Free Associate Cloud Engineer Exam Questions – 2025 Updated

The gcloud compute ssh command is a wrapper around the standard ssh command that automates the entire connection process. When executed, it checks for the existence of SSH keys. If no keys are found, it automatically generates a new key pair (~/.ssh/googlecomputeengine), adds the public key to the project or instance metadata, and then initiates the SSH connection to the specified instance. This single command handles authentication, key generation, key distribution, and connection, making it the most efficient method with the fewest steps, as required by the question.

A. This method will fail. The standard ssh command requires a pre-existing private key on the local machine and a corresponding public key on the target instance, which the scenario states is not deployed.

C. This is an unnecessary step. While it would work, the gcloud compute ssh command will automatically generate the key pair for you if one doesn't exist, making the manual ssh-keygen step redundant.

D. This is the most complex and manual process. It involves multiple commands and manual key management, which is the exact opposite of the "easiest way" and "fewest steps" requirement.

1. Google Cloud Documentation

gcloud compute ssh: "If you do not have a public SSH key

gcloud compute ssh generates one for you. When you generate a new key

gcloud compute ssh adds the key to your project or instance metadata and connects you to the VM." This confirms that the command handles key generation automatically.

Source: Google Cloud SDK Documentation

gcloud compute ssh

Command Description section.

2. Google Cloud Documentation

Connect to Linux VMs: "The gcloud command-line tool provides the simplest way to connect to your instances... When you connect to a Linux instance by using the gcloud command-line tool

Compute Engine creates an ephemeral SSH key for you and sets a username."

Source: Google Cloud Documentation > Compute Engine > User guides > Connect to Linux VMs > Connect using Google Cloud tools.

3. Google Cloud Documentation

Managing SSH keys in metadata: "When you use gcloud compute ssh to connect to an instance

gcloud can automatically create and add an SSH key to the project for you."

Source: Google Cloud Documentation > Compute Engine > User guides > Access control > Managing SSH keys in metadata > How SSH keys work on Compute Engine instances.

The Storage Admin (roles/storage.admin) role provides full control over Cloud Storage resources. This includes all necessary permissions to manage both buckets (e.g., create, delete, list, set IAM policies) and the objects (files) within them. Using this predefined role adheres to the Google-recommended practice of applying the principle of least privilege. It grants the required permissions scoped specifically to the Cloud Storage service, unlike the overly broad Project Editor basic role. This role is the most suitable for colleagues who need comprehensive control over buckets and files without granting them permissions for other services in the project.

A. Project Editor: This is a basic role that grants broad permissions across most Google Cloud services, violating the principle of least privilege.

C. Storage Object Admin: This role grants permissions to manage objects (files) but lacks the necessary permissions to create, delete, or configure buckets.

D. Storage Object Creator: This role is highly restrictive, only allowing users to create objects. It does not permit managing objects or buckets.

1. Google Cloud Documentation

"Cloud Storage IAM roles": The table in this document explicitly states that the roles/storage.admin role provides "Full control of Cloud Storage resources

" which encompasses both buckets and objects. In contrast

roles/storage.objectAdmin is described as having "Full control of Cloud Storage objects

" which does not include bucket management.

Source: Google Cloud

Cloud Storage Documentation

"IAM roles for Cloud Storage".

2. Google Cloud Documentation

"Understanding roles": This guide explains the different types of roles. It recommends using predefined roles over basic roles (like Editor) to grant only the necessary permissions. "Whenever possible

we recommend that you grant predefined roles instead of basic roles. Predefined roles provide finer-grained access control and help you follow the principle of least privilege."

Source: Google Cloud

IAM Documentation

"Understanding roles"

Section: "Role types".

3. Google Cloud Documentation

"Using IAM permissions": This document reinforces the best practice of using the most limited predefined role that meets requirements. "Follow the principle of least privilege... When choosing a predefined role

pick one that contains the minimum set of permissions that your user needs."

Source: Google Cloud

IAM Documentation

"Granting

changing

and revoking access to resources"

Section: "Best practices".

The most secure, scalable, and manageable method to grant SSH access to a specific group of users for a single instance is by using OS Login. OS Login links a user's Google identity with their VM's POSIX account and manages access through IAM roles.

By setting the instance metadata enable-oslogin=true, you activate this feature for that specific instance. Granting the roles/compute.osLogin IAM role to the dev1 group provides the necessary permissions for its members to establish an SSH connection to any instance with OS Login enabled, without granting them broader administrative privileges. This combination precisely meets the requirement of providing scoped access to the specified group.

B. This option is incomplete. While it correctly enables OS Login, it fails to grant the necessary IAM role (compute.osLogin) to the dev1 group, so the users would have no permission to connect.

C. This method is insecure and unscalable. It requires manually generating, distributing, and managing individual SSH keys for each user, which is prone to error and becomes a significant administrative burden as the group changes.

D. Sharing a single private SSH key among multiple users is a severe security anti-pattern. It eliminates individual accountability and makes key revocation and rotation extremely difficult if the key is compromised.

1. Google Cloud Documentation - About OS Login: "OS Login lets you use Compute Engine IAM roles to grant and revoke SSH access to your Linux instances... OS Login is the recommended way to manage many users across multiple instances or projects." This document also specifies that you enable OS Login by setting the enable-oslogin metadata value to TRUE.

Source: Google Cloud Documentation

"About OS Login".

2. Google Cloud Documentation - Set up OS Login: "After you enable OS Login on one or more instances in your project

you need to grant the necessary IAM roles to users." It lists roles/compute.osLogin as the role required to connect to instances.

Source: Google Cloud Documentation

"Set up OS Login"

Step 2: Grant necessary IAM roles.

3. Google Cloud Documentation - Compute Engine predefined IAM roles: The compute.osLogin role is described as providing "permissions to log in to Compute Engine instances using OS Login. This role does not grant administrator access." This confirms it as the appropriate least-privilege role.

Source: Google Cloud Documentation

"Compute Engine IAM roles"

Predefined roles table.

4. Google Cloud Documentation - Managing SSH keys in metadata: This document describes the manual method of managing keys and contrasts it with OS Login. It explains that blocking project-wide keys is a way to restrict access

but it still relies on manually adding instance-level keys

which is less manageable than OS Login.

Source: Google Cloud Documentation

"Managing SSH keys in metadata"

section "Instance-level public SSH keys".

The standard and correct workflow for deploying a containerized application to Google Kubernetes Engine (GKE) begins with the Dockerfile. First, a container image must be built from the Dockerfile using a tool like Docker. This image must then be stored in a container registry that the GKE cluster can access; Google Container Registry (GCR) or Artifact Registry are the standard, integrated choices on Google Cloud. Next, a Kubernetes Deployment manifest (a YAML file) is created. This file declaratively defines the desired state, specifying the container image location (from the registry), the number of replicas, and other configurations. Finally, the kubectl command-line tool is used to apply this manifest to the GKE cluster, which then pulls the image and creates the Pods.

A. kubectl app deploy . is not a valid or standard kubectl command for deploying applications. The correct command to apply a configuration file is kubectl apply -f .

B. gcloud app deploy . is the command used to deploy applications to Google App Engine, which is a different service (Platform-as-a-Service) from Google Kubernetes Engine.

D. Google Cloud Storage is an object storage service, not a container registry. GKE nodes cannot pull container images directly from a Cloud Storage bucket; they require a registry that implements the Docker Registry API.

1. Google Cloud Documentation

"Deploying a containerized web application": This official tutorial outlines the exact steps described in the correct answer. It details building a container image

pushing it to Artifact Registry (Google's recommended container registry)

and then deploying it to a GKE cluster using a manifest file (deployment.yaml) and kubectl apply. (See steps 3

4

and 6 in the guide).

2. Google Cloud Documentation

"Container Registry overview": "Container Registry is a private container image registry that runs on Google Cloud... You can access Container Registry through HTTPS endpoints

from gcloud

or from Docker." This confirms that a registry

not object storage

is the correct location for images.

3. Google Cloud SDK Documentation

gcloud app deploy: The official documentation for this command states

"This command is used to deploy the source code and configuration of your application to the App Engine server." This explicitly links the command to App Engine

not GKE.

4. Kubernetes Documentation

"Deployments": "A Deployment provides declarative updates for Pods... You describe a desired state in a Deployment

and the Deployment Controller changes the actual state to the desired state at a controlled rate." This supports the use of a declarative YAML file as the standard practice.

A signed URL provides a secure, time-limited method for granting read or write access to a specific Cloud Storage object. It uses a cryptographic signature embedded in the URL, which authenticates the request without requiring the user to have a Google account. By setting a four-hour expiration, access is automatically revoked after the specified period. This approach directly addresses all requirements: it's secure for sensitive data, time-limited, works for users without Google accounts, and is the most direct method, requiring only a single step to generate the URL.

B. Making an object public is highly insecure for sensitive data, as anyone on the internet could potentially access it during the four-hour window.

C. Configuring a bucket as a static website also makes objects publicly accessible, which is not secure for sensitive content. This method is also more complex than generating a signed URL.

D. This method is inefficient, requiring multiple steps (create bucket, copy object, delete bucket). It also fails to specify the access mechanism, which would still need to be either public (insecure) or a signed URL (making option A superior).

1. Google Cloud Documentation - Signed URLs: "A signed URL is a URL that provides limited permission and time to make a request... Anyone who knows the signed URL can access the resource until the URL expires

regardless of whether they have a Google Cloud account." This document explicitly describes the use case of providing temporary access to users without Google accounts.

Source: Google Cloud Documentation

"Cloud Storage > How-to Guides > Using signed URLs".

2. Google Cloud Documentation - Overview of Access Control: This document outlines various access control methods. It implicitly discourages using public access for sensitive data by describing its function: "The allUsers identifier is a special identifier that represents any user who is on the internet." This highlights the insecurity of options B and C.

Source: Google Cloud Documentation

"Cloud Storage > Key Concepts > Overview of access control".

3. Google Cloud Documentation - Object Lifecycle Management: "Object Lifecycle Management lets you apply rules to a bucket that automatically take an action on the objects in the bucket when they meet the criteria you specify." The purpose is automated object state management (e.g.

deletion

changing storage class)

not for granting temporary

secure access to external users.

Source: Google Cloud Documentation

"Cloud Storage > How-to Guides > Using Object Lifecycle Management".

The Pending status for a Pod indicates that the Kubernetes scheduler has accepted the Pod but cannot yet place it onto a node. The most common reason for this is insufficient cluster resources (CPU or memory). In this scenario, the first replica of the Deployment was successfully scheduled and is Running, consuming resources on a node. The second replica, with identical resource requests, cannot be scheduled because the remaining available resources in the cluster are not sufficient to meet its needs. The Pod will remain Pending until resources are freed up or a new node is added to the cluster, for example, by the cluster autoscaler.

A: This is incorrect because one replica is already Running. As both Pods have identical resource requests, if one can fit on a node, the other's request is not inherently too large.

C: Incorrect image pull permissions would cause an ImagePullBackOff or ErrImagePull status after the Pod is scheduled to a node, not prevent it from being scheduled (i.e., leave it Pending).

D: While a node preemption could lead to this state, the direct cause of the Pending status is the lack of schedulable resources, which is more accurately described by option B.

1. Kubernetes Documentation

Pod Lifecycle

Pod Phase: The Pending phase is defined as: "The Pod has been accepted by the Kubernetes cluster

but one or more of the containers has not been set up and made ready to run. This includes time a Pod spends waiting to be scheduled..." This confirms that scheduling issues are a primary cause of the Pending state. (Source: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase)

2. Google Cloud Documentation

GKE

Cluster autoscaler: "Cluster autoscaler automatically resizes the number of nodes in a given node pool

based on the demands of your workloads. ... it adds nodes when there are Pods that failed to schedule in the node pool due to insufficient resources." This directly links the Pending state (failed to schedule) with resource insufficiency. (Source: https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-autoscaler

"How cluster autoscaler works" section).

3. Kubernetes Documentation

Kubernetes Scheduler: The scheduler's role is to assign Pods to nodes. "If no node is suitable

the pod remains unscheduled until the scheduler is able to place it." The primary filtering step in finding a suitable node is checking if a node has enough available resources to meet the Pod's specific resource requests. (Source: https://kubernetes.io/docs/concepts/scheduling-eviction/kube-scheduler/

"The kube-scheduler" section).

This architecture represents a classic streaming data pipeline on Google Cloud, particularly for time-series or IoT data.

1. Ingest (Cloud Pub/Sub): Cloud Pub/Sub is a fully managed, real-time messaging service designed to ingest high-throughput event streams from many sources, such as IoT devices.

2. Process (Cloud Dataflow): Cloud Dataflow is a unified stream and batch data processing service. It is ideal for executing pipelines that transform, enrich, and aggregate incoming data in real-time.

3. Serve (Cloud Bigtable): Cloud Bigtable is a NoSQL, wide-column database optimized for high-throughput reads and writes with very low latency. This makes it the perfect choice for serving time-series data to real-time dashboards and applications.

4. Analyze (BigQuery): BigQuery is a serverless, highly scalable data warehouse built for business intelligence and ad-hoc analysis. It allows for complex SQL queries over massive datasets.

A: Cloud Datastore is a document database designed for transactional web and mobile application backends, not for the high-throughput analytical workloads typical of time-series data.

B: Firebase Messages is for sending notifications to client applications, not a general-purpose data ingestion service. Cloud Spanner is a relational database, which is less suited for this specific time-series use case than Bigtable.

C: Cloud Storage is an object storage service, not a data processing engine. This option also incorrectly swaps the roles of BigQuery (for analysis) and Bigtable (for low-latency serving).

1. Google Cloud Documentation

"IoT overview": This document presents a reference architecture for IoT data that explicitly shows the flow: Cloud Pub/Sub (for ingestion) -> Cloud Dataflow (for processing) -> Cloud Bigtable (for processing and serving) and BigQuery (for data analysis). See the "Reference architecture" diagram.

2. Google Cloud Documentation

"Cloud Bigtable - Overview": Under the section "What it's good for

" the documentation lists "Time series data" as a primary use case

stating

"Cloud Bigtable is a great choice for storing and querying large amounts of time-series data."

3. Google Cloud Documentation

"Dataflow - Common use cases": This page describes using Dataflow for "Streaming analytics" and "IoT

" often in conjunction with Pub/Sub for ingestion and BigQuery or Bigtable for storage and analysis.

4. Google Cloud Documentation

"What is BigQuery?": The official documentation defines BigQuery as a "fully managed enterprise data warehouse that helps you manage and analyze your data

" which directly corresponds to the "Ad-hoc analysis" function in the diagram.

This solution describes a standard, event-driven, and fully automated pattern for scaling Google Cloud resources that do not have a native autoscaling feature. A Cloud Monitoring (formerly Stackdriver) alerting policy can monitor the Cloud Spanner instance's CPU utilization. When the utilization crosses a predefined threshold (either high or low), the policy triggers a notification to a webhook. A Cloud Function is configured with an HTTP trigger to listen on this webhook's endpoint. Upon receiving the alert, the function executes code that uses the Cloud Spanner API to resize the instance by adding or removing nodes, thus achieving automatic scaling.

A. A cron job is a scheduled, time-based trigger. While it can automate scaling for predictable patterns, it is less responsive to real-time metric fluctuations compared to an event-driven alerting policy.

B. This option relies on manual intervention by an on-call SRE to scale the instance. This fails to meet the requirement for an automatic scaling solution.

C. Involving Google Cloud Support for routine operational tasks like scaling is not a standard or appropriate procedure. This process is manual and not the intended use of the support service.

1. Google Cloud Blog - Tutorial: Autoscaling Cloud Spanner: This official tutorial explicitly details the recommended architecture for autoscaling Cloud Spanner. It states

"In this architecture

Cloud Monitoring periodically checks the CPU utilization of your Spanner instance. When the CPU utilization crosses a threshold

Monitoring sends a notification to a webhook. The notification triggers a Cloud Function that adds or removes a node from your Spanner instance." This directly validates option D.

Source: Google Cloud Blog

"Autoscaling Cloud Spanner".

2. Cloud Monitoring Documentation - Notification options: The official documentation lists webhooks as a notification channel. It explains

"You can use webhooks to send a notification to other services... When you create a webhook notification channel

you provide a URL to which Monitoring sends a POST request when a notification is triggered." This confirms the trigger mechanism.

Source: Google Cloud Documentation

Cloud Monitoring

"Notification options"

Section: "Webhooks".

3. Cloud Spanner Documentation - Monitoring with Cloud Monitoring: The documentation highlights high-priority CPU utilization as a key metric for monitoring Spanner performance and determining when to scale. It recommends keeping CPU utilization below 65% for multi-region instances and 75% for regional instances to ensure optimal performance. This validates using CPU metrics as the basis for scaling decisions.

Source: Google Cloud Documentation

Cloud Spanner

"Monitoring with Cloud Monitoring"

Section: "Alerting".

4. Cloud Functions Documentation - HTTP Triggers: This documentation explains how to create functions that can be invoked via HTTP requests

which is precisely how a webhook integration works. "HTTP functions can be invoked from standard HTTP requests. These functions must send a response."

Source: Google Cloud Documentation

Cloud Functions

"Develop"

"HTTP Triggers".

Google Cloud Deployment Manager can be extended to manage resources from third-party APIs by adding them as "Type Providers". The Kubernetes API is a RESTful API with an OpenAPI specification, making it a perfect candidate for a Type Provider. By creating the GKE cluster first, you can extract its API endpoint and credentials within the same deployment. You then use these outputs to dynamically configure a new Type Provider for that specific cluster's API. Finally, you use this new type to declaratively create the DaemonSet, all within a single Deployment Manager execution without needing extra services like Compute Engine.

B: Runtime Configurator is a service for storing and managing dynamic configuration data. It does not have the capability to apply configurations or create resources within a GKE cluster.

C: This approach requires an additional Compute Engine instance solely to run a kubectl command. This is inefficient and violates the principle of using the fewest possible services.

D: The Google Kubernetes Engine resource definition in Deployment Manager does not have a feature to interpret metadata entries as Kubernetes manifests to be applied to the cluster.

1. Google Cloud Documentation - Adding a Type Provider: This document explains how to extend Deployment Manager to work with third-party APIs. It states

"You can expand the types of Google Cloud resources that Deployment Manager can create by adding API-specific type providers... A type provider exposes all of the resources of a third-party API to Deployment Manager as base types that you can use in your configurations." The Kubernetes API is such a third-party API in this context.

Source: Google Cloud Documentation

"Adding a Type Provider"

Section: "Before you begin".

2. Google Cloud Documentation - Calling a Third-Party API: This guide provides a conceptual overview and explicitly mentions that the API must have an OpenAPI (formerly Swagger) specification

which the Kubernetes API does.

Source: Google Cloud Documentation

"Calling a Third-Party API"

Section: "About integrating with third-party APIs".

3. Google Cloud Community Tutorials - Automating GKE cluster and application deployment with Deployment Manager: This tutorial provides a step-by-step example of the exact process described in the correct answer. It shows creating a GKE cluster

then using its endpoint to create a Type Provider

and finally using that provider to deploy a Kubernetes application.

Source: Google Cloud Community Tutorials

"Automating GKE cluster and application deployment with Deployment Manager"

Sections: "Creating the Deployment Manager configuration" and "Creating the Kubernetes type provider".

This scenario describes a standard cross-project resource sharing pattern on Google Cloud. The most secure and manageable approach is for the entity requiring access (the partner) to create and manage their own identity. The partner creates a service account in their project, which they control. They then provide the service account's unique email address to you. As the owner of the BigQuery dataset, you grant the necessary IAM role (e.g., BigQuery Data Viewer) to that specific service account on your dataset. This adheres to the principle of least privilege and proper separation of concerns, where each party manages their own resources and identities.

A. Creating the service account in your project requires you to manage its lifecycle and securely share its credentials (keys) with the partner, which is a security risk and an anti-pattern.

B. This is illogical. The service account needs access to the BigQuery dataset in your project, not to resources in the partner's project.

C. The partner granting their service account access to their own project does not confer any permissions to access resources, like your dataset, in a different project.

1. Google Cloud Documentation

BigQuery

"Control access to datasets": In the section "Grant access to a dataset

" the procedure describes adding a "principal" to the dataset's IAM policy. A principal can be a "service account

" and its email address format ([email protected]) inherently allows for granting access to a service account from a different project. This document outlines the exact procedure described in the correct answer.

2. Google Cloud Documentation

IAM

"Overview of IAM": This document explains the core IAM concepts. It defines a "principal" as an identity that can be granted access to a resource. It states

"A principal can be a Google Account... a service account

a Google group

or a Google Workspace... that needs access to a Google Cloud resource." This confirms that a service account from the partner's project is a valid principal to which you can grant access.

3. Google Cloud Documentation

IAM

"Service accounts overview": This page clarifies that "Service accounts are principals in IAM policies" and are "identified by their email address

which is unique to the account." This supports the method of the partner providing their unique service account email for you to add to your dataset's IAM policy.

The IAM & Admin page in the Google Cloud Console provides a comprehensive view of the Identity and Access Management (IAM) policy for a specific resource, such as a project. This page lists all principals (members like users, groups, and service accounts) and the specific roles granted to them for that project. This directly allows an administrator to verify who has what level of access, fulfilling the question's requirement to check assigned users and roles. The gcloud projects get-iam-policy [PROJECTID] command provides the same information via the command line.

A. gcloud iam roles list only lists the available IAM roles in a project or organization; it does not show which members are assigned to those roles.

B. gcloud iam service-accounts list only lists the service accounts within a project. It does not show other member types (like users or groups) or their role assignments.

D. The "Roles" section in the GCP Console lists available roles and their associated permissions, similar to option A. It does not display the bindings of these roles to members.

---

1. Google Cloud Documentation - View access to a project

folder

or organization: "You can get a list of principals who have access to a project... using the Google Cloud console... In the Google Cloud console

go to the IAM page... The IAM page displays all of the principals who have IAM roles on your project

and what roles they are granted."

Source: Google Cloud Documentation

"IAM > Documentation > How-to guides > Granting

changing

and revoking access > View access to a project

folder

or organization".

2. Google Cloud SDK Documentation - gcloud projects get-iam-policy: This command is the CLI equivalent for viewing the full policy. "This command prints the IAM policy for a project... The output includes an etag field identifying the version of the policy." The policy itself contains the bindings between members and roles.

Source: Google Cloud SDK Documentation

gcloud projects get-iam-policy.

3. Google Cloud SDK Documentation - gcloud iam roles list: "List the IAM roles for a project or organization." This command's description confirms it only lists the roles themselves

not their assignments.

Source: Google Cloud SDK Documentation

gcloud iam roles list.

The gcloud iam roles copy command is specifically designed to duplicate a custom role from a source project or organization to a destination project or organization. Using this command-line tool is the most efficient method ("fewest possible steps") to replicate one or more roles, as it can be executed in a single line per role and easily scripted for bulk operations. This approach is significantly faster and less prone to human error than manually recreating roles through the Google Cloud Console.

B. Copying the role to the destination organization makes it available to all projects. This is a broader scope than requested and may not be desirable from a security or management perspective.

C. The ‘create role from role’ functionality in the console is a multi-step, manual process for each role, which is less efficient than a single gcloud command, especially if multiple roles are involved.

D. Manually creating a role and selecting permissions is the most inefficient and error-prone method, directly contradicting the requirement for the "fewest possible steps."

---

1. Google Cloud SDK Documentation

gcloud iam roles copy:

The official documentation for the command explicitly states its purpose: "is used to copy an IAM role." The examples demonstrate copying a role from a source project to a destination project using the --source-project and --dest-project flags. This directly supports option A as the purpose-built tool for the task.

Source: Google Cloud. (n.d.). gcloud iam roles copy. Google Cloud SDK documentation. Retrieved from https://cloud.google.com/sdk/gcloud/reference/iam/roles/copy

2. Google Cloud IAM Documentation

"Creating and managing custom roles":

Under the section "Copying an existing role

" the documentation provides the exact gcloud iam roles copy command as the method for this task. It highlights this as a primary way to replicate roles

reinforcing its status as the correct and most direct procedure.

Source: Google Cloud. (n.d.). Create and manage custom roles. IAM documentation. Retrieved from https://cloud.google.com/iam/docs/creating-custom-roles#copying-an-existing-role

3. Google Cloud IAM Documentation

"Custom roles overview":

This document explains the scope of custom roles

which can be created at either the project or organization level. This context clarifies why specifying the destination project (Option A) is more precise and appropriate for the user's request than specifying the organization (Option B).

Source: Google Cloud. (n.d.). Overview of IAM custom roles. IAM documentation. Retrieved from https://cloud.google.com/iam/docs/understanding-custom-roles#customroleavailability

The location of a Google App Engine application is a permanent setting chosen during its initial creation within a Google Cloud project. This location cannot be changed after the application is created. Furthermore, a single Google Cloud project can contain only one App Engine application. Therefore, to deploy the application in a new region (asia-northeast1), you must create an entirely new Google Cloud project. Within this new project, you can then create a new App Engine application and specify asia-northeast1 as its serving location during the setup process.

A. The project's default region setting primarily affects services like Compute Engine and does not alter the immutable location of an existing App Engine application.

B. The region of an App Engine application is an immutable property. It is set once at creation and cannot be modified later.

C. A Google Cloud project is limited to a single App Engine application. It is not possible to create a second one within the same project.

1. Google Cloud Documentation

App Engine Locations: "When you create an app

you must choose a location... The location you choose for your app is permanent and cannot be changed." This document also states

"Each Google Cloud project can contain only one App Engine app."

Source: Google Cloud

App Engine Locations

"Choosing a location" and "Location and your project" sections. https://cloud.google.com/appengine/docs/locations

2. Google Cloud SDK Documentation

gcloud app create: The official command-line tool documentation for creating an App Engine application explicitly states for the --region flag: "The region to create the App Engine application in. You can't change the region after you set it."

Source: Google Cloud SDK

gcloud app create

Command description. https://cloud.google.com/sdk/gcloud/reference/app/create

The most appropriate and secure method to grant read-only access to all resources within a Google Cloud project is by using the predefined Identity and Access Management (IAM) Viewer role (roles/viewer). This basic role provides broad, read-only permissions across all project services and resources, which aligns perfectly with the requirements for an auditor who needs to inspect but not alter the project's state. Using a predefined role is a best practice as it is managed by Google and ensures that the permissions are correctly and consistently applied for the intended purpose without the overhead of creating and maintaining a custom role.

A. Creating a custom role is unnecessary when a predefined role perfectly fits the requirement. It adds management overhead and potential for misconfiguration.

B. A custom role with "view-only service permissions" is ambiguous and likely insufficient, as the requirement is for all project items, not just specific services.

D. There is no single, built-in "service Viewer" role. Predefined viewer roles are specific to services (e.g., Compute Viewer), which would not grant the required project-wide access.

1. Google Cloud Documentation

IAM

Basic roles: "The Viewer role (roles/viewer) provides permissions for read-only actions that don't modify state

such as viewing (but not modifying) existing resources or data." This directly supports the use of the Viewer role for an auditor. (See section: "Basic roles"

subsection: "Viewer").

2. Google Cloud Documentation

IAM

Understanding roles: "Basic roles include the Owner

Editor

and Viewer roles. You can use these roles to grant principals broad access to all Google Cloud resources... When possible

we recommend that you grant predefined roles instead of basic roles." However

for project-wide read access

the basic Viewer role is the intended and most direct solution. (See section: "Role types").

3. Google Cloud Documentation

IAM

Creating and managing custom roles: "IAM also offers custom roles. These roles let you grant a fine-grained set of permissions that you define... Create a custom role only if the predefined roles don't meet your needs." This confirms that predefined roles should be used first

making option C superior to A. (See section: "Before you begin").

The most effective method for automating command-line operations across multiple Google Cloud projects is by using gcloud configurations. Each configuration stores a set of properties, including the project ID and account. By creating one configuration for the 'development' project and another for 'production', a script can programmatically switch between them using gcloud config configurations activate. For each active configuration, the gcloud compute instances list command is used to retrieve the instance data for that specific project. This entire workflow is scriptable, allowing it to be automated for daily execution via a cron job or Cloud Scheduler.

B. gsutil is the command-line tool for Cloud Storage, not Compute Engine. The command gsutil compute instances list is invalid and does not exist.

C. This option describes a manual daily action ("Go to Cloud Shell"), which fails to meet the core requirement of creating an "automated process".

D. This option describes a manual daily action ("Go to GCP Console"), which directly contradicts the requirement for an "automated process".

1. gcloud config configurations: The official documentation explains how to create and manage named sets of properties. "A configuration is a named set of gcloud CLI properties. These properties are key-value pairs that govern the behavior of the gcloud CLI."

Source: Google Cloud SDK Documentation

gcloud config configurations. (https://cloud.google.com/sdk/gcloud/reference/config/configurations)

2. gcloud compute instances list: This command is the correct tool for listing Compute Engine instances. The documentation states its purpose is to "List Google Compute Engine instances." It can be targeted at a specific project

which is controlled by the active gcloud configuration.

Source: Google Cloud SDK Documentation

gcloud compute instances list. (https://cloud.google.com/sdk/gcloud/reference/compute/instances/list)

3. gsutil Tool: The documentation clarifies that gsutil is for interacting with Cloud Storage. "gsutil is a Python application that lets you access Cloud Storage from the command line." It does not manage Compute Engine resources.

Source: Google Cloud Documentation

Cloud Storage

"gsutil tool". (https://cloud.google.com/storage/docs/gsutil)

To make a service on a Compute Engine instance accessible from outside the VPC network, you must create an ingress firewall rule. The standard and most effective method is to apply a network tag to the VM instance. This tag acts as an identifier. You then create a VPC firewall rule that allows ingress traffic, specifies the protocol (UDP) and port (636), and targets all instances with that specific network tag. This approach correctly configures the network security to permit the required client connections to the LDAP server.

A. Adding a network tag by itself does not create any network permissions. A tag is merely a label that must be referenced by a firewall rule to have any effect.

B. Routes are used to define paths for traffic to reach destinations, not to permit or deny connections. Firewall rules control access based on protocol and port.

D. An egress rule controls outbound traffic from the VM instance. To allow clients to connect to the server, an ingress (inbound) rule is required.

1. Google Cloud Documentation - VPC firewall rules overview: Under the "Components of a firewall rule" section

it states that a rule's target can be specified using "Target tags

" which applies the rule to instances with a matching network tag. The "Direction of traffic" component must be set to ingress for incoming connections.

Source: Google Cloud

"VPC firewall rules overview"

cloud.google.com/vpc/docs/firewalls#components.

2. Google Cloud Documentation - Using VPC firewall rules: This page provides examples of creating firewall rules. The common pattern shown is to define a rule with a direction (INGRESS)

a target (using targetTags)

a source filter

and a protocol/port specification. This directly aligns with the procedure described in the correct answer.

Source: Google Cloud

"Using VPC firewall rules"

cloud.google.com/vpc/docs/using-firewalls#creatingfirewallrules.

3. Google Cloud Documentation - Network tags overview: "Tags are useful for applying firewall rules... You make a firewall rule applicable to specific instances by using target tags." This reference clarifies that the primary purpose of tags in this context is to be used as targets for firewall rules

invalidating the option that suggests using a tag alone is sufficient.

Source: Google Cloud

"Configure network tags"

cloud.google.com/vpc/docs/add-remove-network-tags.

This scenario requires granting a principal (the service account from proj-sa) permissions to act on resources (VM disks) in a different project (proj-vm). The standard Google Cloud method for cross-project authorization is to grant the principal an Identity and Access Management (IAM) role on the project containing the resources. The Compute Storage Admin (roles/compute.storageAdmin) role contains the necessary permissions, such as compute.disks.createSnapshot, to manage storage resources like persistent disks and snapshots. By granting this role to the service account on the proj-vm project, you authorize it to perform the required actions.

A. Storing private keys in custom metadata is a significant security risk and does not grant the necessary cross-project permissions (authorization) for the service account to act on resources in another project.

B. Service account private keys are used for authenticating to Google Cloud APIs, not for user SSH access. SSH keys are a completely different authentication mechanism for interactive logins.

D. API scopes are a legacy authorization method that defines the maximum permissions for a service account attached to a VM. The primary and more granular method is IAM. This option fails to address the core requirement of granting the service account permissions in the target project (proj-vm).

1. Google Cloud Documentation

"Granting roles to service accounts": In the section "Granting a role to a service account for a project and resources within the project

" the documentation states

"To allow a service account to access resources in a different project

you can grant a role to the service account on the other project." This directly supports the cross-project IAM binding described in the correct answer.

2. Google Cloud Documentation

"IAM basic and predefined roles reference"

Compute Engine roles: The documentation for the Compute Storage Admin role (roles/compute.storageAdmin) confirms that it provides "Full control of Compute Engine storage resources

" which includes permissions for creating snapshots (compute.disks.createSnapshot).

3. Google Cloud Documentation

"Service accounts overview": This document clarifies that a service account is a principal

or an identity

which can be granted IAM roles to access resources. This reinforces the concept of treating the service account from proj-sa as an identity that needs permissions in proj-vm.

4. Google Cloud Documentation

"Access control for Compute Engine resources": This page contrasts IAM and API Scopes

stating

"In general

we recommend using IAM to manage access to Compute Engine resources instead of access scopes." This explains why relying on API scopes (Option D) is not the recommended or correct primary approach.

The most operationally efficient and rapid method to meet the requirements is to use a Managed Instance Group (MIG) based on an instance template. An instance template defines the configuration of the virtual machines, ensuring consistency. The MIG uses this template to manage a group of identical VMs. By configuring the MIG's autoscaler with a policy based on average CPU utilization, Google Cloud's managed service will automatically add or remove VMs to maintain the desired performance level. This native solution directly addresses the need to use VMs, scale on CPU, and do so efficiently without custom tooling.

A. Google Kubernetes Engine is a container orchestration service. It scales container pods, not virtual machines directly as required by the policy.

C. This option describes schedule-based autoscaling, which scales based on time, not on the required real-time CPU usage metric.

D. Building and maintaining a custom scaling solution with third-party tools is significantly less operationally efficient and more complex than using the native, fully managed autoscaler.

1. Google Cloud Documentation

"Autoscaling groups of instances": "Autoscaling helps your applications gracefully handle increases in traffic and reduces costs when the need for resources is lower. You define the autoscaling policy

and the autoscaler performs automatic scaling based on the measured load." The document further specifies CPU utilization as a primary scaling metric. (Source: Google Cloud

Compute Engine Documentation

"Autoscaling groups of instances").

2. Google Cloud Documentation

"Scaling based on CPU utilization": "You can configure the autoscaler to scale a managed instance group (MIG) based on the average CPU utilization of the instances in the group... The autoscaler adds or removes virtual machine (VM) instances from the MIG to maintain the target CPU level." This directly supports option B. (Source: Google Cloud

Compute Engine Documentation

"Autoscaling policies"

Section: "Scaling based on CPU utilization").

3. Google Cloud Documentation

"Instance templates": "An instance template is a resource that you can use to create VM instances and managed instance groups (MIGs). Instance templates define the machine type

boot disk image...

and other instance properties." This confirms that an instance template is the correct prerequisite for a MIG. (Source: Google Cloud

Compute Engine Documentation

"Instance templates").

4. Google Cloud Documentation

"Google Kubernetes Engine (GKE) overview": "GKE is a managed

production-ready environment for deploying containerized applications." This highlights that GKE's primary abstraction is the container

not the underlying VM

making option A incorrect for the stated requirement. (Source: Google Cloud

GKE Documentation

"Concepts"

Section: "Overview").

To allow SREs to approve access requests from Google support, they must be granted the accessapproval.requests.approve permission. This permission is included in the predefined IAM role roles/accessapproval.approver. Google's recommended best practice for managing permissions is to assign roles to groups rather than individual users. This approach simplifies administration, as membership changes are managed within the group without altering IAM policies. Therefore, the correct procedure is to add the SREs to a Google Group and then grant the roles/accessapproval.approver role to that group.

A. The roles/iam.roleAdmin role is for managing custom IAM roles, not for approving support access requests. It also violates the best practice of using groups.

B. While this assigns the correct role, it grants it to individual users directly, which contradicts the Google-recommended practice of using groups for scalable and manageable permissions.

C. This option correctly uses a group, but it assigns the roles/iam.roleAdmin role, which does not grant the necessary permissions to approve Access Approval requests.

1. Google Cloud Documentation

"Access Approval IAM roles": This document explicitly lists the roles/accessapproval.approver role and its associated permission

accessapproval.requests.approve

which is required to "Approve a request for access."

Source: Google Cloud > Documentation > Access Approval > Control access with IAM > Access Approval IAM roles.

2. Google Cloud Documentation

"Policy recommendations": This guide on best practices for IAM states

"Use Google Groups to manage principals... Using groups is a convenient way to manage access for a collection of users. You can grant and change access controls for a whole group at once

instead of granting or changing access controls for individual users one by one."

Source: Google Cloud > Documentation > Identity and Access Management > Best practices for using IAM > Policy recommendations > Use Google Groups to manage principals.

3. Google Cloud Documentation

"Overview of Access Approval": This document describes the purpose of the service: "Access Approval ensures that whenever a Google employee wants to access your user content for support and other services

they must get your explicit approval." This confirms that Access Approval is the correct service for the described scenario.

Source: Google Cloud > Documentation > Access Approval > Overview.

Google App Engine retains previously deployed versions of an application. The standard and immediate method for rolling back a faulty deployment is to use the built-in traffic splitting feature. By navigating to the 'Versions' page for the specific App Engine service, you can re-route 100% of the user traffic from the new, buggy version to a previously known stable version. This action is instantaneous and effectively reverts the application to its prior state without requiring a new deployment, thus minimizing downtime and impact on users.

A. gcloud app restore is not a valid gcloud command for App Engine. The correct command-line tool for managing traffic is gcloud app services set-traffic.

B. There is no single "Revert" button at the application level in the Google Cloud Console. Reverting is a function of traffic management between different versions.

D. This approach is incorrect and inefficient. App Engine automatically keeps prior versions, so redeploying is unnecessary. Furthermore, traffic is split between versions of a service, not between separate applications.

1. Google Cloud Documentation

"Splitting Traffic": "If you need to roll back a version

you can easily do so by migrating traffic to one or more other versions." This page details the process of using the Google Cloud Console to select a version and allocate 100% of traffic to it

which is the procedure described in the correct answer. (See section: "Migrating traffic to a single version").

2. Google Cloud Documentation

"Managing Versions": "When you deploy changes to your app

a new version is created and traffic is routed to it. You can

however

choose to not route traffic to the new version automatically... If you discover a bug in a new version

you can quickly roll back to a previous version by routing traffic to it." This confirms that previous versions are retained and that traffic routing is the intended rollback mechanism.

3. Google Cloud SDK Documentation

gcloud app services set-traffic: This command-line reference demonstrates the programmatic way to manage traffic splits. The documentation states its purpose is to "[s]et the traffic splitting configuration for a service." This reinforces that traffic management is the core concept for version control

and it implicitly shows that a command like gcloud app restore does not exist for this purpose.

Google App Engine is designed to support multiple versions of an application simultaneously. The platform's native traffic splitting feature allows you to incrementally roll out changes by directing a specific percentage of traffic to a new version. This is the standard method for performing A/B testing or canary deployments. Deploying the new code as a new version within the same application and then using the Google Cloud Console to configure the traffic split is the most direct and intended approach to achieve the goal.

A. Migrating to Google Kubernetes Engine is a major architectural change and is not the correct procedure for testing a new version of an existing App Engine application.

B. Migrating to Compute Engine is an unnecessary platform change that ignores the built-in versioning and traffic management capabilities of App Engine.

C. Traffic splitting in App Engine is managed between different versions within a single application/service, not between two entirely separate applications. This approach is functionally incorrect.

1. Google Cloud Documentation - App Engine - Splitting Traffic: "App Engine allows you to split incoming traffic for your app between two or more of its versions. Splitting traffic allows you to do A/B testing between your versions and provides control over the pace when rolling out features." This document explicitly describes the process in option D.

Source: Google Cloud Documentation

"Splitting Traffic"

App Engine standard environment for Python 3 docs.

2. Google Cloud Documentation - App Engine - How Requests are Routed: "Within a single project

you can deploy multiple apps as services. [...] Each service can have multiple versions

and you can split traffic between those versions." This clarifies that versions exist within a service/app

making option C incorrect.

Source: Google Cloud Documentation

"How Requests are Routed"

App Engine Concepts.

3. Google Cloud Documentation - Deploying a new service or version: "When you deploy a new version

you can choose to either immediately route traffic to it or deploy it without routing traffic and then later assign traffic to it." This confirms that deploying a new version is the first step

followed by traffic management.

Source: Google Cloud Documentation

"Deploying a new service or version"

App Engine standard environment for Python 3 docs.

This solution correctly uses OS Login, which is the recommended Google Cloud feature for managing instance access at scale. By having users add their public SSH keys to their own Google accounts, management is decentralized to the user. Access control is then centralized and managed efficiently using IAM roles assigned to a Google Group. Granting the roles/compute.osAdminLogin role to the group provides the necessary administrative (sudo) privileges. This approach is operationally efficient, as adding or removing users from the group automatically updates their access across all project instances. Crucially, OS Login creates a clear audit trail by linking the Linux user on the instance to the user's Google identity, fulfilling the security team's requirement.

A. Sharing a single private key is a major security anti-pattern. It makes auditing impossible as you cannot trace actions back to an individual user.

B. This manual approach is not operationally efficient for a large number of instances. It requires constant updates and re-deployments using a configuration tool whenever team membership changes.

D. This option suffers from the same critical flaw as option A. Sharing a private key, even at the project level, prevents individual user auditing and is insecure.

1. Google Cloud Documentation

"About OS Login": "OS Login lets you use Compute Engine IAM roles to grant SSH access to your Linux instances... OS Login simplifies SSH access management by linking your Linux user account to your Google identity. Administrators can easily manage access to instances by setting IAM permissions at an instance or project level." This supports the core concept of using IAM for SSH management.

2. Google Cloud Documentation

"Set up OS Login": Under the section "Grant OS Login IAM roles to a user

" it states: "To grant a user the ability to connect to VMs that have OS Login enabled

grant the user the necessary IAM roles... Grant the roles/compute.osAdminLogin role

which grants administrator permissions." This confirms that option C provides the required administrative access.

3. Google Cloud Documentation

"Managing instance access using OS Login": "When you use OS Login

the service configures the VM with the SSH public keys associated with the user's Google account... When a user is removed from a Google Group

they lose the IAM roles associated with that group." This highlights the operational efficiency of using Google Groups.

4. Google Cloud Documentation

"Managing SSH keys in metadata": "When you manage access to instances by using metadata-based SSH keys

you are responsible for creating users and managing SSH public keys on your instances... For improved access management

we recommend using OS Login." This reference explicitly contrasts the less efficient method (similar to options B and D) with the recommended OS Login approach.

The requirement is to run a single application with high memory (32 GB) and low CPU needs while minimizing cost. Google Compute Engine is the appropriate service for running a custom application on a virtual machine. The most cost-effective way to meet these specific, unbalanced resource requirements is by creating a custom machine type. This allows you to independently configure the vCPU count and memory. By selecting a low vCPU count (e.g., 2 vCPUs) and specifying 32 GB of extended memory, you can precisely match the application's needs without paying for unused CPU resources, thus minimizing cost.

A. Cloud Memorystore is a managed in-memory data store, not a compute service. It cannot execute the HTTP reverse proxy application itself; it can only act as a caching backend.

C. Using Kubernetes Engine with a large n1-standard-32 node is excessive for a single, low-CPU proxy. This approach introduces unnecessary cost and management overhead for a non-container-orchestration workload.

D. This option confuses an in-memory cache (RAM) with disk storage (SSD). An SSD is significantly slower than RAM and fails to meet the "in-memory" requirement for a latency-sensitive application.

1. Google Cloud Documentation - Compute Engine - Creating a VM instance with a custom machine type: "Custom machine types are ideal for workloads that require more processing power or more memory

but don't need all of the upgrades that are provided by a predefined machine type... If you need to optimize for cost

custom machine types can help you reduce your costs by letting you choose the number of vCPUs and the amount of memory that your instance needs." This directly supports using a custom instance for cost-effective

specific resource allocation.

Source: Google Cloud Documentation

"Creating a VM instance with a custom machine type"

Section: "Before you begin".

2. Google Cloud Documentation - Compute Engine - Custom machine types with extended memory: "If your VM requires more memory than the default amount offered for a machine type

you can use extended memory... Extended memory is useful for workloads... that benefit from large amounts of memory but are not CPU-intensive." This confirms the feasibility and intended use case for a low-CPU

high-memory configuration.

Source: Google Cloud Documentation

"Creating a VM instance with a custom machine type"

Section: "Custom machine types with extended memory".

3. Google Cloud Documentation - Cloud Memorystore for Redis - Overview: "Cloud Memorystore for Redis provides a fully-managed service that is powered by the Redis in-memory data store to build application caches..." This reference clarifies that Memorystore is a managed data store service

not a general-purpose compute environment for running applications like a proxy.

Source: Google Cloud Documentation

"Cloud Memorystore for Redis - Overview".

4. Google Cloud Documentation - Persistent Disk - Overview: "Persistent Disk is a durable and high-performance block storage service for Google Cloud." This distinguishes persistent disk (SSD or HDD) from RAM (memory)

highlighting why it's unsuitable for an in-memory cache.

Source: Google Cloud Documentation

"Persistent Disk - Overview".

The described failure, where a Managed Instance Group (MIG) cannot create new instances, is commonly caused by a resource name conflict. This occurs when the MIG attempts to create a new instance with a name that is already in use by an existing persistent disk, often an orphaned disk from a previously deleted instance.

The most comprehensive solution involves three steps:

1. Verify: Confirm the instance template has valid syntax, as an invalid template will also cause creation failures.

2. Remediate: Delete the conflicting persistent disk(s) to unblock the immediate creation of the new instance.

3. Prevent: Modify the instance template to set the disks.autoDelete property to true. This ensures that when an instance is deleted in the future, its boot disk is also deleted, preventing the issue from recurring. This requires creating a new template and updating the MIG.

Option C correctly incorporates all three of these critical steps, providing a complete and robust solution.

A. This option is a plausible but incomplete solution. While creating a valid template and deleting conflicting disks will resolve the immediate issue, it fails to address the root cause, leaving the MIG vulnerable to the same failure in the future.

B. This option is based on a flawed premise. For MIGs, instance names are generated automatically at runtime and are not specified within the instance template. Therefore, a name conflict cannot be identified by comparing values within the template.

D. This option suggests deleting the current instance template, which is an improper and often impossible action if the template is in use by a MIG. The correct procedure is to create a new template and perform a rolling update.

1. Google Cloud Documentation - Troubleshooting managed instance groups: Under the section "The group cannot create an instance

" the documentation identifies a key cause: "There is a persistent disk that has the same name as the instance that the MIG is trying to create." It then provides the solution: "To resolve this issue

delete the persistent disk that is blocking the instance creation. To prevent this from happening in the future

configure your boot disks to be auto-deleted when their instances are deleted." This directly supports the actions in option C.

2. Google Cloud Documentation - Setting the auto-delete state for a disk: "By default

when you delete a virtual machine (VM) instance

the boot disk for that VM is also deleted. Conversely

by default

when you delete a VM

any attached non-boot disks are detached and are not deleted... You can change this behavior by setting the auto-delete state for the disk." This explains the autoDelete property mentioned in option C.

3. Google Cloud Documentation - Creating instance templates: This document details the properties of an instance template

including the autoDelete flag for disks (--boot-disk-auto-delete for the gcloud CLI)

confirming how the preventative step in option C is implemented.

The most direct and efficient method to consolidate costs onto a single invoice is to link all projects to a single Cloud Billing account. A billing account can be associated with projects from different organizations. This action requires the necessary IAM permissions (Project Billing Manager on the projects and Billing Account User on the target billing account) but does not necessitate a complex and time-consuming migration of projects between organizations. This approach directly addresses the requirement of a single invoice and can be implemented quickly, meeting the "as of tomorrow" timeline.

B. This consolidates billing data for analysis in BigQuery but does not consolidate the invoicing. Each billing account would still generate a separate invoice from Google.

C. Migrating hundreds of projects between organizations is a complex, lengthy process that is not required to consolidate billing and cannot realistically be completed "as of tomorrow."

D. This is the most disruptive option, requiring the migration of all projects from both companies into a new organization. It is unnecessarily complex and time-consuming for the stated goal.

1. Google Cloud Documentation

"Modify a project's billing account": This document states

"You can change the Cloud Billing account that is linked to a project." It also details the required permissions

which do not depend on the project and billing account being in the same organization. This directly supports the feasibility and correctness of option A.

Source: Google Cloud Documentation > Cloud Billing > Docs > Guides > Modify a project's billing account.

2. Google Cloud Documentation

"Overview of Cloud Billing concepts": This guide explains the relationship between projects

organizations

and billing accounts. It clarifies that "A Cloud Billing account can be linked to one or more projects" and does not state a restriction that they must reside in the same organization.

Source: Google Cloud Documentation > Cloud Billing > Docs > Concepts > Overview of Cloud Billing concepts > "Relationships between organizations

projects

and Cloud Billing accounts".

3. Google Cloud Documentation

"Migrating projects": This page describes the process of moving a project between organizations. It outlines a multi-step process involving permission setup and policy evaluation

indicating that migrating hundreds of projects is a significant undertaking

making options C and D impractical for a next-day deadline.

Source: Google Cloud Documentation > Resource Manager > Docs > Migrating projects.

4. Google Cloud Documentation

"Set up Cloud Billing data export to BigQuery": This document explains that exporting billing data is for "detailed analysis of your Google Cloud costs." It does not mention invoice consolidation

confirming that option B addresses data analysis

not the generation of a single invoice.

Source: Google Cloud Documentation > Cloud Billing > Docs > How-to > Set up Cloud Billing data export to BigQuery.

For a custom Identity and Access Management (IAM) role to be suitable for production, it must only contain permissions with the SUPPORTED support level. Permissions marked as TESTING are for pre-release services and are not stable for production use. To communicate the status of a new role that is undergoing initial development and testing, the ALPHA launch stage is the most appropriate. This stage clearly indicates to the organization that the role is in its earliest phase and not yet finalized, fulfilling the requirement to share its status.

B: While using 'supported' permissions is correct, the 'BETA' stage implies a more mature, widely tested role. 'ALPHA' is the more accurate stage for a brand new, first-version role under initial testing.

C: Using 'testing' level permissions is incorrect. The official documentation explicitly warns against using these permissions in production environments as they are subject to change without notice.

D: This option is incorrect for two reasons: 'testing' level permissions are not suitable for production, and the 'BETA' stage is less appropriate than 'ALPHA' for a brand new role.

1. Google Cloud Documentation

IAM

Understanding custom roles

"Permissions support levels": "Each permission has one of the following support levels... SUPPORTED: This permission is fully supported... You can use these permissions in custom roles for production environments." and "TESTING: This permission is for use with Google Cloud services or features that are not yet generally available... Do not use these permissions in custom roles for production environments."

2. Google Cloud Documentation

IAM

Understanding custom roles

"Custom role launch stages": "Each custom role has a launch stage

which is stored in the stage property of the role... ALPHA: The role is in early development. It might not be feature-complete

and it might change in backward-incompatible ways." This source confirms that ALPHA is the correct stage for a role in its initial testing phase.

3. Google Cloud Documentation

IAM

Creating and managing custom roles: This page details the process of creating a custom role

including setting the --stage flag to values like ALPHA

BETA

or GA

reinforcing that the stage is a key property to be set during creation to communicate its lifecycle status.

The principle of least privilege dictates granting only the permissions necessary to perform a task. The support team needs to monitor the environment, not access its data. The roles/monitoring.viewer predefined role provides read-only access to Cloud Monitoring services, which includes viewing metrics, logs, and dashboards for Cloud Spanner performance. This role grants the required monitoring capabilities without providing any permissions to read or modify the data stored within the Spanner tables, perfectly aligning with the stated requirements and Google's recommended practices for security.

B. Add the support team group to the roles/spanner.databaseUser role.

This role grants permissions to read and write data in the database, which directly violates the requirement that the support team cannot access table data.

C. Add the support team group to the roles/spanner.databaseReader role.

This role grants permissions to read data and schema from the database, which is explicitly forbidden by the scenario's constraints.

D. Add the support team group to the roles/stackdriver.accounts.viewer role.

This is a legacy role for viewing Stackdriver Workspaces, not the standard, project-scoped role for viewing monitoring data. The correct modern role is roles/monitoring.viewer.

1. Google Cloud Documentation

"Access control for Cloud Monitoring": The "Monitoring Viewer" (roles/monitoring.viewer) role is described as providing permissions to "View Monitoring data and configurations." This does not include data access permissions for other services like Cloud Spanner.

Source: Google Cloud Documentation

Cloud Monitoring > Access control > Predefined roles.

2. Google Cloud Documentation

"Cloud Spanner access control with IAM": This document details the Spanner-specific roles. It explicitly states that roles/spanner.databaseReader grants spanner.databases.select permission

and roles/spanner.databaseUser grants spanner.databases.select and spanner.databases.update permissions

both of which allow access to table data.

Source: Google Cloud Documentation

Cloud Spanner > Security > Access control with IAM > Predefined roles for Cloud Spanner.

3. Google Cloud Documentation

"IAM recommendations": Google's best practices emphasize using the principle of least privilege. The documentation states

"When you grant roles

grant the least permissive roles that meet the needs of your principals." Granting a monitoring role instead of a data access role is a direct application of this principle.

Source: Google Cloud Documentation

Identity and Access Management > Documentation > Best practices for using IAM > Grant least privilege.

To create a budget for a specific project and service, you must have appropriate permissions on the parent billing account. The Billing Account Administrator or Billing Account Costs Manager roles are required. Among the choices, "project billing administrator" is the most plausible option indicating the necessary billing-related permissions, as project-level roles like Project Administrator are insufficient. The process involves navigating to the billing account, creating a budget, and then applying two filters: scoping the budget to the single, specific project and filtering costs to only include those from the Compute Engine service. Standard alert thresholds are configured as part of this process.

B: The term "custom alert" is imprecise. Standard budget functionality includes setting alert thresholds for email notifications. While programmatic notifications exist, the general requirement is met by creating a standard budget alert, not necessarily a "custom" one.

C: The Project Administrator role does not grant permissions to create or manage budgets on a billing account. This action also omits the critical requirement of setting an "alert," which is explicitly requested in the prompt.

D: This option is incorrect for two reasons: the Project Administrator role is insufficient for creating budgets, and the term "custom alert" is less accurate than the standard "alert" configured during budget creation.

1. Google Cloud Documentation - Create

edit

or delete budgets and budget alerts:

Reference: Under the "Permissions required to manage budgets" section

it states

"To create or own a budget for a Cloud Billing account

you need a role that includes the permission billing.budgets.create... By default

the Billing Account Administrator ( roles/billing.admin) and Billing Account Costs Manager (roles/billing.costsManager) roles have this permission." This confirms that a billing-specific role is required

invalidating options C and D.

Reference: The step-by-step guide for creating a budget shows that you first select the billing account

then scope the budget to projects

and filter by services like Compute Engine. It also details setting "Alert threshold rules

" which corresponds to the "alert" in option A.

2. Google Cloud Documentation - Overview of Cloud Billing access control:

Reference: The table describing billing roles clearly distinguishes between project-level roles and billing account-level roles. It shows that roles/billing.admin and roles/billing.costsManager are for managing billing account resources like budgets

while a role like Project Owner (roles/owner) does not inherently include these permissions. This further invalidates the roles mentioned in options C and D.

The most direct and secure method that follows Google-recommended practices is to grant the specific identity of the Compute Engine VM the precise permissions it needs on the target resource. The VM's identity is its attached service account. The required action is to create objects in a Cloud Storage bucket. The roles/storage.objectCreator IAM role grants exactly this permission (storage.objects.create) without providing excessive privileges like reading or deleting objects. By applying this role directly to the service account on the target bucket (corp-aggregate-reports-storage), you adhere to the principle of least privilege for cross-project resource access.

A. Moving projects into the same folder is an organizational action and does not grant IAM permissions between resources in those projects.

C. Shared VPC concerns network connectivity, which is irrelevant for accessing the global Cloud Storage API. Permissions must be granted on the target bucket, not the source project.

D. Making a bucket public is a severe security risk and directly contradicts the principle of least privilege. It is not a recommended practice for this type of controlled access.

1. Service Accounts as Principals: Official Google Cloud documentation states that a service account is a principal that can be granted access to resources. A Compute Engine instance uses its service account as its identity to call Google Cloud APIs.

Source: Google Cloud Documentation

"Service accounts

" Section: "Service account overview."

2. Cross-Project Resource Access: To allow a service account in one project to access a resource in another

you add the service account as a principal in the IAM policy of the resource in the second project.

Source: Google Cloud Documentation

"Granting roles to service accounts

" Section: "Granting a service account access to a resource in a different project."

3. IAM for Cloud Storage: Access control for Cloud Storage buckets is managed through IAM policies. To grant access

you assign a role to a principal on the specific bucket.

Source: Google Cloud Documentation

"Use IAM with buckets

" Section: "Overview."

4. Storage Object Creator Role: The predefined IAM role roles/storage.objectCreator grants only the storage.objects.create permission

allowing a principal to create objects without being able to view

overwrite

or delete them. This aligns with the principle of least privilege.

Source: Google Cloud Documentation

"IAM roles for Cloud Storage

" Section: "Predefined roles

" under the role Storage Object Creator.

This solution adheres to the principle of least privilege, a core Google-recommended security practice. The DevOps team requires access only to the production project, so permissions must be scoped at the project level, not the organization level. Using a custom role is essential because, unlike predefined roles (e.g., Project Editor), its permissions are explicitly defined by the user and are not automatically updated by Google. This directly fulfills the requirement to prevent future Google Cloud product changes from unintentionally broadening the team's permissions, ensuring a stable and secure access control model.

A. Incorrect. The Editor role is overly permissive, and granting it at the organization level provides unnecessary access to all projects, violating the principle of least privilege.

B. Incorrect. The basic Editor role is too broad. Its permissions are managed by Google and can change, which contradicts the requirement to prevent permission broadening.

D. Incorrect. Granting any role at the organization level is the wrong scope. The team only needs access to the specific production project, not all projects within the organization.

1. Google Cloud Documentation

IAM

"Understanding custom roles": In the section "Custom role maintenance

" it states

"You are responsible for maintaining your custom roles. When Google Cloud adds new features or services

your custom roles will not be updated automatically." This directly supports using a custom role to prevent permission broadening.

2. Google Cloud Documentation

IAM

"Best practices for using IAM": Under the section "Apply the principle of least privilege

" the documentation advises to "grant roles at the smallest scope necessary" and to "Be careful when granting the basic roles... It is a best practice to grant the most limited predefined roles or create custom roles that meet your specific needs." This supports both scoping to the project (C) and using a custom role over a basic one (B).

3. Google Cloud Documentation

IAM

"Basic and predefined roles reference": The description for the Editor role (roles/editor) states it contains permissions to "create and delete resources for most Google Cloud services." This highlights its overly permissive nature

making it unsuitable when following the principle of least privilege.

In Google Cloud, a Virtual Private Cloud (VPC) subnet is defined by a primary IPv4 range in CIDR notation. The size of the range is determined by the prefix length (the number after the /). A smaller prefix number indicates a larger IP address range. The largest permissible subnet range in Google Cloud VPC is one with a /8 prefix. The range 10.0.0.0/8 provides 2^(32-8) = 16,777,216 addresses, which is the maximum possible for a single subnet, making it the correct choice for the largest possible range.

A. 0.0.0.0/0 is not a valid range for a subnet. This CIDR block represents all IP addresses and is used in routing tables to define a default route, typically to the internet.

C. 172.16.0.0/12 is a valid subnet range, but it is smaller than a /8 range, providing only 2^(32-12) = 1,048,576 addresses.

D. 192.168.0.0/16 is also a valid subnet range, but it is significantly smaller than a /8 range, providing only 2^(32-16) = 65,536 addresses.

1. Google Cloud Documentation - VPC network overview: "Each subnet is associated with a single region and must have at least one primary IPv4 address range." This document establishes the fundamental relationship between VPCs and subnets.

Source: Google Cloud Documentation

"VPC network overview"

Section: "Networks and subnets".

2. Google Cloud Documentation - Subnets: "The prefix length for a primary IPv4 subnet range cannot be smaller than /8." A smaller prefix length number corresponds to a larger IP address block

confirming that /8 is the largest size allowed.

Source: Google Cloud Documentation

"Subnets"

Section: "Subnet ranges"

Subsection: "Valid ranges".

3. Google Cloud SDK Documentation - gcloud compute networks subnets create: The command-line interface documentation explicitly states the constraints on subnet creation: "The prefix length must be between 8 and 29

inclusive." This confirms that /8 is the minimum valid prefix length

which corresponds to the maximum range size.

Source: Google Cloud SDK Documentation

gcloud compute networks subnets create

Argument: --range.

4. IETF RFC 1918 - Address Allocation for Private Internets: This document defines the private IPv4 address spaces

which include 10.0.0.0/8

172.16.0.0/12

and 192.168.0.0/16. While all are valid private ranges

Google Cloud's implementation limits the maximum subnet size to /8.

Source: IETF RFC 1918

Section 3: "Private Address Space".

BigQuery's on-demand pricing model charges for the number of bytes read (processed) by a query, not the amount of data returned. The most effective way to estimate this cost without incurring any charges is to perform a dry run. The bq query --dryrun command-line flag or the query validator in the Google Cloud Console simulates the query execution. It validates the query and returns an estimate of the total bytes that will be processed. This byte estimate can then be entered into the Google Cloud Pricing Calculator to determine the monetary cost before you execute the actual query.

A. Switching pricing models is a commitment for managing overall costs, not a method for estimating the cost of a single on-demand query.

C. On-demand pricing is based on the volume of data read from the tables, not the volume of data returned to the user.

D. Running SELECT COUNT() is a billable query that processes data and provides a row count, not the byte-based estimate needed for cost calculation.

1. Google Cloud Documentation - BigQuery pricing

"Query pricing models": "On-demand pricing is based on the amount of data processed by your queries... You are charged for the number of bytes processed (also referred to as bytes read)." This confirms the pricing metric is bytes read.

2. Google Cloud Documentation - "Estimate query costs": "You can estimate the cost of a query before you run it. To estimate query costs

you can use: The query validator in the Google Cloud console... The --dryrun flag in the bq command-line tool... When you use one of these options

BigQuery returns an estimate of the number of bytes that the query will read." This directly supports using a dry run to estimate bytes read.

3. Google Cloud Documentation - bq command-line tool reference

"bq query": Describes the --dryrun flag: "If set

the query is not executed. Instead

a server-side analysis is performed to determine query statistics

such as the total bytes that are processed." This confirms the function of the command-line tool option.

Connecting to a Windows Server instance on Google Compute Engine requires three key steps performed in the most efficient sequence. First, you must create credentials by setting a Windows username and password through the Google Cloud Console. Second, you must ensure network connectivity by verifying that a firewall rule exists to allow ingress traffic on TCP port 3389, which is the standard for the Remote Desktop Protocol (RDP). Finally, the method with the fewest steps is to click the integrated "RDP" button in the Cloud Console for the specific instance, which simplifies the connection process, and then supply the credentials you created.

A: This option is incomplete. While an RDP client and firewall rule are necessary, it omits the essential step of creating a password to authenticate to the instance.

B: This method is less efficient. Manually configuring a separate RDP client involves more steps than using the streamlined "RDP" button provided in the Google Cloud Console.

C: This option is incorrect because it specifies verifying a firewall rule for port 22. Port 22 is used for SSH connections to Linux instances, not for RDP connections to Windows instances.

1. Google Cloud Documentation

Compute Engine

"Connect to Windows VMs": This document outlines the standard procedure. It states

"Before you can connect to a Windows VM

you must create a password for it." It then details using the "Set Windows password" button in the console. The document also confirms the use of the "RDP" button for the connection itself. (See section: "Connecting to Windows VMs using the Google Cloud console").

2. Google Cloud Documentation

VPC network

"Use VPC firewall rules": This page describes the default-allow-rdp rule that is automatically created for new VPC networks. It specifies

"This rule allows RDP connections from any source to any VM instance in the network on TCP port 3389." This confirms the port number and the firewall requirement. (See section: "Pre-populated rules in the default network").

3. Google Cloud Documentation

Compute Engine

"Creating and resetting Windows passwords": This guide explicitly details the process of using the Google Cloud Console to generate the necessary credentials for a Windows instance

which is a prerequisite for logging in via RDP. (See section: "Create a password for a new VM").

Creating a snapshot schedule is the official, Google-recommended method for automating backups of Compute Engine persistent disks. This managed service directly addresses all the requirements: it can be configured to create snapshots at regular intervals, it includes a retention policy to automatically delete older backups to control costs, and snapshots provide the fastest method for restoring a disk's data. This approach is more robust, manageable, and less error-prone than custom scripting solutions.

A. An instance template is a blueprint for creating new virtual machine instances; it does not back up the data of an existing, running workload.

C. Using a cron job with gcloud is a manual, self-managed solution that lacks the built-in retention policies and reliability of the managed snapshot schedule service.

D. Exporting an image to Cloud Storage is a valid backup method, but restoring from it is a multi-step process (import image, then create disk) which is slower than creating a disk directly from a snapshot.

1. Google Cloud Documentation - Create scheduled snapshots for persistent disk: "To back up your persistent disks

Google Cloud recommends that you set up a snapshot schedule. A snapshot schedule is a resource that defines the frequency of snapshot creation

a retention policy

and a location for the snapshots." This page details the creation and management of schedules

including the retention policy for automatic cleanup.

2. Google Cloud Documentation - About disk snapshots: "Use snapshots to back up data from your persistent disks. ... You can use a snapshot to create a new disk that contains the data from the snapshot." This confirms snapshots are the primary backup mechanism and can be used for quick restoration.

3. Google Cloud Documentation - Best practices for Compute Engine disk snapshots: "Automate your snapshot creation process by using snapshot schedules. This is the best practice for backing up your Compute Engine workloads." This explicitly states that using snapshot schedules is the recommended best practice.

The most effective and secure method is to create a Google Group for the external consultants and assign the BigQuery Viewer role to that group. This approach adheres to two key Google-recommended practices: the principle of least privilege and simplified access management. The BigQuery Viewer role grants the necessary read-only access without providing excessive permissions to modify or delete data. Using a Google Group allows for centralized management; access can be granted or revoked for individuals simply by adding or removing them from the group, which is more efficient and less error-prone than managing permissions for each user individually.

A. The BigQuery Editor role grants excessive permissions (create, update, delete), violating the principle of least privilege. Managing individual users is also not a recommended practice.

B. While the BigQuery Viewer role is correct for the required access level, managing permissions for each individual user is inefficient and not a scalable best practice.

C. Using a Google Group is the correct management approach, but the BigQuery Editor role grants excessive permissions, which contradicts the principle of least privilege.

1. Google Cloud Documentation

IAM Best Practices: "Use Google Groups to manage users. We recommend that you use Google Groups to manage users... When a user leaves the team

you can simply remove them from the group. This automatically revokes all of their permissions." This supports using groups for manageability.

Source: Google Cloud Documentation > Identity and Access Management > Documentation > Best practices for using IAM > "Use Google Groups to manage users".

2. Google Cloud Documentation

BigQuery Access Control: The roles/bigquery.dataViewer (BigQuery Data Viewer) role includes permissions to get and list tables and read table data

which aligns with the "view access" requirement. The roles/bigquery.dataEditor (BigQuery Data Editor) role includes permissions to create

update

and delete data

which is excessive.

Source: Google Cloud Documentation > BigQuery > Documentation > Guides > Introduction to IAM in BigQuery > "Predefined roles and permissions".

3. Google Cloud Architecture Framework

Security Pillar: "Apply the principle of least privilege. When you grant permissions to users

groups

and service accounts

grant them the minimal set of permissions that they need to perform their tasks." This supports choosing the Viewer role over the Editor role.

Source: Google Cloud Architecture Framework > Security

privacy

and compliance > Design principles for securing your cloud topology.