Try 10 focused Google Cloud Associate Cloud Engineer questions on Cloud Environment Setup, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | Google Cloud Associate Cloud Engineer |
| Topic area | Setting Up a Cloud Solution Environment |
| Blueprint weight | 10% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Setting Up a Cloud Solution Environment for Google Cloud Associate Cloud Engineer. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 10% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Setting Up a Cloud Solution Environment
Which TWO of the following IAM role assignment practices follow the principle of least privilege for common personas in a Google Cloud project? (Select TWO.)
Options:
A. Assign auditors the predefined roles roles/viewer and roles/logging.viewer on the project so they can read resource metadata and logs without modifying resources.
B. Give operations staff the basic Owner role on the project so they can manage all resources during incidents without additional configuration.
C. Grant application developers the predefined role roles/run.developer on the project where they deploy Cloud Run services instead of giving them the basic Editor role.
D. Allow a CI/CD service account to impersonate all service accounts in the organization so deployment pipelines never fail due to missing permissions.
E. To simplify management, always grant roles at the organization level rather than at the folder or project level; this is the best way to enforce least privilege.
Correct answers: A and C
Explanation: The principle of least privilege in IAM means granting identities only the minimal set of permissions they need to perform their job, and no more. On Google Cloud, you typically achieve this by using predefined roles that match a persona’s responsibilities and scoping those roles to the smallest resource level that still allows them to work effectively (usually project or folder).
For developers who deploy Cloud Run services, the roles/run.developer predefined role is designed specifically for managing Cloud Run resources without giving them broad control over other parts of the project. This is a clear example of least privilege compared with basic roles like Editor.
Auditors commonly need read-only visibility into resources and logs. Combining roles/viewer (read-only view of resources) with roles/logging.viewer (read-only view of logs) gives them the access they need without the ability to change infrastructure or data. This respects least privilege while still meeting their requirements.
By contrast, granting basic roles such as Owner or Editor, assigning roles at the organization level by default, or allowing excessive service account impersonation increases the scope and power of permissions far beyond what most personas require. These practices violate least privilege and create unnecessary security risks.
Topic: Setting Up a Cloud Solution Environment
Your company has created a new Google Cloud project for a development team. The security lead wants IAM permissions managed using groups instead of individual user accounts. Which approach should you take to configure access for the developers?
Options:
A. Create a Google Group for the development team and grant the required IAM roles to that group on the project.
B. Grant the required IAM roles to the entire corporate domain at the organization level so all employees have access.
C. Grant the required IAM roles directly to each developer’s user account on the project.
D. Create a shared service account with the required roles on the project and distribute its key to all developers.
Best answer: A
Explanation: Cloud Identity users and groups both map to IAM principals that you can bind roles to. Google best practice is to grant IAM roles to groups, not directly to individual user accounts, and then manage who has access by adding or removing users from those groups.
In this scenario, the security lead explicitly wants access to be managed using groups instead of individual users. The correct implementation is therefore to create a Google Group that represents the development team and grant the necessary IAM roles (for example, roles/viewer, roles/storage.objectAdmin, or a similar least-privilege set) to that group on the project. As people join or leave the team, only group membership changes; the IAM policy on the project remains stable.
The other options either assign roles directly to users, use an unsafe shared service account, or grant access far too broadly at the domain or organization level, and none of them implement the requested group-based access pattern.
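Both questions above come down to reading an IAM policy and spotting the same few anti-patterns: basic roles where a predefined role would do, roles bound to individual users instead of groups, and a token-creator grant broad enough to impersonate every service account in scope. The script below is an added example, not code from IT Mastery or Google; it audits a policy document in the shape `gcloud projects get-iam-policy PROJECT_ID --format=json` produces. The sample policy, project and principal names are constructed.

```python
"""Audit a project IAM policy for the least-privilege anti-patterns named in
the two questions above. SAMPLE_POLICY is a constructed stand-in for the
JSON that `gcloud projects get-iam-policy PROJECT_ID --format=json` prints;
every principal and project name in it is made up."""
import json
import sys

# Basic roles that grant broad write access over everything in the scope.
# roles/viewer is also a basic role, but it is read-only, which is why the
# auditor pattern in the first question pairs it with roles/logging.viewer.
BROAD_BASIC_ROLES = {"roles/owner", "roles/editor"}

# Held on a whole project or organization, this role lets the member
# impersonate every service account in that scope.
IMPERSONATION_ROLE = "roles/iam.serviceAccountTokenCreator"

# Narrower replacements; only the Cloud Run role is named on the page.
SUGGESTED = {
    "roles/editor": "a predefined role such as roles/run.developer",
    "roles/owner": "predefined roles that match the persona's actual duties",
}

SAMPLE_POLICY = {  # constructed
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:ops-lead@example.com"]},
        {"role": "roles/editor", "members": ["group:app-devs@example.com"]},
        {"role": "roles/run.developer", "members": ["group:app-devs@example.com"]},
        {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
        {"role": "roles/logging.viewer", "members": ["group:auditors@example.com"]},
        {"role": IMPERSONATION_ROLE,
         "members": ["serviceAccount:ci-deploy@demo-project.iam.gserviceaccount.com"]},
    ],
}


def audit_policy(policy):
    """Return (issue, role, member) triples for every binding that breaks the
    least-privilege or group-based access guidance."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if role in BROAD_BASIC_ROLES:
                findings.append(("BASIC_ROLE", role, member))
            if member.startswith("user:"):
                findings.append(("DIRECT_USER", role, member))
            if role == IMPERSONATION_ROLE:
                findings.append(("BROAD_IMPERSONATION", role, member))
    return findings


def summarize(findings):
    """Count findings per issue so the reviewer sees the pattern, not just rows."""
    counts = {}
    for issue, _, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


def describe(finding):
    """One-line remediation text for a finding."""
    issue, role, member = finding
    if issue == "BASIC_ROLE":
        return f"{member} holds basic role {role}; replace with {SUGGESTED[role]}"
    if issue == "DIRECT_USER":
        return f"{member} is bound directly to {role}; bind a Google Group instead"
    return (f"{member} can mint tokens for every service account in scope via {role}; "
            f"grant it on the specific service accounts the pipeline needs")


if __name__ == "__main__":
    # Pass a saved policy file as the first argument, or run without one to
    # audit the constructed sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for finding in audit_policy(policy):
        print(describe(finding))
```

Run against the sample, the owner binding produces two findings (a basic role and a per-user grant), the editor binding one, and the token-creator binding one; the auditor and Cloud Run bindings pass, which is the pattern the correct answers describe.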
Topic: Setting Up a Cloud Solution Environment
Your security team wants to standardize security controls across all current and future projects in your organization by using Google Cloud organization policies. They list several requirements.
Which requirement would NOT be an appropriate use of an organization policy in Google Cloud?
Options:
A. Force every Compute Engine VM instance name to start with a specific team prefix (for example, team-a-) across all projects.
B. Restrict all projects so that resources can only be created in a small set of approved regions.
C. Disallow assigning external IP addresses to Compute Engine VM instances in any project, except for a few approved projects.
D. Require that Cloud Storage buckets in all projects block public access from being granted to new objects or buckets.
Best answer: A
Explanation: Organization policies in Google Cloud are used to centrally enforce high-level constraints such as allowed regions, use of external IPs, and whether certain services or capabilities can be used in projects under the organization or folders.
They are not a mechanism for enforcing detailed naming conventions or per-resource formatting rules. Those types of standards are usually implemented through infrastructure-as-code templates, automation, or internal processes, not via organization policies.
In this scenario, most of the listed requirements match typical organization policy use cases (location restrictions, external IP control, and preventing public access). The requirement to force VM names to follow a specific prefix is the one that does not align with what organization policies are designed to do.
Topic: Setting Up a Cloud Solution Environment
Your company must ensure that all Google Cloud resources are created only in EU regions. The security team wants a single control that applies by default to all current and future projects in the organization, without configuring each project separately. Which approach should you use?
Options:
A. Require each project owner to use labels indicating EU-only and enforce them with a monitoring alert.
B. Use Cloud Armor to block traffic from non-EU regions to your external HTTP(S) load balancers.
C. Create an organization policy at the organization node that restricts allowed resource locations to EU regions.
D. Create an IAM custom role that only grants permissions to create resources in EU regions and assign it at the organization level.
Best answer: C
Explanation: The scenario asks for a single, centralized control that enforces where resources can be created across all current and future projects. This is exactly what organization policies are for. By setting a location-related organization policy constraint at the organization node, you can restrict allowed regions to the EU, and this restriction will inherit down to folders and projects.
Services like Cloud Armor or IAM roles do not control resource creation locations. Labels and monitoring can help detect policy violations but cannot reliably prevent them. Organization policies implement preventive controls that the Resource Manager enforces during resource creation requests.
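The two organization policy questions above rest on one mechanism: a list constraint set at the organization node is inherited by every folder and project beneath it, and a lower-level policy can either merge with or replace what it inherits (the approved-project exception in the external IP question). The evaluator below is an added example, not Google's implementation; the hierarchy, policies, region and instance names are constructed, and the policy dict is a simplified model of a list-constraint policy rather than the Resource Manager API schema.

```python
"""Evaluate organization policy list constraints as the questions above
describe them: set once at the organization node, inherited by folders and
projects, with a per-project override for an approved exception. Hierarchy,
policies, regions and instance names are constructed; the dict shape is a
simplification of a list-constraint policy, not the API schema."""

LOCATIONS = "constraints/gcp.resourceLocations"
EXTERNAL_IP = "constraints/compute.vmExternalIpAccess"

# Constructed hierarchy: child -> parent (None at the organization).
PARENT = {
    "projects/dev-sandbox": "folders/engineering",
    "projects/ops-prod": "folders/engineering",
    "folders/engineering": "organizations/123456789",
    "organizations/123456789": None,
}

# Constructed policies. Each entry models one list-constraint policy with
# allowed / denied values, an all-values switch, and whether it merges with
# the parent's policy (True) or replaces it (False, the default here).
POLICIES = {
    "organizations/123456789": {
        LOCATIONS: {"allowed": ["europe-west1", "europe-west4"], "inherit_from_parent": False},
        EXTERNAL_IP: {"all_values": "DENY", "inherit_from_parent": False},
    },
    "projects/ops-prod": {
        # Approved exception: one named instance may keep an external IP.
        EXTERNAL_IP: {
            "allowed": ["projects/ops-prod/zones/europe-west1-b/instances/bastion"],
            "inherit_from_parent": False,
        },
    },
}


def effective_policy(resource, constraint):
    """Walk from the resource up to the organization, merging policies until a
    non-inheriting policy (or the root) is reached."""
    allowed, denied, all_values = [], [], None
    node = resource
    while node is not None:
        policy = POLICIES.get(node, {}).get(constraint)
        if policy is not None:
            allowed = policy.get("allowed", []) + allowed
            denied = policy.get("denied", []) + denied
            if all_values is None:
                all_values = policy.get("all_values")
            if not policy.get("inherit_from_parent", False):
                break
        node = PARENT.get(node)
    return allowed, denied, all_values


def is_allowed(resource, constraint, value):
    """Decide whether `value` passes the effective policy on `resource`."""
    allowed, denied, all_values = effective_policy(resource, constraint)
    if value in denied:
        return False
    if value in allowed:
        return True
    if all_values == "DENY":
        return False
    if all_values == "ALLOW":
        return True
    # An explicit allow list excludes everything not on it; no policy at all
    # means the constraint is not enforced.
    return not allowed


def check_request(resource, region, instance=None):
    """Return the constraints a resource-creation request would violate; an
    empty list means the request passes the preventive controls."""
    violations = []
    if not is_allowed(resource, LOCATIONS, region):
        violations.append(LOCATIONS)
    if instance is not None and not is_allowed(resource, EXTERNAL_IP, instance):
        violations.append(EXTERNAL_IP)
    return violations
```

Note that the project-level exception replaces only the external IP policy for ops-prod; the location restriction is not set there, so the walk continues to the organization and the EU-only rule still applies to that project.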
Topic: Setting Up a Cloud Solution Environment
Your company just created its first Cloud Billing account for a new Google Cloud organization. Finance needs to manage payment methods and view all charges, but must not modify any projects. Engineering team leads must be able to attach their project(s) to this billing account so they can start using Google Cloud resources, but must not manage payment methods. You must follow least privilege and assign permissions to groups, not individual users. Which configuration should you implement?
Options:
A. Create a finance-billing-admins Google Group and grant it the Billing Account Administrator role on the Cloud Billing account. Create an eng-billing-users Google Group and grant it the Billing Account User role on the same Cloud Billing account.
B. Grant the finance Google Group the Organization Owner role and grant each engineering lead the Project Owner role on all projects; do not assign any billing-specific IAM roles.
C. Create a finance-billing-viewers Google Group and grant it the Billing Account Viewer role on the Cloud Billing account. Grant the same group the Billing Account Administrator role so they can also attach projects on behalf of engineering.
D. Create an eng-billing-admins Google Group and grant it the Billing Account Administrator role on the Cloud Billing account. Grant the finance Google Group only the Billing Account Viewer role on that billing account.
Best answer: A
Explanation: Cloud Billing IAM roles are applied at the billing account level and are designed to separate responsibilities such as payment management, project association, and cost visibility.
In this scenario, finance must manage payment methods and see all charges, but not modify projects. Engineering leads must be able to attach their own projects to the billing account but must not manage payment methods. The correct solution uses billing-specific predefined roles at the billing account scope and assigns them to Google Groups to follow least-privilege and group-based IAM best practices.
The Billing Account Administrator role on a specific Cloud Billing account allows managing payment methods and other billing settings for that account, which matches finance’s needs. The Billing Account User role on that billing account allows principals to attach projects they control to the billing account, but does not permit managing payment instruments, which matches engineering’s requirements. Using separate groups for finance and engineering cleanly separates duties.
Topic: Setting Up a Cloud Solution Environment
Your company has a single Google Cloud organization with about 20 projects. All projects currently sit directly under the organization node, and each project mixes development and production resources for a different team.
The security team wants to:
Which change to the resource hierarchy is the most appropriate to meet these goals?
Options:
A. Grant Organization Administrator to all department leads so they can manage IAM and policies for their own projects directly at the organization level.
B. Create a separate Google Cloud organization for each department and move that department’s projects into its own organization.
C. Merge all workloads into a single shared project under the organization and manage access with fine-grained IAM roles on individual resources.
D. Create department-level folders under the organization, move each team’s projects into the appropriate folder, and assign IAM and relevant organization policies at the organization and folder levels.
Best answer: D
Explanation: The Google Cloud resource hierarchy (organization → folders → projects) is designed to support centralized governance while still allowing isolation and delegated administration.
In this scenario, the company already has a single organization and many projects belonging to different teams. The goals are:
Using folders is the intended way to structure projects under the organization. Folders allow you to group projects (for example, by department or environment), apply IAM at that grouping level, and inherit organization policies down to all contained projects. This achieves both centralized control and scoped delegation.
By creating department-level folders and moving projects into those folders, the security team can:
Other options either reduce isolation, fragment governance, or violate least privilege and therefore do not meet all the stated goals.
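The restructuring in the correct answer is easy to reason about with a small model: start from the flat layout (every project directly under the organization), create one folder per department, move the projects in, and then ask which roles a principal holds on a project once folder-level bindings are inherited. The code below is an added example of that inheritance, not a Google Cloud API; the organization id, folder, project and group names, and the department tags are all constructed.

```python
"""Model the restructuring recommended above: a flat organization is
regrouped into department folders, projects are moved into them, and roles
granted on a folder are inherited by the projects inside it. Organization
id, folder, project and group names and department tags are constructed."""

ORG = "organizations/123456789"

# Constructed flat starting state: every project's parent is the organization.
PARENT = {
    "projects/payments-dev": ORG,
    "projects/payments-prod": ORG,
    "projects/data-lake": ORG,
}

# Constructed department tag per project (in practice a label or naming
# convention the company decides on, not something Google Cloud infers).
DEPARTMENT = {
    "projects/payments-dev": "payments",
    "projects/payments-prod": "payments",
    "projects/data-lake": "analytics",
}

# Constructed IAM bindings per resource: role -> set of principals.
BINDINGS = {
    ORG: {"roles/iam.securityReviewer": {"group:security@example.com"}},
    "projects/payments-prod": {"roles/viewer": {"group:payments-oncall@example.com"}},
}


def create_department_folders():
    """Create one folder per department under the organization and move each
    project into its department's folder. Returns the sorted folder names."""
    folders = set()
    for project, dept in DEPARTMENT.items():
        folder = f"folders/{dept}"
        if folder not in folders:
            folders.add(folder)
            PARENT[folder] = ORG
        PARENT[project] = folder
    return sorted(folders)


def grant(resource, role, principal):
    """Bind a role to a principal on one resource (org, folder or project)."""
    BINDINGS.setdefault(resource, {}).setdefault(role, set()).add(principal)


def effective_roles(principal, resource):
    """Roles a principal holds on `resource`, including those inherited from
    every ancestor up to the organization."""
    roles = set()
    node = resource
    while node is not None:
        for role, members in BINDINGS.get(node, {}).items():
            if principal in members:
                roles.add(role)
        node = PARENT.get(node)
    return roles


def ancestry(resource):
    """Path from the resource up to the organization, useful for display."""
    path = []
    node = resource
    while node is not None:
        path.append(node)
        node = PARENT.get(node)
    return path
```

The security group bound at the organization keeps its read-only review role on every project whichever folder it lands in (centralized control), while a department lead group granted on its own folder sees only that department's projects (scoped delegation).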
Topic: Setting Up a Cloud Solution Environment
Your team is setting up Google Cloud Observability for a new project. They want dashboards and alerts based on CPU usage and latency metrics across services, not on individual log lines. Which Google Cloud Observability component should they primarily use for this purpose?
Options:
A. Cloud Logging, which stores and queries log entries from workloads and services
B. Cloud Trace, which records detailed latency traces for sampled requests
C. Cloud Monitoring, which ingests metrics and supports dashboards and alerting
D. Cloud Error Reporting, which groups and alerts on application errors from logs
Best answer: C
Explanation: Google Cloud Observability is composed of several integrated products, each focused on a different kind of telemetry. The key distinction in this scenario is between metrics (time-series numerical data like CPU utilization or request latency) and logs (discrete text records of events).
Cloud Monitoring is the Google Cloud Observability component designed to ingest and analyze metrics from Google Cloud services, custom applications, and external systems. It allows you to build dashboards, define SLOs, and create alerting policies based on metric thresholds or conditions.
Cloud Logging, Cloud Trace, and Cloud Error Reporting handle other forms of telemetry: log entries, traces, and error events. While they integrate with Cloud Monitoring, they are not the primary tools for building broad CPU and latency metric dashboards across services. Therefore, Cloud Monitoring is the best match for the requirement of dashboards and alerts based on CPU and latency metrics rather than individual log lines.
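The metric-versus-log distinction above is clearest when you look at what an alerting condition actually evaluates: a numeric time series against a threshold that must hold for a full duration window, not a match on individual log lines. The block below is an added example of that evaluation logic, not Cloud Monitoring's own code; the per-service CPU utilization samples and service names are constructed.

```python
"""Evaluate a metric-threshold alerting condition of the kind described
above: the condition fires only when the series stays above the threshold
for a whole duration window, so a single short spike does not alert. The
CPU samples and service names are constructed; this is a stand-in for how
such a condition is evaluated over time-series data, not Cloud Monitoring."""

# Constructed per-service CPU utilization (0.0 to 1.0), sampled every 60 s.
# Each entry is (unix_timestamp_seconds, value).
CPU = {
    "checkout": [(0, 0.50), (60, 0.85), (120, 0.90), (180, 0.92),
                 (240, 0.95), (300, 0.97), (360, 0.99), (420, 0.60)],
    "catalog":  [(0, 0.30), (60, 0.35), (120, 0.95), (180, 0.40),
                 (240, 0.33), (300, 0.31), (360, 0.36), (420, 0.34)],
}


def violation_start(series, threshold, duration_s):
    """Return the timestamp at which the series has stayed above `threshold`
    for at least `duration_s` seconds, or None if it never does."""
    run_start = None
    for ts, value in series:
        if value > threshold:
            if run_start is None:
                run_start = ts
            if ts - run_start >= duration_s:
                return ts
        else:
            run_start = None
    return None


def evaluate_policy(metric, threshold, duration_s):
    """Apply the condition to every service's series: service -> fire time."""
    return {svc: violation_start(s, threshold, duration_s) for svc, s in metric.items()}


def mean_across_services(metric):
    """Align samples by timestamp and average across services, the kind of
    cross-service aggregation a dashboard chart would plot."""
    by_ts = {}
    for series in metric.values():
        for ts, value in series:
            by_ts.setdefault(ts, []).append(value)
    return [(ts, round(sum(v) / len(v), 3)) for ts, v in sorted(by_ts.items())]
```

With a threshold of 0.8 and a five-minute duration, the checkout series fires at t=360 (above threshold continuously since t=60) while catalog's single spike at t=120 does not; raising the threshold to 0.96 leaves only two checkout samples above it, too short a run to fire.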
Topic: Setting Up a Cloud Solution Environment
Which TWO statements about the relationships between Cloud Billing accounts, organizations, and projects in Google Cloud are accurate? (Select TWO.)
Options:
A. If you delete a Cloud Billing account, all projects linked to it are immediately deleted along with their resources.
B. A project must belong to an organization before it can be attached to any Cloud Billing account.
C. Each project can be linked to at most one Cloud Billing account at a time, and changing the linked billing account does not move the project between organizations or folders.
D. A single Cloud Billing account can pay for multiple projects within the same organization.
E. Every organization can have only one Cloud Billing account, and all projects in that organization must use that single account.
Correct answers: C and D
Explanation: Cloud Billing accounts act as payers for resource usage, while organizations, folders, and projects form the resource hierarchy for ownership and access control. A single Cloud Billing account can fund many projects, and those projects can be arranged into folders and organizations independently of how they are billed.
Each project links to exactly one Cloud Billing account at any given time. You can change which billing account pays for a project (assuming you have the required permissions and organizational policies allow it), but doing so does not move the project between organizations or folders. The project’s place in the resource hierarchy and its IAM configuration are separate from its billing attachment.
Organizations are not limited to a single Cloud Billing account. It is common for one organization to operate several billing accounts to separate cost centers, environments, or business units. Projects can also exist without an organization, such as personal or standalone projects, and those can still be billed through a Cloud Billing account.
Topic: Setting Up a Cloud Solution Environment
Which TWO of the following statements about Google Cloud VPC networks and subnets are NOT correct and should NOT guide your initial project and network design? (Select TWO.)
Options:
A. When planning VPC CIDR blocks, it is good practice to avoid overlapping with existing on-premises private IP ranges in case you later need VPN or Interconnect connectivity.
B. All primary IPv4 ranges for subnets within the same VPC network must be unique and non-overlapping with each other.
C. Auto mode VPC networks are the recommended choice when you require tight control of which regions have subnets and the exact IP ranges they use.
D. In a custom mode VPC network, you manually create regional subnets and select their primary IP ranges during planning and deployment.
E. Each subnet in a VPC network is a global resource that can span multiple regions, which simplifies IP planning.
Correct answers: C and E
Explanation: Google Cloud Virtual Private Cloud (VPC) networks are global resources, but their subnets are regional. When initially designing projects and networks, you must understand how auto mode and custom mode VPCs behave and how subnet IP ranges work.
Auto mode VPCs automatically create one subnet per region with predefined IP ranges. This can be convenient for quick tests but is not ideal when you need strict control over which regions are used and which IP ranges are assigned. Custom mode VPCs give you that fine-grained control because you create each regional subnet and choose its CIDR block.
Subnet primary IP ranges in a single VPC must be unique and non-overlapping, and it is a best practice to coordinate those ranges with any existing on-premises private IP space to avoid conflicts if you later add hybrid connectivity (for example, Cloud VPN or Cloud Interconnect).
Topic: Setting Up a Cloud Solution Environment
Last month a single Google Cloud project unexpectedly incurred $15,000 in charges. Your manager wants two things for this project going forward: (1) automatic email notifications when monthly spend reaches 50% and 90% of a fixed budget, and (2) the ability for the finance analytics team to query daily costs by service and custom labels using SQL in BigQuery. Which of the following actions will meet these requirements? (Select TWO.)
Options:
A. Enable Cloud Billing export of detailed usage cost data to a BigQuery dataset in the analytics project, and grant the finance group read access to that dataset.
B. Configure a Cloud Monitoring alert on the “Billing/account” metric at 90% of the desired monthly spend and send an email to the finance team, without configuring any billing export.
C. Lower Compute Engine CPU and instance quotas for the project so that future workloads cannot scale high enough to generate similar charges.
D. Create a Cloud Billing budget with a single 100% threshold for the billing account and rely on the console’s budget status indicator without configuring notifications.
E. Create a Cloud Billing budget scoped to the billing account but filtered to this project, add 50% and 90% threshold rules, and configure email notifications to the finance group.
F. Turn on the Billing reports page in the Google Cloud console and ask the finance team to manually download monthly CSV reports from the UI when needed.
Correct answers: A and E
Explanation: This scenario is about improving cost visibility and control at the project level using Cloud Billing budgets, alerts, and exports.
Cloud Billing budgets with threshold rules are the primary way to get automatic alerts when spending crosses a percentage of a budgeted amount. You can scope a budget to a specific project (by filtering on that project) even if the budget is created at the billing account level, and you can configure threshold rules (such as 50% and 90%) to send emails to designated recipients.
For deeper analysis of historical costs, the recommended approach is to enable Cloud Billing export to BigQuery. The detailed usage cost export writes daily rows containing costs by service, SKU, and labels, which analysts can query with SQL for fine-grained visibility.
Other options like generic console reports, quotas, or single late-stage alerts either do not provide the requested thresholds, do not use BigQuery for analysis, or both, so they fail one or more requirements in the scenario.
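Both halves of the correct answer above are worth seeing in working form: the threshold rules of a budget (which fire once each as spend crosses 50% and 90%) and the kind of aggregation the finance team would express as SQL over the detailed export (cost per day, per service, per label value). The block below is an added example for this page, not Google's budget service or the export schema; the rows are constructed using a few field names the detailed usage cost export uses (service.description, labels, cost, usage_start_time), and the budget amount and thresholds are made up.

```python
"""Work through both requirements in the question above: budget threshold
rules that notify once per threshold, and a GROUP BY-style aggregation over
detailed billing export rows. Rows are constructed with a few field names
from the detailed usage cost export; budget figures are made up."""
from collections import defaultdict

# Constructed export rows for one project over two days.
EXPORT_ROWS = [
    {"usage_start_time": "2024-05-01", "service": {"description": "Compute Engine"},
     "labels": [{"key": "team", "value": "payments"}], "cost": 410.0},
    {"usage_start_time": "2024-05-01", "service": {"description": "BigQuery"},
     "labels": [{"key": "team", "value": "analytics"}], "cost": 95.5},
    {"usage_start_time": "2024-05-02", "service": {"description": "Compute Engine"},
     "labels": [{"key": "team", "value": "payments"}], "cost": 430.0},
    {"usage_start_time": "2024-05-02", "service": {"description": "Compute Engine"},
     "labels": [], "cost": 12.25},  # unlabeled usage still costs money
]


def label_value(row, key):
    """Value of one label on an export row, or None when it is not set."""
    for label in row.get("labels", []):
        if label["key"] == key:
            return label["value"]
    return None


def daily_cost(rows, label_key="team"):
    """Equivalent of GROUP BY usage date, service, label value over the export.
    Unlabeled rows are grouped under None so they are not silently dropped."""
    totals = defaultdict(float)
    for row in rows:
        key = (row["usage_start_time"], row["service"]["description"], label_value(row, label_key))
        totals[key] += row["cost"]
    return dict(totals)


def month_to_date(rows):
    """Total spend across all rows, the figure a budget compares to its amount."""
    return sum(row["cost"] for row in rows)


def newly_crossed_thresholds(budget_amount, spend_to_date, thresholds=(0.5, 0.9),
                             already_notified=()):
    """Return the thresholds (as fractions) the spend has reached that have not
    yet produced a notification, lowest first. Calling this after each spend
    update and recording what it returns gives one email per threshold."""
    sent = set(already_notified)
    return [t for t in sorted(thresholds)
            if spend_to_date >= budget_amount * t and t not in sent]


if __name__ == "__main__":
    for (day, service, team), cost in sorted(daily_cost(EXPORT_ROWS).items(), key=str):
        print(f"{day} {service:14} team={team} cost={cost:.2f}")
    spend = month_to_date(EXPORT_ROWS)
    print("spend to date:", spend, "thresholds fired:", newly_crossed_thresholds(1000, spend))
```

Keeping unlabeled rows as their own group matters for the finance use case: a report filtered on `team` that silently drops rows with no label would under-report the project's total, which is exactly the kind of surprise the $15,000 month was.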
Use the Google Cloud Associate Cloud Engineer Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the Google Cloud Associate Cloud Engineer Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.