How Many Questions Of Associate-Cloud-Engineer Dumps Questions

NEW QUESTION 1
Your company uses a large number of Google Cloud services centralized in a single project. All teams have specific projects for testing and development. The DevOps team needs access to all of the production services in order to perform their job. You want to prevent Google Cloud product changes from broadening their permissions in the future. You want to follow Google-recommended practices. What should you do?

• A. Grant all members of the DevOps team the role of Project Editor on the organization level.
• B. Grant all members of the DevOps team the role of Project Editor on the production project.
• C. Create a custom role that combines the required permission
• D. Grant the DevOps team the custom role on the production project.
• E. Create a custom role that combines the required permission
• F. Grant the DevOps team the custom role on the organization level.

Answer: C

Explanation:
Understanding IAM custom roles
Key Point: Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions.
Basic concepts
Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, your custom roles will not be updated automatically.
When you create a custom role, you must choose an organization or project to create it in. You can then grant the custom role on the organization or project, as well as any resources within that organization or project.
https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts

NEW QUESTION 2
You have an application that receives SSL-encrypted TCP traffic on port 443. Clients for this application are located all over the world. You want to minimize latency for the clients. Which load balancing option should you use?

• A. HTTPS Load Balancer
• B. Network Load Balancer
• C. SSL Proxy Load Balancer
• D. Internal TCP/UDP Load Balance
• E. Add a firewall rule allowing ingress traffic from 0.0.0.0/0 on the target instances.

Answer: C

NEW QUESTION 3
You need to provide a cost estimate for a Kubernetes cluster using the GCP pricing calculator for Kubernetes. Your workload requires high IOPs, and you will also be using disk snapshots. You start by entering the number of nodes, average hours, and average days. What should you do next?

• A. Fill in local SS
• B. Fill in persistent disk storage and snapshot storage.
• C. Fill in local SS
• D. Add estimated cost for cluster management.
• E. Select Add GPU
• F. Fill in persistent disk storage and snapshot storage.
• G. Select Add GPU
• H. Add estimated cost for cluster management.

Answer: A

Explanation:
https://cloud.google.com/compute/docs/disks/local-ssd

NEW QUESTION 4
Your company uses Cloud Storage to store application backup files for disaster recovery purposes. You want to follow Google’s recommended practices. Which storage option should you use?

• A. Multi-Regional Storage
• B. Regional Storage
• C. Nearline Storage
• D. Coldline Storage

Answer: D

NEW QUESTION 5
You need to verify that a Google Cloud Platform service account was created at a particular time. What should you do?

• A. Filter the Activity log to view the Configuration categor
• B. Filter the Resource type to Service Account.
• C. Filter the Activity log to view the Configuration categor
• D. Filter the Resource type to Google Project.
• E. Filter the Activity log to view the Data Access categor
• F. Filter the Resource type to Service Account.
• G. Filter the Activity log to view the Data Access categor
• H. Filter the Resource type to Google Project.

Answer: A

Explanation:
https://developers.google.com/cloud-search/docs/guides/audit-logging-manual

NEW QUESTION 6
You need to manage multiple Google Cloud Platform (GCP) projects in the fewest steps possible. You want to configure the Google Cloud SDK command line interface (CLI) so that you can easily manage multiple GCP projects. What should you?

• A. * 1. Create a configuration for each project you need to manage.* 2. Activate the appropriate configuration when you work with each of your assigned GCP projects.
• B. * 1. Create a configuration for each project you need to manage.* 2. Use gcloud init to update the configuration values when you need to work with a non-default project
• C. * 1. Use the default configuration for one project you need to manage.* 2. Activate the appropriate configuration when you work with each of your assigned GCP projects.
• D. * 1. Use the default configuration for one project you need to manage.* 2. Use gcloud init to update the configuration values when you need to work with a non-default project.

Answer: A

Explanation:
https://cloud.google.com/sdk/gcloud https://cloud.google.com/sdk/docs/configurations#multiple_configurations

NEW QUESTION 7
Your organization has a dedicated person who creates and manages all service accounts for Google Cloud projects. You need to assign this person the minimum role for projects. What should you do?

• A. Add the user to roles/iam.roleAdmin role.
• B. Add the user to roles/iam.securityAdmin role.
• C. Add the user to roles/iam.serviceAccountUser role.
• D. Add the user to roles/iam.serviceAccountAdmin role.

Answer: D

NEW QUESTION 8
You have a development project with appropriate IAM roles defined. You are creating a production project and want to have the same IAM roles on the new project, using the fewest possible steps. What should you do?

• A. Use gcloud iam roles copy and specify the production project as the destination project.
• B. Use gcloud iam roles copy and specify your organization as the destination organization.
• C. In the Google Cloud Platform Console, use the ‘create role from role’ functionality.
• D. In the Google Cloud Platform Console, use the ‘create role’ functionality and select all applicable permissions.

Answer: A

NEW QUESTION 9
You are about to deploy a new Enterprise Resource Planning (ERP) system on Google Cloud. The application holds the full database in-memory for fast data access, and you need to configure the most appropriate resources on Google Cloud for this application. What should you do?

• A. Provision preemptible Compute Engine instances.
• B. Provision Compute Engine instances with GPUs attached.
• C. Provision Compute Engine instances with local SSDs attached.
• D. Provision Compute Engine instances with M1 machine type.

Answer: D

Explanation:
M1 machine series Medium in-memory databases such as SAP HANA Tasks that require intensive use of memory with higher memory-to-vCPU ratios than the general-purpose high-memory machine types.
In-memory databases and in-memory analytics, business warehousing (BW) workloads, genomics analysis, SQL analysis services. Microsoft SQL Server and similar databases.
https://cloud.google.com/compute/docs/machine-types
https://cloud.google.com/compute/docs/machine-types#:~:text=databases%20such%20as-,SAP%20HANA,-In% https://www.sap.com/india/products/hana.html#:~:text=is%20SAP%20HANA-,in%2Dmemory,-database%3F

NEW QUESTION 10
You have a Dockerfile that you need to deploy on Kubernetes Engine. What should you do?

• A. Use kubectl app deploy <dockerfilename>.
• B. Use gcloud app deploy <dockerfilename>.
• C. Create a docker image from the Dockerfile and upload it to Container Registr
• D. Create a Deployment YAML file to point to that imag
• E. Use kubectl to create the deployment with that file.
• F. Create a docker image from the Dockerfile and upload it to Cloud Storag
• G. Create a Deployment YAML file to point to that imag
• H. Use kubectl to create the deployment with that file.

Answer: C

NEW QUESTION 11
Your organization has user identities in Active Directory. Your organization wants to use Active Directory as their source of truth for identities. Your organization wants to have full control over the Google accounts used by employees for all Google services, including your Google Cloud Platform (GCP) organization. What should you do?

• A. Use Google Cloud Directory Sync (GCDS) to synchronize users into Cloud Identity.
• B. Use the cloud Identity APIs and write a script to synchronize users to Cloud Identity.
• C. Export users from Active Directory as a CSV and import them to Cloud Identity via the Admin Console.
• D. Ask each employee to create a Google account using self signu
• E. Require that each employee use their company email address and password.

Answer: A

NEW QUESTION 12
You have one GCP account running in your default region and zone and another account running in a
non-default region and zone. You want to start a new Compute Engine instance in these two Google Cloud Platform accounts using the command line interface. What should you do?

• A. Create two configurations using gcloud config configurations create [NAME]. Run gcloud config configurations activate [NAME] to switch between accounts when running the commands to start the Compute Engine instances.
• B. Create two configurations using gcloud config configurations create [NAME]. Run gcloud configurations list to start the Compute Engine instances.
• C. Activate two configurations using gcloud configurations activate [NAME]. Run gcloud config list to start the Compute Engine instances.
• D. Activate two configurations using gcloud configurations activate [NAME]. Run gcloud configurations list to start the Compute Engine instances.

Answer: A

Explanation:
"Run gcloud configurations list to start the Compute Engine instances". How the heck are you expecting to "start" GCE instances doing "configuration list".
Each gcloud configuration has a 1 to 1 relationship with the region (if a region is defined). Since we have two different regions, we would need to create two separate configurations using gcloud config configurations createRef: https://cloud.google.com/sdk/gcloud/reference/config/configurations/create
Secondly, you can activate each configuration independently by running gcloud config configurations activate [NAME]Ref: https://cloud.google.com/sdk/gcloud/reference/config/configurations/activate
Finally, while each configuration is active, you can run the gcloud compute instances start [NAME] command to start the instance in the configurations region.https://cloud.google.com/sdk/gcloud/reference/compute/instances/start

NEW QUESTION 13
Your application is running on Google Cloud in a managed instance group (MIG). You see errors in Cloud Logging for one VM that one of the processes is not responsive. You want to replace this VM in the MIG quickly. What should you do?

• A. Select the MIG from the Compute Engine console and, in the menu, select Replace VMs.
• B. Use the gcloud compute instance-groups managed recreate-instances command to recreate theVM.
• C. Use the gcloud compute instances update command with a REFRESH action for the VM.
• D. Update and apply the instance template of the MIG.

Answer: A

NEW QUESTION 14
Your finance team wants to view the billing report for your projects. You want to make sure that the finance team does not get additional permissions to the project. What should you do?

• A. Add the group for the finance team to roles/billing user role.
• B. Add the group for the finance team to roles/billing admin role.
• C. Add the group for the finance team to roles/billing viewer role.
• D. Add the group for the finance team to roles/billing project/Manager role.

Answer: C

Explanation:
"Billing Account Viewer access would usually be granted to finance teams, it provides access to spend information, but does not confer the right to link or unlink projects or otherwise manage the properties of the billing account." https://cloud.google.com/billing/docs/how-to/billing-access

NEW QUESTION 15
You have a number of compute instances belonging to an unmanaged instances group. You need to SSH to one of the Compute Engine instances to run an ad hoc script. You’ve already authenticated gcloud, however, you don’t have an SSH key deployed yet. In the fewest steps possible, what’s the easiest way to SSH to the instance?

• A. Run gcloud compute instances list to get the IP address of the instance, then use the ssh command.
• B. Use the gcloud compute ssh command.
• C. Create a key with the ssh-keygen comman
• D. Then use the gcloud compute ssh command.
• E. Create a key with the ssh-keygen comman
• F. Upload the key to the instanc
• G. Run gcloud compute instances list to get the IP address of the instance, then use the ssh command.

Answer: B

Explanation:
gcloud compute ssh ensures that the user’s public SSH key is present in the project’s metadata. If the user does not have a public SSH key, one is generated using ssh-keygen and added to the project’s metadata. This is similar to the other option where we copy the key explicitly to the project’s metadata but here it is done automatically for us. There are also security benefits with this approach. When we use gcloud compute ssh to connect to Linux instances, we are adding a layer of security by storing your host keys as guest attributes. Storing SSH host keys as guest attributes improve the security of your connections by helping to protect against vulnerabilities such as man-in-the-middle (MITM) attacks. On the initial boot of a VM instance, if guest attributes are enabled, Compute Engine stores your generated host keys as guest attributes.
Compute Engine then uses these host keys that were stored during the initial boot to verify all subsequent connections to the VM instance.
Ref: https://cloud.google.com/compute/docs/instances/connecting-to-instanceRef: https://cloud.google.com/s

NEW QUESTION 16
Your company has an existing GCP organization with hundreds of projects and a billing account. Your company recently acquired another company that also has hundreds of projects and its own billing account. You would like to consolidate all GCP costs of both GCP organizations onto a single invoice. You would like to consolidate all costs as of tomorrow. What should you do?

• A. Link the acquired company’s projects to your company's billing account.
• B. Configure the acquired company's billing account and your company's billing account to export the billing data into the same BigQuery dataset.
• C. Migrate the acquired company’s projects into your company’s GCP organizatio
• D. Link the migrated projects to your company's billing account.
• E. Create a new GCP organization and a new billing accoun
• F. Migrate the acquired company's projects and your company's projects into the new GCP organization and link the projects to the new billing account.

Answer: A

Explanation:
https://cloud.google.com/resource-manager/docs/project-migration#oauth_consent_screen https://cloud.google.com/resource-manager/docs/project-migration

NEW QUESTION 17
You recently discovered that your developers are using many service account keys during their development process. While you work on a long term improvement, you need to quickly implement a process to enforce short-lived service account credentials in your company. You have the following requirements:
• All service accounts that require a key should be created in a centralized project called pj-sa.
• Service account keys should only be valid for one day.
You need a Google-recommended solution that minimizes cost. What should you do?

• A. Implement a Cloud Run job to rotate all service account keys periodically in pj-s
• B. Enforce an org policy to deny service account key creation with an exception to pj-sa.
• C. Implement a Kubernetes Cronjob to rotate all service account keys periodicall
• D. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.
• E. Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hour
• F. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.
• G. Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hour
• H. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.

Answer: C

Explanation:
According to the Google Cloud documentation, you can use organization policy constraints to control the creation and expiration of service account keys. The constraints are:
constraints/iam.allowServiceAccountKeyCreation: This constraint allows you to specify which projects
or folders can create service account keys. You can set the value to true or false, or use a condition to apply the constraint to specific service accounts. By setting this constraint to false for the organization and adding an exception for the pj-sa project, you can prevent developers from creating service account keys in other projects.
constraints/iam.serviceAccountKeyMaxLifetime: This constraint allows you to specify the maximum lifetime of service account keys. You can set the value to a duration in seconds, such as 86400 for one day. By setting this constraint to 86400 for the organization, you can ensure that all service account ke expire after one day.
These constraints are recommended by Google Cloud as best practices to minimize the risk of service account key misuse or compromise. They also help you reduce the cost of managing service account keys, as you do not need to implement a custom solution to rotate or delete them.
References:
1: Associate Cloud Engineer Certification Exam Guide | Learn - Google Cloud
5: Create and delete service account keys - Google Cloud
Organization policy constraints for service accounts

NEW QUESTION 18
You need to reduce GCP service costs for a division of your company using the fewest possible steps. You need to turn off all configured services in an existing GCP project. What should you do?

• A. * 1. Verify that you are assigned the Project Owners IAM role for this project.* 2. Locate the project in the GCP console, click Shut down and then enter the project ID.
• B. * 1. Verify that you are assigned the Project Owners IAM role for this project.* 2. Switch to the project in the GCP console, locate the resources and delete them.
• C. * 1. Verify that you are assigned the Organizational Administrator IAM role for this project.* 2. Locate the project in the GCP console, enter the project ID and then click Shut down.
• D. * 1. Verify that you are assigned the Organizational Administrators IAM role for this project.* 2. Switch to the project in the GCP console, locate the resources and delete them.

Answer: A

Explanation:
https://cloud.google.com/run/docs/tutorials/gcloud https://cloud.google.com/resource-manager/docs/creating-managing-projects https://cloud.google.com/iam/docs/understanding-roles#primitive_roles
You can shut down projects using the Cloud Console. When you shut down a project, this immediately happens: All billing and traffic serving stops, You lose access to the project, The owners of the project will be notified and can stop the deletion within 30 days, The project will be scheduled to be deleted after 30 days. However, some resources may be deleted much earlier.

NEW QUESTION 19
Your company has a 3-tier solution running on Compute Engine. The configuration of the current infrastructure is shown below.

Each tier has a service account that is associated with all instances within it. You need to enable communication on TCP port 8080 between tiers as follows:
• Instances in tier #1 must communicate with tier #2.
• Instances in tier #2 must communicate with tier #3.
What should you do?

• A. 1. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)•Protocols: allow all
• B. 1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow TCP:80802. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow TCP: 8080
• C. 1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow all
• D. 1. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow TCP: 80802. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)• Protocols: allow TCP: 8080

Answer: B

Explanation:
* 1. Create an ingress firewall rule with the following settings: "¢ Targets: all instances with tier #2 service account "¢ Source filter: all instances with tier #1 service account "¢ Protocols: allow TCP:8080 2. Create an ingress firewall rule with the following settings: "¢ Targets: all instances with tier #3 service account "¢ Source filter: all instances with tier #2 service account "¢ Protocols: allow TCP: 8080

NEW QUESTION 20
......