Google Associate Cloud Engineer - Practice Test 2
You have sensitive data stored across multiple Cloud Storage buckets and have enabled data access logging. You need to audit a specific user's activities, including metadata label additions and file view events, for these buckets with the fewest possible steps. What is the most effective approach?
Stackdriver Logging (now Cloud Logging) is the centralized service for all Google Cloud logs, including data access logs for Cloud Storage. Filtering the logs in Cloud Logging allows for detailed queries based on user, resource, and activity type, making it the most efficient way to verify both metadata changes and file access events. While the Activity log in the GCP Console shows some events, Cloud Logging provides the comprehensive filtering capabilities required.
Your team manages several Linux virtual machines on Google Cloud. You need to implement a secure and cost-effective method for your team to SSH into these instances. Which approach should you take?
Using IAP (Identity-Aware Proxy) for TCP forwarding is the most secure and cost-effective method for SSH access to Google Cloud instances, especially those without public IPs. It leverages Google's global network and identity-based access control, eliminating the need for public IPs or dedicated bastion hosts. The specified IP range (35.235.240.0/20) is Google's internal IP range for IAP tunnel traffic, which must be allowed in firewall rules.
Your company's operational team manages numerous Compute Engine instances, and all employees use Google accounts. Each team member requires administrative access to these servers. The security team emphasizes efficient credential deployment and the ability to audit who accessed a specific instance. What is the most appropriate solution?
Option 2 leverages OS Login, which integrates SSH key management with Google identities and IAM roles. This approach provides centralized control, simplifies credential deployment, and allows for clear auditing of access based on Google accounts, aligning with both operational efficiency and security requirements. Distributing private keys or manually managing individual keys (Options 1, 3, and 4) are less secure and scalable solutions.
You are deploying an application on Google Cloud that requires a relational database for storage. Your company's security policies mandate that the application connect to the database via an encrypted and authenticated connection, with minimal management overhead and seamless integration with Identity and Access Management (IAM). What is the most appropriate solution?
The Cloud SQL Auth Proxy provides an encrypted connection and handles authentication seamlessly, including IAM database authentication, with minimal management. This approach eliminates the need for manual SSL/TLS certificate management, aligning with the requirement for minimal management and strong integration with IAM.
Your organization operates a nightly batch processing workload that utilizes a significant number of virtual machines (VMs). This workload is designed to be fault-tolerant and can gracefully handle the termination of some VMs without data loss. However, the current operational costs associated with these VMs are excessively high. What is the most cost-effective solution you should implement?
Preemptible VMs are significantly cheaper than standard VMs and are designed for fault-tolerant workloads that can withstand instance terminations. Since the batch workload is fault-tolerant and can handle VM terminations, using preemptible N1 Standard VMs is the most cost-effective solution. Testing with simulated maintenance events ensures the application's resilience before full implementation.