I'm going to work through dump questions to prepare for the GCP Associate Cloud Engineer (GCP-ACE) certification exam.
Continuing from the previous post, I'll work through questions from the ExamTopics site.
Since the GCP-ACE exam has to be taken in English, I'll study with the English question text.
As before, the site seems to have many wrong answers, so be sure to check the discussion and the Google documentation while studying.
I hope this helps those who want to get certified in a short time, without the stress of wrong answer keys.
You are operating a Google Kubernetes Engine (GKE) cluster for your company where different teams can run non-production workloads. Your Machine Learning
(ML) team needs access to Nvidia Tesla P100 GPUs to train their models. You want to minimize effort and cost. What should you do?
A. Ask your ML team to add the "accelerator: gpu" annotation to their pod specification.
B. Recreate all the nodes of the GKE cluster to enable GPUs on all of them.
C. Create your own Kubernetes cluster on top of Compute Engine with nodes that have GPUs. Dedicate this cluster to your ML team.
D. Add a new, GPU-enabled, node pool to the GKE cluster. Ask your ML team to add the cloud.google.com/gke-accelerator: nvidia-tesla-p100 nodeSelector to their pod specification.
Answer: D
D is correct because it lets only the ML team use the costly GPU-enabled node pool.
The GKE cluster is shared with other teams, not just the ML team, so that option is wrong.
Recreating or updating the cluster with accelerators would put GPUs on every node, but that incurs the cost for everyone rather than just the ML team, so it is excluded.
Your VMs are running in a subnet that has a subnet mask of The current subnet has no more free IP addresses and you require an additional
10 IP addresses for new VMs. The existing and new VMs should all be able to reach each other without additional routes. What should you do?
A. Use gcloud to expand the IP range of the current subnet.
B. Delete the subnet, and recreate it using a wider range of IP addresses.
C. Create a new project. Use Shared VPC to share the current network with the new project.
D. Create a new subnet with the same starting IP but a wider range to overwrite the current subnet.
Answer: A
The site says C is the answer, but in the discussion A is overwhelmingly favored.
After a subnet is created, its primary IP range can be expanded, but it cannot be replaced or shrunk.
How to expand a subnet: gcloud compute networks subnets expand-ip-range
Your organization uses G Suite for communication and collaboration. All users in your organization have a G Suite account. You want to grant some G Suite users access to your Cloud Platform project. What should you do?
A. Enable Cloud Identity in the GCP Console for your domain.
B. Grant them the required IAM roles using their G Suite email address.
C. Create a CSV sheet with all users' email addresses. Use the gcloud command line tool to convert them into Google Cloud Platform accounts.
D. In the G Suite console, add the users to a special group called cloud-console-users@yourdomain.com. Rely on the default behavior of the Cloud Platform to grant users access if they are members of this group.
Answer: B
Grant them the required IAM roles using their G Suite email addresses.
You have a Google Cloud Platform account with access to both production and development projects. You need to create an automated process to list all compute instances in development and production projects on a daily basis. What should you do?
A. Create two configurations using gcloud config. Write a script that sets configurations as active, individually. For each configuration, use gcloud compute instances list to get a list of compute resources.
B. Create two configurations using gsutil config. Write a script that sets configurations as active, individually. For each configuration, use gsutil compute instances list to get a list of compute resources.
C. Go to Cloud Shell and export this information to Cloud Storage on a daily basis.
D. Go to GCP Console and export this information to Cloud SQL on a daily basis.
Answer: A
gcloud compute instances list shows all GCE instances in the project.
By default, instances in all zones are listed, and the results can be narrowed with filters.
You have a large 5-TB AVRO file stored in a Cloud Storage bucket. Your analysts are proficient only in SQL and need access to the data stored in this file. You want to find a cost-effective way to complete their request as soon as possible. What should you do?
A. Load data in Cloud Datastore and run a SQL query against it.
B. Create a BigQuery table and load data in BigQuery. Run a SQL query on this table and drop this table after you complete your request.
C. Create external tables in BigQuery that point to Cloud Storage buckets and run a SQL query on these external tables to complete your request.
D. Create a Hadoop cluster and copy the AVRO file to NDFS by compressing it. Load the file in a hive table and provide access to your analysts so that they can run SQL queries.
Answer: C
Create external tables in BigQuery that point to the Cloud Storage bucket and run SQL queries against them.
A is wrong because Cloud Datastore is not a good choice for running SQL.
B is wrong because loading data that is already in the bucket into BigQuery costs more.
D, compressing the file, copying it to NDFS on Hadoop, loading it into a Hive table and then running SQL queries, is far too complicated, so it is wrong.
You need to verify that a Google Cloud Platform service account was created at a particular time. What should you do?
A. Filter the Activity log to view the Configuration category. Filter the Resource type to Service Account.
B. Filter the Activity log to view the Configuration category. Filter the Resource type to Google Project.
C. Filter the Activity log to view the Data Access category. Filter the Resource type to Service Account.
D. Filter the Activity log to view the Data Access category. Filter the Resource type to Google Project.
Answer: A
The site says D is the answer, but in the discussion A is overwhelmingly favored.
To see the Configuration category, filter the Activity log, then filter the resource type to Service Account.
You deployed an LDAP server on Compute Engine that is reachable via TLS through port 636 using UDP. You want to make sure it is reachable by clients over that port. What should you do?
A. Add the network tag allow-udp-636 to the VM instance running the LDAP server.
B. Create a route called allow-udp-636 and set the next hop to be the VM instance running the LDAP server.
C. Add a network tag of your choice to the instance. Create a firewall rule to allow ingress on UDP port 636 for that network tag.
D. Add a network tag of your choice to the instance running the LDAP server. Create a firewall rule to allow egress on UDP port 636 for that network tag.
Answer: C
The LDAP server is deployed on Compute Engine and inbound traffic on UDP port 636 needs to be allowed.
The solution is to allow ingress UDP traffic to the Compute Engine instance.
You need to set a budget alert for use of Compute Engine services on one of the three Google Cloud Platform projects that you manage. All three projects are linked to a single billing account. What should you do?
A. Verify that you are the project billing administrator. Select the associated billing account and create a budget and alert for the appropriate project.
B. Verify that you are the project billing administrator. Select the associated billing account and create a budget and a custom alert.
C. Verify that you are the project administrator. Select the associated billing account and create a budget for the appropriate project.
D. Verify that you are project administrator. Select the associated billing account and create a budget and a custom alert.
Answer: A
The site says B is the answer, but in the discussion A is overwhelmingly favored.
A custom alert is not needed, and the relevant role is not project administrator, so the answer is A.
You are migrating a production-critical on-premises application that requires 96 vCPUs to perform its task. You want to make sure the application runs in a similar environment on GCP. What should you do?
A. When creating the VM, use machine type n1-standard-96.
B. When creating the VM, use Intel Skylake as the CPU platform.
C. Create the VM using Compute Engine default settings. Use gcloud to modify the running instance to have 96 vCPUs.
D. Start the VM using Compute Engine default settings, and adjust as you go based on Rightsizing Recommendations.
Answer: A
The site says C is the answer, but in the discussion A is overwhelmingly favored.
C is wrong because a running instance cannot be modified; it would have to be stopped and started again.
You want to configure a solution for archiving data in a Cloud Storage bucket. The solution must be cost-effective. Data with multiple versions should be archived after 30 days. Previous versions are accessed once a month for reporting. This archive data is also occasionally updated at month-end. What should you do?
A. Add a bucket lifecycle rule that archives data with newer versions after 30 days to Coldline Storage.
B. Add a bucket lifecycle rule that archives data with newer versions after 30 days to Nearline Storage.
C. Add a bucket lifecycle rule that archives data from regional storage after 30 days to Coldline Storage.
D. Add a bucket lifecycle rule that archives data from regional storage after 30 days to Nearline Storage.
Answer: B
The question states that data with multiple versions must be archived.
It is accessed once a month, so Coldline is not suitable and A and C are wrong.
D is wrong because there is no mention of regional storage.
Your company's infrastructure is on-premises, but all machines are running at maximum capacity. You want to burst to Google Cloud. The workloads on Google
Cloud must be able to directly communicate to the workloads on-premises using a private IP range. What should you do?
A. In Google Cloud, configure the VPC as a host for Shared VPC.
B. In Google Cloud, configure the VPC for VPC Network Peering.
C. Create bastion hosts both in your on-premises environment and on Google Cloud. Configure both as proxy servers using their public IP addresses.
D. Set up Cloud VPN between the infrastructure on-premises and Google Cloud.
Answer: D
The site says B is the answer, but in the discussion D is overwhelmingly favored.
For connecting an on-premises network, only a VPN tunnel or Interconnect is possible.
VPC Network Peering is between VPCs.
You want to select and configure a solution for storing and archiving data on Google Cloud Platform. You need to support compliance objectives for data from one geographic location. This data is archived after 30 days and needs to be accessed annually. What should you do?
A. Select Multi-Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Coldline Storage.
B. Select Multi-Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Nearline Storage.
C. Select Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Nearline Storage.
D. Select Regional Storage. Add a bucket lifecycle rule that archives data after 30 days to Coldline Storage.
Answer: D
The site says C is the answer, but in the discussion D is overwhelmingly favored.
The data is accessed once a year, so the Nearline options B and C are wrong.
A is wrong because the data comes from one geographic location.
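Both the versioned-bucket question above (Nearline for older versions read once a month) and this one (Coldline for regional data read once a year) come down to which lifecycle condition fields a rule uses. The following Python is an added example, not code from this post or from Google: a small evaluator modelled on the Cloud Storage lifecycle condition fields age, isLive, numNewerVersions and matchesStorageClass and the SetStorageClass action, run over hand-constructed object metadata. The rule precedence (when several SetStorageClass rules match, the cheaper target class wins) follows the documented behaviour as I understand it; the objects, dates and price ranking are assumptions made for the example.

```python
from datetime import date

# Constructed rules in the shape of a bucket lifecycle configuration.
# First question: older (non-current) versions, 30 days old, go to NEARLINE.
VERSIONED_RULE = {
    "action": {"type": "SetStorageClass", "storageClass": "NEARLINE"},
    "condition": {"age": 30, "isLive": False, "numNewerVersions": 1},
}
# Second question: regional data, 30 days old, goes to COLDLINE.
REGIONAL_RULE = {
    "action": {"type": "SetStorageClass", "storageClass": "COLDLINE"},
    "condition": {"age": 30, "matchesStorageClass": ["REGIONAL"]},
}

# Assumed ordering of at-rest storage price (lower rank = cheaper); used only
# to pick between several matching SetStorageClass rules.
PRICE_RANK = {"ARCHIVE": 0, "COLDLINE": 1, "NEARLINE": 2,
              "REGIONAL": 3, "STANDARD": 3, "MULTI_REGIONAL": 4}

# Evaluation date and constructed object metadata (not real bucket contents).
TODAY = date(2021, 3, 1)
SAMPLE_OBJECTS = [
    {"name": "report.csv", "generation": 1, "created": date(2021, 1, 1),
     "isLive": False, "numNewerVersions": 2, "storageClass": "STANDARD"},
    {"name": "report.csv", "generation": 2, "created": date(2021, 2, 20),
     "isLive": False, "numNewerVersions": 1, "storageClass": "STANDARD"},
    {"name": "report.csv", "generation": 3, "created": date(2021, 2, 25),
     "isLive": True, "numNewerVersions": 0, "storageClass": "STANDARD"},
    {"name": "logs/2020.tar", "generation": 1, "created": date(2020, 12, 1),
     "isLive": True, "numNewerVersions": 0, "storageClass": "REGIONAL"},
]


def condition_matches(cond, obj, today):
    """Every field present in the condition must hold; absent fields are unconstrained."""
    age_days = (today - obj["created"]).days
    if "age" in cond and age_days < cond["age"]:
        return False
    if "isLive" in cond and obj["isLive"] != cond["isLive"]:
        return False
    if "numNewerVersions" in cond and obj["numNewerVersions"] < cond["numNewerVersions"]:
        return False
    if "matchesStorageClass" in cond and obj["storageClass"] not in cond["matchesStorageClass"]:
        return False
    return True


def apply_lifecycle(rules, objects, today):
    """Return {(name, generation): storage class} after one evaluation pass."""
    result = {}
    for obj in objects:
        candidates = [r["action"]["storageClass"] for r in rules
                      if r["action"]["type"] == "SetStorageClass"
                      and condition_matches(r["condition"], obj, today)]
        # Cheapest matching target wins; no match leaves the class unchanged.
        new_class = min(candidates, key=PRICE_RANK.__getitem__,
                        default=obj["storageClass"])
        result[(obj["name"], obj["generation"])] = new_class
    return result


if __name__ == "__main__":
    outcome = apply_lifecycle([VERSIONED_RULE, REGIONAL_RULE], SAMPLE_OBJECTS, TODAY)
    for key, cls in outcome.items():
        print(key, "->", cls)
```

Running it shows why the isLive / numNewerVersions fields matter: only the 59-day-old non-current version of report.csv moves to Nearline, the 9-day-old non-current version and the live version stay put, and the regional archive moves to Coldline under the second rule alone.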
Your company uses BigQuery for data warehousing. Over time, many different business units in your company have created 1000+ datasets across hundreds of projects. Your CIO wants you to examine all datasets to find tables that contain an employee_ssn column. You want to minimize effort in performing this task.
What should you do?
A. Go to Data Catalog and search for employee_ssn in the search box.
B. Write a shell script that uses the bq command line tool to loop through all the projects in your organization.
C. Write a script that loops through all the projects in your organization and runs a query on INFORMATION_SCHEMA.COLUMNS view to find the employee_ssn column.
D. Write a Cloud Dataflow job that loops through all the projects in your organization and runs a query on INFORMATION_SCHEMA.COLUMNS view to find employee_ssn column.
Answer: A
The site says D is the answer, but in the discussion A is overwhelmingly favored.
Go to Data Catalog and search for employee_ssn in the search box; it is easy to find that way.
You create a Deployment with 2 replicas in a Google Kubernetes Engine cluster that has a single preemptible node pool. After a few minutes, you use kubectl to examine the status of your Pod and observe that one of them is still in Pending status:
What is the most likely cause?
A. The pending Pod's resource requests are too large to fit on a single node of the cluster.
B. Too many Pods are already running in the cluster, and there are not enough resources left to schedule the pending Pod.
C. The node pool is configured with a service account that does not have permission to pull the container image used by the pending Pod.
D. The pending Pod was originally scheduled on a node that has been preempted between the creation of the Deployment and your verification of the Pods' status. It is currently being rescheduled on a new node.
Answer: B
A Pod stuck in Pending means it cannot be scheduled onto a node.
The node is preemptible, and usually the cause is a lack of resources (CPU, memory and so on),
so you need to delete Pods, adjust resource requests, or add new nodes to the cluster.
You want to find out when users were added to Cloud Spanner Identity Access Management (IAM) roles on your Google Cloud Platform (GCP) project. What should you do in the GCP Console?
A. Open the Cloud Spanner console to review configurations.
B. Open the IAM & admin console to review IAM policies for Cloud Spanner roles.
C. Go to the Stackdriver Monitoring console and review information for Cloud Spanner.
D. Go to the Stackdriver Logging console, review admin activity logs, and filter them for Cloud Spanner IAM roles.
Answer: D
The site says B is the answer, but in the discussion D is overwhelmingly favored.
The question asks when users were added to Cloud Spanner IAM roles on GCP.
Stackdriver Logging lets you filter logs by resource (for example Cloud Spanner),
and the subcategory for granting access shows when a role was granted to a user.
Your company implemented BigQuery as an enterprise data warehouse. Users from multiple business units run queries on this data warehouse. However, you notice that query costs for BigQuery are very high, and you need to control costs. Which two methods should you use? (Choose two.)
A. Split the users from business units to multiple projects.
B. Apply a user- or project-level custom query quota for BigQuery data warehouse.
C. Create separate copies of your BigQuery data warehouse for each business unit.
D. Split your BigQuery data warehouse into multiple data warehouses for each business unit.
E. Change your BigQuery query model from on-demand to flat rate. Apply the appropriate number of slots to each Project.
Answer: B, E
Opinions in the discussion are divided.
Quotas can be defined at the project or user level, and you can switch from on-demand to the flat-rate model and define the parameters according to your requirements.
Apart from B and E, the options do split things up, but that would have no effect on reducing cost.
C and D in particular are not cost-effective, because they duplicate the entire data per business unit.
You are building a product on top of Google Kubernetes Engine (GKE). You have a single GKE cluster. For each of your customers, a Pod is running in that cluster, and your customers can run arbitrary code inside their Pod. You want to maximize the isolation between your customers' Pods. What should you do?
A. Use Binary Authorization and whitelist only the container images used by your customers' Pods.
B. Use the Container Analysis API to detect vulnerabilities in the containers used by your customers' Pods.
C. Create a GKE node pool with a sandbox type configured to gvisor. Add the parameter runtimeClassName: gvisor to the specification of your customers' Pods.
D. Use the cos_containerd image for your GKE nodes. Add a nodeSelector with the value cloud.google.com/gke-os-distribution: cos_containerd to the specification of your customers' Pods.
Answer: C
Create a GKE node pool with the sandbox type set to gVisor to isolate the Pods as much as possible.
Your customer has implemented a solution that uses Cloud Spanner and notices some read latency-related performance issues on one table. This table is accessed only by their users using a primary key. The table schema is shown below.
You want to resolve the issue. What should you do?
A. Remove the profile_picture field from the table.
B. Add a secondary index on the person_id column.
C. Change the primary key to not have monotonically increasing values.
D. Create a secondary index using the following Data Definition Language (DDL):
Answer: D
The discussion is divided between C and D.
Changing the primary key again affects performance, whereas a new index carries a different key.
Creating a new index as in D can reduce the read latency.
Your finance team wants to view the billing report for your projects. You want to make sure that the finance team does not get additional permissions to the project. What should you do?
A. Add the group for the finance team to roles/billing user role.
B. Add the group for the finance team to roles/billing admin role.
C. Add the group for the finance team to roles/billing viewer role.
D. Add the group for the finance team to roles/billing project/Manager role.
Answer: C
The site says A is the answer, but in the discussion C is overwhelmingly favored.
roles/billing.viewer, the Billing Account Viewer access that can view billing account cost information and transactions,
is typically granted to the finance team and only allows access to spend information, so it is the answer.
Your organization has strict requirements to control access to Google Cloud projects. You need to enable your Site Reliability Engineers (SREs) to approve requests from the Google Cloud support team when an SRE opens a support case. You want to follow Google-recommended practices. What should you do?
A. Add your SREs to roles/iam.roleAdmin role.
B. Add your SREs to roles/accessapproval approver role.
C. Add your SREs to a group and then add this group to roles/iam roleAdmin role.
D. Add your SREs to a group and then add this group to roles/accessapproval approver role.
Answer: D
The site says B is the answer, but in the discussion D is overwhelmingly favored.
Using a group is the approach Google recommends.
You need to host an application on a Compute Engine instance in a project shared with other teams. You want to prevent the other teams from accidentally causing downtime on that application. Which feature should you use?
A. Use a Shielded VM.
B. Use a Preemptible VM.
C. Use a sole-tenant node.
D. Enable deletion protection on the instance.
Answer: D
To prevent mistakes, set the deletionProtection property on the instance so that it cannot be deleted.
Your organization needs to grant users access to query datasets in BigQuery but prevent them from accidentally deleting the datasets. You want a solution that follows Google-recommended practices. What should you do?
A. Add users to roles/bigquery user role only, instead of roles/bigquery dataOwner.
B. Add users to roles/bigquery dataEditor role only, instead of roles/bigquery dataOwner.
C. Create a custom role by removing delete permissions, and add users to that role only.
D. Create a custom role by removing delete permissions. Add users to the group, and then add the group to the custom role.
Answer: A
The site says B is the answer; the discussion is divided, but A still has the most support.
A provides the ability to read dataset metadata and list the tables in a dataset.
B is wrong because the roles/bigquery.dataEditor role includes delete permissions.
Of course, thinking of Google best practices, D also looks like it could be the answer, haha.
You have a developer laptop with the Cloud SDK installed on Ubuntu. The Cloud SDK was installed from the Google Cloud Ubuntu package repository. You want to test your application locally on your laptop with Cloud Datastore. What should you do?
A. Export Cloud Datastore data using gcloud datastore export.
B. Create a Cloud Datastore index using gcloud datastore indexes create.
C. Install the google-cloud-sdk-datastore-emulator component using the apt get install command.
D. Install the cloud-datastore-emulator component using the gcloud components install command.
Answer: C
The site says D is the answer, and the discussion is divided between C and D, but those who actually tested it report that C is the answer.
After installing the Cloud SDK, the additional component can be installed via google-cloud-sdk-datastore-emulator.
(Reportedly, trying gcloud components install produces an error that tells you to run apt-get install instead.)
Your company set up a complex organizational structure on Google Cloud Platform. The structure includes hundreds of folders and projects. Only a few team members should be able to view the hierarchical structure. You need to assign minimum permissions to these team members and you want to follow Google-recommended practices. What should you do?
A. Add the users to roles/browser role.
B. Add the users to roles/iam.roleViewer role.
C. Add the users to a group, and add this group to roles/browser role.
D. Add the users to a group, and add this group to roles/iam.roleViewer role.
Answer: C
The site says A is the answer, but in the discussion C is overwhelmingly favored.
GCP's recommended best practice is always to create a group, so A and B are wrong.
D is wrong because the iam.roleViewer role does not have sufficient permissions for what is needed.
Your company has a single sign-on (SSO) identity provider that supports Security Assertion Markup Language (SAML) integration with service providers. Your company has users in Cloud Identity. You would like users to authenticate using your company's SSO provider. What should you do?
A. In Cloud Identity, set up SSO with Google as an identity provider to access custom SAML apps.
B. In Cloud Identity, set up SSO with a third-party identity provider with Google as a service provider.
C. Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Mobile & Desktop Apps.
D. Obtain OAuth 2.0 credentials, configure the user consent screen, and set up OAuth 2.0 for Web Server Applications.
Answer: A
The discussion is split between A and B; since Google can also be set up for SSO, I judge it to be A.
Even with a third-party IdP, SSO for third-party apps can be configured from the Cloud Identity catalog.
User authentication takes place at the third-party IdP, while Cloud Identity manages the cloud apps.
To use Cloud Identity for SSO, users need a Cloud Identity account.
Your organization has a dedicated person who creates and manages all service accounts for Google Cloud projects. You need to assign this person the minimum role for projects. What should you do?
A. Add the user to roles/iam.roleAdmin role.
B. Add the user to roles/iam.securityAdmin role.
C. Add the user to roles/iam.serviceAccountUser role.
D. Add the user to roles/iam.serviceAccountAdmin role.
Answer: D
The site says C is the answer, but in the discussion D is overwhelmingly favored.
A and B are wrong because they are not the right roles or lack the permissions.
Since this person is dedicated to creating and managing service accounts, and serviceAccountUser has no permission to
create service accounts, C is wrong.
serviceAccountAdmin has permission to create service accounts, so the answer is D.
You are building an archival solution for your data warehouse and have selected Cloud Storage to archive your data. Your users need to be able to access this archived data once a quarter for some regulatory requirements. You want to select a cost-efficient option. Which storage option should you use?
A. Cold Storage
B. Nearline Storage
C. Regional Storage
D. Multi-Regional Storage
Answer: A
Both Coldline and Nearline storage can be used for archiving,
but access is only needed once a quarter, so the cheaper Coldline storage is the right fit.
Nearline storage is suited to access less than once a month.
A team of data scientists infrequently needs to use a Google Kubernetes Engine (GKE) cluster that you manage. They require GPUs for some long-running, non-restartable jobs. You want to minimize cost. What should you do?
A. Enable node auto-provisioning on the GKE cluster.
B. Create a VerticalPodAutscaler for those workloads.
C. Create a node pool with preemptible VMs and GPUs attached to those VMs.
D. Create a node pool of instances with GPUs, and enable autoscaling on this node pool with a minimum size of 1.
Answer: D
The site says C is the answer, but in the discussion D is overwhelmingly favored.
C is wrong because the jobs fundamentally cannot be restarted, so preemptible VMs are not an option.
Your organization has user identities in Active Directory. Your organization wants to use Active Directory as their source of truth for identities. Your organization wants to have full control over the Google accounts used by employees for all Google services, including your Google Cloud Platform (GCP) organization. What should you do?
A. Use Google Cloud Directory Sync (GCDS) to synchronize users into Cloud Identity.
B. Use the cloud Identity APIs and write a script to synchronize users to Cloud Identity.
C. Export users from Active Directory as a CSV and import them to Cloud Identity via the Admin Console.
D. Ask each employee to create a Google account using self signup. Require that each employee use their company email address and password.
Answer: A
With GCDS you can synchronize users, groups and other data from an AD/LDAP service
into your Google Cloud domain directory.
You have successfully created a development environment in a project for an application. This application uses Compute Engine and Cloud SQL. Now, you need to create a production environment for this application. The security team has forbidden the existence of network routes between these 2 environments, and asks you to follow Google-recommended practices. What should you do?
A. Create a new project, enable the Compute Engine and Cloud SQL APIs in that project, and replicate the setup you have created in the development environment.
B. Create a new production subnet in the existing VPC and a new production Cloud SQL instance in your existing project, and deploy your application using those resources.
C. Create a new project, modify your existing VPC to be a Shared VPC, share that VPC with your new project, and replicate the setup you have in the development environment in that new project, in the Shared VPC.
D. Ask the security team to grant you the Project Editor role in an existing production project used by another division of your company. Once they grant you that role, replicate the setup you have in the development environment in that project.
Answer: A
The site says C is the answer, but in the discussion A is overwhelmingly favored.
Best practice is to create a new project for the production environment.
Shared VPC is excluded because it violates the security team's rule.
Also, replicating the setup inside an existing project is not best practice.
Your management has asked an external auditor to review all the resources in a specific project. The security team has enabled the Organization Policy called
Domain Restricted Sharing on the organization node by specifying only your Cloud Identity domain. You want the auditor to only be able to view, but not modify, the resources in that project. What should you do?
A. Ask the auditor for their Google account, and give them the Viewer role on the project.
B. Ask the auditor for their Google account, and give them the Security Reviewer role on the project.
C. Create a temporary account for the auditor in Cloud Identity, and give that account the Viewer role on the project.
D. Create a temporary account for the auditor in Cloud Identity, and give that account the Security Reviewer role on the project.
Answer: C
The site says A is the answer, but in the discussion C is overwhelmingly favored.
Giving the auditor a temporary account is the safe option.
D is wrong because only view permission was supposed to be opened up.
You have a workload running on Compute Engine that is critical to your business. You want to ensure that the data on the boot disk of this workload is backed up regularly. You need to be able to restore a backup as quickly as possible in case of disaster. You also want older backups to be cleaned automatically to save on cost. You want to follow Google-recommended practices. What should you do?
A. Create a Cloud Function to create an instance template.
B. Create a snapshot schedule for the disk using the desired interval.
C. Create a cron job to create a new disk from the disk using gcloud.
D. Create a Cloud Task to create an image and export it to Cloud Storage.
Answer: B
Snapshots are the best option among the choices.
A creates an instance template but does not back up the boot disk.
C creates a disk but requires other gcloud resources that are not cost-effective.
D is definitely not a cost-effective solution.
You need to assign a Cloud Identity and Access Management (Cloud IAM) role to an external auditor. The auditor needs to have permissions to review your
Google Cloud Platform (GCP) Audit Logs and also to review your Data Access logs. What should you do?
A. Assign the auditor the IAM role roles/logging.privateLogViewer. Perform the export of logs to Cloud Storage.
B. Assign the auditor the IAM role roles/logging.privateLogViewer. Direct the auditor to also review the logs for changes to Cloud IAM policy.
C. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Perform the export of logs to Cloud Storage.
D. Assign the auditor's IAM user to a custom role that has logging.privateLogEntries.list permission. Direct the auditor to also review the logs for changes to Cloud IAM policy.
Answer: B
The site says C is the answer, but in the discussion B is overwhelmingly favored.
roles/logging.privateLogViewer (Private Logs Viewer) allows viewing the Data Access logs.
It also includes roles/logging.viewer, so the Admin Activity logs can be viewed as well.
You are managing several Google Cloud Platform (GCP) projects and need access to all logs for the past 60 days. You want to be able to explore and quickly analyze the log contents. You want to follow Google-recommended practices to obtain the combined logs for all projects. What should you do?
A. Navigate to Stackdriver Logging and select resource.labels.project_id="*"
B. Create a Stackdriver Logging Export with a Sink destination to a BigQuery dataset. Configure the table expiration to 60 days.
C. Create a Stackdriver Logging Export with a Sink destination to Cloud Storage. Create a lifecycle rule to delete objects after 60 days.
D. Configure a Cloud Scheduler job to read from Stackdriver and store the logs in BigQuery. Configure the table expiration to 60 days.
Answer: B
C is also possible, but the data has to be analyzed quickly, so B, which uses BigQuery, is the answer.
You need to reduce GCP service costs for a division of your company using the fewest possible steps. You need to turn off all configured services in an existing
GCP project. What should you do?
A. 1. Verify that you are assigned the Project Owners IAM role for this project. 2. Locate the project in the GCP console, click Shut down and then enter the project ID.
B. 1. Verify that you are assigned the Project Owners IAM role for this project. 2. Switch to the project in the GCP console, locate the resources and delete them.
C. 1. Verify that you are assigned the Organizational Administrator IAM role for this project. 2. Locate the project in the GCP console, enter the project ID and then click Shut down.
D. 1. Verify that you are assigned the Organizational Administrators IAM role for this project. 2. Switch to the project in the GCP console, locate the resources and delete them.
Answer: A
The site says C is the answer, but in the discussion A is overwhelmingly favored.
It is the project owner who shuts down or deletes the project.
You are configuring service accounts for an application that spans multiple projects. Virtual machines (VMs) running in the web-applications project need access to BigQuery datasets in crm-databases-proj. You want to follow Google-recommended practices to give access to the service account in the web-applications project. What should you do?
A. Give "project owner" for web-applications appropriate roles to crm-databases-proj
B. Give "project owner" role to crm-databases-proj and the web-applications project.
C. Give "project owner" role to crm-databases-proj and bigquery.dataViewer role to web-applications.
D. Give bigquery.dataViewer role to crm-databases-proj and appropriate roles to web-applications.
Answer: C
D is judged to be wrong because the question does not specify that the required permission is read-only.
An employee was terminated, but their access to Google Cloud Platform (GCP) was not removed until 2 weeks later. You need to find out this employee accessed any sensitive customer information after their termination. What should you do?
A. View System Event Logs in Stackdriver. Search for the user's email as the principal.
B. View System Event Logs in Stackdriver. Search for the service account associated with the user.
C. View Data Access audit logs in Stackdriver. Search for the user's email as the principal.
D. View the Admin Activity log in Stackdriver. Search for the service account associated with the user.
Answer: C
The site says B is the answer, but in the discussion C is overwhelmingly favored.
First, B and D are wrong because a service account is not related to the user.
Whether sensitive information was accessed can be checked through the Data Access audit logs rather than the System Event logs.
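The three log questions above (when a service account was created, when users were added to Cloud Spanner IAM roles, and whether a terminated employee accessed data) all come down to picking the right audit log and filtering it on resource type, method and principal. The following Python is an added example, not code from this post or from Google: it runs that filtering over a handful of hand-constructed entries written in the shape of Cloud Audit Log entries (logName, resource.type, protoPayload.methodName, authenticationInfo.principalEmail). The project name, e-mail addresses, timestamps and entries are all made up; the method names follow the Cloud Audit Log naming as I know it but should be treated as illustrative.

```python
from datetime import datetime, timezone

# Constructed Cloud Audit Log entries (hand-written in the entry shape, not real logs).
# Admin Activity entries carry ".../cloudaudit.googleapis.com%2Factivity" in logName;
# Data Access entries carry ".../cloudaudit.googleapis.com%2Fdata_access".
SAMPLE_LOG = [
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2021-03-01T09:15:00Z",
     "resource": {"type": "service_account"},
     "protoPayload": {
         "methodName": "google.iam.admin.v1.CreateServiceAccount",
         "authenticationInfo": {"principalEmail": "admin@example.com"},
         "resourceName": "projects/demo-proj/serviceAccounts/build-sa@demo-proj.iam.gserviceaccount.com"}},
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity",
     "timestamp": "2021-03-02T11:00:00Z",
     "resource": {"type": "spanner_instance"},
     "protoPayload": {
         "methodName": "google.spanner.admin.instance.v1.InstanceAdmin.SetIamPolicy",
         "authenticationInfo": {"principalEmail": "admin@example.com"},
         "serviceData": {"policyDelta": {"bindingDeltas": [
             {"action": "ADD", "role": "roles/spanner.databaseUser",
              "member": "user:alice@example.com"}]}}}},
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2021-03-20T14:30:00Z",
     "resource": {"type": "bigquery_resource"},
     "protoPayload": {"methodName": "jobservice.jobcompleted",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
    {"logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Fdata_access",
     "timestamp": "2021-03-05T10:00:00Z",
     "resource": {"type": "bigquery_resource"},
     "protoPayload": {"methodName": "jobservice.jobcompleted",
                      "authenticationInfo": {"principalEmail": "bob@example.com"}}},
]


def _parse_ts(ts):
    """Audit log timestamps are RFC 3339 in UTC ('Z' suffix)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_log(entry, kind):
    """kind is 'activity' (Admin Activity) or 'data_access' (Data Access)."""
    return entry["logName"].endswith("cloudaudit.googleapis.com%2F" + kind)


def service_account_created_at(entries, sa_email):
    """Admin Activity log, resource type service_account, CreateServiceAccount call."""
    for e in entries:
        p = e["protoPayload"]
        if (_in_log(e, "activity") and e["resource"]["type"] == "service_account"
                and p["methodName"].endswith("CreateServiceAccount")
                and p.get("resourceName", "").endswith(sa_email)):
            return e["timestamp"]
    return None


def spanner_role_grants(entries):
    """Admin Activity log: ADD binding deltas from SetIamPolicy on Spanner resources."""
    grants = []
    for e in entries:
        p = e["protoPayload"]
        if not (_in_log(e, "activity") and p["methodName"].endswith("SetIamPolicy")
                and e["resource"]["type"].startswith("spanner")):
            continue
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d["action"] == "ADD":
                grants.append((e["timestamp"], d["member"], d["role"]))
    return grants


def data_access_after(entries, principal, cutoff_ts):
    """Data Access log entries by a principal after the cutoff (e.g. termination time)."""
    cutoff = _parse_ts(cutoff_ts)
    hits = [e for e in entries
            if _in_log(e, "data_access")
            and e["protoPayload"]["authenticationInfo"]["principalEmail"] == principal
            and _parse_ts(e["timestamp"]) > cutoff]
    return sorted(hits, key=lambda e: e["timestamp"])


if __name__ == "__main__":
    print(service_account_created_at(SAMPLE_LOG, "build-sa@demo-proj.iam.gserviceaccount.com"))
    print(spanner_role_grants(SAMPLE_LOG))
    print([e["timestamp"] for e in data_access_after(SAMPLE_LOG, "bob@example.com", "2021-03-10T00:00:00Z")])
```

Note that data_access_after only considers the Data Access log: the 5 March query by bob is before the cutoff and the System Event and Admin Activity logs would not show his reads at all, which is the point of answer C above.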
You need to create a custom IAM role for use with a GCP service. All permissions in the role must be suitable for production use. You also want to clearly share with your organization the status of the custom role. This will be the first version of the custom role. What should you do?
A. Use permissions in your role that use the 'supported' support level for role permissions. Set the role stage to ALPHA while testing the role permissions.
B. Use permissions in your role that use the 'supported' support level for role permissions. Set the role stage to BETA while testing the role permissions.
C. Use permissions in your role that use the 'testing' support level for role permissions. Set the role stage to ALPHA while testing the role permissions.
D. Use permissions in your role that use the 'testing' support level for role permissions. Set the role stage to BETA while testing the role permissions.
Answer: A
The site says C is the answer, but in the discussion A is overwhelmingly favored.
ALPHA is right because this is the first version being tested.
Also, the testing support level is not suitable for production use.
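This question and the earlier BigQuery one (a custom role with the delete permissions removed) both concern how a first-version custom role is assembled. The following Python is an added example, not code from this post or from Google: it keeps only permissions whose support level is SUPPORTED, drops delete permissions, sets the stage to ALPHA, and renders the result in the key layout that a gcloud iam roles create --file YAML uses (title, stage, includedPermissions). The permission names are real BigQuery permissions, but the support levels attached to them are made up for the example, as is the role id.

```python
import re

# Constructed sample in the shape of what `gcloud iam list-testable-permissions`
# reports (name plus customRolesSupportLevel). The levels are assumed, not real.
TESTABLE_PERMISSIONS = [
    {"name": "bigquery.datasets.get", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "bigquery.datasets.delete", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "bigquery.tables.list", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "bigquery.tables.getData", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "bigquery.tables.delete", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "bigquery.jobs.create", "customRolesSupportLevel": "SUPPORTED"},
    {"name": "bigquery.tables.restoreSnapshot", "customRolesSupportLevel": "TESTING"},
    {"name": "bigquery.reservations.list", "customRolesSupportLevel": "NOT_SUPPORTED"},
]

# A permission is a delete permission when its last segment starts with "delete".
_DELETE_RE = re.compile(r"\.delete\w*$")


def is_delete_permission(name):
    return bool(_DELETE_RE.search(name))


def build_custom_role(role_id, title, wanted, testable, stage="ALPHA"):
    """Return (role definition, rejected) where rejected maps permission -> reason.

    Only SUPPORTED, non-delete permissions make it into includedPermissions;
    the stage defaults to ALPHA because this is the role's first version.
    """
    levels = {p["name"]: p["customRolesSupportLevel"] for p in testable}
    included, rejected = [], {}
    for perm in wanted:
        level = levels.get(perm)
        if level is None:
            rejected[perm] = "not testable on this resource"
        elif level != "SUPPORTED":
            rejected[perm] = f"support level {level}"
        elif is_delete_permission(perm):
            rejected[perm] = "delete permission"
        else:
            included.append(perm)
    role = {"roleId": role_id, "title": title, "stage": stage,
            "includedPermissions": sorted(included)}
    return role, rejected


def to_role_yaml(role):
    """Render the role in the key layout used by `gcloud iam roles create --file`."""
    lines = [f"title: {role['title']}", f"stage: {role['stage']}", "includedPermissions:"]
    lines += [f"- {p}" for p in role["includedPermissions"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    role, rejected = build_custom_role(
        "bqQueryNoDelete", "BigQuery query without delete",
        [p["name"] for p in TESTABLE_PERMISSIONS], TESTABLE_PERMISSIONS)
    print(to_role_yaml(role))
    for perm, why in rejected.items():
        print(f"rejected {perm}: {why}")
```

The rejected map is worth keeping in the output: it records exactly which permissions were dropped and why, which is what you would share with the organization alongside the ALPHA stage when announcing the first version of the role.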
Your company has a large quantity of unstructured data in different file formats. You want to perform ETL transformations on the data. You need to make the data accessible on Google Cloud so it can be processed by a Dataflow job. What should you do?
A. Upload the data to BigQuery using the bq command line tool.
B. Upload the data to Cloud Storage using the gsutil command line tool.
C. Upload the data into Cloud SQL using the import function in the console.
D. Upload the data into Cloud Spanner using the import function in the console.
Answer: B
Cloud Storage, which supports unstructured data, is the answer.
You need to manage multiple Google Cloud Platform (GCP) projects in the fewest steps possible. You want to configure the Google Cloud SDK command line interface (CLI) so that you can easily manage multiple GCP projects. What should you do?
A. 1. Create a configuration for each project you need to manage. 2. Activate the appropriate configuration when you work with each of your assigned GCP projects.
B. 1. Create a configuration for each project you need to manage. 2. Use gcloud init to update the configuration values when you need to work with a non-default project
C. 1. Use the default configuration for one project you need to manage. 2. Activate the appropriate configuration when you work with each of your assigned GCP projects.
D. 1. Use the default configuration for one project you need to manage. 2. Use gcloud init to update the configuration values when you need to work with a non-default project.
Answer: A
The site says D is the answer, but in the discussion A is overwhelmingly favored.
D is also possible, but it forces you to re-initialize the project configuration every time, which is not what GCP recommends.
In the Cloud SDK, properties can be set with gcloud init or gcloud config set.
When working with multiple projects or authorized accounts, you can use gcloud config configurations create
to set up several configurations and switch between them as appropriate.