[Apr-2026] Associate-Cloud-Engineer Free Sample Questions to Practice One Year Update
Download Associate-Cloud-Engineer exam with Google Associate-Cloud-Engineer Real Exam Questions
To prepare for the exam, candidates can take advantage of Google's training resources, including online courses and hands-on labs. Additionally, there are many third-party resources available, such as study guides and practice exams, that can help candidates prepare for the exam. It is recommended that candidates have at least six months of experience working with Google Cloud technologies before taking the exam.
The Google Associate Cloud Engineer certification is designed to measure the candidates’ fundamental skills required to perform the deployment, monitoring, and maintenance of projects on Google Cloud. This certificate is a good starting point for those individuals who are new to Cloud and can be used as a stepping stone to the professional-level certifications of this vendor. To get certified, the applicants are required to complete one exam. The qualifying test measures the ability of the specialists to perform the following tasks: setting up the Cloud solution environment; planning and configuring Cloud solutions; deploying and implementing Cloud solutions; ensuring the effective operation of Cloud solutions; and configuring access & security.
NEW QUESTION # 26
You are building an application that processes data files uploaded from thousands of suppliers.
Your primary goals for the application are data security and the expiration of aged data. You need to design the application to:
- Restrict access so that suppliers can access only their own data.
- Give suppliers write access to data only for 30 minutes.
- Delete data that is over 45 days old.
You have a very short development cycle, and you need to make sure that the application requires minimal maintenance. Which two strategies should you use? (Choose two.)
- A. Set up an SFTP server for your application, and create a separate user for each supplier.
- B. Use signed URLs to allow suppliers limited time access to store their objects.
- C. Build a lifecycle policy to delete Cloud Storage objects after 45 days.
- D. Build a Cloud function that triggers a timer of 45 days to delete objects that have expired.
- E. Develop a script that loops through all Cloud Storage buckets and deletes any buckets that are older than 45 days.
Answer: C,E
NEW QUESTION # 27
You have deployed an application on a single Compute Engine instance. The application writes logs to disk. Users start reporting errors with the application. You want to diagnose the problem.
What should you do?
- A. Install and configure the Cloud Logging Agent and view the logs from Cloud Logging.
- B. Connect to the instance's serial console and read the application logs.
- C. Navigate to Cloud Logging and view the application logs.
- D. Configure a Health Check on the instance and set a Low Healthy Threshold value.
Answer: C
Explanation:
https://cloud.google.com/error-reporting/docs/setup/compute-engine
NEW QUESTION # 28
You are setting up a Windows VM on Compute Engine and want to make sure you can log in to the VM via RDP. What should you do?
- A. After the VM has been created, download the JSON private key for the default Compute Engine service account. Use the credentials in the JSON file to log in to the VM.
- B. After the VM has been created, use your Google Account credentials to log in into the VM.
- C. When creating the VM, add metadata to the instance using 'windows-password' as the key and a password as the value.
- D. After the VM has been created, use gcloud compute reset-windows-password to retrieve the login credentials for the VM.
Answer: D
Explanation:
You can generate Windows passwords using either the Google Cloud Console or the gcloud command-line tool. This option uses the right syntax to reset the windows password.
gcloud compute reset-windows-password windows-instance
Ref: https://cloud.google.com/compute/docs/instances/windows/creating-passwords-for-windows-instances#gcloud
NEW QUESTION # 29
You are the project owner of a GCP project and want to delegate control to colleagues to manage buckets and files in Cloud Storage. You want to follow Google-recommended practices. Which IAM roles should you grant your colleagues?
- A. Storage Admin
- B. Storage Object Creator
- C. Storage Object Admin
- D. Project Editor
Answer: A
Explanation:
Storage Admin (roles/storage.admin) Grants full control of buckets and objects.
When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
firebase.projects.get
resourcemanager.projects.get
resourcemanager.projects.list
storage.buckets.*
storage.objects.*
https://cloud.google.com/storage/docs/access-control/iam-roles
This role grants full control of buckets and objects. When applied to an individual bucket, control applies only to the specified bucket and objects within the bucket.
Ref: https://cloud.google.com/iam/docs/understanding-roles#storage-roles
NEW QUESTION # 30
Your customer has implemented a solution that uses Cloud Spanner and notices some read latency-related performance issues on one table. This table is accessed only by their users using a primary key. The table schema is shown below.
You want to resolve the issue. What should you do?
- A. Option A
- B. Option D
- C. Option B
- D. Option C
Answer: D
Explanation:
As mentioned in Schema and data model, you should be careful when choosing a primary key to not accidentally create hotspots in your database. One cause of hotspots is having a column whose value monotonically increases as the first key part, because this results in all inserts occurring at the end of your key space. This pattern is undesirable because Cloud Spanner divides data among servers by key ranges, which means all your inserts will be directed at a single server that will end up doing all the work.https://cloud.
google.com/spanner/docs/schema-design#primary-key-prevent-hotspots
NEW QUESTION # 31
You need to immediately change the storage class of an existing Google Cloud bucket. You need to reduce service cost for infrequently accessed files stored in that bucket and for all files that will be added to that bucket in the future. What should you do?
- A. Use the gsutil to rewrite the storage class for the bucket Change the default storage class for the bucket
- B. Create a new bucket and change the default storage class for the bucket Set up Object Lifecycle management on lite bucket
- C. Create a new bucket and change the default storage class for the bucket import the files from the previous bucket into the new bucket
- D. Use the gsutil to rewrite the storage class for the bucket Set up Object Lifecycle management on the bucket
Answer: D
NEW QUESTION # 32
You need to configure IAM access audit logging in BigQuery for external auditors. You want to follow Google-recommended practices. What should you do?
- A. Add the auditors group to two new custom IAM roles.
- B. Add the auditor user accounts to two new custom IAM roles.
- C. Add the auditor user accounts to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.
- D. Add the auditors group to the 'logging.viewer' and 'bigQuery.dataViewer' predefined IAM roles.
Answer: D
Explanation:
https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors Because if you directly add users to the IAM roles, then if any users left the organization then you have to remove the users from multiple places and need to revoke his/her access from multiple places. But, if you put a user into a group then its very easy to manage these type of situations. Now, if any user left then you just need to remove the user from the group and all the access got revoked The organization creates a Google group for these external auditors and adds the current auditor to the group. This group is monitored and is typically granted access to the dashboard application. During normal access, the auditors' Google group is only granted access to view the historic logs stored in BigQuery. If any anomalies are discovered, the group is granted permission to view the actual Cloud Logging Admin Activity logs via the dashboard's elevated access mode. At the end of each audit period, the group's access is then revoked. Data is redacted using Cloud DLP before being made accessible for viewing via the dashboard application. The table below explains IAM logging roles that an Organization Administrator can grant to the service account used by the dashboard, as well as the resource level at which the role is granted.
NEW QUESTION # 33
You need to set a budget alert for use of Compute Engineer services on one of the three Google Cloud Platform projects that you manage. All three projects are linked to a single billing account.
What should you do?
- A. Verify that you are the project billing administrator. Select the associated billing account and create a budget and a custom alert.
- B. Verify that you are the project administrator. Select the associated billing account and create a budget for the appropriate project.
- C. Verify that you are the project billing administrator. Select the associated billing account and create a budget and alert for the appropriate project.
- D. Verify that you are project administrator. Select the associated billing account and create a budget and a custom alert.
Answer: C
Explanation:
To create a budget for your Cloud Billing account, you must be a Billing Account Administrator on the Cloud Billing account.
https://cloud.google.com/billing/docs/how-to/budgets
NEW QUESTION # 34
You've finally been given a new laptop, but you need to install all of the tools you need. You already installed the Cloud SDK, but none of the commands seem to be working correctly. What step did you likely forget?
- A. gcloud init
- B. gcloud config list
- C. gcloud config_list
- D. gcloud application_init
Answer: A,B
NEW QUESTION # 35
Your auditor wants to view your organization's use of data in Google Cloud. The auditor is most interested in auditing who accessed data in Cloud Storage buckets. You need to help the auditor access the data they need.
What should you do?
- A. Assign the appropriate permissions, and then use Cloud Monitoring to review metrics
- B. Assign the appropriate permissions, and then create a Data Studio report on Admin Activity Audit Logs
- C. Turn on Data Access Logs for the buckets they want to audit, and Then build a query in the log viewer that filters on Cloud Storage
- D. Use the export logs API to provide the Admin Activity Audit Logs in the format they want
Answer: C
Explanation:
Explanation
Types of audit logs Cloud Audit Logs provides the following audit logs for each Cloud project, folder, and organization: Admin Activity audit logs Data Access audit logs System Event audit logs Policy Denied audit logs ***Data Access audit logs contain API calls that read the configuration or metadata of resources, as well as user-driven API calls that create, modify, or read user-provided resource data.
https://cloud.google.com/logging/docs/audit#types
https://cloud.google.com/logging/docs/audit#data-access Cloud Storage: When Cloud Storage usage logs are enabled, Cloud Storage writes usage data to the Cloud Storage bucket, which generates Data Access audit logs for the bucket. The generated Data Access audit log has its caller identity redacted.
NEW QUESTION # 36
Your company is moving its entire workload to Compute Engine. Some servers should be accessible through the Internet, and other servers should only be accessible over the internal network. All servers need to be able to talk to each other over specific ports and protocols. The current on-premises network relies on a demilitarized zone (DMZ) for the public servers and a Local Area Network (LAN) for the private servers. You need to design the networking infrastructure on Google Cloud to match these requirements. What should you do?
- A. 1. Create a single VPC with a subnet for the DMZ and a subnet for the LAN.
2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public ingress traffic for the DMZ. - B. 1. Create a single VPC with a subnet for the DMZ and a subnet for the LAN.
2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public egress traffic for the DMZ. - C. 1. Create a VPC with a subnet for the DMZ and another VPC with a subnet for the LAN.
2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public ingress traffic for the DMZ. - D. 1. Create a VPC with a subnet for the DMZ and another VPC with a subnet for the LAN.
2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public egress traffic for the DMZ.
Answer: A
Explanation:
By default traffic between subnets on a VPC network is not allowed (except on the "default" network).
(This blocks traffic between all instances, not just traffic between subnets => FW rules must be defined to allow communications between all instances, regardless the subnets)
2 VPC will not work without peering.
NEW QUESTION # 37
You are building a data lake on Google Cloud for your Internet of Things (loT) application. The loT application has millions of sensors that are constantly streaming structured and unstructured data to your backend in the cloud. You want to build a highly available and resilient architecture based on Google-recommended practices. What should you do?
- A. Stream data to Pub/Sub. and use Storage Transfer Service to send data to BigQuery.
- B. Stream data to Dataflow, and use Storage Transfer Service to send data to BigQuery.
- C. Stream data to Dataflow, and use Dataprep by Trifacta to send data to Bigtable.
- D. Stream data to Pub/Sub, and use Dataflow to send data to Cloud Storage
Answer: D
NEW QUESTION # 38
You want to enable your development team to deploy new features to an existing Cloud Run service in production. To minimize the risk associated with a new revision, you want to reduce the number of customers who might be affected by an outage without introducing any development or operational costs to your customers. You want to follow Google-recommended practices for managing revisions to a service. What should you do9
- A. Ask your customers to retry access to your service with exponential backoff to mitigate any potential problems after the new revision is deployed.
- B. Gradually roll out the new revision and split customer traffic between the revisions to allow rollback in case a problem occurs.
- C. Send all customer traffic to the new revision, and roll back to a previous revision if you witness any problems in production.
- D. Deploy your application to a second Cloud Run service, and ask your customers to use the second Cloud Run service.
Answer: B
NEW QUESTION # 39
You are heading the Cloud & DevOps department in a financial company and have been asked to create a custom role for one of your colleague who needs access to deploy an application to App Engine. Which permission will you use?
- A. App Engine Editor
- B. App Engine Deployer
- C. App Engine Viewer
- D. App Engine Admin
Answer: B
NEW QUESTION # 40
Your company set up a complex organizational structure on Google Could Platform. The structure includes hundreds of folders and projects. Only a few team members should be able to view the hierarchical structure.
You need to assign minimum permissions to these team members and you want to follow Google- recommended practices. What should you do?
- A. Add the users to roles/iam.roleViewer role.
- B. Add the users to a group, and add this group to roles/browser role.
- C. Add the users to roles/browser role.
- D. Add the users to a group, and add this group to roles/iam.roleViewer role.
Answer: C
Explanation:
Explanation/Reference:
NEW QUESTION # 41
You have a number of compute instances belonging to an unmanaged instances group. You need to SSH to one of the Compute Engine instances to run an ad hoc script. You've already authenticated gcloud, however, you don't have an SSH key deployed yet. In the fewest steps possible, what's the easiest way to SSH to the instance?
- A. Run gcloud compute instances list to get the IP address of the instance, then use the ssh command.
- B. Use the gcloud compute ssh command.
- C. Create a key with the ssh-keygen command. Upload the key to the instance. Run gcloud compute instances list to get the IP address of the instance, then use the ssh command.
- D. Create a key with the ssh-keygen command. Then use the gcloud compute ssh command.
Answer: B
Explanation:
gcloud compute ssh ensures that the user's public SSH key is present in the project's metadata. If the user does not have a public SSH key, one is generated using ssh-keygen and added to the project's metadata. This is similar to the other option where we copy the key explicitly to the project's metadata but here it is done automatically for us. There are also security benefits with this approach. When we use gcloud compute ssh to connect to Linux instances, we are adding a layer of security by storing your host keys as guest attributes.
Storing SSH host keys as guest attributes improve the security of your connections by helping to protect against vulnerabilities such as man-in-the-middle (MITM) attacks. On the initial boot of a VM instance, if guest attributes are enabled, Compute Engine stores your generated host keys as guest attributes.
Compute Engine then uses these host keys that were stored during the initial boot to verify all subsequent connections to the VM instance.
Ref: https://cloud.google.com/compute/docs/instances/connecting-to-instance Ref: https://cloud.google.com/sdk/gcloud/reference/compute/ssh
NEW QUESTION # 42
You want to deploy an application on Cloud Run that processes messages from a Cloud Pub/Sub topic. You want to follow Google-recommended practices. What should you do?
- A. 1. Grant the Pub/Sub Subscriber role to the service account used by Cloud Run.
2. Create a Cloud Pub/Sub subscription for that topic.
3. Make your application pull messages from that subscription. - B. 1. Deploy your application on Cloud Run on GKE with the connectivity set to Internal.
2. Create a Cloud Pub/Sub subscription for that topic.
3. In the same Google Kubernetes Engine cluster as your application, deploy a container that takes the messages and sends them to your application. - C. 1. Create a Cloud Function that uses a Cloud Pub/Sub trigger on that topic.
2. Call your application on Cloud Run from the Cloud Function for every message. - D. 1. Create a service account.
2. Give the Cloud Run Invoker role to that service account for your Cloud Run application.
3. Create a Cloud Pub/Sub subscription that uses that service account and uses your Cloud Run application as the push endpoint.
Answer: D
Explanation:
You can use Pub/Sub to push messages to the endpoint of your Cloud Run service, where the messages are subsequently delivered to containers as HTTP requests. You cannot use Pub/Sub pull subscriptions because Cloud Run only allocates CPU during the processing of a request.
https://cloud.google.com/run/docs/tutorials/pubsub#integrating-pubsub
NEW QUESTION # 43
Your company has a 3-tier solution running on Compute Engine. The configuration of the current infrastructure is shown below.
Each tier has a service account that is associated with all instances within it. You need to enable communication on TCP port 8080 between tiers as follows:
* Instances in tier #1 must communicate with tier #2.
* Instances in tier #2 must communicate with tier #3.
What should you do?
- A. 1. Create an ingress firewall rule with the following settings:* Targets: all instances with tier #2 service account* Source filter: all instances with tier #1 service account* Protocols: allow TCP:80802. Create an ingress firewall rule with the following settings:* Targets: all instances with tier #3 service account* Source filter: all instances with tier #2 service account* Protocols: allow TCP: 8080
- B. 1. Create an ingress firewall rule with the following settings:* Targets: all instances with tier #2 service account* Source filter: all instances with tier #1 service account* Protocols: allow all2. Create an ingress firewall rule with the following settings:* Targets: all instances with tier #3 service account* Source filter: all instances with tier #2 service account* Protocols: allow all
- C. 1. Create an egress firewall rule with the following settings:* Targets: all instances* Source filter: IP ranges (with the range set to 10.0.2.0/24)* Protocols: allow TCP: 80802. Create an egress firewall rule with the following settings:* Targets: all instances* Source filter: IP ranges (with the range set to 10.0.1.0/24)* Protocols: allow TCP: 8080
- D. 1. Create an ingress firewall rule with the following settings:* Targets: all instances* Source filter: IP ranges (with the range set to 10.0.2.0/24)* Protocols: allow all2. Create an ingress firewall rule with the following settings:* Targets: all instances* Source filter: IP ranges (with the range set to 10.0.1.0/24)* Protocols: allow all
Answer: A
Explanation:
1. Create an ingress firewall rule with the following settings:
* Targets: all instances with tier #2 service account
* Source filter: all instances with tier #1 service account
* Protocols: allow TCP:8080 2. Create an ingress firewall rule with the following settings:
* Targets: all instances with tier #3 service account
* Source filter: all instances with tier #2 service account
* Protocols: allow TCP: 8080
NEW QUESTION # 44
You recently deployed a new version of an application to App Engine and then discovered a bug in the release. You need to immediately revert to the prior version of the application. What should you do?
- A. On the App Engine Versions page of the GCP Console, route 100% of the traffic to the previous version.
- B. On the App Engine page of the GCP Console, select the application that needs to be reverted and click Revert.
- C. Run gcloud app restore.
- D. Deploy the original version as a separate application. Then go to App Engine settings and split traffic between applications so that the original version serves 100% of the requests.
Answer: A
Explanation:
Reference: https://medium.com/google-cloud/app-engine-project-cleanup-9647296e796a
NEW QUESTION # 45
You have an application that is currently processing transactions by using a group of managed VM instances.
You need to migrate the application so that it is serverless and scalable. You want to implement an asynchronous transaction processing system, while minimizing management overhead. What should you do?
- A. Use Pub/Sub to acknowledge incoming transactions. Use Cloud Run to process transactions.
- B. Use Pub/Sub to acknowledge incoming transactions. Use VM instances to process transactions.
- C. Install Kafka on VM instances to acknowledge incoming transactions. Use Cloud Run to process transactions.
- D. Install Kafka on VM Instances to acknowledge incoming transactions. Use VM Instances to process transactions.
Answer: A
Explanation:
The goal is to create a serverless, scalable, and asynchronous transaction processing system with minimal management overhead.
* Serverless Requirement:Options involving installing Kafka on VMs (A, B) or using VM instances for processing (B, C) introduce management overhead associated with VMs (patching, scaling configuration, OS management) and Kafka cluster management, violating the serverless and minimal management criteria.
* Asynchronous Requirement:Both Kafka and Pub/Sub can handle asynchronous messaging. However, Pub/Sub is Google Cloud's fully managed, serverless messaging service, inherently minimizing management overhead compared to self-managed Kafka on VMs.
* Scalability and Processing:Cloud Run is a fully managed, serverless platform that automatically scales based on traffic, suitable for processing transactions without managing underlying infrastructure. VM instances require manual scaling configuration or managed instance groups, adding overhead.
Combining Pub/Sub for asynchronous message ingestion (fully managed, serverless) and Cloud Run for processing (fully managed, serverless, scalable) directly meets all requirements: serverless, scalable, asynchronous, and minimal management overhead. Option D is the only one that uses fully serverless components for both ingestion and processing.
References:
Google Cloud Pub/Sub Overview: "Pub/Sub is an asynchronous and scalable messaging service..." -
https://cloud.google.com/pubsub/docs/overview
Google Cloud Run Overview: "Cloud Run is a managed compute platform that lets you run containers directly on top of Google's scalable infrastructure." -https://cloud.google.com/run/docs/overview/what-is- cloud-run Serverless Patterns (Pub/Sub + Cloud Run): This combination is a standard pattern for event-driven, serverless applications. -https://cloud.google.com/run/docs/triggering/pubsub-push
NEW QUESTION # 46
......
Planning & Configuring Cloud Solutions
- Plan and configure network resources, which include distinguishing load balancing alternatives, configuring the Cloud DNS, establishing resource locations within a network for its availability.
- Plan and estimate the GCP product use with Pricing Calculator;
- Plan and configure data storage options with a focus on product choice and selecting storage options;
- Plan and configure compute resources with specific skills in choosing the relevant compute choices for a specific workload as well as utilizing preemptible virtual machines and custom machine types as relevant;
Real exam questions are provided for Google Cloud Certified tests, which can make sure you 100% pass: https://examcollection.vcetorrent.com/Associate-Cloud-Engineer-valid-vce-torrent.html