Associate Cloud Engineer · 18% of the exam

Setting up a cloud solution environment: free practice questions

5 sample questions from our 45-question bank for this domain — answers and explanations included. These are the same scenario-based style as the real Google Cloud exam.

1. A startup is growing and needs to migrate from a flat project structure to a multi-level resource hierarchy with an organization node, folders, and projects. Which statement best describes the migration considerations and constraints? (Select TWO.)

  • A. Existing projects can be moved into the organization and organized into folders without downtime✓ Correct
  • B. All billing accounts must be reassigned to the organization node
  • C. IAM policies from the flat structure are preserved and automatically inherited by the new hierarchy
  • D. Once a project is placed in an organization, it cannot be removed to standalone status✓ Correct
  • E. Quota allocations at the project level are reset when moving projects into an organization
Explanation

Existing projects can be moved into an organization and organized into folders without service downtime (option A is true). Once a project belongs to an organization, it cannot be removed to standalone status (option D is true). Option B is false; billing accounts are separate from the organizational hierarchy and don't need reassignment based on org structure. Option C is false; IAM policies don't automatically migrate—you must reapply them as needed in the new structure. Option E is false; project-level quotas are not reset during organizational moves.

2. You are troubleshooting authentication issues with the gcloud CLI. A user runs 'gcloud auth list' and sees their account but cannot execute 'gcloud compute instances list'. The Cloud Compute API is enabled. What is the most likely cause and resolution?

  • A. The user is authenticated but lacks IAM permissions; grant them the Compute Instance Viewer role on the project✓ Correct
  • B. The gcloud CLI is not installed correctly; reinstall it
  • C. The Cloud Compute API is not enabled; enable it using 'gcloud services enable compute.googleapis.com'
  • D. The user's credentials are cached incorrectly; clear the cache with 'gcloud auth revoke'
Explanation

If the user can authenticate (shown by 'gcloud auth list') but cannot list instances, the issue is IAM permissions, not authentication or API enablement. Granting the Compute Instance Viewer role (option A) resolves this. Option B is unnecessary since authentication is working. Option C is ruled out because the question states the API is already enabled. Option D is incorrect; revocation removes all credentials rather than fixing permission issues.

3. Your organization's security policy prohibits downloading or storing service account key files on developer machines. However, developers still need to authenticate applications locally for testing. Which approach best aligns with this policy?

  • A. Generate a service account key file and share it among the development team via a secure channel
  • B. Use Application Default Credentials (ADC) with gcloud auth application-default login on developer machines, which uses user credentials for local testing✓ Correct
  • C. Have developers run all code on Compute Engine VMs where the VM's service account handles authentication automatically
  • D. Create separate user IAM roles for each developer with direct project permissions and avoid service accounts altogether
Explanation

Application Default Credentials with gcloud auth application-default login (option B) allows developers to test locally without downloading or storing service account keys. It uses the developer's own user credentials instead. Option A violates the policy by storing key files. Option C is impractical for local development/testing. Option D abandons the use of service accounts entirely, which are essential for application-to-application authentication and are recommended by Google Cloud security best practices.

4. A customer wants to export their Google Cloud billing data to analyze it with SQL queries over historical periods. They want this export to be automatic and continuous. Which solution should you recommend?

  • A. Manually download CSV billing reports from the Billing Console each month and upload them to BigQuery
  • B. Enable billing export to BigQuery in the Billing Console; Google will automatically stream detailed usage and cost data into a specified BigQuery dataset✓ Correct
  • C. Use Cloud Scheduler to trigger a Cloud Function daily that calls the Cloud Billing API and writes results to BigQuery
  • D. Enable billing export to a Cloud Storage bucket; then create a BigQuery external table over that bucket
Explanation

The native and recommended solution is enabling BigQuery billing export directly in the Billing Console. Once enabled, Google automatically and continuously exports detailed usage cost data and (optionally) pricing data into a specified BigQuery dataset. This requires no custom code and provides the most comprehensive, up-to-date data for SQL analysis. Manual CSV downloads (option A) are not automatic or continuous, and are error-prone. A scheduled Cloud Function (option C) could work but is an unnecessarily complex custom solution when native export already exists. Exporting to Cloud Storage (option D) with an external BigQuery table is a real GCP feature but is not the recommended billing export path for SQL analysis — it's less performant and less up-to-date than native BigQuery export.

5. Your organization has a parent folder containing three sub-folders (Engineering, Finance, Operations), each with multiple projects. A new compliance requirement mandates that no project can have publicly accessible Cloud Storage buckets. You want to enforce this with a single policy that applies to all current and future projects. Which resource level should you apply an Organization Policy to achieve this?

  • A. Apply the policy individually to each project
  • B. Apply the policy to the parent folder so it cascades to all sub-folders and projects beneath it✓ Correct
  • C. Apply the policy to the Organization node
  • D. Apply the policy to each sub-folder (Engineering, Finance, Operations)
Explanation

Option 2 is correct: Applying an Organization Policy at the parent folder level automatically cascades down to all child resources (sub-folders and projects), which is the most efficient approach for this hierarchy. Option 1 requires repeated work on each project and misses future projects. Option 3 (Organization node) is correct in principle but is unnecessarily broad if the requirement only applies to a subset of the organization. Option 4 requires three separate policy applications instead of one.

40 more questions in this domain

Practice the full bank with instant grading, flashcards, and a timed mock exam.

Start practicing free