Associate-Cloud-Engineer Google Cloud Certified - Associate Cloud Engineer Questions and Answers

In Cloud Identity, set up SSO with Google as an identity provider to access custom SAML apps.

In Cloud Identity, set up SSO with a third-party identity provider with Google as a service provider.

Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Mobile & Desktop Apps.

Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Web Server Applications.

1. Create an IAM entry for each data scientist's user account.2. Assign the BigQuery jobUser role to the group.

1. Create an IAM entry for each data scientist's user account.2. Assign the BigQuery dataViewer user role to the group.

1. Create a dedicated Google group in Cloud Identity.2. Add each data scientist's user account to the group.3. Assign the BigQuery jobUser role to the group.

1. Create a dedicated Google group in Cloud Identity.2. Add each data scientist's user account to the group.3. Assign the BigQuery dataViewer user role to the group.

Open the Google Cloud console, and run a query to determine which resources this service account can access.

Open the Google Cloud console, and run a query of the audit logs to find permission denied errors for this service account.

Open the Google Cloud console, and check the organization policies.

Open the Google Cloud console, and check the Identity and Access Management (IAM) roles assigned to the service account at the project or inherited from the folder or organization levels.

Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key in the metadata of each instance.

Ask each member of the team to generate a new SSH key pair and to send you their public key. Use a configuration management tool to deploy those keys on each instance.

Ask each member of the team to generate a new SSH key pair and to add the public key to their Google account. Grant the “compute.osAdminLogin” role to the Google group corresponding to this team.

Generate a new SSH key pair. Give the private key to each member of your team. Configure the public key as a project-wide public SSH key in your Cloud Platform project and allow project-wide public SSH keys on each instance.

Create a Service Account in your own project, and grant this Service Account access to BigGuery in your project

Create a Service Account in your own project, and ask the partner to grant this Service Account access to BigQuery in their project

Ask the partner to create a Service Account in their project, and have them give the Service Account access to BigQuery in their project

Ask the partner to create a Service Account in their project, and grant their Service Account access to the BigQuery dataset in your project

Cloud Run for Anthos

Cloud Run

App Engine Standard

Cloud Functions.

Create the instance without a public IP address.

Create the instance with Private Google Access enabled.

Create a deny-all egress firewall rule on the VPC network.

Create a route on the VPC to route all traffic to the instance over the VPN tunnel.

Ensure the checkbox "Serve this revision immediately" is unchecked when deploying the new revision. Before changing the traffic rules, use a traffic simulation tool to send load to the new revision.

Configure service autoscaling and set the minimum number of instances to 2.

Configure revision autoscaling for the new revision and set the minimum number of instances to 2.

Configure revision autoscaling for the existing revision and set the minimum number of instances to 2.

Use a Shielded VM.

Use a Preemptible VM.

Use a sole-tenant node.

Enable deletion protection on the instance.

Add your SREs to roles/iam.roleAdmin role.

Add your SREs to roles/accessapproval approver role.

Add your SREs to a group and then add this group to roles/iam roleAdmin role.

Add your SREs to a group and then add this group to roles/accessapproval approver role.

Create a signed URL with a four-hour expiration and share the URL with the company.

Set object access to ‘public’ and use object lifecycle management to remove the object after four hours.

Configure the storage bucket as a static website and furnish the object’s URL to the company. Delete the object from the storage bucket after four hours.

Create a new Cloud Storage bucket specifically for the external company to access. Copy the object to that bucket. Delete the bucket after four hours have passed.

Set metadata to enable-oslogin=true for the instance. Grant the dev1 group the compute.osLogin role. Direct them to use the Cloud Shell to ssh to that instance.

Set metadata to enable-oslogin=true for the instance. Set the service account to no service account for that instance. Direct them to use the Cloud Shell to ssh to that instance.

Enable block project wide keys for the instance. Generate an SSH key for each user in the dev1 group. Distribute the keys to dev1 users and direct them to use their third-party tools to connect.

Enable block project wide keys for the instance. Generate an SSH key and associate the key with that instance. Distribute the key to dev1 users and direct them to use their third-party tools to connect.

Search errors in Cloud Audit Logs to analyze the issue.

Configure Cloud Trace to analyze the issue.

View errors in Cloud Monitoring to analyze the issue.

Use the information schema views to analyze the underlying issue.

Use BigQuery Bl Engine to analyze the issue.

Write a script that runs gsutil Is -| – gs://myapp-gcp-ace-logs/ to find and remove items older than 90 days. Schedule the script with cron.

Write a lifecycle management rule in JSON and push it to the bucket with gsutil lifecycle set config-json-file.

Write a lifecycle management rule in XML and push it to the bucket with gsutil lifecycle set config-xml-file.

Write a script that runs gsutil Is -Ir gs://myapp-gcp-ace-logs/ to find and remove items older than 90 days. Repeat this process every morning.

Review details of the myapp-service Service object and check for error messages.

Review details of the myapp-deployment Deployment object and check for error messages.

Review details of myapp-deployment-58ddbbb995-lp86m Pod and check for warning messages.

View logs of the container in myapp-deployment-58ddbbb995-lp86m pod and check for warning messages.

Use Cloud Storage with Object Lifecycle Management to change the object storage class to Coldline after six months.

Use Cloud Storage with Object Lifecycle Management to change the object storage class to Standard after six months.

Store your documents on Filestore and move the documents to Cloud Storage with object storage class set to Coldline after six months.

Store your documents on Filestore and move the documents to Cloud Storage with object storage class set to Standard after six months.

Add users to roles/bigquery user role only, instead of roles/bigquery dataOwner.

Add users to roles/bigquery dataEditor role only, instead of roles/bigquery dataOwner.

Create a custom role by removing delete permissions, and add users to that role only.

Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role.

Create individual VPCs per Google Cloud project. Peer all the VPCs together. Apply organization policies on the organization level.

Create individual VPCs for each Google Cloud project. Peer all the VPCs together. Apply hierarchical firewall policies on the organization level.

Create a host VPC project with each production project as its service project. Apply organization policies on the organization level.

Create a host VPC project with each production project as its service project. Apply hierarchical firewall policies on the organization level.

Create a Cloud Bigtable cluster and use the HBase API

Deploy MongoDB Alias from the Google Cloud Marketplace

Download a MongoDB installation package and run it on Compute Engine instances

Download a MongoDB installation package, and run it on a Managed Instance Group

Create a single custom VPC with 2 subnets. Create each subnet in a different region and with a different CIDR range.

Create a single custom VPC with 2 subnets. Create each subnet in the same region and with the same CIDR range.

Create 2 custom VPCs, each with a single subnet. Create each subnet is a different region and with a different CIDR range.

Create 2 custom VPCs, each with a single subnet. Create each subnet in the same region and with the same CIDR range.

Set the europe-west1-d zone as the default zone using the gcloud config subcommand.

In the Settings page for Compute Engine under Default location, set the zone to europe–west1-d.

In the CLI installation directory, create a file called default.conf containing zone=europe–west1–d.

Create a Metadata entry on the Compute Engine page with key compute/zone and value europe–west1–d.

Use the gcloud container clusters create command with the options--enable-multi-networking and--enable- autoscaling to create an autoscaling zonal cluster and deploy the application to it.

Use the gcloud container clusters create-auto command to create an autopilot cluster and deploy the application to it.

Use the gcloud container clusters update command with the option—region us-centrall to update the cluster and deploy the application to it.

Use the gcloud container clusters update command with the option—node-locations us-centrall-a,us-centrall-b to update the cluster and deploy the application to the nodes.

Create a service account with just the permissions to access files in the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -m 1h gs:///*.

Create a service account with just the permissions to access files in the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -d 1h gs:///.

Create a service account with just the permissions to access files in the bucket. Create a JSON key for the service account. Execute the command gsutil signurl -p 60m gs:///.

Create a JSON key for the Default Compute Engine Service Account. Execute the command gsutil signurl -t 60m gs:///*

Implement a Cloud Run job to rotate all service account keys periodically in pj-sa. Enforce an org policy to deny service account key creation with an exception to pj-sa.

Implement a Kubernetes Cronjob to rotate all service account keys periodically. Disable attachment ofservice accounts to resources in all projects with an exception to pj-sa.

Enforce an org policy constraint allowing the lifetime of service account keys to be 24 hours. Enforce an org policy constraint denying service account key creation with an exception on pj-sa.

Enforce a DENY org policy constraint over the lifetime of service account keys for 24 hours. Disable attachment of service accounts to resources in all projects with an exception to pj-sa.

Create a custom role with view-only project permissions. Add the user's account to the custom role.

Create a custom role with view-only service permissions. Add the user's account to the custom role.

Select the built-in IAM project Viewer role. Add the user's account to this role.

Select the built-in IAM service Viewer role. Add the user's account to this role.

kubectl get deployments –output=pods

gcloud get pods –selector=”app=prod”

kubectl get pods -I “app=prod”

gcloud list gke-deployments -filter={pod }

Select the MIG from the Compute Engine console and, in the menu, select Replace VMs.

Use the gcloud compute instance-groups managed recreate-instances command to recreate theVM.

Use the gcloud compute instances update command with a REFRESH action for the VM.

Update and apply the instance template of the MIG.

Create a file in Cloud Storage per device and append new data to that file.

Create a file in Cloud Filestore per device and append new data to that file.

Ingest the data into Datastore. Store data in an entity group based on the device.

Ingest the data into Cloud Bigtable. Create a row key based on the event timestamp.

Update your web application to use the protocol HTTP/2 instead of HTTP/1.1

Set the concurrency number to 1 for your Cloud Run service.

Set the maximum number of instances for your Cloud Run service to 100.

Set the minimum number of instances for your Cloud Run service to 3.

Option A

Option B

Option C

Option D

Grant the financial team the IAM role ofג€Billing Account Userג€ on the billing account linked to your credit card.

Set up BigQuery billing export and grant your financial department IAM access to query the data.

Create a ticket with Google Billing Support to ask them to send the invoice to your company.

Change the billing account of your projects to the billing account of your company.

Create two configurations using gcloud config. Write a script that sets configurations as active, individually. For each configuration, use gcloud compute instances list to get a list of compute resources.

Create two configurations using gsutil config. Write a script that sets configurations as active, individually. For each configuration, use gsutil compute instances list to get a list of compute resources.

Go to Cloud Shell and export this information to Cloud Storage on a daily basis.

Go to GCP Console and export this information to Cloud SQL on a daily basis.

Grant each individual external consultant the role of BigQuery Editor

Grant each individual external consultant the role of BigQuery Viewer

Create a Google Group that contains the consultants and grant the group the role of BigQuery Editor

Create a Google Group that contains the consultants, and grant the group the role of BigQuery Viewer

When creating the VM via the web console, specify the service account under the ‘Identity and API Access’ section.

Download a JSON Private Key for the service account. On the Project Metadata, add that JSON as the value for the key compute-engine-service-account.

Download a JSON Private Key for the service account. On the Custom Metadata of the VM, add that JSON as the value for the key compute-engine-service-account.

Download a JSON Private Key for the service account. After creating the VM, ssh into the VM and save the JSON under ~/.gcloud/compute-engine-service-account.json.

Split the users from business units to multiple projects.

Apply a user- or project-level custom query quota for BigQuery data warehouse.

Create separate copies of your BigQuery data warehouse for each business unit.

Split your BigQuery data warehouse into multiple data warehouses for each business unit.

Change your BigQuery query model from on-demand to flat rate. Apply the appropriate number of slots to each Project.

Create a Cloud Storage bucket. Establish an Identity and Access Management (IAM) role with write permissions to the bucket. Use the gsutil tool to directly copy files over the network to Cloud Storage.

Set up a Cloud Interconnect connection between the on-premises network and Google Cloud. Establish a private endpoint for Filestore access. Transfer the data from the existing Network File System (NFS) to Filestore.

Use Transfer Appliance to request an appliance. Load the data locally, and ship the appliance back to Google for ingestion into Cloud Storage.

Use Storage Transfer Service to move the data from the selected on-premises file storage systems to a Cloud Storage bucket.

Download the private key from the service account, and add it to each VMs custom metadata.

Download the private key from the service account, and add the private key to each VM’s SSH keys.

Grant the service account the IAM Role of Compute Storage Admin in the project called proj-vm.

When creating the VMs, set the service account’s API scope for Compute Engine to read/write.

In the Google Cloud console for your organization, select Create role from selection, and choose destination as the startup company's organization

In the Google Cloud console for the startup company, select Create role from selection and choose source as the startup company's Google Cloud organization.

Use the gcloud iam roles copy command, and provide the Organization ID of the startup company'sGoogle Cloud Organization as the destination.

Use the gcloud iam roles copy command, and provide the project IDs of all projects in the startup company s organization as the destination.

Use Spanner for all data.

Use Cloud SQL for customer data, Cloud Storage (Coldline) for historical logs, and BigQuery for sensor data.

Use Cloud SQL for customer data, Cloud Storage (Archive) for historical logs, and Bigtable for sensor data.

Use Firestore for customer data, Cloud Storage (Nearline) for historical logs, and Bigtable for sensor data.

1. Create a configuration for each project you need to manage.2. Activate the appropriate configuration when you work with each of your assigned GCP projects.

1. Create a configuration for each project you need to manage.2. Use gcloud init to update the configuration values when you need to work with a non-default project

1. Use the default configuration for one project you need to manage.2. Activate the appropriate configuration when you work with each of your assigned GCP projects.

1. Use the default configuration for one project you need to manage.2. Use gcloud init to update the configuration values when you need to work with a non-default project.

Configure an HTTP(S) load balancer.

Configure an internal TCP load balancer.

Configure an external SSL proxy load balancer.

Configure an external TCP proxy load balancer.

Deploy the application on a managed instance group and configure autoscaling.

Deploy the application on a Kubernetes Engine cluster and configure node pool autoscaling.

Deploy the application on Cloud Functions and configure the maximum number instances.

Deploy the application on Cloud Run and configure autoscaling.

Grant the Project Editor role to the Marketing learn for acme data digest

Create a Project Lien on acme-data digest and then grant the Project Editor role to the Marketing team

Create another protect with the ID acme-marketing-data-digest for the Marketing team and deploy the resources there

Create a new protect named Meeting Data Digest and use the ID acme-data-digest Grant the Project Editor role to the Marketing team.

Assign the pods of the image rendering microservice a higher pod priority than the older microservices

Create a node pool with compute-optimized machine type nodes for the image rendering microservice Use the node pool with general-purposemachine type nodes for the other microservices

Use the node pool with general-purpose machine type nodes for lite mage rendering microservice Create a nodepool with compute-optimized machine type nodes for the other microservices

Configure the required amount of CPU and memory in the resource requests specification of the image rendering microservice deployment Keep the resource requests for the other microservices at the default

– Create Compute Engine resources in us–central1–b.–Balance the load across both us–central1–a and us–central1–b.

– Create a Managed Instance Group and specify us–central1–a as the zone.–Configure the Health Check with a short Health Interval.

– Create an HTTP(S) Load Balancer.–Create one or more global forwarding rules to direct traffic to your VMs.

– Perform regular backups of your application.–Create a Cloud Monitoring Alert and be notified if your application becomes unavailable.–Restore from backups when notified.

Arrange to switch to Flat-Rate pricing for this query, then move back to on-demand.

Use the command line to run a dry run query to estimate the number of bytes read. Then convert that bytes estimate to dollars using the Pricing Calculator.

Use the command line to run a dry run query to estimate the number of bytes returned. Then convert that bytes estimate to dollars using the Pricing Calculator.

Run a select count (*) to get an idea of how many records your query will look through. Then convert that number of rows to dollars using the Pricing Calculator.

1. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)• Protocols: allow all

1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow TCP:80802. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow TCP: 8080

1. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #2 service account• Source filter: all instances with tier #1 service account• Protocols: allow all2. Create an ingress firewall rule with the following settings:• Targets: all instances with tier #3 service account• Source filter: all instances with tier #2 service account• Protocols: allow all

1. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.2.0/24)• Protocols: allow TCP: 80802. Create an egress firewall rule with the following settings:• Targets: all instances• Source filter: IP ranges (with the range set to 10.0.1.0/24)• Protocols: allow TCP: 8080

• Create a custom role with Compute Engine, Cloud Functions, and Cloud SQL permissions in one project within the Google Cloud organization.• Copy the role across all projects created within the organization with the gcloud iam roles copy command.• Assign the role to developers in those projects.

• Add all developers to a Google group in Google Groups for Workspace.• Assign the predefined role of Compute Admin to the Google group at the Google Cloud organization level.

• Add all developers to a Google group in Cloud Identity.• Assign predefined roles for Compute Engine, Cloud Functions, and Cloud SQL permissions to the Google group for each project in the Google Cloud organization.

• Add all developers to a Google group in Cloud Identity.• Create a custom role with Compute Engine, Cloud Functions, and Cloud SQL permissions at the Google Cloud organization level.• Assign the custom role to the Google group.

Multi-Regional Storage

Regional Storage

Nearline Storage

Coldline Storage

Use Deployment Manager templates to describe the proposed changes and store them in a Cloud Storage bucket.

Use Deployment Manager templates to describe the proposed changes and store them in Cloud Source Repositories.

Apply the change in a development environment, run gcloud compute instances list, and then save the output in a shared Storage bucket.

Apply the change in a development environment, run gcloud compute instances list, and then save the output in Cloud Source Repositories.

Deploy your application to a second Cloud Run service, and ask your customers to use the second Cloud Run service.

Ask your customers to retry access to your service with exponential backoff to mitigate any potential problems after the new revision is deployed.

Gradually roll out the new revision and split customer traffic between the revisions to allow rollback in case a problem occurs.

Send all customer traffic to the new revision, and roll back to a previous revision if you witness any problems in production.

Create a Compute Engine snapshot of your base VM. Create your images from that snapshot.

Create a Compute Engine snapshot of your base VM. Create your instances from that snapshot.

Create a custom Compute Engine image from a snapshot. Create your images from that image.

Create a custom Compute Engine image from a snapshot. Create your instances from that image.

For each GCP product in the solution, review the pricing details on the products pricing page. Use the pricing calculator to total the monthly costs for each GCP product.

For each GCP product in the solution, review the pricing details on the products pricing page. Create a Google Sheet that summarizes the expected monthly costs for each product.

Provision the solution on GCP. Leave the solution provisioned for 1 week. Navigate to the Billing Report page in the Google Cloud Platform Console. Multiply the 1 week cost to determine the monthly costs.

Provision the solution on GCP. Leave the solution provisioned for 1 week. Use Stackdriver to determine the provisioned and used resource amounts. Multiply the 1 week cost to determine the monthly costs.

Create a VPC in the Premium Tier and deploy both production and development workloads on this VPC.

Create a VPC in the Standard Tier and deploy both production and development workloads on this VPC.

Create a VPC in the Standard Tier and one in the Premium Tier. Deploy development workloads in the Standard Tier and production workloads in the Premium Tier.

Create a VPC in the Standard Tier and one in the Premium Tier. Deploy production workloads in the Standard Tier and development workloads in the Premium Tier.

Enable Cloud CDN on the website frontend.

Enable ‘Share publicly’ on the PDF file objects.

Set Content-Type metadata to application/pdf on the PDF file objects.

Add a label to the storage bucket with a key of Content-Type and value of application/pdf.

Create Java packages that utilize the Google Cloud Client Libraries for Java to configure Google Cloud products. Store and share the packages in a source code repository.

Create bash scripts that utilize the Google Cloud CLI to configure Google Cloud products. Store and share the bash scripts in a source code repository.

Create Terraform modules that utilize the Google Cloud Terraform Provider to configure Google Cloud products. Store and share the modules in a source code repository.

Use the Google Cloud APIs by using curl to configure Google Cloud products. Store and share the curl commands in a source code repository.

Use gcloud to create the new project, and then deploy your application to the new project.

Use gcloud to create the new project and to copy the deployed application to the new project.

Create a Deployment Manager configuration file that copies the current App Engine deployment into a new project.

Deploy your application again using gcloud and specify the project parameter with the new project name to create the new project.

gcloud deployment-manager deployments create my-gcp-ace-cluster --config cluster.yaml

gcloud deployment-manager deployments create my-gcp-ace-cluster --type container.v1.cluster --config cluster.yaml

gcloud deployment-manager deployments apply my-gcp-ace-cluster --type container.v1.cluster --config cluster.yaml

gcloud deployment-manager deployments apply my-gcp-ace-cluster --config cluster.yaml

Run a Kubernetes job to scan the bucket regularly for incoming files, and call the Speech-to-Text API for each unprocessed file.

Create an App Engine standard environment triggered by Cloud Storage bucket events to submit the file URI to the Google Speech-to-Text API.

Run a Python script by using a Linux cron job in Compute Engine to scan the bucket regularly for incoming files, and call the Speech-to-Text API for each unprocessed file.

Create a Cloud Function triggered by Cloud Storage bucket events to submit the file URI to the Google Speech-to-Text API.

Ask the auditor for their Google account, and give them the Viewer role on the project.

Ask the auditor for their Google account, and give them the Security Reviewer role on the project.

Create a temporary account for the auditor in Cloud Identity, and give that account the Viewer role on the project.

Create a temporary account for the auditor in Cloud Identity, and give that account the Security Reviewer role on the project.

Persistent SSD on VM instances.

Cloud Filestore.

Multiregional Cloud Storage bucket.

Cloud Datastore database.

Create an Instance template with the container image, and deploy a Managed Instance Group withAutoscaling.

Upload Docker images to Artifact Registry, and deploy the application on Google Kubernetes Engine usingStandard mode.

Upload Docker images to the Cloud Storage, and deploy the application on Google Kubernetes Engine usingStandard mode.

Upload Docker images to Artifact Registry, and deploy the application on Cloud Run.

Migrate the workload to a Compute Engine Preemptible VM.

Migrate the workload to a Google Kubernetes Engine cluster with Preemptible nodes.

Migrate the workload to a Compute Engine VM. Start and stop the instance as needed.

Create an Instance Template with Preemptible VMs On. Create a Managed Instance Group from the template and adjust Target CPU Utilization. Migrate the workload.

When creating the VM, use machine type n1-standard-96.

When creating the VM, use Intel Skylake as the CPU platform.

Create the VM using Compute Engine default settings. Use gcloud to modify the running instance to have 96 vCPUs.

Start the VM using Compute Engine default settings, and adjust as you go based on Rightsizing Recommendations.

Use Cloud Logging filters to create log-based metrics for firewall and instance actions. Monitor the changes and set up reasonable alerts.

Install Kibana on a compute Instance. Create a log sink to forward Cloud Audit Logs filtered for firewalls andcompute instances to Pub/Sub. Target the Pub/Sub topic to push messages to the Kibana instance. Analyze the logs on Kibana in real time.

Turn on Google Cloud firewall rules logging, and set up alerts for any insert, update, or delete events.

Create a log sink to forward Cloud Audit Logs filtered for firewalls and compute instances to Cloud Storage.Use BigQuery to periodically analyze log events in the storage bucket.

Use the gcloud pubsub subscriptions seek email-updates command.

Use the gcloud pubsub topics describe new-orders command.

Use the gcloud pubsub subscriptions pull email-updates —auto-ack command.

Use the gcloud pubsub topics list-subscriptions new-orders —1ilter="email-updates" command.

Perform a rolling-action start-update with maxSurge set to 0 and maxUnavailable set to 1.

Perform a rolling-action start-update with maxSurge set to 1 and maxUnavailable set to 0.

Create a new managed instance group with an updated instance template. Add the group to the backend service for the load balancer. When all instances in the new managed instance group are healthy, delete the old managed instance group.

Create a new instance template with the new application version. Update the existing managed instance group with the new instance template. Delete the instances in the managed instance group to allow the managed instance group to recreate the instance using the new instance template.

Configure the gcloud CLI with Application Default Credentials using your user account. Issue a relevant BigGuery request through the gcloud CLI to test the access.

Grant the service account the BlgQuery Administrator 1AM role to ensure the service account has all required access.

Generate a service account key, and configure the gcloud CLI to use this key. Issue a relevant BlgQuery request through the gcloud CLI to test the access.

Configure the gcloud CLI to use service account impersonation. Issue a relevant BigQuery request through the gcloud CLI to test the access.

Use kubect1 to delete the topic resource.

Use gcloud CLI to delete the topic.

Use kubect1 to create the label deleted-by-cnrm and to change its value to true for the topic resource.

Use gcloud CLI to update the topic label managed-by-cnrm to false.

Add the users to roles/browser role.

Add the users to roles/iam.roleViewer role.

Add the users to a group, and add this group to roles/browser role.

Add the users to a group, and add this group to roles/iam.roleViewer role.

1. Verify that you ace assigned the Billing Administrator IAM role tor your organization's Google Cloud Project for the Marketing department2. Link the new project to a Marketing Billing Account

1. Verify that you are assigned the Billing Administrator IAM role for your organization's Google Cloud account2. Create a new Google Cloud Project for the Marketing department3. Set the default key-value project labels to department marketing for all services in this project

1. Verify that you are assigned the Organization Administrator IAM role for your organization's Google Cloud account2. Create a new Google Cloud Project for the Marketing department 3. Link the new project to a Marketing Billing Account.

1. Verity that you are assigned the Organization Administrator IAM role for your organization's Google Cloud account2. Create a new Google Cloud Project for the Marketing department3. Set the default key value project labels to department marketing for all services in this protect

Create a Google Group for all engineering team members and set up OS Login for this group on the project. Manage group membership when engineers join or leave the team.

Create a Google Group for all engineering team members, and grant them the Compute Viewer IAM role. Manage group membership when engineers join or leave the team.

Create a single SSH key pair to be shared by all engineering team members. Add the public SSH key to project metadata.

Create an SSH key pair for each engineer on the team and add the public SSH key to the metadata of the relevant instances.

Enable Audit Logs for all APIs that are related to data storage.

Review the IAM permissions for any role that allows for data access.

Review the Identity-Aware Proxy settings for each resource.

Create a Data Loss Prevention job.

Store the application data on a zonal persistent disk. Create a snapshot schedule for the disk. If an outage occurs, create a new disk from the most recent snapshot and attach it to a new VM in another zone.

Store the application data on a zonal persistent disk. If an outage occurs, create an instance in another zone with this disk attached.

Store the application data on a regional persistent disk. Create a snapshot schedule for the disk. If an outage occurs, create a new disk from the most recent snapshot and attach it to a new VM in another zone.

Store the application data on a regional persistent disk If an outage occurs, create an instance in another zone with this disk attached.

Cloud Pub/Sub, Cloud Dataflow, Cloud Datastore, BigQuery

Firebase Messages, Cloud Pub/Sub, Cloud Spanner, BigQuery

Cloud Pub/Sub, Cloud Storage, BigQuery, Cloud Bigtable

Cloud Pub/Sub, Cloud Dataflow, Cloud Bigtable, BigQuery

Use the GCP Console to transfer the file instead of gsutil.

Enable parallel composite uploads using gsutil on the file transfer.

Decrease the TCP window size on the machine initiating the transfer.

Change the storage class of the bucket from Nearline to Multi-Regional.

Store the database password inside the Docker image of the container, not in the YAML file.

Store the database password inside a Secret object. Modify the YAML file to populate the DB_PASSWORD environment variable from the Secret.

Store the database password inside a ConfigMap object. Modify the YAML file to populate the DB_PASSWORD environment variable from the ConfigMap.

Store the database password in a file inside a Kubernetes persistent volume, and use a persistent volume claim to mount the volume to the container.

Deploy an ingress resource on the GKE cluster to expose the API to the internet. Use Cloud Armor to filter for IP addresses that can connect to the API. On the Cloud Run service, configure the application to fetch its public IP address and update the Cloud Armor policy on startup to allow this IP address to call the API on ports 80 and 443.

Create an egress firewall rule on the VPC to allow connections to 0.0.0.0/0 on ports 80 and 443.

Create an ingress firewall rule on the VPC to allow connections from 0.0.0.0/0 on ports 80 and 443.

Deploy an internal Application Load Balancer to expose the API on GKE to the VPC. Configure Cloud DNS with the IP address of the internal Application Load Balancer. Deploy a Serverless VPC Access connector to allow the Cloud Run service to call the API through the FQDN on Cloud DNS.

Move your website to Google Kubemetes Engine (GKE). and move your background job to Cloud Functions

Move both your website and background job to Compute Engine

Move both your website and background job to Cloud Run.

Move your website to Google Kubemetes Engine (GKE), and move your background job to Compute Engine

1. Give the BigQuery Data Editor role on the platform-logs dataset to the service accounts used by your instances.2. Update your instances’ metadata to add the following value: logs-destination: bq://platform-logs.

1. In Stackdriver Logging, create a logs export with a Cloud Pub/Sub topic called logs as a sink.2. Create a Cloud Function that is triggered by messages in the logs topic.3. Configure that Cloud Function to drop logs that are not from Compute Engine and to insert Compute Engine logs in the platform-logs dataset.

1. In Stackdriver Logging, create a filter to view only Compute Engine logs.2. Click Create Export.3. Choose BigQuery as Sink Service, and the platform-logs dataset as Sink Destination.

1. Create a Cloud Function that has the BigQuery User role on the platform-logs dataset.2. Configure this Cloud Function to create a BigQuery Job that executes this query:INSERT INTO dataset.platform-logs (timestamp, log)SELECT timestamp, log FROM compute.logsWHERE timestamp > DATE_SUB(CURRENT_DATE(), INTERVAL 1 DAY)3. Use Cloud Scheduler to trigger this Cloud Function once a day.

Create a retention policy on the storage bucket of 30 days, and lock the bucket by using a retention policy lock.

Enable object versioning on the storage bucket and add lifecycle rules to expire non-current versions after 30 days

Create an object lifecycle on the storage bucket to change the storage class to Archive Storage for objects with an age over 30 days.

Create a cron job in Cloud Scheduler to call a Cloud Functions instance every day to delete files older than 30 days.

Configure Billing Data Export to BigQuery and visualize the data in Data Studio.

Visit the Cost Table page to get a CSV export and visualize it using Data Studio.

Fill all resources in the Pricing Calculator to get an estimate of the monthly cost.

Use the Reports view in the Cloud Billing Console to view the desired cost information.

Enable Cloud Identity in the GCP Console for your domain.

Grant them the required IAM roles using their G Suite email address.

Create a CSV sheet with all users’ email addresses. Use the gcloud command line tool to convert them into Google Cloud Platform accounts.

In the G Suite console, add the users to a special group called cloud-console-users@yourdomain.com. Rely on the default behavior of the Cloud Platform to grant users access if they are members of this group.

Create a Billing account, associate a payment method with it, and provide all project creators with permission to associate that billing account with their projects.

Grant all engineer’s permission to create their own billing accounts for each new project.

Apply for monthly invoiced billing, and have a single invoice tor the project paid by the finance team.

Create a billing account, associate it with a monthly purchase order (PO), and send the PO to Google Cloud.

Configure the Horizontal Pod Autoscaler for availability, and configure the cluster autoscaler for suggestions.

Configure the Horizontal Pod Autoscaler for availability, and configure the Vertical Pod Autoscaler recommendations for suggestions.

Configure the Vertical Pod Autoscaler recommendations for availability, and configure the Cluster autoscaler for suggestions.

Configure the Vertical Pod Autoscaler recommendations for availability, and configure the Horizontal Pod Autoscaler for suggestions.

Enable the BigQuery API and ensure that the BigQuery User IAM role is selected. Change the BigQuery dataset to select a data location.

Create a Cloud Billing account. Enable the BigQuery Data Transfer Service API to export pricing data.

Enable Cloud Billing data export to BigQuery when you create a Cloud Billing account.

Enable Cloud Billing on the project and link a Cloud Billing account. Then view the billing data table in the BigQuery dataset.

View System Event Logs in Stackdriver. Search for the user’s email as the principal.

View System Event Logs in Stackdriver. Search for the service account associated with the user.

View Data Access audit logs in Stackdriver. Search for the user’s email as the principal.

View the Admin Activity log in Stackdriver. Search for the service account associated with the user.

Use Bigtable.

Use BigQuery.

Use Spanner.

Use Cloud SQL for PostgreSQL.

Use the projects. move method to move the project to your organization. Update the billing account of the project to that of your organization.

Ensure that you have an Organization Administrator Identity and Access Management (IAM) role assigned to you in both organizations. Navigate to the Resource Manager in the startup's Google Cloud organization, and drag the project to your company's organization.

Create a Private Catalog tor the Google Cloud Marketplace, and upload the resources of the startup’s production project to the Catalog. Share the Catalog with your organization, and deploy the resources in your company’s project.

Create an infrastructure-as-code template tor all resources in the project by using Terraform. and deploy that template to a new project in your organization. Delete the protect from the startup's Google Cloud organization.

Modify the minimum number of Cloud Run instances.

Set a minimum concurrent requests environment variable for the application.

Modify the maximum number of Cloud Run instances.

Use traffic splitting.

Create a Google Kubernetes Engine cluster, and use horizontal pod autoscaling to scale the application.

Create an instance template, and use the template in a managed instance group with autoscaling configured.

Create an instance template, and use the template in a managed instance group that scales up and down based on the time of day.

Use a set of third-party tools to build automation around scaling the application up and down, based on Stackdriver CPU usage monitoring.

In the Google Cloud console, visualize the costs related to the projects in the Reports section.

In the Google Cloud console, visualize the costs related to the projects in the Cost breakdown section.

In the Google Cloud console, use the export functionality of the Cost table. Create a Looker Studiodashboard on top of the CSV export.

Configure Cloud Billing data export to BigOuery for the billing account. Create a Looker Studio dashboard on top of the BigQuery export.

Disable the flag “Delete boot disk when instance is deleted.”

Enable delete protection on the instance.

Disable Automatic restart on the instance.

Enable Preemptibility on the instance.

Add the auditors group to the ‘logging.viewer’ and ‘bigQuery.dataViewer’ predefined IAM roles.

Add the auditors group to two new custom IAM roles.

Add the auditor user accounts to the ‘logging.viewer’ and ‘bigQuery.dataViewer’ predefined IAM roles.

Add the auditor user accounts to two new custom IAM roles.

Deploy a Cloud SQL database with the SSL mode set to encrypted only, configure SSL/TLS client certificates, and configure a database user and password.

Deploy a Cloud SOL database and configure IAM database authentication. Access the database through the Cloud SQL Auth Proxy.

Deploy a Cloud SQL database with the SSL mode set to encrypted only, configure SSL/TLS client certificates, and configure IAM database authentication.

Deploy a Cloud SQL database and configure a database user and password. Access the database through the Cloud SQL Auth Proxy.

Upload the code to Cloud Functions. Use Cloud Scheduler to start the application.

Create a container for the set of binaries. Use Cloud Scheduler to start a Cloud Run job for the container.

Create a container for the set of binaries Deploy the container to Google Kubernetes Engine (GKE) and use the Kubernetes scheduler to start the application.

Lift and shift to a VM on Compute Engine. Use an instance schedule to start and stop the instance.

Configure regional storage for the region closest to the users Configure a Nearline storage class

Configure regional storage for the region closest to the users Configure a Standard storage class

Configure dual-regional storage for the dual region closest to the users Configure a Nearline storage class

Configure dual-regional storage for the dual region closest to the users Configure a Standard storage class

Create a service account per team, and grant the service account the Project Editor role. Ask the teams to provision their infrastructure through the Google Cloud CLI (gcloud CLI), while impersonating their dedicated service account.

Provide training for all engineering teams you work with to understand the company’s required practices. Allow the engineering teams to provision the infrastructure to best meet their needs.

Configure organization policies to enforce your company’s required practices. Ask the teams to provision their infrastructure by using the Google Cloud console.

Write Terraform modules for each component that are compliant with the company’s required practices, and ask teams to implement their infrastructure through these modules.