[PCDE] Google Cloud Certified Professional Cloud DevOps Engineer Certification Exam Preparation
Question 1. **Which Google Cloud resource hierarchy level is best suited for applying
organization‑wide IAM policies that affect all projects?**
A) Folder
B) Organization
C) Project
D) Service Account
Answer: B
Explanation: Organization‑level policies inherit down to all folders and projects, ensuring
consistent IAM controls across the entire hierarchy.
Question 2. **In Terraform, which block defines the provider and its configuration for Google
Cloud?**
A) resource
B) module
C) provider
D) variable
Answer: C
Explanation: The provider block specifies the GCP provider (e.g., google) and its authentication
details, enabling Terraform to manage GCP resources.
Question 3. **What is the primary purpose of a Shared VPC in a multi‑project environment?**
A) To allow VPC peering across regions
B) To centralize network resources while letting multiple projects use the same subnetworks
C) To encrypt traffic between VPCs automatically
D) To provide a private DNS zone for all projects
Answer: B
Explanation: Shared VPC lets a host project own network resources (subnets, routes, firewalls)
that service projects can consume, simplifying network management.
Question 4. **Which IAM role grants the least privilege needed for a Cloud Build service
account to push images to Artifact Registry?**
A) roles/artifactregistry.writer
B) roles/storage.admin
C) roles/cloudbuild.builds.editor
D) roles/owner
Answer: A
Explanation: roles/artifactregistry.writer allows write access to repositories without granting
broader storage or project‑level permissions.
Question 5. **When implementing GitOps with Cloud Deploy, which component stores the
declarative pipeline definitions?**
A) Cloud Source Repositories
B) Cloud Build triggers
C) Cloud Deploy releases
D) Cloud Deploy config files in the Git repository
Answer: D
Explanation: GitOps relies on pipeline definitions stored as YAML files in a Git repo; Cloud
Deploy reads these to orchestrate deployments.
Question 6. **Which Artifact Registry feature automatically scans newly uploaded container
images for known vulnerabilities?**
A) Binary Authorization
B) Container Analysis
C) Artifact Registry Lifecycle Policy
D) Cloud Security Scanner
Answer: B
Explanation: Container Analysis integrates with Artifact Registry to perform vulnerability
scanning on each image as it is uploaded.
Question 7. **In a blue/green deployment using Cloud Deploy, what determines traffic routing
to the new version?**
A) A manual update of the backend service’s target pool
B) Cloud Deploy’s automatic traffic split based on rollout percentage
C) Updating the Cloud Load Balancer’s URL map to point to the green service
D) Changing the DNS record to the new IP address
Answer: C
Explanation: Blue/green swaps traffic by updating the load balancer’s URL map to direct
requests from the blue (old) service to the green (new) service.
Question 8. **Which SLSA level requires that artifacts be built in a reproducible environment
and signed with a cryptographic key?**
A) Level 1
B) Level 2
C) Level 3
D) Level 4
Answer: C
Explanation: SLSA Level 3 mandates reproducible builds and signing, providing strong
guarantees about provenance and integrity.
Question 9. **What is the recommended method for granting a CI/CD pipeline access to a
Cloud SQL instance without storing credentials in code?**
A) Create a service account key file and embed it in the pipeline script
B) Use Cloud SQL Auth proxy with a workload‑identity‑federated service account
C) Store the password in Secret Manager and retrieve it at runtime
D) Enable public IP access and whitelist the CI runner’s IP address
Answer: B
Explanation: The Cloud SQL Auth proxy combined with Workload Identity Federation allows the
pipeline to authenticate via IAM without static credentials.
Question 10. **Which IAM principle is illustrated by granting a custom role that includes only
the permissions required for a specific CI job?**
A) Separation of duties
B) Least privilege
C) Role inheritance
D) Service perimeter enforcement
Answer: B
Explanation: The least‑privilege principle restricts access to the minimum set of permissions
needed to perform a task.