All About Best Quality Associate-Cloud-Engineer Exam Answers

NEW QUESTION 1
You built an application on Google Cloud Platform that uses Cloud Spanner. Your support team needs to monitor the environment but should not have access to table data. You need a streamlined solution to grant the correct permissions to your support team, and you want to follow Google-recommended practices. What should you do?

• A. Add the support team group to the roles/monitoring.viewer role
• B. Add the support team group to the roles/spanner.databaseUser role.
• C. Add the support team group to the roles/spanner.databaseReader role.
• D. Add the support team group to the roles/stackdriver.accounts.viewer role.

Answer: B

NEW QUESTION 2
Your company has a Google Cloud Platform project that uses BigQuery for data warehousing. Your data science team changes frequently and has few members. You need to allow members of this team to perform queries. You want to follow Google-recommended practices. What should you do?

• A. 1. Create an IAM entry for each data scientist's user account.2. Assign the BigQuery jobUser role to the group.
• B. 1. Create an IAM entry for each data scientist's user account.2. Assign the BigQuery dataViewer user role to the group.
• C. 1. Create a dedicated Google group in Cloud Identity.2. Add each data scientist's user account to the group.3. Assign the BigQuery jobUser role to the group.
• D. 1. Create a dedicated Google group in Cloud Identity.2. Add each data scientist's user account to the group.3. Assign the BigQuery dataViewer user role to the group.

Answer: D

NEW QUESTION 3
You are running multiple VPC-native Google Kubernetes Engine clusters in the same subnet. The IPs available for the nodes are exhausted, and you want to ensure that the clusters can grow in nodes when needed. What should you do?

• A. Create a new subnet in the same region as the subnet being used.
• B. Add an alias IP range to the subnet used by the GKE clusters.
• C. Create a new VPC, and set up VPC peering with the existing VPC.
• D. Expand the CIDR range of the relevant subnet for the cluster.

Answer: C

Explanation:
To create a VPC peering connection, first create a request to peer with another VPC.

NEW QUESTION 4
You have successfully created a development environment in a project for an application. This application uses Compute Engine and Cloud SQL. Now, you need to create a production environment for this application.
The security team has forbidden the existence of network routes between these 2 environments, and asks you to follow Google-recommended practices. What should you do?

• A. Create a new project, enable the Compute Engine and Cloud SQL APIs in that project, and replicate the setup you have created in the development environment.
• B. Create a new production subnet in the existing VPC and a new production Cloud SQL instance in your existing project, and deploy your application using those resources.
• C. Create a new project, modify your existing VPC to be a Shared VPC, share that VPC with your new project, and replicate the setup you have in the development environment in that new project, in the Shared VPC.
• D. Ask the security team to grant you the Project Editor role in an existing production project used by another division of your compan
• E. Once they grant you that role, replicate the setup you have in the development environment in that project.

Answer: A

NEW QUESTION 5
You want to find out when users were added to Cloud Spanner Identity Access Management (IAM) roles on your Google Cloud Platform (GCP) project. What should you do in the GCP Console?

• A. Open the Cloud Spanner console to review configurations.
• B. Open the IAM & admin console to review IAM policies for Cloud Spanner roles.
• C. Go to the Stackdriver Monitoring console and review information for Cloud Spanner.
• D. Go to the Stackdriver Logging console, review admin activity logs, and filter them for Cloud Spanner IAM roles.

Answer: B

NEW QUESTION 6
Your organization has a dedicated person who creates and manages all service accounts for Google Cloud projects. You need to assign this person the minimum role for projects. What should you do?

• A. Add the user to roles/iam.roleAdmin role.
• B. Add the user to roles/iam.securityAdmin role.
• C. Add the user to roles/iam.serviceAccountUser role.
• D. Add the user to roles/iam.serviceAccountAdmin role.

Answer: C

NEW QUESTION 7
You have an application that uses Cloud Spanner as a database backend to keep current state information about users. Cloud Bigtable logs all events triggered by users. You export Cloud Spanner data to Cloud Storage during daily backups. One of your analysts asks you to join data from Cloud Spanner and Cloud Bigtable for specific users. You want to complete this ad hoc request as efficiently as possible. What should you do?

• A. Create a dataflow job that copies data from Cloud Bigtable and Cloud Storage for specific users.
• B. Create a dataflow job that copies data from Cloud Bigtable and Cloud Spanner for specific users.
• C. Create a Cloud Dataproc cluster that runs a Spark job to extract data from Cloud Bigtable and Cloud Storage for specific users.
• D. Create two separate BigQuery external tables on Cloud Storage and Cloud Bigtabl
• E. Use the BigQuery console to join these tables through user fields, and apply appropriate filters.

Answer: D

NEW QUESTION 8
Your organization uses Active Directory (AD) to manage user identities. Each user uses this identity for federated access to various on-premises systems. Your security team has adopted a policy that requires users to log into Google Cloud with their AD identity instead of their own login. You want to follow the
Google-recommended practices to implement this policy. What should you do?

• A. Sync Identities with Cloud Directory Sync, and then enable SAML for single sign-on
• B. Sync Identities in the Google Admin console, and then enable Oauth for single sign-on
• C. Sync identities with 3rd party LDAP sync, and then copy passwords to allow simplified login with (he same credentials
• D. Sync identities with Cloud Directory Sync, and then copy passwords to allow simplified login with the same credentials.

Answer: A

NEW QUESTION 9
Your finance team wants to view the billing report for your projects. You want to make sure that the finance team does not get additional permissions to the project. What should you do?

• A. Add the group for the finance team to roles/billing user role.
• B. Add the group for the finance team to roles/billing admin role.
• C. Add the group for the finance team to roles/billing viewer role.
• D. Add the group for the finance team to roles/billing project/Manager role.

Answer: A

NEW QUESTION 10
You are asked to set up application performance monitoring on Google Cloud projects A, B, and C as a single pane of glass. You want to monitor CPU, memory, and disk. What should you do?

• A. Enable API and then share charts from project A, B, and C.
• B. Enable API and then give the metrics.reader role to projects A, B, and C.
• C. Enable API and then use default dashboards to view all projects in sequence.
• D. Enable API, create a workspace under project A, and then add project B and C.

Answer: D

NEW QUESTION 11
You need to update a deployment in Deployment Manager without any resource downtime in the deployment. Which command should you use?

• A. gcloud deployment-manager deployments create --config <deployment-config-path>
• B. gcloud deployment-manager deployments update --config <deployment-config-path>
• C. gcloud deployment-manager resources create --config <deployment-config-path>
• D. gcloud deployment-manager resources update --config <deployment-config-path>

Answer: B

NEW QUESTION 12
You have an application running in Google Kubernetes Engine (GKE) with cluster autoscaling enabled. The application exposes a TCP endpoint. There are several replicas of this application. You have a Compute Engine instance in the same region, but in another Virtual Private Cloud (VPC), called gce-network, that has no overlapping IP ranges with the first VPC. This instance needs to connect to the application on GKE. You want to minimize effort. What should you do?

• A. 1. In GKE, create a Service of type LoadBalancer that uses the application's Pods as backend.2. Set the service's externalTrafficPolicy to Cluster.3. Configure the Compute Engine instance to use the address of the load balancer that has been created.
• B. 1. In GKE, create a Service of type NodePort that uses the application's Pods as backend.2. Create a Compute Engine instance called proxy with 2 network interfaces, one in each VPC.3. Use iptables on this instance to forward traffic from gce-network to the GKE nodes.4. Configure the Compute Engine instance to use the address of proxy in gce-network as endpoint.
• C. 1. In GKE, create a Service of type LoadBalancer that uses the application's Pods as backend.2. Add an annotation to this service: cloud.google.com/load-balancer-type: Internal3. Peer the two VPCs together.4. Configure the Compute Engine instance to use the address of the load balancer that has been created.
• D. 1. In GKE, create a Service of type LoadBalancer that uses the application's Pods as backend.2. Add a Cloud Armor Security Policy to the load balancer that whitelists the internal IPs of the MIG's instances.3. Configure the Compute Engine instance to use the address of the load balancer that has been created.

Answer: A

NEW QUESTION 13
You need to reduce GCP service costs for a division of your company using the fewest possible steps. You need to turn off all configured services in an existing GCP project. What should you do?

• A. * 1. Verify that you are assigned the Project Owners IAM role for this project.* 2. Locate the project in the GCP console, click Shut down and then enter the project ID.
• B. * 1. Verify that you are assigned the Project Owners IAM role for this project.* 2. Switch to the project in the GCP console, locate the resources and delete them.
• C. 1. Verify that you are assigned the Organizational Administrator IAM role for this project.* 2. Locate the project in the GCP console, enter the project ID and then click Shut down.
• D. * 1. Verify that you are assigned the Organizational Administrators IAM role for this project.* 2. Switch to the project in the GCP console, locate the resources and delete them.

Answer: C

NEW QUESTION 14
You deployed an LDAP server on Compute Engine that is reachable via TLS through port 636 using UDP. You want to make sure it is reachable by clients over that port. What should you do?

• A. Add the network tag allow-udp-636 to the VM instance running the LDAP server.
• B. Create a route called allow-udp-636 and set the next hop to be the VM instance running the LDAP server.
• C. Add a network tag of your choice to the instanc
• D. Create a firewall rule to allow ingress on UDP port 636 for that network tag.
• E. Add a network tag of your choice to the instance running the LDAP serve
• F. Create a firewall rule to allow egress on UDP port 636 for that network tag.

Answer: C

NEW QUESTION 15
You built an application on your development laptop that uses Google Cloud services. Your application uses Application Default Credentials for authentication and works fine on your development laptop. You want to migrate this application to a Compute Engine virtual machine (VM) and set up authentication using Google- recommended practices and minimal changes. What should you do?

• A. Assign appropriate access for Google services to the service account used by the Compute Engine VM.
• B. Create a service account with appropriate access for Google services, and configure the application to use this account.
• C. Store credentials for service accounts with appropriate access for Google services in a config file, and deploy this config file with your application.
• D. Store credentials for your user account with appropriate access for Google services in a config file, and deploy this config file with your application.

Answer: B

NEW QUESTION 16
You need to produce a list of the enabled Google Cloud Platform APIs for a GCP project using the gcloud command line in the Cloud Shell. The project name is my-project. What should you do?

• A. Run gcloud projects list to get the project ID, and then run gcloud services list --project <project ID>.
• B. Run gcloud init to set the current project to my-project, and then run gcloud services list --available.
• C. Run gcloud info to view the account value, and then run gcloud services list --account <Account>.
• D. Run gcloud projects describe <project ID> to verify the project value, and then run gcloud services list--available.

Answer: A

NEW QUESTION 17
You are building an application that processes data files uploaded from thousands of suppliers. Your primary goals for the application are data security and the expiration of aged data. You need to design the application to:
•Restrict access so that suppliers can access only their own data.
•Give suppliers write access to data only for 30 minutes.
•Delete data that is over 45 days old.
You have a very short development cycle, and you need to make sure that the application requires minimal maintenance. Which two strategies should you use? (Choose two.)

• A. Build a lifecycle policy to delete Cloud Storage objects after 45 days.
• B. Use signed URLs to allow suppliers limited time access to store their objects.
• C. Set up an SFTP server for your application, and create a separate user for each supplier.
• D. Build a Cloud function that triggers a timer of 45 days to delete objects that have expired.
• E. Develop a script that loops through all Cloud Storage buckets and deletes any buckets that are older than 45 days.

Answer: AE

NEW QUESTION 18
......