Associate Cloud Engineer · Difficulty

Hard ACE practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 7 hard questions available — no sign-up, always free.

Question 1 of 7

Your company is a Google Cloud reseller managing workloads for several independent client organizations. Finance requires that each client's charges appear on a separate invoice while all invoices roll up under your company's single payments profile for consolidated payment. Which approach should you use?

Reviewed for accuracy · Report an issue
Question 2 of 7

Your company has one Cloud Billing account that pays for all Google Cloud usage. The finance team wants each of the three business units to see and manage its own subset of projects and spending, while the overall payment and invoicing must remain centralized under the single master billing account. What should you do to give each business unit a view into and control over only its own projects' costs, without creating separate paid invoices?

Reviewed for accuracy · Report an issue
Question 3 of 7

Your team runs a payment API on Cloud Run and has defined a Cloud Monitoring service with a 99.9% availability SLO over a rolling 28-day window. On-call engineers complain they receive too many alerts for tiny, temporary error blips that never threaten the monthly target, yet they still want to be paged quickly when a real outage is rapidly consuming the error budget. Which Cloud Monitoring feature should you configure to meet both needs?

Reviewed for accuracy · Report an issue
Question 4 of 7

Your organization must ensure that no principal — regardless of any allow role they hold — can delete Cloud Storage buckets anywhere in the 'production' folder. Several project owners already have roles like roles/owner and roles/storage.admin that include the storage.buckets.delete permission. You want a solution that enforces this restriction centrally and takes precedence over existing allow grants. What should you do?

Reviewed for accuracy · Report an issue
Question 5 of 7

A Compute Engine VM was created with the default service account and the access scope set to 'Allow default access'. The application on the VM needs to write objects to a Cloud Storage bucket, but writes fail with a permission error even though the service account has been granted the Storage Object Admin IAM role at the project level. What is the most likely cause, and how should you fix it?

Reviewed for accuracy · Report an issue
Question 6 of 7

A Compute Engine VM runs a data-processing job that must write objects to a Cloud Storage bucket. The VM uses a custom service account that has been granted the roles/storage.objectAdmin IAM role on the bucket. However, the job fails with a 403 error when attempting to write objects. You inspect the VM and confirm the service account is correctly attached. What is the MOST likely cause of the failure?

Reviewed for accuracy · Report an issue
Question 7 of 7

A Compute Engine instance runs an application that must read objects from a Cloud Storage bucket. The instance uses the default Compute Engine service account, which already has the 'Storage Object Viewer' IAM role granted at the project level. However, the application receives a 403 permission error when calling the Cloud Storage API. You confirm the IAM binding is correct. What is the most likely cause and how should you fix it without recreating the instance?

Reviewed for accuracy · Report an issue