Preparing for Your

Associate Cloud
Engineer Journey

Course Workbook
 Proprietary + Confidential

Certification Exam Guide Sections

1 Setting up a cloud solution environment

2 Planning and configuring a cloud solution

3 Deploying and implementing a cloud solution

4 Ensuring successful operation of a cloud solution

5 Configuring access and security

 Proprietary + Confidential

Section 1:
Setting up a cloud solution
environment
 Proprietary + Confidential

1.1 Diagnostic Question 01

Stella is a new member of a team in your company A. Assign Stella a roles/compute.viewer role.
who has been put in charge of monitoring VM B. Assign Stella compute.instances.get permissions on
instances in the organization. Stella will need the all of the projects she needs to monitor.
required permissions to perform this role.
C. Add Stella to a Google Group in your organization.
Bind that group to roles/compute.viewer.
D. Assign the “viewer” policy to Stella.
How should you grant her those permissions?
 Proprietary + Confidential

1.1 Diagnostic Question 02

A. Organization, Project, Resource, Folder.

How are resource hierarchies organized
in Google Cloud? B. Organization, Folder, Project, Resource.
C. Project, Organization, Folder, Resource.
D. Resource, Folder, Organization, Project.
 Proprietary + Confidential

1.1 Diagnostic Question 03

A. The Project ID.

What Google Cloud project attributes
can be changed? B. The Project Name.
C. The Project Number.
D. The Project Category.
 Proprietary + Confidential

1.1 Diagnostic Question 04

Jane will manage objects in Cloud Storage A. Assign Jane the roles/storage.objectCreator on every project.
for the Cymbal Superstore. She needs to B. Assign Jane the roles/viewer on each project and the
have access to the proper permissions for roles/storage.objectCreator for each bucket.
every project across the organization.
C. Assign Jane the roles/editor at the organizational level.
D. Add Jane to a group that has the roles/storage.objectAdmin role
assigned at the organizational level.
What should you do?
 Proprietary + Confidential

1.1 Diagnostic Question 05

You need to add new groups of employees A. Grant the most restrictive basic role to most services, grant
in Cymbal Superstore’s production predefined or custom roles as necessary.
environment. You need to consider B. Grant predefined and custom roles that provide necessary
Google’s recommendation of using permissions and grant basic roles only where needed.
least privilege.
C. Grant the least restrictive basic roles to most services and grant
predefined and custom roles only when necessary.
What should you do?
D. Grant custom roles to individual users and implement basic roles
at the resource level.
 Proprietary + Confidential

1.1 Diagnostic Question 06

The Operations Department at Cymbal A. compute.images.list

Superstore wants to provide managers B. compute.images.get
access to information about VM usage
C. compute.images.create
without allowing them to make changes
that would affect the state. You assign D. compute.images.setIAM
them the Compute Engine Viewer role. E. computer.images.update

Which two permissions will they receive?

 Proprietary + Confidential

Setting up cloud projects

1.1 and accounts

Courses Skill Badges Documentation

Google Cloud Fundamentals: Overview | IAM Documentation

Core Infrastructure
Resource hierarchy | Resource Manager
● M2 Resources and Access in the Google Cloud Google Cloud
Documentation
Cloud Implement Load Balancing Set Up an App Dev
on Compute Engine Environment on Google Understanding roles | IAM Documentation
Cloud
Architecting with Google
Compute Engine
● M4 Identity and Access
Management (IAM)

=
Essential Google Cloud
Infrastructure: Core Services
● M1 Identity and Access
Management (IAM)
 Proprietary + Confidential

1.2 Diagnostic Question 07

A. Set up Cloud Billing to pay for usage costs in Google

How are billing accounts applied to
Cloud projects and Google Workspace accounts.
projects in Google Cloud? (Pick two.)
B. A project and its resources can be tied to more than
one billing account.
C. A billing account can be linked to one or more projects.
D. A project and its resources can only be tied to one
billing account.
E. If your project only uses free resources you don’t need
a link to an active billing account.
 Proprietary + Confidential

1.2 Diagnostic Question 08

Fiona is the billing administrator for the A. Change the budget alert default threshold rules to
project associated with Cymbal include Jeffrey as a recipient.
Superstore’s eCommerce application. B. Use Cloud Monitoring notification channels to send
Jeffrey, the marketing department lead, Jeffrey an email alert.
wants to receive emails related to budget
C. Add Jeffrey and Fiona to the budget scope custom
alerts. Jeffrey should have access to no
email delivery dialog.
additional billing information.
D. Send alerts to a Pub/Sub topic that Jeffrey is
subscribed to.
What should you do?
 Proprietary + Confidential

1.2 Managing billing configuration

Courses Documentation

Google Cloud Fundamentals: Core Infrastructure

Create, modify, or close your
● M2 Resources and Access in the Cloud self-serve
Cloud Billing account
Create, edit, or delete budgets
Architecting with Google Essential Google Cloud
and budget alerts | Cloud Billing
Compute Engine Infrastructure: Core Services
● M6 Resource = ● M3 Resource
Management Management
Section 2:
Planning and configuring a
cloud solution
 Proprietary + Confidential

2.1 Diagnostic Question 01

Cymbal Superstore decides to migrate A. Implement an application using containers on Cloud Run.
their supply chain application to Google B. Implement an application using code on App Engine.
Cloud. You need to configure specific
C. Implement an application using containers on Google
operating system dependencies.
Kubernetes Engine.
D. Implement an application using virtual machines on
What should you do?
Compute Engine.
 Proprietary + Confidential

2.1 Diagnostic Question 02

Cymbal Superstore decides to pilot a A. SSH into a Compute Engine VM and execute your code.
cloud application for their point of sale B. Package your code to a container image and post it to
system in their flagship store. You want Cloud Run.
to focus on code and develop your
C. Implement a deployment manifest and run kubectl
solution quickly, and you want your
apply on it in Google Kubernetes Engine.
code to be portable.
D. Code your solution in Cloud Run functions.

How do you proceed?

 Proprietary + Confidential

2.1 Diagnostic Question 03

An application running on a A. Create Compute Engine Virtual Machines and

highly-customized version of Ubuntu migrate the app to that infrastructure.
needs to be migrated to Google Cloud. B. Deploy the existing application to App Engine.
You need to do this in the least amount
C. Deploy your application in a container image to Cloud Run.
of time with minimal code changes.
D. Implement a Kubernetes cluster and create pods
to enable your app.
How should you proceed?
 Proprietary + Confidential

2.1 Diagnostic Question 04

You want to deploy a microservices A. Cloud Run

application. You need full control of how B. App Engine
you manage containers, reliability, and
C. Google Kubernetes Engine
autoscaling, but don’t want or need to
manage the control plane. D. Compute Engine

Which compute option should you use?

 Proprietary + Confidential

Planning and configuring

2.1 compute resources
Courses Skill Badge

Google Cloud Fundamentals: Getting Started with Google

Core Infrastructure Kubernetes Engine Google Cloud

Develop your
● M3 Virtual Machines and ● M2 Introduction to Containers Google Cloud
Networks in the Cloud and Kubernetes Network
● M5 Containers in the Cloud
● M6 Applications in the Cloud

Architecting with Google Essential Google Cloud Documentation

Compute Engine Infrastructure: Foundation Choosing the right compute option in
● M3 Virtual Machines = ● M3 Virtual Machines GCP: a decision tree
Application Hosting Options
Tutorials | Compute Engine
Documentation
 Proprietary + Confidential

2.2 Diagnostic Question 05

Cymbal Superstore needs to analyze whether A. BigQuery

they met quarterly sales projections. Analysts B. Cloud SQL
assigned to run this query are familiar with SQL.
C. Spanner
D. Firestore

What data solution should they implement?

 Proprietary + Confidential

2.2 Diagnostic Question 06

Cymbal Superstore’s supply chain A. Archive

application frequently analyzes large B. Coldline
amounts of data to inform business
C. Nearline
processes and operational dashboards.
D. Standard

What storage class would make

sense for this use case?
 Proprietary + Confidential

2.2 Diagnostic Question 07

Cymbal Superstore has a need to populate visual A. BigQuery

dashboards with historical time-based data. This B. Cloud Storage
is an analytical use-case.
C. Firestore
D. Cloud SQL
Which two storage solutions could they use? E. Bigtable
 Proprietary + Confidential

Planning and configuring

2.2 data storage options

Courses Skill Badge Documentation

Cloud Storage Options

Google Cloud Fundamentals:
Core Infrastructure Storage classes
Google Cloud
● M4 Storage in the Cloud Develop your Google Cloud Data lifecycle | Cloud Architecture
Network Center
Architecting with Google
Compute Engine
● M5 Storage and Database
Services
=
Essential Google Cloud
Infrastructure: Core Services
● M2 Storage and
Database Services
 Proprietary + Confidential

2.3 Diagnostic Question 08

Cymbal Superstore is piloting an A. Implement a premium tier global external

update to its ecommerce app for the Application Load Balancer connected to the
flagship store in Minneapolis, web tier as the frontend, and a regional internal
Minnesota. The app is implemented as Application Load Balancer between the web tier and backend.
a three-tier web service with traffic B. Implement a global external proxy Network Load Balancer connected
originating from the local area and to the web tier as the frontend, and a premium tier passthrough
resources dedicated for it in Network Load Balancer between the web tier and the backend.
us-central1. You need to configure a
C. Configure a standard tier regional external Application Load Balancer
secure, low-cost network
connected to the web tier as a frontend and a regional internal
load-balancing architecture for it.
Application Load Balancer between the web tier and the backend.
D. Configure a regional internal proxy Network Load Balancer connected
How do you proceed? to the web tier as the frontend and a standard tier internal proxy
Network Load Balancer between the web tier and the backend.
 Proprietary + Confidential

2.3 Diagnostic Question 09

A. Global Application Load Balancer

What Google Cloud load balancing option
runs at Layer 7 of the TCP stack? B. Global proxy Network Load Balancer
C. Regional passthrough Network Load Balancer
D. Regional internal proxy Network Load Balancer
 Proprietary + Confidential

Planning and configuring

2.4 network resources
Courses Documentation

Google Cloud Fundamentals: Core Infrastructure

Cloud Load Balancing overview
● M3 Virtual Machines and Networks in the Cloud
● M4 Storage in the Cloud
Cloud Load Balancing

Architecting with Google Essential Google Cloud

Compute Engine Infrastructure: Foundation
● M2 Virtual Networks ● M2 Virtual Networks
● M5 Storage and Database
Services = Essential Google Cloud
Infrastructure: Core Services
● M9 Load Balancing ● M2 Storage and Database
and Autoscaling Services
Elastic Google Cloud Infrastructure:
Scaling and Automation
● M2 Load Balancing
and Autoscaling
Section 3:
Deploying and
implementing a cloud
solution
 Proprietary + Confidential

3.1 Diagnostic Question 01

Cymbal Superstore’s sales department has A. Find a MySQL machine image in Cloud Marketplace and
a medium-sized MySQL database. This configure it to meet your needs.
database includes user-defined functions B. Implement a database instance using Cloud SQL, back up
and is used internally by the marketing your local data, and restore it to the new instance.
department at Cymbal Superstore HQ. The
C. Configure a Compute Engine VM with an N2 machine type,
sales department asks you to migrate the
install MySQL, and restore your data to the new instance.
database to Google Cloud in the most
timely and economical way. D. Use gcloud to implement a Compute Engine instance with
an E2-standard-8 machine type, install, and configure
What should you do? MySQL.
 Proprietary + Confidential

3.1 Diagnostic Question 02

The backend of Cymbal Superstore’s A. Create a new instance template. Click Update VMs. Set
e-commerce system consists of managed the update type to Opportunistic. Click Start.
instance groups. You need to update the B. Create a new instance template, then click Update VMs.
operating system of the instances in an Set the update type to PROACTIVE. Click Start.
automated way using minimal resources.
C. Create a new instance template. Click Update VMs. Set
max surge to 5. Click Start.
D. Abandon each of the instances in the managed instance
What should you do? group. Delete the instance template, replace it with a new
one, and recreate the instances in the managed group.
 Proprietary + Confidential

Deploying and implementing

3.1 Compute Engine resources

Courses Documentation

Google Cloud Fundamentals: Core Infrastructure Compute Engine documentation |

Compute Engine Documentation
● M3 Virtual Machines and Networks in the Cloud
Creating managed instance groups |
Compute Engine Documentation

Architecting with Google Essential Google Cloud

Compute Engine Infrastructure: Foundation
● M3 Virtual Machines ● M3 Virtual Machines
● M9 Load Balancing and
Autoscaling = Elastic Google Cloud Infrastructure:
Scaling and Automation
● M10 Infrastructure ● M2 Load Balancing
Automation and Autoscaling
● M3 Infrastructure Automation
 Proprietary + Confidential

3.2 Diagnostic Question 03

The development team for the supply A. Implement an autopilot cluster in us-central1-a with a
chain project is ready to start building default pool and an Ubuntu image.
their new cloud app using a small B. Implement a private standard zonal cluster in us-central1-a
Kubernetes cluster for the pilot. The with a default pool and an Ubuntu image.
cluster should only be available to team
C. Implement a private standard regional cluster in
members and does not need to be highly
us-central1 with a default pool and container-optimized
available. The developers also need the
image type.
ability to change the cluster architecture
as they deploy new capabilities. D. Implement an autopilot cluster in us-central1 with an
Ubuntu image type.
How would you implement this?
 Proprietary + Confidential

Deploying and Implementing

3.2 Google Kubernetes Engine resources

Courses Skill Badge Documentation

Types of clusters | Kubernetes

Google Cloud Fundamentals:
Engine Documentation
Core Infrastructure Google Cloud

● M5 Containers in the Cloud Develop your Google

Cloud Network
Getting Started with Google
Kubernetes Engine
● M2 Introduction to Containers
and Kubernetes
● M3 Kubernetes Architecture
 Proprietary + Confidential

3.3 Diagnostic Question 04

You need to quickly deploy a containerized A. App Engine flexible environment

web application on Google Cloud. You know B. App Engine standard environment
the services you want to be exposed. You
C. Cloud Run
do not want to manage infrastructure. You
only want to pay when requests are being D. Cloud Run functions
handled and need support for custom
packages.

What technology meets these needs?

 Proprietary + Confidential

3.3 Diagnostic Question 05

You need to analyze and act on files being A. --trigger-event google.storage.object.finalize

added to a Cloud Storage bucket. Your B. --trigger-event google.storage.object.create
programming team is proficient in Python.
C. --trigger-event google.storage.object.change
The analysis you need to do takes at most 5
minutes. You implement a Cloud Run function D. --trigger-event google.storage.object.add
to accomplish your processing and specify a
trigger resource pointing to your bucket.

How should you configure the

--trigger-event parameter using gcloud?
 Proprietary + Confidential

Deploying and implementing Cloud Run

3.3 and Cloud Run functions resources

Courses Documentation

Google Cloud Fundamentals: Core Infrastructure Choose an App Engine

● M6 Applications in the Cloud environment | App Engine
● M7 Developing and Deploying in the Cloud Documentation
Application Hosting Options
Cloud Run: What no one tells you
about Serverless (and how it's
done)
Cloud Run functions
 Proprietary + Confidential

3.4 Diagnostic Question 06

You require a Cloud Storage bucket serving A. Run a gcloud storage objects command and specify
users in New York City and San Francisco. --remove-acl-grant.
Users in London will not use this bucket. B. Run a gsutil mb command specifying a multi-regional
You do not plan on using ACLs. location and an option to turn ACL evaluation off.
C. Run a gcloud storage buckets create command, but do
not specify –-location.
What CLI command do you use? D. Run a gcloud storage buckets create command
specifying –-placement us-east1, europe-west2
 Proprietary + Confidential

3.4 Diagnostic Question 07

Cymbal Superstore asks you to implement Cloud A. --availability-type

SQL as a database backend to their supply chain B. --replica-type
application. You want to configure automatic failover
C. --secondary-zone
in case of a zone outage. You decide to use the
gcloud sql instances create command set to D. --control_plane-instance-name
accomplish this.

Which gcloud command line argument is required

to configure the stated failover capability as you
create the required instances?
 Proprietary + Confidential

3.4 Diagnostic Question 08

Cymbal Superstore’s marketing A. Implement a bq load command in a command line script

department needs to load some slowly and schedule it with cron.
changing data into BigQuery. The data B. Read the data from your bucket by using the BigQuery
arrives hourly in a Cloud Storage bucket. streaming API in a program.
You want to minimize cost and implement
C. Create a Cloud Run function to push data to BigQuery
this in the fewest steps.
through a Dataflow pipeline.
D. Use the BigQuery Data Transfer Service to schedule a
What should you do?
transfer between your bucket and BigQuery.
 Proprietary + Confidential

Deploying and implementing

3.4 data solutions
Courses Skill Badges Documentation
Google Cloud Fundamentals: Creating storage buckets | Cloud
Core Infrastructure Storage
Google Cloud
● M4 Storage in the Cloud What is Cloud Storage?
Set Up an App Dev
Environment on Google Cloud SQL for MySQL features
Architecting with Google Cloud Creating instances | Cloud SQL for
Compute Engine MySQL
● M5 Storage and How to load, import, or ingest data
Database Services into BigQuery for analysis

= Google Cloud Introduction to loading data |

BigQuery
Develop your Google
Essential Google Cloud
Cloud Network
Infrastructure: Core Services
● M2 Storage and
Database Services
 Proprietary + Confidential

3.5 Diagnostic Question 09

Which Virtual Private Cloud (VPC) network A. Default Project network

type allows you to fully control IP ranges B. Auto mode network
and the definition of regional subnets? C. Custom mode network
D. An auto mode network converted to a custom network
 Proprietary + Confidential

Deploying and implementing

3.5 networking resources

Courses Skill Badge Documentation

VPC network overview

Architecting with Google
Compute Engine Google Cloud

● M2 Virtual Networks Develop your Google

Cloud Network
=
Essential Google Cloud
Infrastructure: Foundation
● M2 Virtual Networks
 Proprietary + Confidential

3.6 Diagnostic Question 10

What action does the terraform A. Downloads the latest version of the terraform provider.
apply command perform? B. Verifies syntax of terraform config file.
C. Shows a preview of resources that will be created.
D. Sets up resources requested in the terraform config file.
 Proprietary + Confidential

Implementing resources through

3.6 infrastructure as code

Documentation
Courses Skill Badge
Introduction
Architecting with Google Using Terraform with Google Cloud
Compute Engine Google Cloud

● M10 Infrastructure Automation Build Infrastructure with

Terraform on Google Cloud
=
Elastic Google Cloud Infrastructure:
Scaling and Automation
● M3 Infrastructure Automation
Section 4:
Ensuring successful
operation of a cloud
solution
 Proprietary + Confidential

4.1 Diagnostic Question 01

A. gcloud compute snapshots list

You want to view a description of your
available snapshots using the command B. gcloud snapshots list
line interface (CLI). What gcloud C. gcloud compute snapshots get
command should you use?
D. gcloud compute list snapshots
 Proprietary + Confidential

4.1 Diagnostic Question 02

You have a scheduled snapshot you A. Delete the downstream incremental snapshots before
are trying to delete, but the operation deleting the main reference.
returns an error. B. Delete the object the snapshot was created from.
C. Detach the snapshot schedule before deleting it.
What should you do to resolve
this problem? D. Restore the snapshot to a persistent disk before deleting it.
 Proprietary + Confidential

Managing Compute
4.1
Engine resources

Courses Documentation

Google Cloud Fundamentals: Core Infrastructure Working with persistent disk

snapshots | Compute Engine
● M3 Virtual Machines and Networks in the Cloud
Documentation
Working with persistent disk
snapshots | Compute Engine
Architecting with Google Essential Google Cloud
Documentation
Compute Engine Infrastructure: Foundation
Persistent disk snapshots | Compute
● M3 Virtual Machines ● M3 Virtual Machines
Engine Documentation
● M9 Load Balancing
and Autoscaling = Elastic Google Cloud Infrastructure:
Scaling and Automation
● M2 Load Balancing
and Autoscaling
 Proprietary + Confidential

4.2 Diagnostic Question 03

Cymbal Superstore’s GKE cluster requires an A. Annotate your ingress object with an ingress.class of “gce.”
internal Application Load Balancer. You are B. Configure your service object with a type: LoadBalancer.
creating the configuration files required
C. Annotate your service object with a “neg” reference.
for this resource.
D. Implement custom static routes in your VPC.

What is the proper setting for this scenario?

 Proprietary + Confidential

4.2 Diagnostic Question 04

A. Pod templates
What Kubernetes object provides
access to logic running in your cluster B. Pods
via endpoints that you define? C. Services
D. Deployments
 Proprietary + Confidential

4.2 Diagnostic Question 05

A. kubectl apply
What is the declarative way to initialize B. kubectl create
and update Kubernetes objects?
C. kubectl replace
D. kubectl run
 Proprietary + Confidential

Documentation
Managing Google Kubernetes
4.2 Engine resources Ingress for internal Application Load
Balancers
Ingress for external Application
Load Balancers
Configure Ingress for external
Application Load Balancers
Courses Skill Badge
Configuring Ingress for internal
Application Load Balancers
Google Cloud Fundamentals: Core GKE overview | Kubernetes Engine
Infrastructure Google Cloud Documentation
● M5 Containers in the Cloud Pod | Kubernetes Engine
Develop your Google
Cloud Network Documentation
Getting Started with Google
Kubernetes Engine Deployment | Kubernetes Engine
Documentation
● M3 Kubernetes Architecture
● M4 Kubernetes Operations Services | Kubernetes Engine
Documentation
Overview of deploying workloads |
Kubernetes Engine Documentation
Kubernetes Object Management
 Proprietary + Confidential

4.3 Diagnostic Question 06

You have a Cloud Run service with a A. Set Min instances.

database backend. You want to limit B. Set Max instances.
the number of connections to
C. Set CPU Utilization.
your database.
D. Set Concurrency settings.

What should you do?

 Proprietary + Confidential

4.3 Managing Cloud Run resources

Courses Documentation

Google Cloud Fundamentals: Core Infrastructure About container instance

autoscaling | Cloud Run
● M6 Applications in the Cloud
Documentation
 Proprietary + Confidential

4.4 Diagnostic Question 07

You want to implement a lifecycle rule that A. Age

changes your storage type from Standard B. CreatedBefore
to Nearline after a specific date.
C. MatchesStorageClass
D. IsLive
What conditions should you use?
E. NumberofNewerVersions
(Pick two.)
 Proprietary + Confidential

4.4 Managing storage and database solutions

Courses Documentation

Google Cloud Fundamentals: Core Infrastructure Object Lifecycle Management |

● M4 Storage in the Cloud Cloud Storage

Architecting with Google Essential Google Cloud

Compute Engine Infrastructure: Core Services
● M5 Storage and
= ● M2 Storage and
Database Services Database Services
 Proprietary + Confidential

4.5 Diagnostic Question 08

Cymbal Superstore has a subnetwork A. gcloud compute networks subnets expand-ip-range

called mysubnet with an IP range of mysubnet --region us-central1 --prefix-length 20
10.1.2.0/24. You need to expand this B. gcloud networks subnets expand-ip-range mysubnet
subnet to include enough IP addresses --region us-central1 --prefix-length 21
for at most 2000 users or devices.
C. gcloud compute networks subnets expand-ip-range
mysubnet --region us-central1 --prefix-length 21
D. gcloud compute networks subnets expand-ip-range
What should you do?
mysubnet --region us-cetnral1 --prefix-length 22
 Proprietary + Confidential

4.5 Managing networking resources

Courses Documentation

gcloud compute networks

Architecting with Google Essential Google Cloud subnets expand-ip-range
Compute Engine Infrastructure: Foundation
● M2 Virtual Networks = ● M2 Virtual Networks
Using VPC networks
 Proprietary + Confidential

4.6 Diagnostic Question 09

Cymbal Superstore’s supply chain A. Choose resource type of VM instance

management system has been and metric of CPU load, condition
deployed and is working well. You are trigger if any time series violates,
tasked with monitoring the system’s condition is below, threshold is .60, for 5 minutes.
resources so you can react quickly to B. Choose resource type of VM instance and metric of CPU utilization,
any problems. You want to ensure the condition trigger all time series violates, condition is above,
CPU usage of each of your Compute threshold is .60 for 5 minutes.
Engine instances in us-central1 remains
C. Choose resource type of VM instance, and metric of CPU utilization,
below 60%. You want an incident
condition trigger if any time series violates, condition is below,
created if it exceeds this value for 5
threshold is .60 for 5 minutes.
minutes. You need to configure the
proper alerting policy for this scenario. D. Choose resource type of VM instance and metric of CPU utilization,
condition trigger if any time series violates, condition is above,
threshold is .60 for 5 minutes.
What should you do?
 Proprietary + Confidential

4.6 Monitoring and logging

Courses Skill Badges Documentation

Managing metric-based alerting

Architecting with Google policies | Cloud Monitoring
Compute Engine Google Cloud
Introduction to alerting | Cloud
● M7 Resource Monitoring Set Up an App Dev Monitoring
Environment on Google

= Cloud

Essential Google Cloud

Infrastructure: Core Services
● M4 Resource Monitoring Google Cloud

Develop your Google

Cloud Network
Section 5:
Configuring access and
security
 Proprietary + Confidential

5.1 Diagnostic Question 01

You need to configure access to A. Assign permissions to a Google account referenced

Spanner from the GKE cluster that is by the application.
supporting Cymbal Superstore’s B. Assign permissions through a Google Workspace
ecommerce microservices application. account referenced by the application.
You want to specify an account type to
C. Assign permissions through service account
set the proper permissions.
referenced by the application.
D. Assign permissions through a Cloud Identity account
What should you do? referenced by the application.
 Proprietary + Confidential

5.1 Diagnostic Question 02

You are trying to assign roles to the dev and A. Ask your administrator for
prod projects of Cymbal Superstore’s resourcemanager.projects.setIamPolicy roles for
e-commerce app but are receiving an error each project.
when you try to run set-iam policy. The B. Ask your administrator for the
projects are organized into an ecommerce roles/resourcemanager.folderIamAdmin for the
folder in the Cymbal Superstore organizational ecommerce folder.
hierarchy. You want to follow best practices for
C. Ask your administrator for the
the permissions you need while respecting the
roles/resourcemanager.organizationAdmin for
practice of least privilege.
Cymbal Superstore.

What should you do? D. Ask your administrator for the

roles/iam.securityAdmin role in IAM.
 Proprietary + Confidential

5.1 Diagnostic Question 03

You have a custom role implemented for A. Make the change to the custom role locally
administration of the dev/test environment for and run an update on the custom role.
Cymbal Superstore’s transportation B. Delete the custom role and recreate a new
management application. You are developing a custom role with required permissions.
pilot to use Cloud Run instead of Cloud Run
C. Copy the existing role, add the new
functions. You want to ensure your
permissions to the copy, and delete the old
administrators have the correct access to the
role.
new resources.
D. Create a new role with needed permissions
and migrate users to it.
What should you do?
 Proprietary + Confidential

Managing Identity and

5.1 Access Management (IAM)

Courses Skill Badge Documentation

Google Cloud Fundamentals: Overview | IAM Documentation

Core Infrastructure
Google Kubernetes Engine security
● M2 Resources and Access in the overview
Cloud
Google Cloud

Architecting with Google Develop your Google

Compute Engine Cloud Network
● M4 Identity and Access
Management (IAM)

=
Essential Google Cloud
Infrastructure: Core Services
● M1 Identity and Access
Management (IAM)
 Proprietary + Confidential

5.2 Diagnostic Question 04

A. To directly access user data

Which of the scenarios below is an
example of a situation where you B. For development environments
should use a service account? C. For interactive analysis
D. For individual GKE pods
 Proprietary + Confidential

5.2 Diagnostic Question 05

Cymbal Superstore is implementing a mobile A. API key

app for end users to track deliveries that are en
B. OAuth 2.0 client
route to them. The app needs to access data
about truck location from Pub/Sub using C. Environment provided service account
Google recommended practices. D. Service account key

What kind of credentials should you use?

 Proprietary + Confidential

5.2 Managing service accounts

Courses Documentation

Google Cloud Fundamentals: Core Infrastructure Authenticating as a service

account | Authentication
● M2 Resources and Access in the Cloud
Authentication overview

Architecting with Google Essential Google Cloud

Compute Engine Infrastructure: Core Services
● M4 Identity = ● M1 Identity and Access
and Access Management (IAM)
Management (IAM)
 Proprietary + Confidential

When will you take the exam?

Plan time How many weeks do you have to

prepare?

to prepare How many hours will you spend

preparing for the exam each week?

How many total hours will you

prepare?
 Proprietary + Confidential

Example 6-week plan

Week 1 Week 2 Week 3 Week 4 Week 5 Week 6

Google Cloud Architecting with Getting started Logging, Getting Started Sample
Fundamentals: Compute Engine with GKE Monitoring and with Terraform questions
Core Observability in for Google Cloud
Infrastructure Set Up an App Google Cloud
Dev Environment Build Review
Implement Load on Google Cloud Develop your Infrastructure documentation
Balancing on Skill Badge Google Cloud with Terraform
Compute Engine Network on Google Cloud
Skill Badge Skill Badge Skill Badge
 Proprietary + Confidential

Weekly study plan

Now, consider what you’ve learned about your knowledge and skills
through the diagnostic questions in this course. You should have a
better understanding of what areas you need to focus on and what
resources are available.

Use the template that follows to plan your study goals for each week.
Consider:
● What exam guide section(s) or topic area(s) will you focus on?
● What courses (or specific modules) will help you learn more?
● What Skill Badges or labs will you work on for hands-on practice?
● What documentation links will you review?
● What additional resources will you use - such as sample
questions?
You may do some or all of these study activities each week.

Duplicate the weekly template for the number of weeks in your

individual preparation journey.
 Proprietary + Confidential

Weekly study template (example)

Area(s) of focus: Configuring access using IAM

Courses/modules Google Cloud Fundamentals: Core Infrastructure, Module 2 Getting Started with Google Cloud
to complete: Architecting with Google Compute Engine, Module 4 IAM

Skill Badges/labs Develop your Google Cloud Network

to complete:

Documentation https://cloud.google.com/iam/docs/overview
https://cloud.google.com/architecture/prep-kubernetes-engine-for-prod#managing_identity_and_access
to review: https://cloud.google.com/iam/docs/creating-custom-roles
https://cloud.google.com/docs/authentication/production#automatically
https://cloud.google.com/docs/authentication/

Additional study: Sample questions 1-5

 Proprietary + Confidential

Weekly study template

Area(s) of focus:

Courses/modules
to complete:

Skill Badges/labs
to complete:

Documentation
to review:

Additional study: