Answer: C
Explanation: Pod Security Standards provide predefined policies (baseline, restricted, privileged) that the admission controller enforces on pod creation.

Question 48. Which of the following is a key difference between a “canary” and a “rolling” deployment?
A) Canary routes a fixed percentage of traffic to the new version; rolling gradually replaces all instances with the new version without traffic splitting.
B) Rolling requires manual intervention; canary is fully automated.
C) Canary can only be used with Cloud Functions; rolling is for Compute Engine VMs.
D) Rolling deployments always result in zero downtime, while canary may cause brief outages.
Answer: A
Explanation: Canary uses traffic splitting to expose a subset of users, whereas rolling updates replace pods incrementally without explicit traffic control.

Question 49. What does the “gcloud projects add-iam-policy-binding” command do?
A) Creates a new project and assigns an owner role
B) Adds a binding (role‑member pair) to the project's IAM policy without overwriting existing bindings
C) Deletes all IAM bindings from a project
D) Generates a service account key for the specified project
Answer: B
Explanation: The command appends a new role‑member binding to the existing IAM policy, preserving other bindings.

Question 50. Which Cloud Monitoring metric type is most appropriate for tracking request latency percentiles (e.g., 95th percentile)?
A) Distribution
B) Gauge
C) Counter
D) TimeSeries
Answer: A
Explanation: Distribution metrics capture statistical aggregations, including percentiles, making them suitable for latency analysis.

Question 51. When configuring a Cloud Deploy release, what is the purpose of a “target”?
A) It defines the repository where source code is stored