Google Associate Cloud Engineer - Practice Test 1
A third-party contractor requires read-only access to compute images and disks within a specific Google Cloud project. To adhere to the principle of least privilege and Google-recommended practices, what is the most appropriate method to grant these permissions?
The most appropriate method is to create a custom role with only the `compute.disks.list` and `compute.images.list` permissions. This adheres strictly to the principle of least privilege by granting only the necessary list access without providing broader permissions like those included in predefined roles or roles that allow resource creation. Option 2 is incorrect because the Compute Image User role allows creating resources, which goes beyond list access.
Your organization is integrating a new group of users into Cloud Identity. Some of these users already possess existing Google accounts (e.g., personal Gmail accounts). To adhere to Google's recommended practices and prevent account conflicts, what is the most appropriate action to take?
When integrating users with existing personal Google accounts into Cloud Identity, Google recommends inviting them to transfer their existing account. This process allows the user to migrate their account to the organization's Cloud Identity domain, avoiding conflicts and preserving data where possible. Other options like deleting accounts or using aliases are not the recommended best practice for conflict resolution.
You have sensitive data stored in three Cloud Storage buckets and have enabled data access logging. You need to audit a specific user's activities, including metadata label additions and file viewings, across these buckets with the fewest possible steps. What is the most efficient way to achieve this?
Stackdriver Logging (now Cloud Logging) is the centralized logging service for Google Cloud, where all audit logs, including data access logs for Cloud Storage, are aggregated. Filtering logs within Stackdriver allows for detailed querying based on user, resource, and activity type, making it the most efficient way to verify both metadata changes (Admin Activity logs) and file viewings (Data Access logs). The 'Activity log' in the GCP Console is a simplified view that pulls from Cloud Logging, but direct filtering in Cloud Logging provides more granular control and access to all relevant log types.
Your organization needs to store financial records and invoices in Google Cloud, ensuring they are retained for a total of three years. Analysts require frequent access to invoices from the last six months. After this initial six-month period, these documents should be archived for audit purposes only, with infrequent access expected. You aim to minimize storage costs while adhering to Google Cloud best practices. Which solution should you implement?
Cloud Storage is the recommended Google-managed solution for storing large amounts of unstructured data like invoices. Object Lifecycle Management allows for automated transitions between storage classes, which is crucial for cost optimization. Initially storing data in Standard or Nearline for frequent access and then transitioning to Coldline or Archive after six months for infrequent audit access minimizes costs while meeting retention requirements.
You need to establish a new billing account and associate it with an existing Google Cloud Platform project. Which of the following steps should you take?
To create a new billing account and link it to an existing project, you need the appropriate permissions. The Project Billing Manager role on the project allows you to link a project to a billing account. Creating the new billing account is a separate action; once it exists, it can be linked to the existing project.