Google Cloud Certified - Professional Cloud Architect 認定資格バッジ

Professional Cloud Architect Practice Exam (v2020-02-07) (English)

Professional Cloud Architect certification is available in the English and Japanese language.

Questions 1 to 53 are mock case study questions.
The questions are similar to the Professional Cloud Architect Practice Exam (v2019-04-16), but this one is more up-to-date in date (version).

Please see “Professional Cloud Architect Practice Questions (v2020-02-07) (Japanese)” for Japanese translation.


Google Cloud Certified – Professional Cloud Architect Practice Exam (100 Q)

v2020-02-07


QUESTION 1

For this question, refer to the JencoMart Games case study.
The JencoMart security team requires that all Google Cloud Platform infrastructure is deployed using a least privilege model with separation of duties for administration between production and development resources.
What Google domain and project structure should you recommend ?

  • A. Create two G Suite accounts to manage users: one for development/test/staging and one for production. Each account should contain one project for every application.
  • B. Create two G Suite accounts to manage users: one with a single project for all development applications and one with a single project for all production applications.
  • C. Create a single G Suite account to manage users with each stage of each application in its own project.
  • D. Create a single G Suite account to manage users with one project for the development/test/staging environment and one project for the production environment.

Correct Answer: D

Explanation:
The principle of least privilege and separation of duties are concepts that, although semantically different, are intrinsically related from the standpoint of security. The intent behind both is to prevent people from having higher privilege levels than they actually need.

  • Principle of Least Privilege: Users should only have the least amount of privileges required to perform their job and no more. This reduces authorization exploitation by limiting access to resources such as targets, jobs, or monitoring templates for which they are not authorized.
  • Separation of Duties: Beyond limiting user privilege level, you also limit user duties, or the specific jobs they can perform. No user should be given responsibility for more than one related function. This limits the ability of a user to perform a malicious action and then cover up that action.

Reference:
Separation of duties


QUESTION 2

For this question, refer to the JencoMart Games case study.
A few days after JencoMart migrates the user credentials database to Google Cloud Platform and shuts down the old server, the new database server stops responding to SSH connections. It is still serving database requests to the application servers correctly.
What three steps should you take to diagnose the problem ? (Choose 3 answers.)

  • A. Delete the virtual machine (VM) and disks and create a new one.
  • B. Delete the instance, attach the disk to a new VM, and investigate.
  • C. Take a snapshot of the disk and connect to a new machine to investigate.
  • D. Check inbound firewall rules for the network the machine is connected to.
  • E. Connect the machine to another network with very simple firewall rules and investigate.
  • F. Print the Serial Console output for the instance for troubleshooting, activate the interactive console, and investigate.

Correct Answer: C, D, F

Explanation:
D: Handling “Unable to connect on port 22” error message
Possible causes include:

  • There is no firewall rule allowing SSH access on the port. SSH access on port 22 is enabled on all Google Compute Engine instances by default. If you have disabled access, SSH from the Browser will not work. If you run sshd on a port other than 22, you need to enable the access to that port with a custom firewall rule.
  • The firewall rule allowing SSH access is enabled, but is not configured to allow connections from GCP Console services. Source IP addresses for browserbased SSH sessions are dynamically allocated by GCP Console and can vary from session to session.

F: Handling “Could not connect, retrying…” error
You can verify that the daemon is running by navigating to the serial console output page and looking for output lines prefixed with the accounts-from-metadata:
string. If you are using a standard image but you do not see these output prefixes in the serial console output, the daemon might be stopped. Reboot the instance to restart the daemon.

Reference:
SSH from the browser


QUESTION 3

For this question, refer to the JencoMart Games case study.
JencoMart has decided to migrate user profile storage to Google Cloud Datastore and the application servers to Google Compute Engine (GCE).
During the migration, the existing infrastructure will need access to Google Cloud Datastore to upload the data.
What service account key-management strategy should you recommend ?

  • A. Provision service account keys for the on-premises infrastructure and for the GCE virtual machines (VMs).
  • B. Authenticate the on-premises infrastructure with a user account and provision service account keys for the VMs.
  • C. Provision service account keys for the on-premises infrastructure and use Google Cloud Platform (GCP) managed keys for the VMs
  • D. Deploy a custom authentication service on GCE / Google. Kubernetes Engine (GKE) for the on-premises infrastructure and use GCP managed keys for the VMs.
READ MORE ABOUT THIS