You have files in a Cloud Storage bucket that you need to share with your suppliers. You want to restrict the time that the files are available to your suppliers to 1 hour. You want to follow Google recommended practices. What should you do?

1. A. Create a service account with just the permissions to access files in the bucke
2. B. Create a JSON key for the service accoun
3. C. Execute the command gsutil signurl -m 1h gs:///*.
4. D. Create a service account with just the permissions to access files in the bucke
5. E. Create a JSON key for the service accoun
6. F. Execute the command gsutil signurl -d 1h gs:///**.
7. G. Create a service account with just the permissions to access files in the bucke
8. H. Create a JSON key for the service accoun
9. I. Execute the command gsutil signurl -p 60m gs:///.
10. J. Create a JSON key for the Default Compute Engine Service Accoun
11. K. Execute the command gsutil signurl -t 60m gs:///***

Correct Answer: B
This command correctly specifies the duration that the signed url should be valid for by using the -d flag. The default is 1 hour so omitting the -d flag would have also resulted in the same outcome. Times may be specified with no suffix (default hours), or with s = seconds, m = minutes, h = hours, d = days. The max duration allowed is 7d.Ref: https://cloud.google.com/storage/docs/gsutil/commands/signurl

You have developed a containerized web application that will serve Internal colleagues during business hours. You want to ensure that no costs are incurred outside of the hours the application is used. You have just created a new Google Cloud project and want to deploy the application. What should you do?

1. A. Deploy the container on Cloud Run for Anthos, and set the minimum number of instances to zero
2. B. Deploy the container on Cloud Run (fully managed), and set the minimum number of instances to zero.
3. C. Deploy the container on App Engine flexible environment with autoscalin
4. D. and set the value min_instances to zero in the app yaml
5. E. Deploy the container on App Engine flexible environment with manual scaling, and set the value instances to zero in the app yaml

Correct Answer: B
https://cloud.google.com/kuberun/docs/architecture-overview#components_in_the_default_installation

You are storing sensitive information in a Cloud Storage bucket. For legal reasons, you need to be able to record all requests that read any of the stored data. You want to make sure you comply with these requirements. What should you do?

1. A. Enable the Identity Aware Proxy API on the project.
2. B. Scan the bucker using the Data Loss Prevention API.
3. C. Allow only a single Service Account access to read the data.
4. D. Enable Data Access audit logs for the Cloud Storage API.

Correct Answer: D
Logged information Within Cloud Audit Logs, there are two types of logs: Admin Activity logs: Entries for operations that modify the configuration or metadata of a project, bucket, or object. Data Access logs: Entries for operations that modify objects or read a project, bucket, or object. There are several sub-types of data access logs: ADMIN_READ: Entries for operations that read the configuration or metadata of a project, bucket, or object. DATA_READ: Entries for operations that read an object. DATA_WRITE: Entries for operations that create or modify an object. https://cloud.google.com/storage/docs/audit-logs#types

You have a large 5-TB AVRO file stored in a Cloud Storage bucket. Your analysts are proficient only in SQL and need access to the data stored in this file. You want to find a cost-effective way to complete their request as soon as possible. What should you do?

1. A. Load data in Cloud Datastore and run a SQL query against it.
2. B. Create a BigQuery table and load data in BigQuer
3. C. Run a SQL query on this table and drop this table after you complete your request.
4. D. Create external tables in BigQuery that point to Cloud Storage buckets and run a SQL query on these external tables to complete your request.
5. E. Create a Hadoop cluster and copy the AVRO file to NDFS by compressing i
6. F. Load the file in a hive table and provide access to your analysts so that they can run SQL queries.

Correct Answer: C
https://cloud.google.com/bigquery/external-data-sources
An external data source is a data source that you can query directly from BigQuery, even though the data is not stored in BigQuery storage.
BigQuery supports the following external data sources: Amazon S3
Azure Storage Cloud Bigtable Cloud Spanner Cloud SQL Cloud Storage Drive

An application generates daily reports in a Compute Engine virtual machine (VM). The VM is in the project corp-iot-insights. Your team operates only in the project corp-aggregate-reports and needs a copy of the daily exports in the bucket corp-aggregate-reports-storage. You want to configure access so that the daily reports from the VM are available in the bucket corp-aggregate-reports-storage and use as few steps as possible while following Google-recommended practices. What should you do?

1. A. Move both projects under the same folder.
2. B. Grant the VM Service Account the role Storage Object Creator on corp-aggregate-reports-storage.
3. C. Create a Shared VPC network between both project
4. D. Grant the VM Service Account the role Storage Object Creator on corp-iot-insights.
5. E. Make corp-aggregate-reports-storage public and create a folder with a pseudo-randomized suffix name.Share the folder with the IoT team.

Correct Answer: B
Predefined roles
The following table describes Identity and Access Management (IAM) roles that are associated with Cloud Storage and lists the permissions that are contained in each role. Unless otherwise noted, these roles can be applied either to entire projects or specific buckets.
Storage Object Creator (roles/storage.objectCreator) Allows users to create objects. Does not give permission to view, delete, or overwrite objects.
https://cloud.google.com/storage/docs/access-control/iam-roles#standard-roles