GOOGLE CLOUD FUNDAMENTALS
CORE INFRASTRUCTURE EXAM
QUESTIONS WITH COMPLETE
SOLUTIONS
What is Titan? - ANSWER-A custom chip designed by Google that is deployed on both
servers and peripherals.
Examples of Google Cloud Security - ANSWER-1. Limited access to datacenters
2. Cryptographic privacy and integrity for data on-the-network, which is how Google
services communicate with each other.
3. The infrastructure automatically encrypts our PC traffic in transit between data
centers.
4. Google Central identity services look for multi-factor authentication, and challenge
users based off the device they're using and its location
5. Encryption at rest is built into storage hardware hard drives and SSDs.
6. Google services that want to make themselves available on the Internet register
themselves with an infrastructure service called the Google Front End, which checks network
connections for correct certificates and applies denial of service attacks.
7. Google conducts Red Team exercises, which are simulated attacks to improve the
effectiveness of their response.
8. Server and networking boards are custom designed by Google
9. Inside Google's infrastructure, machine intelligence and rules warn of possible
incidents
10. To help ensure that code is as secure as possible Google stores its source code
centrally and requires two-party review of new code
11. Google also gives its developers libraries that keep them from introducing certain
classes of security bugs
12. Google also runs a vulnerability rewards program, where we pay anyone who is
able to discover and inform us of bugs in our infrastructure or applications.
What four tools does GCP use to help ensure you don't run up a GCP bill? - ANSWER-
1. Customizable budgets and alerts that can be set per account or project
2. Billing exports (can be put into a BigQuery dataset for detailed analysis)
3. Reports (a visual tool that allows you to monitor expenditures)
4. Quotas (prevent overconsumption and are applied by GCP project)
What are the two types of quotas within GCP? And how do they work? - ANSWER-1.
Rate Quotas (reset after a specific time, e.g. Kubernetes Engine 1,000 calls per 100
secs)
2. Allocation Quotas (govern the number of resources you can have on a GCP project,
e.g. no more than 5 VPNs)
What is the principle of least privilege? - ANSWER-This principle says that each user
should have only those privileges needed to do their jobs.
What 4 ways are used to interact with GCP's management layer? - ANSWER-1. Web
based console
2. Through the SDK (software development kit) and its command-line tools
3. APIs
4. Mobile App
True/False: Does Google Cloud Platform handle all layers of the security stack?
(Explain) - ANSWER-False.
Google handles many of the lower layers of security; however, there are upper layers of
security that are still the customer's responsibility. Google provides tools such as IAM to
help customers implement secure policies.
What can GCP projects be grouped into? - ANSWER-Folders, which can be grouped
under an organization node
Where can policies be defined in GCP? And in which direction are policies inherited? -
ANSWER-Organization nodes, projects, folders, and resources; policies are inherited
downwards
How many projects does a Google Cloud Resource belong to? - ANSWER-1
Characteristics of GCP Project ID - ANSWER--Permanent unchangeable identifier,
unique across GCP
What do you need to use folders in GCP? - ANSWER-An organization node at the top
of the hierarchy
What are some things you can do with the Organization node? - ANSWER--Designate
an organization policy administrator
-Assign project creator role
How do you automatically get an org node assigned to your GCP projects? - ANSWER-
Having a G Suite domain, otherwise use Google Cloud Identity to create one
Important rule to keep in mind when thinking about policies, as they relate to Org and
Folders - ANSWER-The policies implemented at a higher level in
this hierarchy can't take away access that's granted at a lower level, and vice versa.
For example, a user that can create modifications at the folder level, but not the org
level, will still be able to create modifications at the folder level. The less
restrictive policy ALWAYS wins no matter the hierarchy.
Services and APIs are enabled on a per-__________ basis. - ANSWER-Project
What does an IAM policy do? And what components make it up? - ANSWER-Lets
administrators authorize who can take action on specific resources. IAM has a "who"
part, a "can do what" part, and an "on which resource" part.
What are examples of the GCP tools that can define the who part of an IAM policy? -
ANSWER-Google account, a Google group, a Service account,
an entire G Suite, or a Cloud Identity domain.
What are the three kinds of roles in Cloud IAM? - ANSWER-1. Owner (change
permissions, set-up billing)
2. Editor (change resource state)
3. Viewer (examine resource)
What does the Compute Engine Instance Admin Role allow? - ANSWER-Lets whoever
has that role perform a certain set of actions on virtual machines. The actions are: listing
them, reading and changing their configurations, and starting and stopping them.
Where can custom roles be used in the GCP hierarchy? - ANSWER-Custom roles can
be used at the project or organization levels, but not at the folder level.
What do you do if you want to give permissions to a VM instead of an individual? -
ANSWER-Create a service account, which can, as an example, allow applications to have
certain permissions within a VM
True/False - You have to recreate VMs to change the permissions of a service account -
ANSWER-False