Practice Free Associate Cloud Engineer Exam Online Questions
You need to deploy an application in Google Cloud using serverless technology. You want to test a new version of the application with a small percentage of production traffic.
What should you do?
- A . Deploy the application to Cloud Run. Use gradual rollouts for traffic splitting.
- B . Deploy the application to Google Kubernetes Engine. Use Anthos Service Mesh for traffic splitting.
- C . Deploy the application to Cloud Functions. Specify the version number in the functions name.
- D . Deploy the application to App Engine. For each new version, create a new service.
You need to immediately change the storage class of an existing Google Cloud bucket. You need to reduce service cost for infrequently accessed files stored in that bucket and for all files that will be added to that bucket in the future.
What should you do?
- A . Use gsutil to rewrite the storage class for the bucket. Change the default storage class for the bucket.
- B . Use gsutil to rewrite the storage class for the bucket. Set up Object Lifecycle management on the bucket.
- C . Create a new bucket and change the default storage class for the bucket. Set up Object Lifecycle management on the bucket.
- D . Create a new bucket and change the default storage class for the bucket. Import the files from the previous bucket into the new bucket.
You created a Kubernetes deployment by running kubectl run nginx --image=nginx --labels=app=prod. Your Kubernetes cluster is also used by a number of other deployments.
How can you find the identifier of the pods for this nginx deployment?
- A . kubectl get deployments --output=pods
- B . gcloud get pods --selector="app=prod"
- C . kubectl get pods -l "app=prod"
- D . gcloud list gke-deployments -filter={pod }
C
Explanation:
This command correctly lists pods that have the label app=prod. When creating the deployment, we used the label app=prod, so listing pods that have this label retrieves the pods belonging to the nginx deployment. You can list pods by using the Kubernetes CLI command kubectl get pods.
Ref: https://kubernetes.io/docs/tasks/access-application-cluster/list-all-running-container-images/
Ref: https://kubernetes.io/docs/tasks/access-application-cluster/list-all-running-container-images/#list-containers-filtering-by-pod-label
Configure your email address in the notification channel.
Explanation:
Specifying conditions for alerting policies: This page describes how to specify conditions for alerting policies. The conditions for an alerting policy define what is monitored and when to trigger an alert. For example, suppose you want to define an alerting policy that emails you if the CPU utilization of a Compute Engine VM instance is above 80% for more than 3 minutes. You use the conditions dialog to specify that you want to monitor the CPU utilization of a Compute Engine VM instance, and that you want an alerting policy to trigger when that utilization is above 80% for 3 minutes.
https://cloud.google.com/monitoring/alerts/ui-conditions-ga
https://cloud.google.com/monitoring/alerts/using-alerting-ui
https://cloud.google.com/monitoring/support/notification-options
A colleague handed over a Google Cloud project for you to maintain. As part of a security checkup, you want to review who has been granted the Project Owner role.
What should you do?
- A . In the Google Cloud console, validate which SSH keys have been stored as project-wide keys.
- B . Navigate to Identity-Aware Proxy and check the permissions for these resources.
- C . Enable Audit logs on the IAM & admin page for all resources, and validate the results.
- D . Use the gcloud projects get-iam-policy command to view the current role assignments.
D
Explanation:
The gcloud projects get-iam-policy command displays the IAM policy for a project, which includes the roles and members assigned to those roles. The Project Owner role grants full access to all resources and actions in the project. By using this command, you can review who has been granted this role and make any necessary changes.
Reference:
1: Associate Cloud Engineer Certification Exam Guide | Learn – Google Cloud
2: gcloud projects get-iam-policy | Cloud SDK Documentation | Google Cloud
3: Understanding roles | Cloud IAM Documentation | Google Cloud
You deployed an LDAP server on Compute Engine that is reachable via TLS through port 636 using UDP. You want to make sure it is reachable by clients over that port.
What should you do?
- A . Add the network tag allow-udp-636 to the VM instance running the LDAP server.
- B . Create a route called allow-udp-636 and set the next hop to be the VM instance running the LDAP server.
- C . Add a network tag of your choice to the instance. Create a firewall rule to allow ingress on UDP port 636 for that network tag.
- D . Add a network tag of your choice to the instance running the LDAP server. Create a firewall rule to allow egress on UDP port 636 for that network tag.
C
Explanation:
A tag is simply a character string added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or instance templates. A tag is not a separate resource, so you cannot create it separately. All resources with that string are considered to have that tag. Tags enable you to make firewall rules and routes applicable to specific VM instances.
Your continuous integration and delivery (CI/CD) server can’t execute Google Cloud actions in a specific project because of permission issues. You need to validate whether the used service account has the appropriate roles in the specific project.
What should you do?
- A . Open the Google Cloud console, and run a query to determine which resources this service account can access.
- B . Open the Google Cloud console, and run a query of the audit logs to find permission denied errors for this service account.
- C . Open the Google Cloud console, and check the organization policies.
- D . Open the Google Cloud console, and check the Identity and Access Management (IAM) roles assigned to the service account at the project or inherited from the folder or organization levels.
D
Explanation:
This answer is the most effective way to validate whether the service account used by the CI/CD server has the appropriate roles in the specific project. By checking the IAM roles assigned to the service account, you can see which permissions the service account has and which resources it can access. You can also check if the service account inherits any roles from the folder or organization levels, which may affect its access to the project. You can use the Google Cloud console, the gcloud command-line tool, or the IAM API to view the IAM roles of a service account.
Every employee of your company has a Google account. Your operational team needs to manage a large number of instances on Compute Engine. Each member of this team needs only administrative access to the servers. Your security team wants to ensure that the deployment of credentials is operationally efficient and must be able to determine who accessed a given instance.
What should you do?
- A . Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key in the metadata of each instance.
- B . Ask each member of the team to generate a new SSH key pair and to send you their public key. Use a configuration management tool to deploy those keys on each instance.
- C . Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the "compute.osAdminLogin" role to the Google group corresponding to this team.
- D . Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key as a project-wide public SSH key in your Cloud Platform project and allow project-wide public SSH keys on each instance.
C
Explanation:
https://cloud.google.com/compute/docs/instances/managing-instance-access