Google Google Certifications ASSOCIATE-CLOUD-ENGINEER Questions & Answers

• Question 201:

  You have sensitive data stored in three Cloud Storage buckets and have enabled data access logging. You want to verify activities for a particular user for these buckets, using the fewest possible steps. You need to verify the addition of metadata labels and which files have been viewed from those buckets. What should you do?

  A. Using the GCP Console, filter the Activity log to view the information.

  B. Using the GCP Console, filter the Stackdriver log to view the information.

  C. View the bucket in the Storage section of the GCP Console.

  D. Create a trace in Stackdriver to view the information.

  Correct Answer: A

  Activity log does indeed show information about metadata.

• Question 202:

  You need to configure IAM access audit logging in BigQuery for external auditors. You want to follow Google-recommended practices. What should you do?

  A. Add the auditors group to the `logging.viewer' and `bigQuery.dataViewer' predefined IAM roles.

  B. Add the auditors group to two new custom IAM roles.

  C. Add the auditor user accounts to the `logging.viewer' and `bigQuery.dataViewer' predefined IAM roles.

  D. Add the auditor user accounts to two new custom IAM roles.

  Correct Answer: C

  Reference: https://cloud.google.com/iam/docs/roles-audit-logging As per google best practices it is recommended to use predefined roles and create groups to control access to multiple users with same responsibility

• Question 203:

  You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices. What should you do?

  A. Create a service account with an access scope. Use the access scope `https://www.googleapis.com/auth/devstorage.write_only'.

  B. Create a service account with an access scope. Use the access scope `https://www.googleapis.com/auth/cloud-platform'.

  C. Create a service account and add it to the IAM role `storage.objectCreator' for that bucket.

  D. Create a service account and add it to the IAM role `storage.objectAdmin' for that bucket.

  Correct Answer: C

  Reference: https://towardsdatascience.com/enlightened-datalab-notebooks-35ce8ef374c0 Best practice says, give minimum access that is required for the job and storage creator is minimum when you put it against admin who can do everything

• Question 204:

  You created an instance of SQL Server 2017 on Compute Engine to test features in the new version. You want to connect to this instance using the fewest number of steps. What should you do?

  A. Install a RDP client on your desktop. Verify that a firewall rule for port 3389 exists.

  B. Install a RDP client in your desktop. Set a Windows username and password in the GCP Console. Use the credentials to log in to the instance.

  C. Set a Windows password in the GCP Console. Verify that a firewall rule for port 22 exists. Click the RDP button in the GCP Console and supply the credentials to log in.

  D. Set a Windows username and password in the GCP Console. Verify that a firewall rule for port 3389 exists. Click the RDP button in the GCP Console, and supply the credentials to log in.

  Correct Answer: B

  Reference: https://medium.com/falafel-software/sql-server-in-the-google-cloud-a17e8a1f11ce

  RDP is enabled by default when you crate a Windows instance (no need to chek on it). Just make sure you install an RDP client ( chrome ext or RDP) and set windows password.

• Question 205:

  You have a project for your App Engine application that serves a development environment. The required testing has succeeded and you want to create a new project to serve as your production environment. What should you do?

  A. Use gcloud to create the new project, and then deploy your application to the new project.

  B. Use gcloud to create the new project and to copy the deployed application to the new project.

  C. Create a Deployment Manager configuration file that copies the current App Engine deployment into a new project.

  D. Deploy your application again using gcloud and specify the project parameter with the new project name to create the new project.

  Correct Answer: A

  Option B is wrong as the option to use gcloud app cp does not exist. Option C is wrong as Deployment Manager does not copy the application, but allows you to specify all the resources needed for your application in a declarative format using yaml Option D is wrong as gcloud app deploy would not create a new project. The project should be created before usage

• Question 206:

  You significantly changed a complex Deployment Manager template and want to confirm that the dependencies of all defined resources are properly met before committing it to the project. You want the most rapid feedback on your changes. What should you do?

  A. Use granular logging statements within a Deployment Manager template authored in Python.

  B. Monitor activity of the Deployment Manager execution on the Stackdriver Logging page of the GCP Console.

  C. Execute the Deployment Manager template against a separate project with the same configuration, and monitor for failures.

  D. Execute the Deployment Manager template using the --preview option in the same project, and observe the state of interdependent resources.

  Correct Answer: D

  Reference: https://cloud.google.com/deployment-manager/docs/deployments/updating-deployments

  Correct answer is D as Deployment Manager provides the preview feature to check on what resources would be created

• Question 207:

  You are building a pipeline to process time-series data. Which Google Cloud Platform services should you put in boxes 1,2,3, and 4?

  

  A. Cloud Pub/Sub, Cloud Dataflow, Cloud Datastore, BigQuery

  B. Firebase Messages, Cloud Pub/Sub, Cloud Spanner, BigQuery

  C. Cloud Pub/Sub, Cloud Storage, BigQuery, Cloud Bigtable

  D. Cloud Pub/Sub, Cloud Dataflow, Cloud Bigtable, BigQuery

  Correct Answer: D

  Reference: https://cloud.google.com/solutions/correlating-time-series-dataflow whenever IOT is present go with DataStore

• Question 208:

  You have one GCP account running in your default region and zone and another account running in a non-default region and zone. You want to start a new Compute Engine instance in these two Google Cloud Platform accounts using the command line interface. What should you do?

  A. Create two configurations using gcloud config configurations create [NAME]. Run gcloud config configurations activate [NAME] to switch between accounts when running the commands to start the Compute Engine instances.

  B. Create two configurations using gcloud config configurations create [NAME]. Run gcloud configurations list to start the Compute Engine instances.

  C. Activate two configurations using gcloud configurations activate [NAME]. Run gcloud config list to start the Compute Engine instances.

  D. Activate two configurations using gcloud configurations activate [NAME]. Run gcloud configurations list to start the Compute Engine instances.

  Correct Answer: A

  Reference: https://cloud.google.com/sdk/gcloud/reference/config/configurations/activate

  All the other options don't make any sense when day say "Run gcloud configurations list to start the Compute Engine instances". How the heck are you expecting to "start" GCE instances doing "configuration list". Obviously B,C,D don't make any sense.

• Question 209:

  You have a Linux VM that must connect to Cloud SQL. You created a service account with the appropriate access rights. You want to make sure that the VM uses this service account instead of the default Compute Engine service account. What should you do?

  A. When creating the VM via the web console, specify the service account under the `Identity and API Access' section.

  B. Download a JSON Private Key for the service account. On the Project Metadata, add that JSON as the value for the key compute-engine-service-account.

  C. Download a JSON Private Key for the service account. On the Custom Metadata of the VM, add that JSON as the value for the key compute-engine-service-account.

  D. Download a JSON Private Key for the service account. After creating the VM, ssh into the VM and save the JSON under ~/.gcloud/compute-engine-service-account.json.

  Correct Answer: A

  https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances

  Changing the service account and access scopes for an instance If you want to run the VM as a different identity, or you determine that the instance needs a different set of scopes to call the required APIs, you can change the service account and the access scopes of an existing instance. For example, you can change access scopes to grant access to a new API, or change an instance so that it runs as a service account that you created, instead of the Compute Engine default service account. However, Google recommends that you use the fine-grained IAM policies instead of relying on access scopes to control resource access for the service account.

  To change an instance's service account and access scopes, the instance must be temporarily stopped. To stop your instance, read the documentation for Stopping an instance. After changing the service account or access scopes, remember to restart the instance. Use one of the following methods to the change service account or access scopes of the stopped instance.

• Question 210:

  You need to set up a policy so that videos stored in a specific Cloud Storage Regional bucket are moved to Coldline after 90 days, and then deleted after one year from their creation. How should you set up the policy?

  A. Use Cloud Storage Object Lifecycle Management using Age conditions with SetStorageClass and Delete actions. Set the SetStorageClass action to 90 days and the Delete action to 275 days (365 - 90)

  B. Use Cloud Storage Object Lifecycle Management using Age conditions with SetStorageClass and Delete actions. Set the SetStorageClass action to 90 days and the Delete action to 365 days.

  C. Use gsutil rewrite and set the Delete action to 275 days (365-90).

  D. Use gsutil rewrite and set the Delete action to 365 days.

  Correct Answer: B

  There should be no reason to recalculate the time needed to delete after a year.