Text preview & study summary
Google Cloud PCA and PDE - Architecture Data Engineering BigQuery Dataflow Vertex AI
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
A professional cloud architect is reviewing a GCP architecture. The application uses Compute Engine VMs with service accounts. The security team finds that all VMs use the default Compute Engine service account with `roles/editor` access. Why is this a security risk?
Explanation
The default Compute Engine service account is automatically granted `roles/editor` — one of the most permissive roles, allowing read/write access to most GCP services. If any VM running with this service account is compromised, an attacker can use the instance metadata server to obtain service account credentials and gain Editor-level access to all project resources. Best practice: create dedicated service accounts per application with only the minimum required permissions (e.g., `roles/storage.objectReader` for an app that only reads from GCS).
Question 2
A data engineer uses Cloud Dataflow for ETL. During a job, they need to enrich incoming events with lookup data from a large static reference table (50 MB) stored in Cloud Storage. Which Apache Beam pattern efficiently handles this?
Explanation
Apache Beam side inputs provide read-only access to a secondary dataset from within a DoFn. The reference table is loaded once as a PCollectionView and broadcast to all worker threads. Within the DoFn's processElement method, the side input data is available as a dictionary for lookups — no per-element I/O calls. CoGroupByKey is used for joining two large PCollections (not static reference data). Loading from GCS per element creates massive I/O overhead. Pub/Sub is inappropriate for static reference data.
Question 3
A retail company processes 5 TB of daily transaction data in batch jobs overnight, with ad-hoc SQL queries from analysts during business hours. The architecture must minimize query costs and maximize performance for both batch and interactive queries. Which Google Cloud solution best meets this need?
Explanation
BigQuery is a serverless data warehouse optimized for large-scale SQL analytics. For 5 TB/day batch ingestion + ad-hoc queries, BigQuery provides: (1) Partition pruning — queries scan only relevant date partitions, dramatically reducing costs. (2) Clustering — orders data within partitions for faster selective filtering. (3) Automatic scaling for interactive queries without provisioning. Cloud SQL is for OLTP, not analytics at TB scale. Spanner is globally distributed OLTP. Bigtable excels at key-value lookups, not ad-hoc SQL analytics.
Question 4
A data engineer designs a streaming pipeline where IoT sensors emit temperature readings every second. The pipeline must calculate the average temperature per device over the last 5 minutes using a sliding window. Which Cloud Dataflow windowing type is used?
Explanation
Sliding windows in Apache Beam/Cloud Dataflow cover a fixed duration and advance by a specified step. For "last 5 minutes updated every 1 second," you'd configure a 5-minute sliding window with a 1-second slide interval. This produces overlapping windows, calculating the average over the last 5 minutes continuously. Fixed (tumbling) windows don't overlap (5-min window, 5-min step). Session windows are activity-based (gaps define window boundaries). Global windows contain all elements — no time-based partitioning.
Question 5
A company's architecture review board requires that all GCP resources comply with CIS Benchmark policies (e.g., no public Cloud Storage buckets, no default service accounts on VMs). Which GCP feature enforces these at organization level?
Explanation
Organization Policies (using constraints) enforce governance rules across all projects in a GCP organization. Examples: `constraints/storage.publicAccessPrevention` — prevents public Cloud Storage bucket ACLs, `constraints/compute.requireOsLogin` — requires OS Login on VMs, `constraints/iam.disableServiceAccountKeyCreation` — prevents service account key downloads. These policies are applied at Organization/Folder level and cannot be overridden by project owners. SCC detects security issues but doesn't prevent them. IAM Recommender suggests least-privilege changes. Binary Authorization controls container image deployments.
