Google ASSOCIATE-CLOUD-ENGINEER Exam
Associate Cloud Engineer (Page 18)

Updated On: 25-Jan-2026

Your auditor wants to view your organization's use of data in Google Cloud. The auditor is most interested in auditing who accessed data in Cloud Storage buckets. You need to help the auditor access the data they need.
What should you do?

  1. Assign the appropriate permissions, and then use Cloud Monitoring to review metrics
  2. Use the export logs API to provide the Admin Activity Audit Logs in the format they want
  3. Turn on Data Access Logs for the buckets they want to audit, and then build a query in the log viewer that filters on Cloud Storage
  4. Assign the appropriate permissions, and then create a Data Studio report on Admin Activity Audit Logs

Answer(s): C

Explanation:

Types of audit logs
Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization:
  · Admin Activity audit logs
  · Data Access audit logs
  · System Event audit logs
  · Policy Denied audit logs

Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.
https://cloud.google.com/logging/docs/audit#types
https://cloud.google.com/logging/docs/audit#data-access

Cloud Storage: When Cloud Storage usage logs are enabled, Cloud Storage writes usage data to the Cloud Storage bucket, which generates Data Access audit logs for the bucket. The generated Data Access audit log has its caller identity redacted.



You are building an application that processes data files uploaded from thousands of suppliers. Your primary goals for the application are data security and the expiration of aged data. You need to design the application to:
  · Restrict access so that suppliers can access only their own data.
  · Give suppliers write access to data only for 30 minutes.
  · Delete data that is over 45 days old.
You have a very short development cycle, and you need to make sure that the application requires minimal maintenance.
Which two strategies should you use? (Choose two.)

  1. Build a lifecycle policy to delete Cloud Storage objects after 45 days.
  2. Use signed URLs to allow suppliers limited time access to store their objects.
  3. Set up an SFTP server for your application, and create a separate user for each supplier.
  4. Build a Cloud function that triggers a timer of 45 days to delete objects that have expired.
  5. Develop a script that loops through all Cloud Storage buckets and deletes any buckets that are older than 45 days.

Answer(s): A,B

Explanation:

(A) Object Lifecycle Management
Delete
The Delete action deletes an object when the object meets all conditions specified in the lifecycle rule.

Exception: In buckets with Object Versioning enabled, deleting the live version of an object causes it to become a noncurrent version, while deleting a noncurrent version deletes that version permanently.
https://cloud.google.com/storage/docs/lifecycle#delete

(B) Signed URLs
This page provides an overview of signed URLs, which you use to give time-limited resource access to anyone in possession of the URL, regardless of whether they have a Google account.
https://cloud.google.com/storage/docs/access-control/signed-urls



Your company uses a large number of Google Cloud services centralized in a single project. All teams have specific projects for testing and development. The DevOps team needs access to all of the production services in order to perform their job. You want to prevent Google Cloud product changes from broadening their permissions in the future. You want to follow Google-recommended practices.
What should you do?

  1. Grant all members of the DevOps team the role of Project Editor on the organization level.
  2. Grant all members of the DevOps team the role of Project Editor on the production project.
  3. Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the production project.
  4. Create a custom role that combines the required permissions. Grant the DevOps team the custom role on the organization level.

Answer(s): C

Explanation:

Understanding IAM custom roles

Key Point: Custom roles enable you to enforce the principle of least privilege, ensuring that the user and service accounts in your organization have only the permissions essential to performing their intended functions.

Basic concepts
Custom roles are user-defined, and allow you to bundle one or more supported permissions to meet your specific needs. Custom roles are not maintained by Google; when new permissions, features, or services are added to Google Cloud, your custom roles will not be updated automatically.

When you create a custom role, you must choose an organization or project to create it in. You can then grant the custom role on the organization or project, as well as any resources within that organization or project.

https://cloud.google.com/iam/docs/understanding-custom-roles#basic_concepts



You are deploying a production application on Compute Engine. You want to prevent anyone from accidentally destroying the instance by clicking the wrong button.
What should you do?

  1. Disable the flag "Delete boot disk when instance is deleted."
  2. Enable delete protection on the instance.
  3. Disable Automatic restart on the instance.
  4. Enable Preemptibility on the instance.

Answer(s): D

Explanation:

Preventing Accidental VM Deletion
This document describes how to protect specific VM instances from deletion by setting the deletionProtection property on an Instance resource. To learn more about VM instances, read the Instances documentation.

As part of your workload, there might be certain VM instances that are critical to running your application or services, such as an instance running a SQL server, a server used as a license manager, and so on. These VM instances might need to stay running indefinitely so you need a way to protect these VMs from being deleted.

By setting the deletionProtection flag, a VM instance can be protected from accidental deletion. If a user attempts to delete a VM instance for which you have set the deletionProtection flag, the request fails. Only a user that has been granted a role with compute.instances.create permission can reset the flag to allow the resource to be deleted.
https://cloud.google.com/compute/docs/instances/preventing-accidental-vm-deletion



The sales team has a project named Sales Data Digest that has the ID acme-data-digest. You need to set up similar Google Cloud resources for the marketing team, but their resources must be organized independently of the sales team.
What should you do?

  1. Grant the Project Editor role to the Marketing team for acme-data-digest
  2. Create a Project Lien on acme-data-digest and then grant the Project Editor role to the Marketing team
  3. Create another project with the ID acme-marketing-data-digest for the Marketing team and deploy the resources there
  4. Create a new project named Meeting Data Digest and use the ID acme-data-digest. Grant the Project Editor role to the Marketing team.

Answer(s): C



Viewing page 18 of 63
Viewing questions 86 - 90 out of 343 questions


