

Google Professional-Cloud-Devops Exam

Viewing Questions 131-140 out of 201 Questions

Question 131
Your organization stores all application logs from multiple Google Cloud projects in a central Cloud Logging project. Your security team wants to enforce a rule that each project team can only view their respective logs and only the operations team can view all the logs. You need to design a solution that meets the security team's requirements while minimizing costs. What should you do?
A. Grant each project team access to the project _Default view in the central logging project. Grant logging viewer access to the operations team in the central logging project.
B. Create Identity and Access Management (IAM) roles for each project team and restrict access to the _Default log view in their individual Google Cloud project. Grant viewer access to the operations team in the central logging project.
C. Create log views for each project team and only show each project team their application logs. Grant the operations team access to the _AllLogs view in the central logging project.
D. Export logs to BigQuery tables for each project team. Grant project teams access to their tables. Grant logs writer access to the operations team in the central logging project.

Question 132
Your company uses Jenkins running on Google Cloud VM instances for CI/CD. You need to extend the functionality to use infrastructure as code automation by using Terraform. You must ensure that the Terraform Jenkins instance is authorized to create Google Cloud resources. You want to follow Google-recommended practices. What should you do?
A. Confirm that the Jenkins VM instance has an attached service account with the appropriate Identity and Access Management (IAM) permissions.
B. Use the Terraform module so that Secret Manager can retrieve credentials.
C. Create a dedicated service account for the Terraform instance. Download and copy the secret key value to the GOOGLE_CREDENTIALS environment variable on the Jenkins server.
D. Add the gcloud auth application-default login command as a step in Jenkins before running the Terraform commands.

Question 133
You encounter a large number of outages in the production systems you support. You receive alerts for all the outages; the alerts are due to unhealthy systems that are automatically restarted within a minute. You want to set up a process that would prevent staff burnout while following Site Reliability Engineering (SRE) practices. What should you do?
A. Eliminate alerts that are not actionable
B. Redefine the related SLO so that the error budget is not exhausted
C. Distribute the alerts to engineers in different time zones
D. Create an incident report for each of the alerts

Question 134
As part of your company's initiative to shift left on security, the InfoSec team is asking all teams to implement guard rails on all the Google Kubernetes Engine (GKE) clusters to only allow the deployment of trusted and approved images. You need to determine how to satisfy the InfoSec team's goal of shifting left on security. What should you do?
A. Enable Container Analysis in Artifact Registry, and check for common vulnerabilities and exposures (CVEs) in your container images
B. Use Binary Authorization to attest images during your CI/CD pipeline
C. Configure Identity and Access Management (IAM) policies to create a least privilege model on your GKE clusters.
D. Deploy Falco or Twistlock on GKE to monitor for vulnerabilities on your running Pods

Question 135
Your company operates in a highly regulated domain. Your security team requires that only trusted container images can be deployed to Google Kubernetes Engine (GKE). You need to implement a solution that meets the requirements of the security team while minimizing management overhead. What should you do?
A. Configure Binary Authorization in your GKE clusters to enforce deploy-time security policies.
B. Grant the roles/artifactregistry.writer role to the Cloud Build service account. Confirm that no employee has Artifact Registry write permission.
C. Use Cloud Run to write and deploy a custom validator. Enable an Eventarc trigger to perform validations when new images are uploaded.
D. Configure Kritis to run in your GKE clusters to enforce deploy-time security policies.


Question 136
Your CTO has asked you to implement a postmortem policy on every incident for internal use. You want to define what a good postmortem is to ensure that the policy is successful at your company. What should you do? (Choose two.)
A. Ensure that all postmortems include what caused the incident, identify the person or team responsible for causing the incident, and how to prevent a future occurrence of the incident.
B. Ensure that all postmortems include what caused the incident, how the incident could have been worse, and how to prevent a future occurrence of the incident.
C. Ensure that all postmortems include the severity of the incident, how to prevent a future occurrence of the incident, and what caused the incident without naming internal system components.
D. Ensure that all postmortems include how the incident was resolved and what caused the incident without naming customer information.
E. Ensure that all postmortems include all incident participants in postmortem authoring and share postmortems as widely as possible.

Question 137
You are developing reusable infrastructure as code modules. Each module contains integration tests that launch the module in a test project. You are using GitHub for source control. You need to continuously test your feature branch and ensure that all code is tested before changes are accepted. You need to implement a solution to automate the integration tests. What should you do?
A. Use a Jenkins server for CI/CD pipelines. Periodically run all tests in the feature branch.
B. Ask the pull request reviewers to run the integration tests before approving the code.
C. Use Cloud Build to run the tests. Trigger all tests to run after a pull request is merged.
D. Use Cloud Build to run tests in a specific folder. Trigger Cloud Build for every GitHub pull request.

Question 138
Your company processes IoT data at scale by using Pub/Sub, App Engine standard environment, and an application written in Go. You noticed that the performance inconsistently degrades at peak load. You could not reproduce this issue on your workstation. You need to continuously monitor the application in production to identify slow paths in the code. You want to minimize performance impact and management overhead. What should you do?
A. Use Cloud Monitoring to assess the App Engine CPU utilization metric.
B. Install a continuous profiling tool into Compute Engine. Configure the application to send profiling data to the tool.
C. Periodically run the go tool pprof command against the application instance. Analyze the results by using flame graphs.
D. Configure Cloud Profiler, and initialize the cloud.google.com/go/profiler library in the application.

Question 139
Your company runs services by using Google Kubernetes Engine (GKE). The GKE clusters in the development environment run applications with verbose logging enabled. Developers view logs by using the kubectl logs command and do not use Cloud Logging. Applications do not have a uniform logging structure defined. You need to minimize the costs associated with application logging while still collecting GKE operational logs. What should you do?
A. Run the gcloud container clusters update --logging=SYSTEM command for the development cluster.
B. Run the gcloud container clusters update --logging=WORKLOAD command for the development cluster.
C. Run the gcloud logging sinks update _Default --disabled command in the project associated with the development environment.
D. Add the severity >= DEBUG resource.type = "k8s_container" exclusion filter to the _Default logging sink in the project associated with the development environment.

Question 140
You have deployed a fleet of Compute Engine instances in Google Cloud. You need to ensure that monitoring metrics and logs for the instances are visible in Cloud Logging and Cloud Monitoring by your company's operations and cyber security teams. You need to grant the required roles for the Compute Engine service account by using Identity and Access Management (IAM) while following the principle of least privilege. What should you do?
A. Grant the logging.logWriter and monitoring.metricWriter roles to the Compute Engine service accounts.
B. Grant the logging.admin and monitoring.editor roles to the Compute Engine service accounts.
C. Grant the logging.editor and monitoring.metricWriter roles to the Compute Engine service accounts.
D. Grant the logging.logWriter and monitoring.editor roles to the Compute Engine service accounts.


