A colleague handed over a Google Cloud Platform project for you to maintain. As part of a security checkup, you want to review who has been granted the Project Owner role. What should you do?
Correct Answer: D
A simple approach would be to use the command flags available when listing all the IAM policy for a given project. For instance, the following command: `gcloud projects get-iam-policy $PROJECT_ID --flatten=" bindings[].members" --format="table(bindings.members)" --filter="bindings.role:roles/owner"` outputs all the users and service accounts associated with the role 'roles/owner' in the project in question. https://groups. google.com/g/google-cloud-dev/c/Z6sZs7TvygQ?pli=1
Associate-Cloud-Engineer Exam Question 42
You assist different engineering teams in deploying their infrastructure on Google Cloud. Your company has defined certain practices required for all workloads. You need to provide the engineering teams with a solution that enables teams to deploy their infrastructure independently without having to know all implementation details of the company's required practices. What should you do?
Correct Answer: D
The goal is to enable teams to deploy infrastructure independently while ensuring compliance with company practices, without requiring teams to understand the underlying details of those practices. Option A provides deployment capability but doesn't enforce practices. The Editor role is overly broad, and using the gcloud CLI directly requires knowledge of how to configure resources compliantly. Option B requires teams to learn all the practices, contradicting the requirement that they don't need to know the implementation details. Option C (Organization Policies) is useful for setting constraints (e.g., disallowing public IPs, restricting regions), but it doesn't provide pre-configured, deployable components that embody best practices. Teams still need to figure out how to build compliant resources within the policy constraints. Option D (Terraform Modules): This approach encapsulates the company's required practices within reusable infrastructure-as-code modules. Engineering teams can then use these modules as building blocks, providing only the necessary input parameters (like application name or size). The module handles the compliant implementation details internally. This allows teams to deploy independently and ensures compliance without needing deep knowledge of every practice. Using standardized, compliant modules is a common pattern for enabling self-service infrastructure deployment while maintaining standards and governance. References: Terraform Modules: "Modules are containers for multiple resources that are used together... Modules allow complex resources to be abstracted away behind a clean interface." - https://developer.hashicorp.com /terraform/language/modules Google Cloud Architecture Framework - Security, privacy, and compliance: Recommends using IaC and pre- approved templates/modules to enforce security configurations. - https://cloud.google.com/architecture /framework/security-privacy-compliance/define-and-enforce-security-configurations Organization Policy Service: "The Organization Policy Service gives you centralized and programmatic control over your organization's cloud resources... define constraints..." (Focuses on constraints, not providing deployable components). - https://cloud.google.com/resource-manager/docs/organization-policy/overview
Associate-Cloud-Engineer Exam Question 43
You are hosting an application from Compute Engine virtual machines (VMs) in us-central1-a. You want to adjust your design to support the failure of a single Compute Engine zone, eliminate downtime, and minimize cost. What should you do?
Correct Answer: A
Choosing a region and zone You choose which region or zone hosts your resources, which controls where your data is stored and used. Choosing a region and zone is important for several reasons: Handling failures Distribute your resources across multiple zones and regions to tolerate outages. Google designs zones to be independent from each other: a zone usually has power, cooling, networking, and control planes that are isolated from other zones, and most single failure events will affect only a single zone. Thus, if a zone becomes unavailable, you can transfer traffic to another zone in the same region to keep your services running. Similarly, if a region experiences any disturbances, you should have backup services running in a different region. For more information about distributing your resources and designing a robust system, see Designing Robust Systems. Decreased network latency To decrease network latency, you might want to choose a region or zone that is close to your point of service.https://cloud.google.com/compute/docs/regions- zones#choosing_a_region_and_zone
Associate-Cloud-Engineer Exam Question 44
You are using Deployment Manager to create a Google Kubernetes Engine cluster. Using the same Deployment Manager deployment, you also want to create a DaemonSet in the kube-system namespace of the cluster. You want a solution that uses the fewest possible services. What should you do?
Correct Answer: A
Adding an API as a type provider This page describes how to add an API to Google Cloud Deployment Manager as a type provider. To learn more about types and type providers, read the Types overview documentation. A type provider exposes all of the resources of a third-party API to Deployment Manager as base types that you can use in your configurations. These types must be directly served by a RESTful API that supports Create, Read, Update, and Delete (CRUD). If you want to use an API that is not automatically provided by Google with Deployment Manager, you must add the API as a type provider. https://cloud.google.com/deployment-manager/docs/configuration/type-providers/creating-type-provider
Associate-Cloud-Engineer Exam Question 45
You need to create a copy of a custom Compute Engine virtual machine (VM) to facilitate an expected increase in application traffic due to a business acquisition. What should you do?
Correct Answer: D
A custom image belongs only to your project. To create an instance with a custom image, you must first have a custom image. Reference:https://cloud.google.com/compute/docs/instances/create-start-instance Preparing your instance for an image You can create an image from a disk even while it is attached to a running VM instance. However, your image will be more reliable if you put the instance in a state that is easier for the image to capture. Use one of the following processes to prepare your boot disk for the image: Stop the instance so that it can shut down and stop writing any data to the persistent disk. If you can't stop your instance before you create the image, minimize the amount of writes to the disk and sync your file system. Pause apps or operating system processes that write data to that persistent disk. Run an app flush to disk if necessary. For example, MySQL has a FLUSH statement. Other apps might have similar processes. Stop your apps from writing to your persistent disk. Run sudo sync. After you prepare the instance, create the image. https://cloud.google.com/compute/docs/images/create-delete-deprecate-private- images#prepare_instance_for_image