ACE4 Flashcards

1
Q

While working on a project, an application administrator has been given the responsibility of managing all resources. He wants to delegate the responsibility of managing the existing service accounts to another administrator, who will also be responsible for managing the other service accounts that will be created. Which of the following is the best way to delegate the privileges required to manage all the service accounts?

A. Granting iam.serviceAccountUser to the administrator at the project level
B. Granting iam.serviceProjectAccountUser to the administrator at the project level
C. Granting iam.serviceAccountUser to the administrator at the service account level
D. Granting iam.serviceProjectAccountUser to the administrator at the service account level

A

Answer: A
A user can manage all the service accounts in the project if the service account user role iam.serviceAccountUser is granted to him at the project level. Also, whenever a new service account is created, the administrator automatically holds iam.serviceAccountUser on that new service account.
The service account user role (iam.serviceAccountUser) for all service accounts in a project can be granted at the project level, while the service account user role for a specific service account can be granted at the service account level. So, in the given scenario, to delegate the privileges to manage all the service accounts, the service account user role (iam.serviceAccountUser) is granted to the administrator at the project level.

2
Q

You are currently working on a freelance project where you have to deploy a WordPress website on a VM. You decided to use a startup script to install WordPress and other libraries instead of installing them manually. While launching the instance you forgot to add the startup script. How do you add it now?

A. Edit the instance by selecting it, add your startup script into the user data field and restart your instance.
B. Stop the instance, add a metadata with startup-script as key, and script content as value, and start the instance.
C. Stop the instance, add script into startup script field, and start the instance.
D. Edit the instance by selecting it, add a metadata with script as key, add script content as value, and restart the instance.

A

Answer: B

The startup script is executed every time an instance is started. Stopping an instance and starting it again brings it up on a host, which executes the startup script.

Wrong:

  • Just restarting the instance does not trigger the startup script.
  • There is no field named "startup script". You need to create a metadata entry with the key startup-script and the script itself as the value.
  • script is an incorrect key. The correct metadata key is startup-script.

Reference: https://cloud.google.com/compute/docs/startupscript

3
Q

Your company has decided to build an in-house application for payroll processing, and you have been assigned the task of creating a VM, a Cloud SQL DB and a bucket for it. While testing the application, developers found that they couldn’t upload files to the bucket. How would you fix it?

A. Enable ufw on the Linux instance and allow port 443.
B. Check if the default service account is attached to VM, if not edit the instance and attach it.
C. Check if egress firewall rules are applied to instance allowing connection between bucket and VM.
D. None of the above.

A

Answer D
None of the above. Tackle it this way:

Create a custom service account with write permission for the Storage service and attach it to the instance.

Or, while launching the instance, under the Identity and API access section stick to the default service account, click on “Set access for API” and select either the Write Only or the Read Write scope for your instance.

https://cloud.google.com/compute/docs/access/service-accounts

4
Q

In a VPC, which firewall rules are created by default when creating an automatic default VPC?
A. Deny all ingress, allow all egress
B. Deny all ingress and egress
C. Allow SSH, RDP, HTTP, HTTPS
D. Allow SSH, RDP, ICMP, and internal traffic

A

Answer D
When creating a default automatic VPC, default firewall rules are created that allow SSH, RDP, ICMP, and internal traffic.

Wrong:

  • B: By default, it allows all egress and denies all ingress.
  • C: Allow HTTP and HTTPS are not part of the firewall rules that can be created during the VPC launch process.
  • A: These rules exist, but are not shown in the Cloud Console. The implied rules cannot be removed, but they have the lowest possible priorities.

Reference:

https://cloud.google.com/vpc/docs/firewalls#more_rules_default_vpc

5
Q

As per your manager’s instruction, you created a custom VPC with a subnet mask of 24, which provides 256 IP addresses, but you are only able to use 252 of them. Your manager is trying to figure out what’s going wrong and approaches you for the answer. What will you tell your manager?

A

Answer B
Google Cloud always reserves 4 IP addresses in every subnet you create. The reason for this is:
- The first IP is the network address.
- The second is reserved for the default gateway.
- The second-to-last is reserved for future use.
- The last address is the broadcast address.
Wrong:
- A: The subnet creation process has nothing to do with the reduced number of available IP addresses.
- C: A soft limit has nothing to do with this case.

6
Q

Your company has been working on an application for the last three months and is now ready to roll out the same to the UAT environment for beta testing. Your manager has asked you to create a replica of dev project. Which is the best way to clone/replicate the existing project?

A

Answer D

There is no inbuilt option provided by GCP to clone/replicate the project.

7
Q

You are a Google Cloud Engineer and assigned to set up a project for the team of four members. You need to grant only general permissions for all the resources of the project. You decided to grant a primitive role to each person for different levels of access on the basis of their responsibilities in the project. What is not considered as a primitive role in the Google Cloud Platform console?

A. Viewer
B. Editor
C. Owner
D. Publisher

A

Answer D
Publisher is not a primitive role in Google Cloud Platform, but a predefined role.

Reference:

Google Cloud Identity and Access Management Overview - https://cloud.google.com/iam/docs/overview

8
Q

A cloud engineer wants to create a VM named whiz-server-1 with four CPUs. Which of the following commands would he use to create the VM whiz-server-1?
A. gcloud compute instances create --machine-type=n1-standard-4 whiz-server-1
B. gcloud compute instances create --cpus=4 whiz-server-1
C. gcloud compute instances create --machine-type=n1-standard-4 --instancename whiz-server-1
D. gcloud compute instances create --machine-type=n1-4-cpu whiz-server-1

A

Answer A
gcloud compute instances create --machine-type=n1-standard-4 whiz-server-1 is the correct command to create a VM with 4 CPUs. It includes a correct machine type and specifies the name of the instance properly.

Wrong:
- B: gcloud compute instances create --cpus=4 whiz-server-1 is wrong. This command includes a --cpus parameter that does not exist in the gcloud command.

9
Q

What is the gcloud command to create a cluster named ch09-cluster-10 with four nodes?
A. gcloud container clusters create ch09-cluster-10 4
B. gcloud container clusters create ch09-cluster-10 --num-nodes=4
C. gcloud clusters container create ch09-cluster-10 --num-nodes=4
D. gcloud container beta clusters create ch09-cluster-10 --nodes-num=4

A

Answer B
The command gcloud container clusters create ch09-cluster-10 --num-nodes=4 is the correct command to create a cluster named ch09-cluster-10 with four nodes, as it uses the correct pattern.

10
Q
Which of the following IP addresses would you specify to define a CIDR range that applies to all destination addresses?
A. 0.0.0.0/0
B. 172.16.0.0/12
C. 192.168.0.0/16
D. 10.0.0.0/8
A

Answer A
The IP address 0.0.0.0/0 matches all the IP addresses. Using the 0.0.0.0/0 IP address, you can define a CIDR range that will apply to all the destination addresses.

11
Q
You have set a firewall rule that will permit inbound connections to a VM instance named whizserver-2. You want to apply this rule only if there is not another rule that would deny that traffic. What priority would you give to this rule?
A. 1000
B. 1
C. 65535
D. 0
A

Answer C
If the rule has the lowest priority, it will permit inbound connections to the VM instance whizserver-2 only when no other matching rule denies that traffic. The larger the number, the lower the priority. The lowest priority ensures that the other rules that match will apply. So, the largest number should be selected to make the priority the lowest.

A: is incorrect. 1000 is not the largest number among the given options. For the lowest priority, you need to choose the largest number.

B: is incorrect. 1 is a very small number and will increase the priority, so it is not the correct answer.

D: is incorrect. The lower the number, the higher the priority. The number 0 results in the highest priority, while the priority should be the lowest.

Reference: Virtual Private Cloud - Firewall Rules Overview

12
Q

You have recently joined a startup that is migrating its infrastructure from AWS to Google Cloud. A junior engineer has been assigned the task of migrating one of their web servers, running Amazon Linux, from AWS to GCP in a public subnet of a custom VPC. He is able to migrate the instance successfully, but is not able to get SSH access to the migrated instance. What are the possible steps to look for? (Multiple Answer)

A. Check if he has attached correct firewall rule with port udp:22 open to the instance.
B. Check if he added an SSH key to the instance during the launch phase.
C. Google Cloud does not support Amazon Linux images because of market competition.
D. Make sure the firewall is attached to the instance with tcp port 22 open.

A

Answer B and D

B. Check if he added an SSH key to the instance during the launch phase.
D. Make sure the firewall is attached to the instance with tcp port 22 open.

Wrong:
A. SSH by default does NOT work on UDP port 22

13
Q

You work for a retail company that has a busy online store. As you are approaching New Year, you find that your e-store is getting more and more traffic. You ensure that your web servers are behind a managed instance group. However, you notice that the web tier is frequently scaling, sometimes multiple times in an hour. You need to prevent the instance group from scaling up and down so rapidly. Which of the following options would help you to achieve this?

A. Change the auto scaling metric to use multiple metrics instead of just one metric.
B. Reduce the number of maximum instance count.
C. Associate a health check with instance group.
D. Increase the cool down period.

A

Answer D

Increasing the cool down period makes the scaling policy wait slightly longer before taking its next scale-up or scale-down action.

A: is incorrect: This will not be beneficial in anything except creating a more complex scaling policy.

B: is incorrect: Just reducing the maximum VM count stops the scaling policy from launching more VMs than the threshold; it won’t help us control the rapid scale-up and scale-down behaviour.

C: is incorrect: A health check only provides information on whether an instance is responding or not.

14
Q

You are working with a healthcare startup as a Google Cloud Consultant on a new project which they are about to launch next week as a beta version. All the static files are stored on GCS and you have been asked to make one of the PDFs in the bucket named whizlabs-bucket publicly available for customers to download. You only have access to the CLI to achieve this. Which of the following commands would you use?

A: gsutil acl ch -u allUsers:r gs://whizlabs-bucket/file.pdf
B: gsutil acl update -u allUsers:R gs://whizlabs-bucket/file.pdf
C: gcloud gs update-acl --public-read gs://whizlabs-bucket/file.pdf
D: gcloud storage update-acl --public-read gs://whizlabs-bucket/file.pdf

A

Answer A

gsutil acl ch -u allUsers:r gs://whizlabs-bucket/file.pdf
B: is incorrect: gsutil acl does not have update as an option. The only supported ones are set, get, and ch.
C: is incorrect: gcloud does not have any group called gs.
D: is incorrect: gcloud does not have any group with the name storage.

15
Q

Which command will let you enable Google Compute service using gcloud CLI?

A. gcloud enable compute
B. gcloud service enable compute
C. gcloud service compute enable
D. gcloud services enable compute

A

Answer D
The gcloud command to enable the Compute Engine API is:
gcloud services enable compute

16
Q

You want your application hosted on a VM to fetch the metadata of that instance. Which command will help you fetch it?

A. curl metadata.google.internal/compute-metadata/v1/
B. curl /metadata/v1/
C. curl metadata.google.internal/computeMetadata/v1/
D. curl internal.googleapi.com/computeMetadata/v1/

A

Answer C
The right command to fetch metadata is:
curl metadata.google.internal/computeMetadata/v1/

*The rest of the commands are not valid gcloud commands

17
Q
Your department head has asked you to create a new custom (manual) mode VPC with three subnets, each having 20 usable IP addresses. Which subnet mask suits your requirement?
A. 24
B. 28
C. 18
D. 27
A

Answer D
IPv4 addresses consist of 4 octets, which add up to 32 bits.

The formula to calculate the number of hosts is 2 to the power of n, where n is the difference between 32 and the subnet mask used.
In this case, it is 2 to the power of 5 = 32 hosts. In each CIDR block, two IPs are reserved: one for the network address and another for broadcast, which leaves us with 30 usable IP addresses.

32 - 27 = 5

2 to the power of 5 = 32 total IP addresses

32 - 2 = 30 usable IP addresses

18
Q
You have 100TB of non-relational data and want to run analytics on it to see the previous year’s net sales. Which tool best suits your requirement?
A. BigQuery
B. BigTable
C. Datastore
D. GCS
A

Answer B

BigTable is a managed NoSQL DB service designed for handling and processing large amounts of data.

A: is incorrect: BigQuery is a relational database service, hence cannot be used to store non-relational data.

C: is incorrect: Datastore is a managed NoSQL DB service, but the amount of data we are looking at is too big for Datastore to process efficiently.

D: is incorrect: GCS is only used for storing files. It does not support relational or non-relational data.
https://cloud.google.com/bigtable/

19
Q
Which of the following export options are available with Google Cloud Billing?
A. BigTable and Storage
B. BigQuery and File
C. BigQuery and BigTable
D. CloudSQL and BigTable
A

Answer B

Billing export at the time of writing supports only BigQuery and File export.

A: is incorrect: Storage is supported, but BigTable is not.

C: is incorrect: Billing export supports BigQuery but not BigTable.

D: is incorrect: Both CloudSQL and BigTable are supported as export options.

Reference:

https://cloud.google.com/billing/docs/how-to/export-data-bigquery
https://cloud.google.com/billing/docs/how-to/export-data-file

20
Q
The engineering team is building an application that routes requests at the TCP layer. They need a load balancer that supports SSL termination on the load balancer. Which of the following is the best available option?
A. HTTPS Load Balancer
B. UDP Load Balancer
C. SSL Proxy Load Balancer
D. TCP Load Balancer
A

Answer C

SSL Proxy is a Layer 3 load balancer with support for SSL termination.

A: is incorrect: HTTPS LB does support SSL termination but works on Layer 7, i.e. the application layer.

B: is incorrect: UDP LB, as the name says, works with the UDP protocol, and our application works on the TCP protocol.

D: is incorrect: TCP LB could have been the choice if we didn’t have the SSL termination requirement.

Reference:
https://cloud.google.com/load-balancing/

21
Q

A developer accidentally deleted some of the files from a bucket. Luckily, the files were not critical and were re-created soon after. Because of this, your team lead has asked you to enable versioning on the bucket. Which command would help you enable it?
A. gsutil versioning enable gs://whizlabs-bucket
B. gsutil gs://whizlabs-bucket enable versioning
C. gsutil enable versioning gs://whizlabs-bucket
D. gsutil versioning set on gs://whizlabs-bucket

A

Answer D

The CLI command to enable versioning is
gsutil versioning set on gs://whizlabs-bucket. Hence, D is the correct answer.

Options A, B, and C are incorrect because these are invalid CLI commands.
Reference:
https://cloud.google.com/storage/docs/using-object-versioning

22
Q
You created an application for a large hospital which stores around 1GB of files every day on GCS. Most of these files are accessed very rarely once six months have passed since their first upload, but they are important and cannot be deleted. Which storage class would you prefer to save money after 6 months?
A. Standard
B. Nearline
C. Coldline
D. Regional
A

Answer C

A: is incorrect: Standard class is the costliest storage option in GCP, applicable where data needs to be accessed on a daily basis.

B: is incorrect: Nearline could have been an option if the data access was required on a monthly basis.

D: is incorrect: Regional class is expensive compared to all other classes, hence it does not serve our purpose.

Reference:
https://cloud.google.com/storage/docs/storage-classes

23
Q
A developer has asked you to create a single nginx server for the dev environment. Which service would allow you to launch a VM using predefined images?
A. GKE
B. GAE
C. CloudSQL
D. Marketplace
A

Answer D

Marketplace provides you with pre-built images which can be launched with just a few clicks without doing any configuration.

A: is incorrect: GKE is used to launch a Kubernetes cluster, not a single server.

B: is incorrect: GAE does not provide you with nginx predefined image.

C: is incorrect: CloudSQL is used to launch MySQL or Postgres database service.
Reference:
https://cloud.google.com/marketplace/

24
Q
Your team is building a media collection and analysis application for one of your clients. They have asked you to enable Google Photos API and YouTube API. Moreover, they want to test the API without integrating it within the application. Which service would help your development team test the API without integration?
A. API Library
B. API Explorer
C. API Manager
D. Marketplace Explorer
A

Answer B

API Explorer lets you make API calls to the service without actually integrating it within your application.

A: is incorrect: API Library is a collection of all the APIs which Google Cloud provides.

C: is incorrect: GCP does not have any service with the name of API Manager.

D: is incorrect: Marketplace Explorer is an invalid service.
Reference:
https://developers.google.com/apis-explorer/

25
Q

Your team has deployed a GKE cluster with 3 nodes for high availability. The cluster was tested multiple times before moving to production, but it suddenly stopped working after being deployed to the production environment. A team member tells you that he needs shell access to the container for a while to resolve the issue. Which command will give him access to the container?
A. kubectl exec -i -t whizlabs-web-server -- /bin/bash
B. kubectl whizlabs-web-server ssh -- /bin/bash
C. kubectl ssh whizlabs-web-server /bin/bash
D. kubectl exec whizlabs-web-server /bin/bash

A

Answer A
The correct command to get shell access to a container is:
kubectl exec -i -t whizlabs-web-server -- /bin/bash

Options B, C, and D are incorrect because these are invalid commands to get the shell access of a container.
Reference:
https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/

26
Q
You are working for a service company that has an automobile client. The client has developed an application for internal use in Erlang and has approached your company to help ease the application deployment process on Google Cloud. The company does not have highly trained staff, so it wants you to deploy the application in such a way that, post-deployment, they can manage it without worrying about the infrastructure. Which of the following services would you prefer?
A. Cloud Functions
B. App Engine Standard
C. App Engine Flexible
D. GKE
A

Answer C
Using the App Engine Flexible environment, you can deploy an application written in any language without manually managing instances, load balancers, etc.
A: is incorrect: Cloud Functions does not support Erlang, hence it cannot be used for deployment.

B: is incorrect: App Engine Standard does not support Erlang. It only supports PHP, Python, Java, Go, .NET, Node.js and Ruby. If your application is written in any language other than the supported ones, you will have to use App Engine Flexible.

D: is incorrect: GKE could have been an option, but it requires more configuration compared to App Engine and requires the client to know Kubernetes as well.

Reference:
https://cloud.google.com/appengine/docs/flexible/

27
Q

Your team has deployed a few Windows web servers on a custom VPC network and they are running properly. After a few hours the app suddenly crashes, and developers trying to remotely access the web servers are failing to do so. While troubleshooting the issue you realize that a firewall rule is missing. Which command will help you solve the problem?
A. gcloud compute firewall-rules create "remote-access" --network "whizlab-network" --allow tcp:22
B. gcloud compute firewall-rules create "tcp:3389"
C. gcloud compute firewall-rules create "remote-access" --network "whizlab-network" --allow tcp:3389
D. gcloud compute firewall-rules allow "udp:3389" --network "whizlab-network"

A

Answer C
The correct command to allow developers to remotely access Windows is:
gcloud compute firewall-rules create "remote-access" --network "whizlab-network" --allow tcp:3389

Options A, B, and D are incorrect because they are invalid commands to allow remote access.

Link:

28
Q

A bug has been identified in your Python application, which is hosted on App Engine, and you are about to roll out a new version of the application to resolve it. You do not want traffic to shift automatically to the new version, so that you can make sure the new version does not break anything. How would you achieve this?
A. Pass a custom version ID so that App Engine does not send traffic to the new version.
B. Pass the --no-promote flag while deploying the new version.
C. Pass the --no-active flag while deploying the new version.
D. Use the --inactive-mode flag while deploying the new version of the app.

A

Answer B
Using the --no-promote flag while deploying a new version of the app will not automatically send traffic to the new version.

A: is incorrect. Passing a version ID will not serve the purpose.

C: is incorrect: --no-active is an invalid flag.

D: is incorrect: --inactive-mode is an invalid flag.

Link:
https://cloud.google.com/sdk/gcloud/reference/app/deploy

29
Q

A web application is hosted on a VM and its resources are stored in a bucket. You have been asked to let any authenticated user access the very high-level blueprint of the company’s product. This blueprint does not contain any confidential data or IP data, so it can be made available to the public as well. What changes are required to make it work?
A. Add a new entry in permission with allUsers having public permission.
B. Create a new entry in permission with allAuthenticatedUsers having read permission.
C. Create a new entry in permission with allAuthorizedUsers having public permission.
D. Remove all existing entries from permission and add allAuthenticatedUsers having read permission.

A

Answer B
Create a new entry in permission with allAuthenticatedUsers having read permission

allAuthenticatedUsers will allow any Gmail or Cloud Identity supported authenticated user to access the file.

30
Q
One of your clients has asked you to create an SFTP server on Google Cloud. Which storage service of Google Cloud will be the most reliable and durable option?
A. CloudSQL
B. Filestore
C. Firestore
D. VM
A

Answer B
For file storage purpose, Filestore is the best option. Cloud Filestore is a managed file storage service for applications that require a filesystem interface and a shared filesystem for data. Filestore gives users a simple, native experience for standing up managed Network Attached Storage (NAS) with their Google Compute Engine and Kubernetes Engine instances.

31
Q

Your project manager accidentally created an auto mode VPC. She is now asking you to convert it to a custom mode VPC, as the applications are already deployed and rely on static internal IP addresses. Is it possible?
A. True
B. False

A

Answer A

An auto mode VPC can be converted to custom (manual) mode, but not vice versa.

32
Q

A GKE cluster was created with 4 nodes initially, and after looking at a few months of monitoring reports you realized that the cluster is underutilized. You plan to reduce the number of nodes to 3 to save cost. Which gcloud command will help you do that?
A. gcloud container clusters whizlabs-cluster --new-size 3
B. gcloud container clusters resize whizlabs-cluster --num-nodes=3
C. gcloud container cluster resize whizlabs-cluster --size 3
D. gcloud container cluster update whizlabs-cluster --size 3

A

Answer B
The right way to update the number of nodes in a GKE cluster is:
gcloud container clusters resize whizlabs-cluster --num-nodes=3

33
Q
Your engineering team has developed an application which will be deployed using GKE. The application needs a monitoring agent running on each node without fail and any change in the number of nodes should also update the count of the monitoring agent. Which API resource would you use to achieve the desired result?
A. Pod
B. StatefulSet
C. DaemonSet
D. ReplicaSet
A

Answer C
A DaemonSet is responsible for making sure that one pod is always running on each node, and it scales automatically with the number of nodes.

34
Q
You are launching VMs for your company’s internal application via the CLI and you cannot recall one of the flags. Which command will help you?
A. gcloud compute help instances create
B. man gcloud compute instances launch
C. gcloud help compute instances create
D. man gcloud compute instances create
A

Answer C
The correct command to get help on any command is:
gcloud help compute instances create
Reference: https://cloud.google.com/sdk/gcloud/reference/help

35
Q
You were inspecting the containers running on a VM and found that a pod is running which is no longer required. You try to delete it, but every time you do, a new pod is created. What do you need to delete to remove that pod?
A. ReplicaSet
B. VM
C. Container
D. Service
A

Answer A
A ReplicaSet is responsible for maintaining the desired number of pods, hence deleting it will delete the pod as well.

B: is incorrect: Deleting the VM outright is not a good option, as this will delete all other containers as well.
C: is incorrect: Deleting a container is the same as deleting a pod.
D: is incorrect: Deleting a Service will not delete the pod.

Link:

https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/
https://kubernetes.io/docs/concepts/services-networking/service/

36
Q

A new junior engineer is joining your team. Your manager asks you to create an IAM user for him because he is out of the office today and has very limited access to the internet. You are trying to create an IAM user for the new joiner, but you receive an error saying: “Email addresses and domains must be associated with an active Google Account or Google Apps Account”. What is the possible reason for this?

A. You do not have permission to create new IAM users.
B. He does not have a GSuite account or an account with the Identity Platform your organisation has linked to Google Cloud for authentication purposes.
C. You need to ask new joiner to attach permission to his GSuite account to allow you to create IAM user.
D. IAM does not support custom domain name as IAM username. Please use his personal Gmail address to create an IAM account.

A

Answer B

He does not have a GSuite account or an account with the Identity Platform your organisation has linked to Google Cloud for authentication purposes.

37
Q

What is the correct command to create an IAM user using Google Cloud CLI?
A. gcloud iam create --name "bob@xyz.com" --role "roles/editor"
B. gcloud iam create-user --name "bob@xyx.com" --role "roles/editor"
C. gcloud projects add-iam-policy-binding whizlabs-prj --member "user:bob@xyz.com" --role "roles/editor"
D. gcloud projects add-iam-user-binding whizlabs-prj --member "user:bob@xyz.com" --role "roles/editor"

A

Answer C

The gcloud command to create an IAM user is

gcloud projects add-iam-policy-binding whizlabs-prj --member "user:bob@xyz.com" --role "roles/editor"

38
Q

Your colleague has asked for help in creating an IAM role using Google Cloud CLI. Which of the following is the correct command to create an IAM role?
A. gcloud iam create role viewer-role --project whizlabs-prj --permissions "roles/viewer"
B. gcloud iam roles create viewer-role --project whizlabs-prj --permissions "roles/viewer"
C. gcloud iam roles create viewer-role --project whizlabs-prj --file=role-definition.yaml
D. gcloud project roles create --type iam viewer-role --project whizlabs-prj --file role-definition.yaml

A

Answer C

gcloud iam roles create viewer-role --project whizlabs-prj --file=role-definition.yaml

39
Q

Someone from a different team tells you that he is working on a web application hosted on a Google Cloud VM which needs view access to the Google Cloud Storage service. Which of the following is the best approach?
A. Create a custom service account with Google Cloud Storage Viewer role, and attach it to the VM instance.
B. Create a custom service account with Google Cloud Storage Viewer role, create a JSON key pair, and provide it to him.
C. VM Instances by default have read access to Google Cloud Storage service, so nothing needs to be done.
D. Create an IAM user for him with Google Cloud Storage, create a JSON key pair, and provide it to him.

A

Answer C

VM Instances by default have read access to Google Cloud Storage service, so nothing needs to be done.

C: Each VM has a default service account attached which gives the VM read access to the Storage service.

A: is incorrect: You can do this, but it is not the best approach, as by default the VM already has read access to the Storage service.

B: is incorrect: This should not be implemented, as it is very risky to use key pairs when other, more secure ways are available, like attaching the service account to the VM instance instead of creating a key pair.

D: is incorrect: Creation of a JSON key pair for an IAM user is not supported at the time of writing this question.

Reference:

https://cloud.google.com/compute/docs/access/service-accounts#compute_engine_default_service_account

40
Q
Your company hired a Big Data consultant to create a real-time reporting application using Google Cloud services such as BigQuery and the Power BI reporting tool. Your manager asked you to grant him access to read, update, and delete the dataset but not to create one. Which role would you assign to him?
A. roles/bigquery.dataOwner
B. roles/bigquery.dataEditor
C. roles/bigquery.datasetEditor
D. roles/bigquery.admin
A

Answer A

roles/bigquery.dataOwner provides permission to read, update, and delete the dataset, and to create tables within it. roles/bigquery.dataEditor (B) can read the dataset and create or modify its tables, but it lacks bigquery.datasets.update and bigquery.datasets.delete, so it cannot update or delete the dataset itself. C is not a real role, and D (roles/bigquery.admin) grants every BigQuery permission, dataset creation included. To keep the consultant from creating new datasets, grant dataOwner on the existing dataset(s) rather than on the project: dataset creation is checked at the project level, so a dataset-level grant never confers it.

41
Q
Your company has purchased a threat detection service from a third party and has asked you to upload all network logs to it. Which of the following services will meet your requirements?
A. Activity Logs
B. Flow Logs
C. Network Logs
D. System Logs
A

Answer B

VPC Flow Logs record network flows to and from VM instances. Each entry carries the 5-tuple (source IP, source port, destination IP, destination port, protocol), byte and packet counts, start and end time, the reporting side (SRC or DEST) and, optionally, instance, VPC and geographic annotations. They are flow records, not packet captures: flows are sampled (default sampling rate 0.5, configurable per subnet) and aggregated over an interval (default 5 seconds), so they do not capture each and every packet and cannot replace a packet capture for payload inspection. They are enabled per subnet and land in Cloud Logging, from where a sink (for example to Pub/Sub or a Cloud Storage bucket) feeds a third-party threat detection service.
A: incorrect. Activity logs (Cloud Audit Logs, Admin Activity) record API calls such as launching an instance, creating a firewall rule, or creating a bucket; they say nothing about network traffic.
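What a VPC Flow Logs entry looks like once exported, and the minimal normalisation a third-party feed needs. This is an added example and not part of the deck: the three log entries are constructed to follow the shape of VPC Flow Logs entries in Cloud Logging (jsonPayload.connection.*, bytes_sent, packets_sent, reporter), and the VPC subnet range 10.128.0.0/20 is an assumption.

```python
"""Normalise VPC Flow Logs for export to a third-party threat-detection feed.

Added example, not part of the flashcard deck. Entries are constructed to
mirror Cloud Logging's VPC Flow Logs shape; the subnet range is an assumption.
"""
import ipaddress
import json

# Assumption: the VPC's subnet range; any address outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.128.0.0/20")]

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed entries: an internal DB flow, an inbound SSH attempt from outside
# the VPC as seen by the destination VM, and an outbound DNS query.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-03-01T10:00:00Z",
     "jsonPayload": {"connection": {"src_ip": "10.128.0.5", "src_port": 51234,
                                    "dest_ip": "10.128.0.7", "dest_port": 5432, "protocol": 6},
                     "reporter": "SRC", "bytes_sent": "5120", "packets_sent": "10"}},
    {"timestamp": "2024-03-01T10:00:03Z",
     "jsonPayload": {"connection": {"src_ip": "198.51.100.23", "src_port": 40000,
                                    "dest_ip": "10.128.0.7", "dest_port": 22, "protocol": 6},
                     "reporter": "DEST", "bytes_sent": "900", "packets_sent": "6"}},
    {"timestamp": "2024-03-01T10:00:05Z",
     "jsonPayload": {"connection": {"src_ip": "10.128.0.7", "src_port": 53522,
                                    "dest_ip": "8.8.8.8", "dest_port": 53, "protocol": 17},
                     "reporter": "SRC", "bytes_sent": "120", "packets_sent": "1"}},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def normalise(entry):
    """Flatten one Cloud Logging entry into the 5-tuple plus counters."""
    payload = entry["jsonPayload"]
    conn = payload["connection"]
    return {
        "timestamp": entry["timestamp"],
        "src_ip": conn["src_ip"], "src_port": int(conn["src_port"]),
        "dest_ip": conn["dest_ip"], "dest_port": int(conn["dest_port"]),
        "protocol": PROTOCOLS.get(int(conn["protocol"]), str(conn["protocol"])),
        # Counters describe the sampled, aggregated flow, not every packet on the wire.
        "bytes": int(payload["bytes_sent"]),
        "packets": int(payload["packets_sent"]),
        "reporter": payload["reporter"],  # SRC or DEST: which VM's NIC reported the flow
        "src_internal": is_internal(conn["src_ip"]),
        "dest_internal": is_internal(conn["dest_ip"]),
    }


def external_inbound(records):
    """Flows a VM received from outside the VPC: the first thing a detection feed should see."""
    return [r for r in records if r["reporter"] == "DEST" and not r["src_internal"]]


def export_jsonl(records):
    """One JSON object per line, the usual ingestion format for third-party tools."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records) + "\n"


if __name__ == "__main__":
    records = [normalise(e) for e in SAMPLE_ENTRIES]
    print(export_jsonl(records))
    for r in external_inbound(records):
        print(f"inbound from outside VPC: {r['src_ip']} -> {r['dest_ip']}:{r['dest_port']}/{r['protocol']}")
```

The reporter field matters when de-duplicating: a flow between two VMs in the same VPC can be logged once by each side, so a feed that counts flows should key on the 5-tuple plus time window, not on raw entries.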

42
Q

You have been asked to create a VPC for a two-tier architecture with frontend and backend instances. Additionally, you need to make sure that backend instances are reachable only from frontend instances. What is the best approach to achieve this?
A. Add labels to your frontend instances and use the same labels as source tags while creating firewall rules for backend instances.
B. Add network tags to your frontend instances and use them under the targets section while creating a firewall rule for the backend instances.
C. Select the service account attached to your frontend instances as a source filter while creating a firewall rule.
D. While creating a firewall rule, provide the IP address of the frontend instance as a source filter and attach it to the backend instance.

A

Answer C

Option C is correct: use the service account attached to the frontend instances as the source filter (--source-service-accounts) of an allow rule whose target is the backend instances' service account (--target-service-accounts). Every frontend instance launched in the future with that service account matches the rule without further changes, and only principals holding iam.serviceAccounts.actAs on that account can launch an instance that matches it.
A is incorrect: labels are metadata for organising and billing resources; firewall rules filter on network tags, not labels.
B is incorrect: the targets section selects which instances the rule applies to, so putting the frontend tags there applies the rule to the frontend, not the backend. Tags could be used as a source filter instead, but anyone who can edit an instance can add a tag, so service accounts are the more tamper-resistant identity.
D is incorrect: IP-based rules break as soon as frontend instances are replaced or scaled out.

43
Q

One of your team members accidentally included a service account's private JSON key while pushing code to GitHub. What steps should you immediately perform?
A. Delete the JSON file from GitHub.
B. Delete the project and all its resources.
C. Delete the JSON file from GitHub, remove the key from Google Cloud IAM and generate a new key for use.
D. None of the above

A

Answer C
Delete the JSON file from GitHub, remove the key from Google Cloud IAM and generate a new key for use. Treat the key as compromised the moment it was pushed: revoke it in IAM first (gcloud iam service-accounts keys disable, then keys delete), issue a replacement, and only then clean up the repository. Deleting the file in a new commit is not enough, because it remains in the Git history and in every fork or clone; the history has to be rewritten (for example with git filter-repo) and force-pushed, and even then the revocation is what actually closes the exposure. Afterwards, review the Cloud Audit Logs for that service account for any use of the leaked key.

A: incorrect: merely deleting it from GitHub does not ensure safety, since the key survives in history and the credential itself remains valid. You have to revoke it in Cloud IAM as well.

B is incorrect: deleting the project and its resources is not a practical option. If you have tens or hundreds of resources running, deleting and recreating them is not feasible.
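A scanner that finds service account key files in a working tree by their structure, and prints the revoke-then-purge commands in the right order. This is an added example, not part of the deck or of any Google tooling; the key file, its key ID, the service account e-mail and the decoy files are constructed, and the private key inside is a placeholder, not real key material.

```python
"""Find Google service-account key files in a source tree and print the remediation.

Added example (not from the flashcard deck). A service-account key JSON is
recognised by its structure: "type": "service_account" together with
private_key_id, private_key and client_email. All sample files are constructed.
"""
import json
import os
import pathlib
import tempfile

REQUIRED_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}


def parse_service_account_key(text):
    """Return (client_email, private_key_id) if text is an SA key JSON, else None."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or data.get("type") != "service_account":
        return None
    if not REQUIRED_FIELDS.issubset(data):
        return None
    return data["client_email"], data["private_key_id"]


def scan_tree(root):
    """Return [(path, email, key_id)] for every SA key found under root (skips .git)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = pathlib.Path(dirpath) / name
            try:
                text = path.read_text(encoding="utf-8")
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: not a JSON key
            found = parse_service_account_key(text)
            if found:
                findings.append((str(path), *found))
    return findings


def remediation_commands(email, key_id, repo_relative_path):
    """Revoke first (the key is compromised whatever happens in Git), then purge history."""
    return [
        f"gcloud iam service-accounts keys disable {key_id} --iam-account={email}",
        f"gcloud iam service-accounts keys delete {key_id} --iam-account={email}",
        f"gcloud iam service-accounts keys create new-key.json --iam-account={email}",
        # git filter-repo is a third-party tool; rewriting history invalidates existing clones.
        f"git filter-repo --invert-paths --path {repo_relative_path}",
        "git push --force --all",
    ]


# Constructed key file: the private key is a placeholder, not real key material.
CONSTRUCTED_KEY = {
    "type": "service_account",
    "project_id": "whizlabs-prj",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "app-sa@whizlabs-prj.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "token_uri": "https://oauth2.googleapis.com/token",
}

# Decoys that must not match: a user credential, and an SA reference with no private key.
CONSTRUCTED_DECOYS = {
    "adc.json": {"type": "authorized_user", "client_id": "x", "client_secret": "y", "refresh_token": "z"},
    "sa-config.json": {"type": "service_account", "client_email": "app-sa@whizlabs-prj.iam.gserviceaccount.com"},
}


def write_demo_tree():
    """Lay out a small repo-like temp directory with the constructed files; returns its path."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="leak-scan-"))
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "config").mkdir()
    (root / "config" / "credentials.json").write_text(json.dumps(CONSTRUCTED_KEY))
    for name, data in CONSTRUCTED_DECOYS.items():
        (root / "config" / name).write_text(json.dumps(data))
    (root / "app.py").write_text("print('hello')\n")
    return str(root)


if __name__ == "__main__":
    root = write_demo_tree()
    for path, email, key_id in scan_tree(root):
        print(f"LEAKED KEY {key_id} for {email} at {path}")
        print("\n".join(remediation_commands(email, key_id, os.path.relpath(path, root))))
```

Run as a pre-commit hook the scanner catches the key before it reaches GitHub, which is cheaper than any of the steps above; the ordering of the commands is the point once it already has.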

44
Q

You are trying to fetch metadata of a VM using the command "curl metadata.google.internal/computeMetadata/v1/" but are constantly receiving 403 Forbidden. What could be the possible reason?
A. Service account is missing.
B. Metadata-Flavor: Google header is missing.
C. Metadata-Access: Google header is missing.
D. Firewall rule attached to the VM is blocking the request.

A

Answer B
Metadata-Flavor: Google header is missing.
Requests to the metadata server must carry the header "Metadata-Flavor: Google" (with curl, passed through -H). The header indicates that the request was sent deliberately to retrieve metadata values rather than unintentionally from an insecure source; without it the metadata server answers 403 with the body "Missing Metadata-Flavor:Google header." The check exists because the same server hands out the instance's service account access token (.../instance/service-accounts/default/token): a custom header cannot be injected by an HTTP redirect or by a request a browser was tricked into making, and requests carrying an X-Forwarded-For header are rejected as well, which closes the simplest SSRF paths to the token. A 403 is never a firewall symptom (D): traffic to the metadata server is always allowed and is not subject to VPC firewall rules.
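The exchange described above with both sides visible, as an added example that is not part of the deck or of Google's metadata server: a tiny stand-in server on localhost that applies the same header check, and a client that queries it with and without the header. The served instance name is constructed; the real endpoint is http://metadata.google.internal/computeMetadata/v1/.

```python
"""Why `curl metadata.google.internal/computeMetadata/v1/` gets 403.

Added example, not from the flashcard deck: a stand-in for the metadata
server's header check on localhost, plus a client that queries it.
The metadata values are constructed.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FAKE_METADATA = {"/computeMetadata/v1/instance/name": "web-frontend-1"}  # constructed

# No proxies: the request must go straight to the local stub.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MetadataStub(BaseHTTPRequestHandler):
    def do_GET(self):
        # Same rule as the real server: the custom header is required and any
        # X-Forwarded-For (a sign the request was proxied) is refused, so a
        # request forged through a redirect or an SSRF hop never gets data.
        if self.headers.get("Metadata-Flavor") != "Google" or "X-Forwarded-For" in self.headers:
            self.send_error(403, "Missing Metadata-Flavor:Google header.")
            return
        value = FAKE_METADATA.get(self.path)
        if value is None:
            self.send_error(404)
            return
        body = value.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/text")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_stub():
    """Start the stub on an ephemeral port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MetadataStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_metadata(base_url, path, with_header=True):
    """Return (status, body). The header is what separates a deliberate query from an SSRF'd one."""
    req = urllib.request.Request(base_url + path)
    if with_header:
        req.add_header("Metadata-Flavor", "Google")
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.reason


if __name__ == "__main__":
    server, base = start_stub()
    try:
        print(fetch_metadata(base, "/computeMetadata/v1/instance/name", with_header=False))
        print(fetch_metadata(base, "/computeMetadata/v1/instance/name"))
    finally:
        server.shutdown()
```

Point fetch_metadata at http://metadata.google.internal from inside a VM and the same function retrieves real values, including the service account token path, which is why application code should never forward user-controlled URLs to an HTTP client that can reach that host.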

45
Q

You created an update for your application on App Engine. You want to deploy the update without impacting your users. You want to be able to roll back as quickly as possible if it fails. What should you do?
A. Delete the current version of your application. Deploy the update using the same version identifier as the deleted version.
B. Notify your users of an upcoming maintenance window. Deploy the update in that maintenance window.
C. Deploy the update as the same version that is currently running.
D. Deploy the update as a new version. Migrate traffic from the current version to the new version.

A

Answer D

Correct because it guarantees no downtime and gives the fastest rollback: deploy the update as a separate version without promoting it (gcloud app deploy --no-promote), then migrate traffic to it. If the new version fails, migrate traffic back to the previous version, which is still deployed and warm. A deletes the running version first and causes an outage; B accepts downtime that App Engine versioning makes unnecessary; C overwrites the running version in place, leaving nothing to roll back to.
Migrating and Splitting Traffic

https://cloud.google.com/appengine/docs/admin-api/migrating-splitting-traffic

46
Q

You work in a small company where everyone should be able to view all resources of a specific project. You want to grant them access following Google’s recommended practices. What should you do?

A. Create a script that uses “gcloud projects add-iam-policy-binding” for all users’ email addresses and the Project Viewer role.
B. Create a script that uses “gcloud iam roles create” for all users’ email addresses and the Project Viewer role.
C. Create a new Google Group and add all users to the group. Use “gcloud projects add-iam-policy-binding” with the Project Viewer role and Group email address.
D. Create a new Google Group and add all members to the group. Use “gcloud iam roles create” with the Project Viewer role and Group email address.

A

Answer C

Create a new Google Group and add all users to the group, then bind the group once with "gcloud projects add-iam-policy-binding", passing the group's e-mail as the member (group:NAME@DOMAIN) and roles/viewer as the role. Google recommends granting roles to groups rather than to individual users: joiners and leavers are handled in the group, the IAM policy stays small and reviewable, and nobody has to rerun a script. B and D are wrong because "gcloud iam roles create" creates a custom role; it does not bind any principal to a role.

47
Q

What is the command for creating a storage bucket that has once per month access and is named ‘archive_bucket’?
A. gsutil rm -coldline gs://archive_bucket
B. gsutil mb -c coldline gs://archive_bucket
C. gsutil mb -c nearline gs://archive_bucket
D. gsutil mb gs://archive_bucket

A

Answer C
gsutil mb -c nearline gs://archive_bucket

mb makes the bucket and -c sets its default storage class. Nearline is intended for data accessed about once a month (30-day minimum storage duration); Coldline is for roughly once a quarter (90-day minimum) and Archive for less than once a year (365-day minimum), with higher retrieval and early-deletion charges the colder the class. Despite the bucket's name, the stated access pattern is once a month, which is Nearline, not Archive. A (rm) deletes objects rather than creating a bucket.

gsutil mb [-c class] [-l location] [-p proj_id] url…

If you don't specify a -c option, the bucket is created with the default storage class, Standard Storage (the older Multi-Regional and Regional classes are legacy equivalents of Standard in multi-region and region locations respectively).

If you don't specify a -l option, the bucket is created in the default location (US). -l can be any region, dual-region or multi-region. gsutil is now a legacy tool; the current equivalent is gcloud storage buckets create with --default-storage-class and --location.

Reference

mb - Make buckets: https://cloud.google.com/storage/docs/gsutil/commands/mb

48
Q

You need to deploy an update to an application in Google App Engine. The update is risky, but it can only be tested in a live environment. What is the best way to introduce the update to minimize risk?
A. Deploy a new version of the application but use traffic splitting to only direct a small number of users to the new version.
B. Deploy the application temporarily and be prepared to pull it back if needed.
C. Warn users that a new app version may have issues and provide a way to contact you if there are problems.
D. Create a new project with the new app version, then redirect users to the new version.

A

Answer A

Deploy a new version of the application but use traffic splitting to direct only a small number of users to the new version.
Deploying a new version without promoting it to default does not affect current users. Traffic splitting (gcloud app services set-traffic with --splits, splitting by IP, cookie or at random) routes a chosen fraction of requests to the new version as a canary; if it misbehaves, the split is set back to the old version without downtime. B and C accept user impact instead of limiting it; D moves users to a separate project, which is neither quick nor easily reversible.

49
Q

You have created a Kubernetes Engine cluster named "mycluster". You've realized that you need to change the machine type for the cluster from n1-standard-1 to n1-standard-4. What is the command to make this change?
A. You must create a new node pool in the same cluster and migrate the workload to the new pool.
B. gcloud container clusters update mycluster --machine-type n1-standard-4
C. This action is not possible.
D. gcloud container clusters resize mycluster --machine-type n1-standard-4

A

Answer A

You must create a new node pool in the same cluster and migrate the workload to the new pool.
The machine type of a node pool is fixed at creation; neither "clusters update" nor "clusters resize" accepts --machine-type (resize only changes the node count). Create a node pool with n1-standard-4 nodes, cordon the old pool's nodes so no new pods are scheduled there, drain them so the workloads are rescheduled onto the new pool, and finally delete the old pool.

Here are the steps for "Migrating workloads to different machine types"

https://cloud.google.com/kubernetes-engine/docs/tutorials/migrating-node-pool

50
Q
Your customer is moving their corporate applications to Google Cloud Platform. The security team wants detailed visibility of all projects in the organization. You provision the Google Cloud Resource Manager and set up yourself as the org admin. Which Google Cloud Identity and Access Management (Cloud IAM) roles should you give to the security team?
A. Org viewer, project owner
B. Org viewer, project viewer
C. Org admin, project browser
D. Project owner, network admin
A

Answer B

Org viewer, project viewer. Organization Viewer (roles/resourcemanager.organizationViewer) lets the security team see the organization and browse its resource hierarchy, and Project Viewer (roles/viewer) granted at the organization node is inherited by every folder and project beneath it, giving read-only visibility of all resources without per-project grants. The other options either add write access (project owner, network admin) or full organization administration, which exceeds what "visibility" requires.