CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Google
  5. Google Associate Cloud Engineer

Free Google Associate Cloud Engineer Exam Braindumps (page: 8)

Page 7 of 74
PDF with 290 Questions

You need to configure IAM access audit logging in BigQuery for external auditors. You want to follow Google-recommended practices.
What should you do?

  1. Add the auditors group to the `logging.viewer' and `bigQuery.dataViewer' predefined IAM roles.
  2. Add the auditors group to two new custom IAM roles.
  3. Add the auditor user accounts to the `logging.viewer' and `bigQuery.dataViewer' predefined IAM roles.
  4. Add the auditor user accounts to two new custom IAM roles.

Answer(s): A

Explanation:

https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

Because if you directly add users to the IAM roles, then if any users left the organization then you have to remove the users from multiple places and need to revoke his/her access from multiple places. But, if you put a user into a group then its very easy to manage these type of situations. Now, if any user left then you just need to remove the user from the group and all the access got revoked

The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. During normal access, the auditors' Google group is only granted access to view the historic logs stored in BigQuery. If any anomalies are discovered, the group is granted permission to view the actual Cloud Logging Admin Activity logs via the dashboard's elevated access mode. At the end of each audit period, the group's access is then revoked. Data is redacted using Cloud DLP before being made accessible for viewing via the dashboard application. The table below explains IAM logging roles that an Organization Administrator can grant to the service account used by the dashboard, as well as the resource level at which the role is granted.



You need to set up permissions for a set of Compute Engine instances to enable them to write data into a particular Cloud Storage bucket. You want to follow Google-recommended practices.
What should you do?

  1. Create a service account with an access scope. Use the access scope `https://www.googleapis.com/auth/devstorage.write_only'.
  2. Create a service account with an access scope. Use the access scope `https://www.googleapis.com/auth/cloud-platform'.
  3. Create a service account and add it to the IAM role `storage.objectCreator' for that bucket.
  4. Create a service account and add it to the IAM role `storage.objectAdmin' for that bucket.

Answer(s): C

Explanation:

https://cloud.google.com/iam/docs/understanding-service- accounts#using_service_accounts_with_compute_engine https://cloud.google.com/storage/docs/access-control/iam-roles



You have sensitive data stored in three Cloud Storage buckets and have enabled data access logging. You want to verify activities for a particular user for these buckets, using the fewest possible steps. You need to verify the addition of metadata labels and which files have been viewed from those buckets.
What should you do?

  1. Using the GCP Console, filter the Activity log to view the information.
  2. Using the GCP Console, filter the Stackdriver log to view the information.
  3. View the bucket in the Storage section of the GCP Console.
  4. Create a trace in Stackdriver to view the information.

Answer(s): A

Explanation:

https://cloud.google.com/storage/docs/audit-logs https://cloud.google.com/compute/docs/logging/audit-logging#audited_operations



You are the project owner of a GCP project and want to delegate control to colleagues to manage buckets and files in Cloud Storage. You want to follow Google-recommended practices.
Which IAM roles should you grant your colleagues?

  1. Project Editor
  2. Storage Admin
  3. Storage Object Admin
  4. Storage Object Creator

Answer(s): B

Explanation:

Storage Admin (roles/storage.admin) Grants full control of buckets and objects.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.

firebase.projects.get resourcemanager.projects.get resourcemanager.projects.list storage.buckets.*
storage.objects.*
https://cloud.google.com/storage/docs/access-control/iam-roles

This role grants full control of buckets and objects.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket. Ref: https://cloud.google.com/iam/docs/understanding-roles#storage-roles






Post your Comments and Discuss Google Google Associate Cloud Engineer exam with other Community members:

Google Associate Cloud Engineer Discussions & Posts