You need to assign a Cloud Identity and Access Management (Cloud IAM) role to an external auditor. The auditor needs to have permissions to review your Google Cloud Platform (GCP) Audit Logs and also to review your Data Access logs. What should you do?

1. A. Assign the auditor the IAM role roles/logging.privateLogViewe
2. B. Perform the export of logs to Cloud Storage.
3. C. Assign the auditor the IAM role roles/logging.privateLogViewe
4. D. Direct the auditor to also review the logs for changes to Cloud IAM policy.
5. E. Assign the auditor’s IAM user to a custom role that has logging.privateLogEntries.list permissio
6. F. Perform the export of logs to Cloud Storage.
7. G. Assign the auditor’s IAM user to a custom role that has logging.privateLogEntries.list permissio
8. H. Direct the auditor to also review the logs for changes to Cloud IAM policy.

Correct Answer: B
Google Cloud provides Cloud Audit Logs, which is an integral part of Cloud Logging. It consists of two log streams for each project: Admin Activity and Data Access, which are generated by Google Cloud services to help you answer the question of who did what, where, and when? within your Google Cloud projects.
Ref: https://cloud.google.com/iam/docs/job-functions/auditing#scenario_external_auditors

You are designing an application that uses WebSockets and HTTP sessions that are not distributed across the web servers. You want to ensure the application runs properly on Google Cloud Platform. What should you do?

1. A. Meet with the cloud enablement team to discuss load balancer options.
2. B. Redesign the application to use a distributed user session service that does not rely on WebSockets and HTTP sessions.
3. C. Review the encryption requirements for WebSocket connections with the security team.
4. D. Convert the WebSocket code to use HTTP streaming.

Correct Answer: A
Google HTTP(S) Load Balancing has native support for the WebSocket protocol when you use HTTP or HTTPS, not HTTP/2, as the protocol to the backend.
Ref: https://cloud.google.com/load-balancing/docs/https#websocket_proxy_support
We dont need to convert WebSocket code to use HTTP streaming or Redesign the application, as
WebSocket support is offered by Google HTTP(S) Load Balancing. Reviewing the encryption requirements is a good idea but it has nothing to do with WebSockets.

Your company has a large quantity of unstructured data in different file formats. You want to perform ETL transformations on the data. You need to make the data accessible on Google Cloud so it can be processed by a Dataflow job. What should you do?

1. A. Upload the data to BigQuery using the bq command line tool.
2. B. Upload the data to Cloud Storage using the gsutil command line tool.
3. C. Upload the data into Cloud SQL using the import function in the console.
4. D. Upload the data into Cloud Spanner using the import function in the console.

Correct Answer: B
"large quantity" : Cloud Storage or BigQuery "files" a file is nothing but an Object

You are running a data warehouse on BigQuery. A partner company is offering a recommendation engine based on the data in your data warehouse. The partner company is also running their application on Google Cloud. They manage the resources in their own project, but they need access to the BigQuery dataset in your project. You want to provide the partner company with access to the dataset What should you do?

1. A. Create a Service Account in your own project, and grant this Service Account access to BigGuery in your project
2. B. Create a Service Account in your own project, and ask the partner to grant this Service Account access to BigQuery in their project
3. C. Ask the partner to create a Service Account in their project, and have them give the Service Account access to BigQuery in their project
4. D. Ask the partner to create a Service Account in their project, and grant their Service Account access to the BigQuery dataset in your project

Correct Answer: D
https://gtseres.medium.com/using-service-accounts-across-projects-in-gcp-cf9473fef8f0#:~:text=Go%20to%20t

You are the organization and billing administrator for your company. The engineering team has the Project Creator role on the organization. You do not want the engineering team to be able to link projects to the billing account. Only the finance team should be able to link a project to a billing account, but they should not be able to make any other changes to projects. What should you do?

1. A. Assign the finance team only the Billing Account User role on the billing account.
2. B. Assign the engineering team only the Billing Account User role on the billing account.
3. C. Assign the finance team the Billing Account User role on the billing account and the Project Billing Manager role on the organization.
4. D. Assign the engineering team the Billing Account User role on the billing account and the Project Billing Manager role on the organization.

Correct Answer: C
From this source:
https://cloud.google.com/billing/docs/how-to/custom-roles#permission_association_and_inheritance
"For example, associating a project with a billing account requires the billing.resourceAssociations.create permission on the billing account and also the resourcemanager.projects.createBillingAssignment permission on the project. This is because project permissions are required for actions where project owners control access, while billing account permissions are required for actions where billing account administrators control access. When both should be involved, both permissions are necessary."