Bootstrapping and maintaining a Google Cloud organization
Drill 20 practice questions focused entirely on Bootstrapping and maintaining a Google Cloud organization for the Google Cloud PCDE exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
Your platform team runs an automated project factory using Terraform. A new business unit requests projects, and finance requires that every newly provisioned project is automatically linked to a specific billing account and cannot be moved to a different billing account by project-level users. Which approach best enforces this requirement while keeping the factory fully automated?
Your platform team is designing a CI/CD architecture for a company with separate Google Cloud projects for dev, staging, and production. The security team mandates that a container image which is deployed to production must be the exact same artifact that was tested in staging, and that no image should be rebuilt between environments. You are using Cloud Build and Artifact Registry. Which approach best satisfies these requirements?
Your platform team must bootstrap a new Google Cloud organization and standardize how infrastructure resources (projects, GKE clusters, networking) are provisioned declaratively using Kubernetes-style config. Leadership requires a Google-managed solution that runs Config Sync and Policy Controller out of the box, uses Config Connector to reconcile Google Cloud resources via KRM manifests stored in Git, and requires minimal operational maintenance of the underlying control plane. Which approach best meets these requirements?
Your organization runs a legacy on-premises batch application that cannot use Workload Identity Federation. It authenticates to Google Cloud APIs using a downloaded service account key. Security has flagged that the key has not been rotated in over a year, and they require a repeatable, automated process that minimizes the window during which any single key is valid while avoiding application downtime. Which approach should you implement?
Your organization is bootstrapping its Google Cloud environment. The security operations team must automatically receive Google's security-related notifications (such as vulnerability alerts and platform security bulletins) for every project in the organization, while a separate finance team should receive billing notifications. Leadership wants this routing to apply to all current and future projects without manually configuring each project. What is the most effective way to configure this?
Your organization is bootstrapping its Google Cloud resource hierarchy. Leadership requires that all production workloads for the finance department enforce a policy denying the creation of external IP addresses, while a separate sandbox environment used by developers must allow external IPs for experimentation. You want to design the folder structure and apply organization policies with the least administrative overhead and no risk of the sandbox setting affecting production. How should you structure the hierarchy and apply the constraint?
Your organization runs a mix of GKE clusters in Google Cloud and self-managed Kubernetes clusters in an on-premises data center. The platform team wants centralized, secure access to all clusters through a single control point so that developers can run kubectl commands against any cluster without opening inbound firewall ports to the on-premises environment or distributing static kubeconfig credentials. Which approach best meets these requirements?
Your platform team is bootstrapping a new Google Cloud environment for several application teams. Each team will receive its own GKE Autopilot cluster, and the platform team must ensure that every new cluster is automatically enrolled with a baseline set of tooling (namespaces, RBAC roles, resource quotas, and network policies) that stays consistent across all clusters over time. Manual kubectl steps must be eliminated, and the baseline must be enforced continuously so that any drift on a cluster is reverted. Which approach best meets these requirements?
Your organization runs an on-premises data center and a Google Cloud environment. The platform team must bootstrap a CI/CD architecture where Cloud Build pipelines deploy artifacts to both GKE clusters on Google Cloud and Kubernetes clusters running in the on-premises data center. The on-premises clusters are not reachable over the public internet, and security policy forbids exposing them with public endpoints. Which approach lets the same Cloud Build pipeline reliably deploy to both environments?
Your platform team manages infrastructure across Google Cloud and AWS using a single Terraform codebase. You want to bootstrap the tooling so that GCP and AWS resources can be provisioned and destroyed independently, while sharing common module definitions and enabling parallel CI/CD runs without one cloud's failures blocking the other. What is the recommended approach to structure the Terraform configuration?
Your platform team is bootstrapping a new Google Cloud organization. Compliance requires that all audit logs from every current and future project be exported centrally to a BigQuery dataset in a dedicated security project, with the guarantee that individual project owners cannot delete or bypass this export. What is the most effective way to configure this during organization bootstrap?
Your platform team must let application teams self-serve new Google Cloud projects. Every new project must land under the correct business-unit folder, have billing linked, enable a mandated baseline of APIs, apply standard IAM bindings, and be reproducible and auditable. Development teams should not receive Organization-level or billing IAM roles. What approach best satisfies these requirements?
Your company has just created its first Google Cloud organization resource that was automatically provisioned when a Cloud Identity super admin logged in. The platform team needs to bootstrap organization-level administration so that a dedicated group (gcp-org-admins@yourco.com) can manage IAM, create folders, and set org policies — without relying on the Cloud Identity super admin for day-to-day operations. What is the recommended first step to establish this delegated administration securely?
Your company is bootstrapping a new Google Cloud organization. Leadership wants three environment tiers (dev, staging, prod) that each contain multiple product teams. Security requires that production-specific org policy constraints (e.g., restricting external IP addresses) apply automatically to all production projects, while dev teams should have looser constraints. Product teams should be able to create their own projects without waiting on the platform team, but only within their assigned space. Which resource hierarchy design best meets these requirements?
Your company acquired a smaller firm that runs workloads in a separate Google Cloud organization. Leadership wants to consolidate the acquired workloads under your existing organization's resource hierarchy while minimizing downtime. Several projects in the acquired org contain running Compute Engine and Cloud SQL resources with dependent IAM bindings. What is the recommended approach to bring these projects into your organization?
Your platform team runs a CI/CD pipeline in a dedicated 'ci-tools' project. The pipeline must deploy resources into multiple environment projects (dev, staging, prod), each in different folders. Security policy forbids downloading or storing service account JSON key files anywhere, and each environment must have distinct permissions that can be audited. How should you configure the service accounts so the CI/CD workload can deploy across the environment projects?
Your platform team manages a Google Cloud organization with hundreds of service accounts created over several years. Security has raised concerns that many service accounts may be unused or over-privileged, creating attack surface. You need a repeatable, low-effort approach to identify service accounts that have not authenticated recently and detect roles granted but never used, so you can safely disable or right-size them. Which approach should you implement?
Your organization is designing its resource hierarchy on Google Cloud. The networking team must centrally own and manage all VPC networks, subnets, firewall rules, and IP address ranges. Multiple application teams, each working in their own projects, need to deploy Compute Engine instances into these shared networks without being able to modify the network configuration. You want to follow Google-recommended practices while giving application teams the least privilege necessary to launch workloads. What should you do?
Your organization is adopting Infrastructure as Code and you must create the very first Terraform bootstrap configuration that will provision the foundational resource hierarchy (folders, shared VPC host project, and org-level policies) for a brand-new Google Cloud organization. No projects, service accounts, or remote state backends exist yet. Following Google's recommended bootstrapping approach, how should you initially execute this first Terraform run and set up ongoing automation?
Your platform team runs all infrastructure changes through a Terraform pipeline in Cloud Build. Auditors require that no human can directly apply changes to production, that every production apply is preceded by a reviewed plan, and that the credentials used to apply have only the permissions needed for the target resources. Developers currently trigger builds by pushing to a shared branch, and the Cloud Build service account holds Owner on the production project. Which change best satisfies all three requirements?
More PCDE practice
Keep going with the other Professional Cloud DevOps Engineer domains, or take a full timed mock exam.
← Back to PCDE overview