ACE — (Google Cloud Certified: Associate Cloud Engineer – ) Exam Blueprint
Practical exam blueprint for Google Cloud ACE candidates preparing for the Google Cloud Certified: Associate Cloud Engineer exam.
How to Use This Exam Blueprint
This checklist is for candidates preparing for the Google Cloud (Google Cloud Certified: Associate Cloud Engineer – ACE) exam, code ACE. Use it as a practical readiness map: review each topic area, confirm you can perform the task, and identify weak spots before moving into final practice.
The ACE exam is commonly associated with day-to-day Google Cloud engineering work: configuring cloud resources, deploying workloads, managing access, operating services, and troubleshooting common issues. This page does not assign exact weights or claim official scoring rules. Treat the sections below as readiness areas to verify before exam day.
Topic-Area Readiness Table
| Readiness area | What to review | You are ready when you can… |
|---|---|---|
| Google Cloud resource hierarchy | Organizations, folders, projects, resources, labels, naming, project selection | Explain where policies apply and choose the correct project, folder, or organization scope for a task |
| Identity and access management | IAM roles, principals, service accounts, least privilege, policy bindings | Grant only the access needed and identify when a service account is required |
| Billing and cost awareness | Billing accounts, project billing, budgets, alerts, labels, committed or sustained usage concepts at a high level | Connect projects to billing, use labels for cost allocation, and recognize basic cost-control choices |
| Cloud Shell and CLI basics | Google Cloud console, Cloud Shell, gcloud, configuration, active project, region, zone | Use the CLI safely without accidentally targeting the wrong project or location |
| Compute Engine | VM instances, machine types, boot disks, images, metadata, startup scripts, instance groups | Choose, deploy, connect to, resize, stop, troubleshoot, and monitor VM-based workloads |
| Google Kubernetes Engine | Clusters, nodes, workloads, Services, Ingress, autoscaling concepts, kubectl basics | Deploy a containerized workload, expose it, inspect pods, and identify common cluster issues |
| Serverless and application hosting | Cloud Run, App Engine, Cloud Functions at a practical selection level | Choose an appropriate managed compute option based on container, event, request, and operational needs |
| Storage services | Cloud Storage, persistent disks, Filestore basics, backup/snapshot concepts | Pick the right storage option for object, block, or shared file needs |
| Databases and data services | Cloud SQL, Firestore, Bigtable, Spanner, Memorystore, BigQuery at a service-selection level | Match database options to relational, document, wide-column, global, cache, and analytics scenarios |
| Networking | VPCs, subnets, firewall rules, routes, external/internal IPs, Cloud NAT, load balancing, DNS, VPN/interconnect concepts | Explain how traffic flows and troubleshoot basic connectivity problems |
| Security controls | IAM, service accounts, firewall rules, encryption concepts, Secret Manager, OS Login, audit logs | Apply least privilege and identify where access should be controlled |
| Deployment and configuration | Infrastructure setup, deployment commands, container images, environment variables, rollout checks | Deploy resources predictably and verify that the expected version/configuration is running |
| Monitoring, logging, and operations | Cloud Logging, Cloud Monitoring, alerts, metrics, uptime checks, error reporting concepts | Find logs and metrics, create basic alerts, and diagnose service health problems |
| Backup, resiliency, and recovery | Snapshots, managed backups, multi-zone/regional concepts, restart behavior, health checks | Identify how to reduce downtime and recover from common failure scenarios |
| Troubleshooting workflow | Permissions, quotas, network paths, health checks, logs, service status, misconfiguration | Narrow a problem using evidence rather than guessing |
Core Google Cloud Foundations
Resource Hierarchy and Project Control
Checklist:
- Explain the relationship between organization, folders, projects, and resources.
- Identify which project a command or deployment will affect.
- Recognize when a policy should be applied at project, folder, or organization level.
- Use labels to organize resources for cost, ownership, environment, or application tracking.
- Distinguish project identity from billing identity.
- Understand that many Google Cloud resources are regional, zonal, or global.
Can you answer these?
| Prompt | Ready answer |
|---|---|
| A team needs separate dev and prod environments. Where can separation happen? | Usually by separate projects and/or folders, with IAM, billing, network, and policy separation as needed |
| A user cannot see a resource. What do you check first? | Active project, IAM permissions, resource location, and whether the resource exists in the expected scope |
| A cost report needs to group resources by team. What helps? | Consistent labels and project structure |
Console, Cloud Shell, and CLI Readiness
You should be comfortable moving between the Google Cloud console and CLI.
Key command patterns to recognize:
gcloud config list
gcloud config set project PROJECT_ID
gcloud config set compute/region REGION
gcloud config set compute/zone ZONE
gcloud auth list
Readiness checks:
- Confirm the active account before running a command.
- Confirm the active project before creating or deleting resources.
- Know when to specify
--project,--region, or--zone. - Understand that an operation may fail because the wrong project, account, region, or zone is selected.
- Use
describe,list, and logs before changing a resource.
Common trap: running a command successfully, but in the wrong project or zone.
IAM and Security Readiness
IAM Roles, Principals, and Policy Bindings
| Concept | What to know for ACE readiness |
|---|---|
| Principal | A user, group, service account, or identity that can receive access |
| Role | A collection of permissions |
| Basic roles | Broad roles that are often too permissive for least-privilege design |
| Predefined roles | Google-managed roles for common job functions |
| Custom roles | Roles created for specific permission sets when predefined roles do not fit |
| Policy binding | Connects a principal to a role at a resource scope |
| Service account | Identity used by workloads and services, not a human user |
Checklist:
- Grant a user or group access to a project.
- Grant a service account access to another resource.
- Explain why least privilege matters.
- Identify when a predefined role is safer than a broad basic role.
- Recognize that permissions are inherited through the resource hierarchy.
- Distinguish granting access to a service account from allowing a user to act as that service account.
- Understand that some Google Cloud services use service agents.
Example command patterns:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="user:person@example.com" \
--role="roles/viewer"
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
--display-name="App runtime service account"
Security Scenario Checks
| Scenario | What the exam may test | Good decision path |
|---|---|---|
| A VM application needs to read from Cloud Storage | Workload identity and least privilege | Attach or configure a service account with an appropriate storage role |
| A developer needs temporary troubleshooting visibility | Least privilege and scope | Grant a focused role at the narrowest practical scope |
| A user can deploy but the application cannot access a database | Human IAM vs workload IAM | Check the runtime service account and database permissions |
| A port is unreachable from the internet | Network security path | Check firewall rules, external IP, load balancer, routes, and service health |
| Secrets are stored in code or environment files | Secret handling | Use a managed secret approach such as Secret Manager where appropriate |
IAM Weak Areas
- Confusing project owner/editor/viewer with least-privilege roles.
- Granting permissions to a human user when the workload’s service account needs them.
- Forgetting inherited permissions from folder or organization level.
- Assuming an IAM role fixes a network firewall problem.
- Assuming a firewall rule fixes an IAM denial.
- Not checking whether the active account is the expected identity.
Compute Engine Checklist
VM Deployment and Operations
Be ready to work through common VM lifecycle tasks.
| Task | Readiness check |
|---|---|
| Create a VM | Select project, zone, machine family, boot disk, image, network, firewall needs, and service account |
| Connect to a VM | Use SSH or browser-based connection methods and understand firewall or OS Login implications |
| Resize a VM | Know that machine type changes and restart behavior may matter |
| Use metadata | Recognize startup scripts, custom metadata, and instance-level configuration |
| Manage disks | Understand boot disks, additional persistent disks, snapshots, and image usage |
| Use instance templates | Know why templates support repeatable instance creation |
| Use managed instance groups | Understand health checks, autoscaling, rolling updates, and self-healing concepts |
| Troubleshoot VM boot | Check serial console output, logs, startup scripts, disk/image issues, and permissions |
Command patterns to recognize:
gcloud compute instances list
gcloud compute instances describe INSTANCE_NAME \
--zone=ZONE
gcloud compute ssh INSTANCE_NAME \
--zone=ZONE
VM Scenario Cues
| Cue in a question | Likely topic |
|---|---|
| “Single VM failed and traffic stopped” | Need for managed instance group, load balancing, or more resilient design |
| “Startup script did not install the app” | Metadata, script syntax, logs, package repository access, network egress |
| “VM cannot reach the internet without external IP” | Cloud NAT or controlled egress path |
| “Need identical VMs for scaling” | Instance template and managed instance group |
| “Need to preserve disk state before change” | Snapshot or image planning |
Containers and Google Kubernetes Engine
GKE Concepts to Review
| Concept | You should be able to… |
|---|---|
| Cluster | Explain the control plane and node pool relationship at a practical level |
| Node pool | Understand that workloads run on nodes and node pools can vary by machine type/configuration |
| Pod | Recognize the smallest deployable unit in Kubernetes |
| Deployment | Use it to manage replicas and rolling updates |
| Service | Expose pods inside or outside the cluster depending on type |
| Ingress | Route HTTP/S traffic into services when configured |
| ConfigMap and Secret | Separate configuration and sensitive values from container images |
| Autoscaling | Recognize workload or node scaling concepts |
| Image registry | Understand how container images are built, stored, and deployed |
Useful kubectl checks:
kubectl get pods
kubectl get deployments
kubectl get services
kubectl describe pod POD_NAME
kubectl logs POD_NAME
kubectl apply -f manifest.yaml
Readiness checklist:
- Deploy a containerized app to GKE.
- Expose a workload using a Kubernetes Service.
- Check pod status and events.
- Read container logs.
- Recognize image pull, scheduling, readiness, and crash loop symptoms.
- Understand the difference between Kubernetes IAM/RBAC concepts and Google Cloud IAM at a high level.
- Know when a managed container platform such as Cloud Run may be simpler than GKE.
GKE Troubleshooting Cues
| Symptom | First checks |
|---|---|
| Pod stuck pending | Node capacity, scheduling constraints, node pool health |
| Pod crash looping | Container logs, command/entrypoint, environment variables, dependencies |
| Service has no traffic | Service selector, pod labels, endpoints, firewall/load balancer status |
| Image pull failure | Image name, registry access, service account permissions |
| App deployed but old version still served | Rollout status, image tag, deployment update, load balancer caching/path |
Serverless and Application Hosting
Service Selection
| Need | Service direction to consider |
|---|---|
| Run stateless containers with minimal infrastructure management | Cloud Run |
| Host an application on a platform-managed runtime | App Engine |
| Run event-driven code in response to cloud events or HTTP triggers | Cloud Functions |
| Run full VMs with OS control | Compute Engine |
| Orchestrate containers with Kubernetes APIs and cluster control | Google Kubernetes Engine |
Checklist:
- Distinguish container-based, function-based, platform-based, VM-based, and Kubernetes-based compute.
- Recognize when stateless design helps scaling and recovery.
- Identify where environment variables, service accounts, and secrets affect runtime behavior.
- Understand how request-driven scaling differs from always-on compute.
- Know how logs and revisions help validate a deployment.
Deployment Readiness
Can you do this?
- Deploy an app and verify the active revision or version.
- Roll back to a previous known-good version when supported by the service.
- Configure the service account used by the runtime.
- Send traffic to the intended version or revision.
- Check runtime logs after a failed deployment.
- Explain whether a workload needs persistent local state, long-running processes, background workers, or request-based execution.
Storage and Database Exam Blueprint
Storage Service Selection
| Requirement | Likely Google Cloud service or concept |
|---|---|
| Store objects such as images, backups, exports, or static assets | Cloud Storage |
| Attach block storage to a VM | Persistent Disk |
| Share file storage among supported compute workloads | Filestore |
| Preserve a point-in-time copy of a disk | Snapshot |
| Serve static web assets | Cloud Storage, often with appropriate access and routing design |
| Move or archive large object data | Cloud Storage lifecycle and storage class concepts |
Cloud Storage readiness:
- Create and manage buckets.
- Understand bucket location choices at a practical level.
- Configure object access using IAM and appropriate access controls.
- Recognize lifecycle management use cases.
- Understand retention and versioning concepts at a high level.
- Use
gsutilorgcloud storagecommand patterns conceptually.
Command patterns:
gcloud storage buckets list
gcloud storage cp ./file.txt gs://BUCKET_NAME/path/file.txt
gcloud storage ls gs://BUCKET_NAME
Database Service Selection
| Requirement | Service direction to review |
|---|---|
| Managed relational database | Cloud SQL |
| Globally scalable relational database with strong consistency needs | Cloud Spanner |
| Document database for app data | Firestore |
| Wide-column database for high-throughput, low-latency workloads | Bigtable |
| In-memory cache | Memorystore |
| Analytics warehouse | BigQuery |
Readiness checklist:
- Choose relational vs document vs wide-column vs analytics storage.
- Recognize when Cloud SQL is a better fit than running a database on a VM.
- Understand backups, maintenance, replicas, and connection methods at a practical level.
- Identify when BigQuery is for analytics rather than serving low-latency transactional app requests.
- Recognize when Memorystore is used as a cache, not the system of record.
Storage and Database Traps
- Choosing persistent disk for object storage use cases.
- Choosing Cloud Storage for frequently updated relational records.
- Treating BigQuery like an OLTP application database.
- Ignoring backup and restore requirements.
- Forgetting IAM or network controls around managed databases.
- Confusing object lifecycle management with application-level data retention logic.
Networking Readiness
VPC, Subnets, Firewalls, and IPs
| Topic | What to know |
|---|---|
| VPC network | Logical network boundary for resources |
| Subnet | Regional IP range within a VPC |
| Firewall rule | Controls allowed or denied traffic based on direction, targets, sources, protocols, and ports |
| Internal IP | Private communication inside VPC-connected resources |
| External IP | Internet-reachable address when allowed by configuration |
| Route | Determines traffic path |
| Cloud NAT | Provides outbound internet access for resources without external IPs |
| Cloud DNS | Managed DNS service |
| Load balancing | Distributes traffic across backends and supports resilient service access |
| Hybrid connectivity | VPN and interconnect concepts for connecting external networks |
Readiness checklist:
- Explain the difference between a VPC and a subnet.
- Identify whether a subnet is regional.
- Check firewall rules for source, target, protocol, and port.
- Distinguish ingress and egress rules.
- Determine whether a VM has internal-only or external connectivity.
- Recognize when Cloud NAT is needed for outbound access.
- Understand how load balancer health checks affect backend availability.
- Know that DNS resolution and firewall access are separate concerns.
Network Troubleshooting Workflow
flowchart TD
A[Connectivity problem] --> B{Correct project and region?}
B -- No --> B1[Fix context]
B -- Yes --> C{Resource has expected IP/path?}
C -- No --> C1[Check subnet, route, address]
C -- Yes --> D{Firewall allows traffic?}
D -- No --> D1[Review ingress/egress rule]
D -- Yes --> E{IAM or service auth required?}
E -- Yes --> E1[Check identity and permissions]
E -- No --> F{Backend healthy?}
F -- No --> F1[Check app logs and health checks]
F -- Yes --> G[Check DNS, load balancer, client path]
Networking Scenario Cues
| Scenario wording | Think about |
|---|---|
| “VM has no external IP but needs package updates” | Cloud NAT or private access pattern |
| “Traffic reaches load balancer but not backend” | Backend health checks, firewall rules, service port, named ports where relevant |
| “Two resources cannot communicate internally” | VPC, subnet, firewall, routes, service account/IAM if using managed service APIs |
| “Public users cannot access application” | External IP/load balancer, firewall, DNS, TLS/certificate configuration, backend health |
| “Need private connectivity to on-premises” | VPN or dedicated connectivity concepts |
| “Need to restrict inbound SSH” | Firewall source ranges, OS Login, IAM, bastion or managed access patterns |
Operations, Monitoring, and Logging
Observability Checklist
| Area | You should be able to… |
|---|---|
| Cloud Logging | Find application, audit, VM, and service logs |
| Cloud Monitoring | View metrics and create alerting policies conceptually |
| Uptime checks | Recognize use for external availability monitoring |
| Dashboards | Understand how to visualize service health |
| Error Reporting | Identify application errors when supported |
| Audit logs | Use for who-did-what investigation |
| Health checks | Connect backend health to load balancing and managed instance group behavior |
Readiness checklist:
- Locate logs for a VM, container, serverless service, or managed service.
- Interpret error messages before changing configuration.
- Create or recognize an alerting policy based on a metric condition.
- Identify whether an issue is application, infrastructure, IAM, or network related.
- Use audit logs to investigate administrative changes.
- Recognize the role of health checks in autoscaling and load balancing.
- Know that monitoring a service requires useful metrics and alert thresholds, not just logs.
Troubleshooting Prompts
Can you work through these?
- A deployment succeeded, but users see errors. Check service logs, revision/version, backend health, configuration, and recent changes.
- A VM is running but the app is unavailable. Check process status, listening port, firewall, route, logs, and health check.
- A service account permission error appears in logs. Identify the runtime identity and grant the minimum required role.
- A load balancer shows unhealthy backends. Check health check path/port, firewall rules, application response, backend service configuration.
- Costs increased unexpectedly. Check billing reports, labels, recently created resources, scaling behavior, and idle resources.
Deployment, Configuration, and Change Management
Practical Deployment Skills
| Task | Readiness target |
|---|---|
| Repeatable configuration | Use templates, manifests, scripts, or managed deployment tools where appropriate |
| Version control awareness | Understand that infrastructure and app configuration should be reproducible |
| Rollout validation | Confirm the new version is serving traffic and healthy |
| Rollback planning | Know how to return to a previous version, image, snapshot, or configuration |
| Environment separation | Keep dev/test/prod resources isolated through projects, folders, networks, and IAM |
| Runtime configuration | Use environment variables, secrets, and service accounts correctly |
Checklist:
- Verify deployment target before applying changes.
- Validate service health after deployment.
- Check logs immediately after rollout.
- Avoid embedding secrets in source code or container images.
- Understand how image tags, revisions, and rollout state can create confusion.
- Know when a snapshot, backup, or export should be created before a risky change.
Billing, Cost, and Governance
Cost-Awareness Checklist
You do not need to memorize prices, but you should understand cost drivers and governance controls.
- Identify which project is linked to billing.
- Use budgets and alerts conceptually to detect spending changes.
- Understand that idle resources can continue to cost money.
- Recognize that storage, compute, network egress, logs, and managed services can all contribute to cost.
- Use labels and project structure to allocate costs.
- Recognize when autoscaling can both help efficiency and increase spend if traffic or misconfiguration grows.
- Know that deleting an application may not delete all associated disks, IPs, snapshots, or logs.
Governance Scenario Checks
| Scenario | Strong response |
|---|---|
| A team needs to track cost by application | Use labels and project/resource organization |
| A project should stop generating charges after testing | Identify and delete or stop all billable resources, including disks and external IPs where applicable |
| A workload must not use overly broad access | Apply least privilege IAM and service accounts |
| Multiple teams need separation | Use project/folder structure, IAM boundaries, and network separation as appropriate |
| Unexpected spend appears | Review billing reports, recent deployments, scaling events, logs volume, and idle resources |
Backup, Resiliency, and Recovery
Resiliency Topics to Review
| Workload type | Readiness checks |
|---|---|
| VM workload | Snapshots, images, managed instance groups, health checks, zones/regions, startup automation |
| Container workload | Replica count, deployment rollout, node pool health, service exposure, image availability |
| Serverless workload | Revision/version management, service configuration, runtime identity, event source behavior |
| Database workload | Backups, replicas, maintenance windows, connection failover concepts, restore testing |
| Object storage | Versioning, lifecycle, retention, access control, replication/location concepts |
| Load-balanced app | Backend health, autoscaling, firewall rules, health check configuration |
Can you explain?
- Difference between backup, snapshot, image, and replica at a practical level.
- Why a single VM is less resilient than a managed group behind a load balancer.
- Why regional or multi-zone design may matter for availability.
- Why recovery plans must include data, configuration, IAM, networking, and DNS.
- How to validate recovery rather than assuming a backup works.
High-Value “Can You Do This?” Checklist
Use this section as a quick readiness test. If any item feels uncertain, review that area before taking full practice exams.
Environment and Resource Management
- Set the active project, region, and zone in
gcloud. - Identify whether a resource is global, regional, or zonal.
- Create a project-level label strategy for ownership and environment.
- Determine where an IAM policy should be applied.
- Explain how folders and projects help separate workloads.
IAM and Security
- Grant a user a role at the narrowest useful scope.
- Create and use a service account for an application.
- Identify whether a permission error belongs to the user identity or runtime identity.
- Explain why basic roles may be too broad.
- Use audit logs conceptually to investigate administrative actions.
- Choose Secret Manager or a managed secret pattern instead of hard-coded secrets.
Compute and Application Hosting
- Create and troubleshoot a Compute Engine VM.
- Use an instance template and managed instance group conceptually.
- Deploy a containerized workload to GKE or choose Cloud Run when cluster management is unnecessary.
- Inspect pod status and logs.
- Select between Compute Engine, GKE, Cloud Run, App Engine, and Cloud Functions for a scenario.
- Verify a rollout and identify the running version.
Storage and Data
- Select Cloud Storage for object data.
- Select persistent disk for VM block storage.
- Select Cloud SQL for common managed relational needs.
- Recognize when BigQuery is the analytics service.
- Identify backup and restore requirements for a database.
- Configure object access without making data unnecessarily public.
Networking
- Explain VPC, subnet, route, firewall, and IP address roles.
- Troubleshoot an unreachable VM or service.
- Determine when Cloud NAT is useful.
- Understand load balancer, backend, and health check relationships.
- Diagnose whether a connectivity problem is DNS, firewall, routing, IAM, or application health.
Operations
- Find logs for the affected service.
- Create or interpret a basic metric alert.
- Use health checks to reason about load-balanced backends.
- Investigate a failed deployment through logs and recent changes.
- Identify cost spikes through billing, labels, scaling, and idle resource review.
Scenario and Decision-Point Practice
Choose the Right Compute Option
| Scenario | Best readiness reasoning |
|---|---|
| Need full OS control and custom agents | Compute Engine is likely appropriate |
| Need Kubernetes APIs and container orchestration | GKE is likely appropriate |
| Need to run a stateless container without managing servers | Cloud Run is likely appropriate |
| Need event-triggered lightweight code | Cloud Functions may fit |
| Need a managed app platform with supported runtime model | App Engine may fit |
Decision prompts:
- Does the workload require OS-level control?
- Is the app packaged as a container?
- Does the team want to manage Kubernetes?
- Is traffic request-driven or continuously running?
- Does the workload need persistent local state?
- What identity will the runtime use?
Choose the Right Storage or Database
| Scenario | Better direction |
|---|---|
| User uploads images and documents | Cloud Storage |
| App needs a managed MySQL/PostgreSQL-style relational database | Cloud SQL |
| App needs document-style data access | Firestore |
| Analytics team queries large datasets | BigQuery |
| App needs a cache for session or frequently accessed data | Memorystore |
| VM needs attached block storage | Persistent Disk |
Decision prompts:
- Is the data structured, semi-structured, object, block, or analytical?
- Is the access pattern transactional or analytical?
- Does the application need SQL semantics?
- Is global scale or strong consistency a major requirement?
- What are the backup and restore needs?
- Who or what identity needs access?
Troubleshoot Access Problems
| Error pattern | Check first |
|---|---|
PERMISSION_DENIED from an application | Runtime service account permissions |
| User cannot view project resource | User/group IAM binding and active project |
| VM cannot connect to database | Network path, database authorized access/private connectivity, service account/IAM if applicable |
| Container cannot pull image | Registry path and workload identity/service account permissions |
| Public object access denied | Bucket/object IAM and access configuration |
Troubleshoot Connectivity Problems
| Symptom | Possible causes |
|---|---|
| Cannot SSH to VM | Firewall, OS Login/IAM, external IP, network path, instance state |
| App port unreachable | Firewall, app not listening, wrong port, route, health check failure |
| Backend unhealthy | Health check path/port, firewall, app response, instance group configuration |
| Private VM cannot reach internet | No NAT path or restricted egress |
| DNS resolves but app fails | Backend health, firewall, TLS, application errors |
| App works internally but not externally | Load balancer, external IP, firewall, DNS, certificate, backend service |
Command and Artifact Readiness
You do not need to memorize every command flag, but you should recognize common command structure and know what information each command helps confirm.
gcloud Context
gcloud config list
gcloud config set project PROJECT_ID
gcloud auth list
Use for:
- Confirming active project.
- Confirming active account.
- Avoiding accidental changes in the wrong environment.
Compute Engine Inspection
gcloud compute instances list
gcloud compute instances describe INSTANCE_NAME --zone=ZONE
Use for:
- Instance status.
- Zone placement.
- Network interfaces.
- Service account.
- Tags or labels.
- Attached disks.
IAM Review
gcloud projects get-iam-policy PROJECT_ID
Use for:
- Checking role bindings.
- Finding whether a principal has project-level access.
- Spotting overly broad permissions.
Kubernetes Inspection
kubectl get pods
kubectl describe pod POD_NAME
kubectl logs POD_NAME
Use for:
- Container state.
- Scheduling events.
- Crash loops.
- Application errors.
- Image pull problems.
Cloud Storage Inspection
gcloud storage ls gs://BUCKET_NAME
gcloud storage cp SOURCE DESTINATION
Use for:
- Verifying bucket/object paths.
- Copying data.
- Confirming object availability.
Common Weak Areas and Exam Traps
| Weak area | Why it hurts | What to practice |
|---|---|---|
| IAM vs networking | Candidates often try to solve permission errors with firewalls or connectivity errors with IAM | Classify the error before choosing a fix |
| Wrong project/zone | Many commands work but target the wrong context | Always check active project, region, and zone |
| Service account confusion | Workloads use service accounts, not the human deployer’s identity | Identify runtime identity in every scenario |
| Overly broad roles | Basic roles may solve the symptom but violate least privilege | Choose focused predefined roles when possible |
| GKE troubleshooting | Kubernetes has multiple layers: pod, service, node, image, cluster, IAM, network | Use get, describe, and logs in order |
| Load balancer health | Traffic failures often trace to unhealthy backends | Check health checks, firewall, backend service, app response |
| Storage mismatch | Object, block, file, relational, and analytics storage solve different problems | Map access pattern before choosing service |
| Serverless assumptions | Serverless does not remove IAM, networking, config, or logging concerns | Check runtime identity, environment, and logs |
| Cost blind spots | Deleted apps may leave disks, IPs, snapshots, logs, or databases | Review all related resources |
| Backup confidence | A backup is only useful if restore is understood | Practice restore reasoning, not just backup creation |
Final-Week Checklist
7 to 5 Days Out
- Review each readiness area and mark weak topics.
- Revisit IAM, service accounts, and least privilege.
- Practice scenario questions that require service selection.
- Review networking flows: VPC, subnet, firewall, route, NAT, load balancer, DNS.
- Review Compute Engine, GKE, Cloud Run, Cloud Storage, and Cloud SQL operations.
- Make a one-page list of commands and troubleshooting workflows.
4 to 2 Days Out
- Take timed practice sets and review every missed question.
- For each miss, identify whether the cause was concept, wording, service selection, or command familiarity.
- Practice explaining why the correct answer is better than plausible alternatives.
- Review logs/monitoring/troubleshooting scenarios.
- Review cost-control and governance scenarios.
- Avoid deep memorization of exact limits unless they appear in your official exam-prep materials.
Final 24 Hours
- Recheck high-value service selection tables.
- Review IAM vs network vs application troubleshooting.
- Review
gcloudcontext commands. - Review common GKE pod and service failure symptoms.
- Review storage and database use cases.
- Sleep, manage timing, and avoid last-minute overload.
Readiness Self-Assessment
Score yourself honestly:
| Score | Meaning |
|---|---|
| 1 | I recognize the topic but cannot apply it |
| 2 | I can answer definition questions only |
| 3 | I can solve straightforward scenarios |
| 4 | I can troubleshoot multi-step scenarios |
| 5 | I can explain tradeoffs and eliminate distractors |
Use this quick grid:
| Area | Score 1-5 | Review needed? |
|---|---|---|
| Resource hierarchy and projects | ||
| IAM and service accounts | ||
| Compute Engine | ||
| GKE and containers | ||
| Serverless services | ||
| Storage and databases | ||
| Networking | ||
| Monitoring and logging | ||
| Billing and governance | ||
| Troubleshooting workflows |
Practical Next Step
After reviewing this Exam Blueprint, move into scenario-based practice. For each practice question, force yourself to identify the service, the scope, the identity, the network path, and the operational evidence before choosing an answer. That habit is one of the best ways to turn Google Cloud knowledge into ACE exam readiness.