CDL Cheat Sheet
Digital Transformation
Cloud Transformation Drivers
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Concepts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Scalability means capacity can grow; elasticity means it grows and shrinks automatically
Scalability is the ability to add or remove capacity to meet demand, while elasticity is doing that scaling automatically and quickly in both directions as load rises and falls. Every elastic system is scalable, but a system can be scalable (you can add capacity) without being elastic (it does not adjust on its own). When a scenario describes capacity following traffic up and back down without anyone placing an order, the answer is elasticity, not just scalability.
Trap Answering 'scalability' when the scenario specifically describes capacity expanding and contracting automatically: that automatic, two-way behavior is elasticity.
7 questions test this
- A retail company is experiencing unpredictable traffic spikes during sales events. They want their containerized application on GKE to…
- An organization runs a web application that experiences unpredictable traffic spikes throughout the day. They want to automatically adjust…
- An organization wants to understand how cloud elasticity differs from traditional on-premises infrastructure when using Compute Engine.…
- A retail company needs their e-commerce platform to automatically adjust compute resources to match real-time demand during flash sales…
- An online retailer experiences unpredictable spikes in website traffic during promotional events. The organization wants its Compute Engine…
- An organization runs a web application on Compute Engine that experiences significant variations in user traffic throughout the day. They…
- An online retailer experiences large spikes in traffic during seasonal sales and very low traffic at other times. They want their computing…
- Reliability is staying up and recovering through failures, achieved by spreading across failure domains
Reliability is a system's ability to keep performing its function and to recover when something fails. In the cloud it is achieved by running across independent failure domains so that one fault does not take everything down, which is why workloads are spread across multiple zones. It is a property of the system, distinct from flexibility and agility, which are about the organization.
- Flexibility is freedom to change tech; agility is the business speed it unlocks
Flexibility is the freedom to choose, combine, and change technologies, regions, and providers without buying new hardware first. Agility is the business outcome that flexibility enables: teams ship and change products faster because they no longer wait weeks for servers to arrive. A question about launching features in days rather than quarters is describing agility; one about freely swapping technologies is describing flexibility.
- Cloud shifts spending from CapEx to OpEx
Capital expenditure (CapEx) is money spent up front on assets you own and depreciate, such as buying servers sized for peak demand; operating expenditure (OpEx) is money spent on ongoing consumption. In the cloud most resource costs are treated as OpEx: you pay as you consume, with no up-front hardware purchase. This CapEx-to-OpEx shift is the most-tested cost concept, and 'move from CapEx to OpEx' is usually the right answer when a scenario complains about large up-front hardware spend.
Trap Calling pay-as-you-go cloud spending CapEx: owned, up-front, depreciated hardware is CapEx; consumption-based cloud billing is OpEx.
4 questions test this
- A manufacturing company purchases physical servers every few years to run applications in its own data center. It is evaluating Compute…
- A manufacturing company has traditionally purchased physical servers every few years, requiring large upfront investments before any…
- An organization refuses to adopt cloud technology and continues to size its on-premises data center to handle its highest expected peak…
- A startup with very limited capital wants to launch its application without building or owning any data center hardware, paying only for…
- Pay-as-you-go is the default: pay only for what you consume
Pay-as-you-go is the baseline cloud pricing model, where you pay only for the resources you actually consume with no commitment and no up-front purchase. It is what makes the OpEx model work and is the right fit when usage is unpredictable or a team cannot commit to a term. Sustained-use and committed-use discounts then reduce the rate on top of this baseline.
7 questions test this
- A startup must launch a new application quickly but has limited capital and cannot afford to buy and provision its own servers. Which…
- A newly founded startup has limited funding and wants to launch its product quickly without purchasing or provisioning any physical…
- A development team deployed Cloud Functions to process messages from Pub/Sub. The function experiences variable traffic with periods of…
- A logistics company is comparing running workloads in its own data center against modernizing on Google Cloud. Which financial benefit best…
- An organization wants to understand how cloud elasticity differs from traditional on-premises infrastructure when using Compute Engine.…
- A manufacturing company has traditionally purchased physical servers every few years, requiring large upfront investments before any…
- A startup with very limited capital wants to launch its application without building or owning any data center hardware, paying only for…
- Committed-use discounts require a 1- or 3-year commitment; sustained-use discounts are automatic
A committed-use discount gives a lower price in exchange for committing to a one- or three-year term of usage, so it fits steady, predictable workloads you know will run for years. A sustained-use discount is applied automatically and grows the longer a resource runs within a month, requiring no commitment at all. The exam hinges on this contrast: 'we want a lower rate but cannot commit' points to sustained-use, while 'we will run this steadily for years and want the best rate' points to committed-use.
Trap Treating sustained-use discounts as something you sign up and commit to: they apply automatically with no commitment; only committed-use requires a 1- or 3-year term.
- Public cloud uses a provider's shared infrastructure for lowest TCO and most agility
Public cloud runs your workloads on a provider's shared, on-demand infrastructure such as Google Cloud, AWS, or Azure. It maximizes the OpEx model, elasticity, and agility and usually delivers the lowest TCO, with the trade-off of less low-level control over the underlying hardware. It is the default choice when scale, speed, and cost matter more than owning the hardware.
4 questions test this
- A startup must launch a new application quickly but has limited capital and cannot afford to buy and provision its own servers. Which…
- A newly founded startup has limited funding and wants to launch its product quickly without purchasing or provisioning any physical…
- An online media company expects highly unpredictable and occasionally viral traffic, and it does not want to own or operate any physical…
- A startup with very limited capital wants to launch its application without building or owning any data center hardware, paying only for…
- Private cloud is chosen for residency, control, or legacy, not for cost
A private cloud dedicates infrastructure to a single organization, often on-premises, and is chosen for data-residency rules, regulatory control, or legacy systems that cannot move. Its trade-off is mostly CapEx and limited elasticity because you still own and size the hardware. When a scenario cites a legal requirement that data stay in-country with no cloud option, private (or hybrid) is the conceptual answer.
- Hybrid cloud connects on-prem/private with public cloud so workloads span both
Hybrid cloud links a private or on-premises environment with a public cloud so workloads can run across both. It is the answer when part of the estate is constrained (say a regulated database that must stay private) while the rest moves to cloud-native services. The cost is the added network and integration complexity between the two environments.
4 questions test this
- An organization keeps its primary production systems running in its own on-premises data center but wants a cost-effective standby…
- A retailer already runs a critical legacy application in its own data center but wants to gradually extend specific workloads into a public…
- A manufacturer runs a latency-sensitive control system that must remain on the factory floor next to its production equipment, but it also…
- A financial services company wants to deploy new customer-facing applications in the cloud for scalability, but regulatory rules require…
- Multicloud uses two or more public providers, and needs a concrete reason
Multicloud means running on two or more public-cloud providers at once, justified by a concrete need such as avoiding vendor lock-in or using a best-of-breed service only one provider offers. It carries the most integration and skills overhead of any model, so it should be tied to a stated business reason rather than adopted by default. Note the distinction from hybrid: hybrid mixes private/on-prem with public, while multicloud mixes multiple public clouds.
Trap Choosing multicloud 'to be safer' with no stated reason: each extra provider multiplies integration and operational cost, so it must serve a concrete need like lock-in avoidance or a best-of-breed service.
4 questions test this
- An organization wants to avoid being locked into a single cloud vendor and intends to select best-in-class services from more than one…
- An organization wants to reduce its dependency on the availability of any single cloud provider by running comparable workloads across two…
- Two companies have merged, and each previously ran comparable production workloads on a different public cloud provider. Leadership decides…
- A large enterprise wants to run workloads across more than one public cloud provider to avoid dependence on a single vendor and to select…
- A region is an independent geographic area; a zone is a deployment area inside it
A Google Cloud region is an independent geographic area, and a zone is a deployment area for resources within a region. Each region contains three or more zones, each housed in a separate physical data center, and a zone should be treated as a single failure domain. You choose a region close to your users for lower latency and spread resources across zones so a single-zone failure does not take the workload down.
Trap Treating a zone as a whole region or assuming one zone gives high availability: a zone is a single failure domain, so resilience comes from spreading across multiple zones (or regions).
7 questions test this
- An organization needs to understand the relationship between Google Cloud regions and zones when planning their Compute Engine deployment.…
- A company is launching a new mobile application aimed at customers in a part of the world where it currently has no infrastructure. To…
- An organization needs to choose a Google Cloud region for deploying Compute Engine workloads. What is the primary benefit of selecting a…
- A company is explaining Google Cloud's infrastructure to its leadership team. How should the relationship between regions and zones be…
- An organization is selecting a Google Cloud region to deploy their Compute Engine workloads. They need to protect against hardware,…
- An organization is using Cloud Load Balancing with Compute Engine managed instance groups. A zone experiences an outage. What happens to…
- A retail company wants to reduce latency for customers accessing their e-commerce application. Their customer base is primarily located on…
- Multi-region services survive the loss of an entire region
Multi-region services such as Cloud Storage and Spanner replicate data across more than one region and are designed to keep working after losing a whole region. This is a stronger guarantee than multi-zone, which only protects against a single data-center failure within one region. Reach for a multi-region configuration when the requirement is to survive a full regional outage.
- Latency is delay; bandwidth is capacity: both describe network performance
Latency is the time it takes a packet to travel from source to destination, while bandwidth is how much data can move per second. They are independent: a link can have high bandwidth but high latency and still feel slow for interactive use. Placing resources in a region near users primarily reduces latency, which is why proximity matters for responsiveness.
Trap Assuming more bandwidth fixes a latency problem: bandwidth is throughput capacity, latency is delay, so a high-bandwidth but far-away region can still feel slow for interactive traffic.
5 questions test this
- A company is launching a new mobile application aimed at customers in a part of the world where it currently has no infrastructure. To…
- An organization needs to choose a Google Cloud region for deploying Compute Engine workloads. What is the primary benefit of selecting a…
- A global media company wants to reduce buffering and load times for users who stream video from many different countries. Which…
- An organization is describing its network needs and wants to identify the term for the amount of data that can be transmitted over a…
- A retail company wants to reduce latency for customers accessing their e-commerce application. Their customer base is primarily located on…
- Know the basic network terms: IP address, DNS, and ISP
An IP address is the numeric address that identifies a device on a network, DNS (Domain Name System) translates human-readable names like example.com into IP addresses, and an ISP (Internet Service Provider) is the company that connects you to the internet. The Cloud Digital Leader exam expects you to recognize these foundational terms rather than configure them.
- Google owns a global private fiber network so traffic largely avoids the public internet
Google operates a global, privately owned fiber-optic network (including subsea cables) that connects its regions, plus a worldwide set of edge points of presence (PoPs) in over 200 locations. Because Google owns this backbone end to end, user traffic enters Google's network close to the user and stays on Google's private fiber for most of its journey rather than crossing the open public internet, which lowers latency, raises throughput, and improves security. The business takeaway is that customers get global, low-latency reach without building any of this network themselves.
4 questions test this
- A global media company wants to reduce buffering and load times for users who stream video from many different countries. Which…
- A company wants user requests to enter Google's network as physically close to the user as possible so traffic can travel over Google's…
- A financial services firm is evaluating how Google Cloud transfers large volumes of data quickly and reliably between continents. Which…
- A company is concerned about inconsistent performance when routing traffic between its global offices over the public internet. How does…
- Pre-trained AI APIs add AI capabilities with no ML expertise or model training
Google Cloud's pre-trained APIs let you add AI to an application with a simple API call, requiring no data science team and no custom model training. Match the modality to the API: Vision API for images, Video Intelligence API for video, Speech-to-Text for audio transcription, and the Natural Language API for text analysis such as sentiment.
Trap Pre-trained APIs are for standard tasks out of the box; building a custom model on your own data without coding is AutoML on Vertex AI instead.
6 questions test this
- An organization wants to quickly add the ability to analyze customer sentiment from support emails without hiring machine learning…
- A global media company wants to add speech transcription capabilities to their video platform, supporting multiple languages. They want to…
- An organization wants to add image recognition capabilities to their mobile application to detect objects in photos. They have no data…
- A media company needs to automatically detect and tag content in videos for their digital archive. They have no machine learning expertise…
- A global company needs to transcribe customer support calls in multiple languages for quality analysis. They want to implement this quickly…
- An organization wants to add AI capabilities to their applications and needs to choose between pre-trained APIs and custom models. What is…
- BigQuery is a serverless data warehouse that decouples storage from compute
BigQuery is serverless: there are no clusters to provision, deploy, or manage, so analysts query large datasets with standard SQL and focus on data instead of infrastructure. Its architecture scales storage and compute independently for flexibility and cost control, supports streaming ingestion for near-real-time querying, and connects to BI tools like Looker, Tableau, and Power BI.
Trap Treating BigQuery as a provisioned warehouse that needs cluster sizing or capacity planning before you can query.
7 questions test this
- A retail company needs to make business decisions based on real-time customer transactions and market events. They want to respond…
- A company currently operates a traditional on-premises data warehouse with growing data volumes and escalating infrastructure costs. What…
- An organization wants to enable data analysts to focus on uncovering insights rather than managing database infrastructure. Which…
- An organization wants to analyze data from multiple sources without managing infrastructure or provisioning clusters. They need to enable…
- An organization wants to empower business users to analyze large datasets without requiring IT to manage infrastructure. Which BigQuery…
- A healthcare organization wants to integrate BigQuery data with business intelligence tools to enable self-service reporting across…
- An organization wants to analyze large datasets and make data-driven decisions without hiring specialized database administrators to manage…
- BigQuery ML and AutoML let teams build ML models without data science expertise
BigQuery ML lets SQL practitioners create and run machine learning models using familiar SQL, with no Python or specialized ML framework needed, democratizing predictive analytics for data analysts. AutoML on Vertex AI builds a custom model from your own training data code-free, automating data prep, model selection, and tuning.
Trap Reaching for custom-trained Vertex AI models and ML engineers when BigQuery ML or AutoML already meets the need.
4 questions test this
- An organization's leadership wants to enable business analysts who understand SQL to generate predictive insights without relying on data…
- A data analyst at a company wants to build machine learning models to predict customer behavior but has no experience with Python or…
- An organization needs to build custom machine learning models for their unique business data but lacks experienced data scientists. Which…
- An organization needs to build a custom image classification model to identify their specific product defects, but they lack ML expertise.…
- Cloud Billing reports visualize cost history, trends, and forecasts by project and service
Cloud Billing reports are the built-in dashboard for understanding spend: they break costs down by project, service, and SKU, show trends over time, and project likely future spend with a cost-trend forecast for budget planning. They also show savings from credits such as committed-use and sustained-use discounts, supporting departmental accountability and chargeback.
Trap Expecting Cloud Billing reports to alert you when spend crosses a threshold, which is the job of Budgets and alerts.
6 questions test this
- An organization wants to track its Google Cloud spending trends and understand which projects and services cost the most. They need to…
- A financial operations team wants to estimate their organization's future Google Cloud spending based on recent usage patterns so they can…
- An IT manager wants to drill into Google Cloud spend at the granular SKU level within a built-in dashboard to understand exactly which…
- A company's leadership wants a visual breakdown of cloud costs by project and by service so that each department can be held accountable…
- A finance team wants to understand how their organization's Google Cloud spending has trended over the past several months and identify…
- An organization wants to track its Google Cloud spending trends and understand how discounts are saving money on invoices. Which tool…
- The organization resource is the root of the hierarchy, and folders require it
The organization resource sits at the top of the Google Cloud resource hierarchy and gives central visibility and control over every project and resource a company owns. It is created via Google Workspace or Cloud Identity (and is provisioned automatically the first time such an account creates a project). Folders are an optional grouping layer between the organization and projects, so an organization resource is a prerequisite for using folders; IAM policies set on a folder are inherited by the projects inside it.
6 questions test this
- An organization wants to use folders to group projects by department and environment in Google Cloud. What is required before they can…
- A startup is new to Google Cloud and wants to understand the benefits of using the resource hierarchy with an organization node. Which…
- A company has multiple departments that each require their own set of Google Cloud resources with different access permissions. The company…
- A company is setting up its Google Cloud environment and wants centralized visibility and control over all cloud resources across multiple…
- A company has set up Cloud Identity for their domain. Which capability does this automatically provide for their Google Cloud environment?
- An organization wants to group projects into logical departments and environments such as development, testing, and production in Google…
- TCO comparisons must include the costs that get overlooked
A fair on-premises-versus-cloud TCO comparison counts all direct and indirect costs, not just hardware and software. Commonly overlooked items include the operational costs of running a data center (power, cooling, maintenance, and support) on the on-prem side, and ongoing, usage-based network egress charges on the cloud side, which replace what used to be a one-time cabling and network-hardware purchase.
Trap Reducing a TCO comparison to hardware and software prices while omitting power, cooling, staffing, and other indirect costs.
Data Transformation
The Value of Data
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Data has no value until it reaches a decision
Raw data is a cost until analysis turns it into an insight that changes a decision; the value comes from the journey, not the volume. That journey is the data value chain: collect, then store and organize, then process and analyze, then act on the insight. The Cloud Digital Leader lens is to ask where a tool sits on this chain rather than which tool is newest.
- Structured data fits rows and columns; unstructured data does not
Structured data has a fixed schema of rows and columns (transactions in a spreadsheet or a relational database) and is what organizations have always reported on. Unstructured data is everything without a fixed schema: text, images, audio, video, and sensor logs. Semi-structured data sits between them, with attributes that can vary per record, such as JSON event logs.
2 questions test this
- Most enterprise data is unstructured and largely untapped
The volume of unstructured data far exceeds structured data, yet historically most of it went unanalyzed because traditional reporting tools could not read images, audio, or free text. The business opportunity in data transformation is unlocking that untapped majority. This is the bridge to AI and machine learning, which can read unstructured content and extract value from it.
- A database answers what is true right now
A database is an operational store for live, structured records, built to run an application's many small reads and writes in real time. It answers "what is true right now" for the application, not "what happened over the last year." Pushing large analytical reporting onto it competes with the application's transactions, which is why analysis belongs in a data warehouse instead.
Trap Running heavy analytics or BI reporting directly on the live operational database: it is tuned for small real-time transactions, not large analytical scans.
- A data warehouse holds cleaned, structured data for reporting
A data warehouse stores data that has already been cleaned and processed and organized to a defined schema, which makes queries fast and reports trustworthy. It is built for analysis and reporting over structured (and semi-structured) historical data, answering "what happened and why." Reach for it when the business questions are known and analysts need repeatable, reliable reports.
- A data lake stores all raw data with no schema up front
A data lake is a central place to store all data at any scale in its raw form (structured, semi-structured, or unstructured) without defining its purpose first. That makes it the natural home for the unstructured majority and the feedstock for machine learning, answering "what might we discover later." Reach for it when you have lots of raw data and want to keep everything to explore or train models on later.
4 questions test this
- An organization wants to build a data lake to store structured, semi-structured, and unstructured data in its native format for future…
- An organization is evaluating whether to use a data lake or a data warehouse for incoming data of varying formats. Which characteristic…
- An organization is building a data lake to store raw data from multiple sources including log files, images, and sensor data in their…
- A media company needs to store large volumes of raw video files, images, and application logs in their original native format for later…
- Schema-on-write vs schema-on-read is the real warehouse/lake fork
The deepest difference is when structure is imposed: a warehouse uses schema-on-write, shaping data to a defined schema before saving, while a lake uses schema-on-read, landing data raw and applying structure only at query time. Paying the cleanup cost up front buys query speed and trust but is rigid; deferring it buys cheap, flexible storage of any data at the price of cleanup at query time. "Decide first, query fast" is the warehouse; "store now, decide later" is the lake.
Trap Treating schema-on-read as merely "slower": its real trade is flexibility and low cost for any raw data, paid back as cleanup work when you query.
- A data lakehouse converges lake and warehouse
A data lakehouse is a modern architecture that combines the raw-data storage of a lake with the organized, queryable structure of a warehouse on one platform. For the Cloud Digital Leader exam, recognize the term and that it blends both worlds (cheap raw storage plus fast structured analytics) so you no longer have to choose strictly between siloed lake and warehouse systems.
- Cloud Storage is the data lake on Google Cloud
Cloud Storage serves as the data lake on Google Cloud: object storage that holds any raw data (structured, semi-structured, or unstructured) at any scale without a schema defined first. It is the landing zone when a scenario describes dumping raw events, IoT/sensor streams, images, or files to explore or process later. Analytics and ML tools then read from it when a question finally needs answering.
4 questions test this
- An organization wants to build a data lake to store structured, semi-structured, and unstructured data in its native format for future…
- A media company needs to store large volumes of unstructured data such as videos, images, and audio files in their native format at low…
- An organization is building a data lake to store raw data from multiple sources including log files, images, and sensor data in their…
- A media company needs to store large volumes of raw video files, images, and application logs in their original native format for later…
- Create value from current, new, and external data
Value is not limited to data you already hold: leaders create it by analyzing current internal data more deeply, capturing new data such as sensor or app-event streams that was previously discarded, and combining in external third-party data like weather or market feeds to enrich the picture. Each source extends the value chain's collect step; the store-analyze-act steps that follow are unchanged.
- Governance is the trust gate on the data value chain
Data governance is the set of policies and controls over how data is collected, stored, accessed, used, and retained: who may see what, whether the data is accurate, and how privacy and compliance obligations are met. Its business value is trust: a leader can only bet a decision on an insight if the underlying data is governed for quality and access. Without governance, more data means more risk rather than more value.
Trap Answering a "the data is wrong / who may see this / compliance" problem with a specific storage product: the issue is governance policy over the data, not where it is stored.
2 questions test this
Data Management Solutions
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Data Insights & Analytics
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
AI & ML Innovation
AI & ML Fundamentals
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- ML is a subset of AI: every ML system is AI, but not all AI is ML
Artificial intelligence is the broad field of building systems that reason, learn, and act like humans; machine learning is the subset of AI in which a system learns rules from data rather than having them explicitly programmed. Google defines ML as a subset of AI that learns autonomously by being fed large amounts of data. Hold the nesting straight: AI is the umbrella, ML is an application of AI, and deep learning is a further subset of ML.
- The line between ML and ordinary software is who writes the logic
In traditional programming a developer hand-codes explicit if-then rules; in machine learning you supply examples and the training process derives the rule itself. That is why ML fits problems whose rules are too varied or too subtle to enumerate by hand, like recognising what is in an image or scoring fraud. If a short, stable set of deterministic rules already solves the problem, plain logic is cheaper and clearer than a model.
Trap Reaching for ML when a handful of fixed business rules would solve the problem reliably: the model adds cost and opacity for no gain.
- Analytics and BI explain the past; ML predicts and decides on new cases
Business intelligence and data analytics aggregate historical data so a person can read what happened and why: dashboards, reports, and aggregates. ML instead produces a model that generalises to data it has never seen, giving a per-case prediction or classification. The signal to move from BI to ML is a team that already reports on history and now wants to predict or act on each new record.
Trap Treating analytics/BI and ML as interchangeable: one is descriptive and backward-looking, the other predicts unseen cases.
4 questions test this
- An organization uses business intelligence dashboards to report on historical structured sales data, but now wants a system that…
- An organization wants a report showing the total revenue generated by each store during the previous fiscal year. Which approach is most…
- A data analytics team uses dashboards to report on last quarter's sales figures. The business now wants to predict which customers are…
- An organization currently uses business intelligence dashboards to summarize and visualize what happened during past sales periods. The…
- Match the business question to an ML problem type
Most business ML maps to a few problem shapes: classification assigns a category (spam-or-not), regression predicts a number (next month's sales), clustering groups similar items with no labels, recommendation suggests the next item, and forecasting projects a time series forward. Naming the shape of the question is the first decision; if it does not reduce to one of these, ML is probably not the right tool.
Trap Calling a 'how many will we sell' question classification: predicting a numeric value is regression, while classification assigns a discrete category.
- Classification and regression need labelled data; clustering does not
Supervised learning trains on labelled examples to map inputs to a known output, which is how classification and regression work: you must already have correctly-labelled historical data. Unsupervised learning finds structure in unlabelled data, which is how clustering groups items with no predefined categories. The practical implication: if you have no labels and cannot get them, supervised approaches are off the table.
Trap Assuming clustering needs labelled training data: it is unsupervised and works precisely because no labels exist.
3 questions test this
- An organization has years of historical records in which each past outcome is already labeled as 'paid' or 'defaulted'. It wants to use…
- A logistics company is preparing a labeled dataset to train an AutoML classification model in Vertex AI. Why is the accuracy of the labels…
- An e-commerce company wants to group its customers into segments based on shared purchasing behavior, without any predefined labels…
- ML adds value when good decisions must be made many times, fast
ML earns its place where the volume, size, or kind of data defeats manual analysis. It scales one learned decision rule consistently across millions of cases, far beyond what analysts could review by hand. Reach for ML for high-frequency, repeated decisions like fraud scoring, content moderation, or demand prediction; reach for analytics when a one-off human-read report is the goal.
- ML finds patterns in datasets too large for humans to inspect
As the rate of data generation accelerates, ML makes it possible to analyse and find value in volumes of data no person could review. The business value is surfacing patterns and correlations hidden in very large datasets, turning raw scale from a liability into an asset. This is distinct from reporting: BI summarises data a human still reads, whereas ML extracts signal from data at a scale beyond human reading.
- ML unlocks unstructured data that analytics cannot easily query
Images, audio, video, and free text carry enormous value but do not fit the rows and columns that traditional analytics and BI query. ML extracts meaning from this unstructured data (image recognition, transcription, translation) turning previously untapped data into usable signal. When a scenario describes value locked in documents, photos, or call recordings, that points to ML over a dashboard.
Trap Expecting a BI dashboard to extract insight from images or free text: analytics is built for structured data, so unstructured sources call for ML.
3 questions test this
- A logistics company analyzes years of structured shipment records with business intelligence dashboards, but now receives millions of…
- An organization uses business intelligence dashboards to report on historical structured sales data, but now wants a system that…
- An organization has long relied on business intelligence dashboards built from structured sales records, but now wants to gain insights…
- A model is only as good as its data: quality and representativeness set the ceiling
A model learns whatever its training data teaches it, so incomplete, inaccurate, or unrepresentative data produces an unreliable model regardless of the algorithm. Google notes that model accuracy improves with more samples only on the precondition that the training data is high quality. High-quality data is accurate, complete, consistent, and representative of the real population the model will serve, which is why data preparation usually decides whether an ML project succeeds.
Trap Assuming a more powerful algorithm or more compute will rescue a model trained on poor or scarce data: fix the data first, because it caps model quality.
4 questions test this
- A manufacturer is training an AutoML defect-detection model in Vertex AI using product photos captured only under bright daytime lighting,…
- A media company is evaluating whether to invest time in improving its labeled training data before building a custom model with Vertex AI.…
- A logistics company is preparing a labeled dataset to train an AutoML classification model in Vertex AI. Why is the accuracy of the labels…
- An online retailer plans to train a custom AutoML model in Vertex AI to predict customer churn, but their historical records contain many…
- Biased or unrepresentative training data produces a biased model at scale
Because the model reflects its training data, data that under-represents a group or encodes a past prejudice teaches the model to reproduce that bias on every prediction. The harm is then applied automatically across many cases, amplifying it. This is why representativeness, not just volume, matters, and why fairness checks on the data and the model are part of responsible ML.
Trap Believing an ML model is automatically objective because it is mathematical: it inherits whatever bias lives in its training data.
3 questions test this
- An organization plans to train a recruiting model on Vertex AI using historical hiring data that reflects past biased decisions. According…
- A company plans to build a recruiting model with AutoML in Vertex AI using past hiring decisions that historically favored one demographic…
- A manufacturer is training an AutoML defect-detection model in Vertex AI using product photos captured only under bright daytime lighting,…
- Explainable AI means people can understand why a model made a prediction
Explainable AI is the property that a model's outputs can be interpreted by people: knowing the reason behind a prediction, not just the prediction. It matters for trust, debugging, detecting unfair bias, and meeting regulations that require a decision to be justified. When a scenario stresses transparency, auditability, or having to explain why a decision was made, explainability is the concept being tested.
6 questions test this
- A bank deployed a custom TensorFlow credit-scoring model on Vertex AI, and regulators now require the bank to explain which factors…
- A bank uses a custom model trained in Vertex AI to assess loan applications and must be able to tell applicants which factors most…
- An insurance company uses a model deployed on Vertex AI to assess claims, and regulators require the company to explain why individual…
- A telecommunications company has deployed a customer-churn model in Vertex AI and wants its business analysts to understand which customer…
- A logistics company's leadership is hesitant to adopt a custom model deployed on Vertex AI because they do not understand how it reaches…
- Which statement best describes the relationship between explainable AI and responsible AI when deploying models on Vertex AI?
- Responsible AI is the umbrella; explainability is one pillar of it
Responsible AI is the broader practice of building and operating AI that is fair, accountable, safe, and privacy-respecting, and explainability is one pillar within it rather than a synonym. Google frames responsible AI through its published AI Principles, which guide how AI should and should not be developed and used. Keep the relationship straight: fairness, accountability, safety, privacy, and explainability together make up responsible AI.
Trap Equating responsible AI with explainability alone: explainability is just one of several pillars under the responsible-AI umbrella.
- Build responsible AI in up front, not as an afterthought
Fairness, transparency, privacy, and human oversight are requirements to gather before a model is built, because retrofitting them after a model is in production is far harder. Treating governance as a launch checklist rather than a design input is how bias and opaque decisions ship to users. The exam favours answers that weigh explainability and fairness early in the AI decision.
The cloud provider supplies tools, safety filters, and AI Principles, but the customer remains responsible for testing models and adhering to acceptable-use and prohibited-use policies. Responsible AI is therefore a shared obligation, mirroring the shared-responsibility theme that runs across this exam, not something the platform fully handles on your behalf. Expect scenarios that test who is accountable for safe and compliant model use.
Trap Assuming the cloud provider's built-in safety features make the customer fully responsible-AI compliant: the customer still owns testing and policy adherence.
Google Cloud AI/ML Solutions
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Building AI/ML Solutions
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Infrastructure & App Modernization
Modernization & Migration
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Compute Options
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Read the compute options as one spectrum from control to fully managed
Google Cloud's compute products line up by degree of abstraction: Compute Engine (VMs, you manage the OS) is the most controllable, then GKE (managed Kubernetes for containers), then Cloud Run (serverless containers), then Cloud Run functions (serverless functions) is the most managed. Moving toward the managed end hands more operational work (patching, scaling, capacity) to Google in exchange for less low-level control. The whole compute decision is just picking the right point on this line for a workload.
- Default to the most managed option a workload allows
Start at the serverless end and step toward control only when a constraint forces it, because the less infrastructure you manage the less undifferentiated work your team carries. In practice that means try Cloud Run first, move to GKE when you genuinely need container orchestration or portability, and drop to Compute Engine VMs only for OS-level control or apps that can't be re-architected.
Trap Reaching for a VM or a Kubernetes cluster by habit when a managed serverless service would run the workload. That leaves your team operating servers Google would otherwise run.
- Compute Engine is the choice for OS-level control and legacy apps
Compute Engine gives virtual machines with operating-system-level control and custom machine types, so pick it when a workload needs a specific OS, custom or specialized hardware, GPUs with full control, or is a monolithic/legacy app like a packaged relational database or ERP. Unlike the serverless options it does not scale to zero: a running VM keeps billing until stopped. It is also the standard landing place for a rehosted (lift-and-shift) app because a VM most resembles the server the app already ran on.
Trap Assuming a serverless service can satisfy a hard OS-level or custom-hardware requirement. Those layers are deliberately hidden by Cloud Run and Cloud Run functions.
7 questions test this
- A manufacturing firm needs to run a specialized legacy application that requires custom operating system configurations and licensed…
- An organization is migrating an on-premises application that currently runs on virtual machines. They want to move it to Google Cloud…
- An organization's cloud migration plan repeatedly refers to using a 'lift and shift' approach when moving its legacy servers onto Compute…
- An organization runs a specialized legacy application that depends on a specific operating system version and cannot be modified, yet it…
- A logistics company wants to move a specialized legacy application to the cloud as quickly as possible without rewriting any of its code,…
- An enterprise must move a legacy financial application to Google Cloud, but the application requires full control of the operating system,…
- An organization is adopting a phased hybrid migration and wants to move a legacy application to Google Cloud quickly, with minimal changes…
- Spot VMs trade reclaim risk for a deep discount
Spot VMs are Compute Engine instances sold from Google's spare capacity at a steep discount (up to roughly 90% off on-demand), but Google can reclaim them at any time after a brief, best-effort shutdown notice. They fit fault-tolerant, interruption-tolerant work such as batch processing, rendering, or CI fleets, where a reclaimed instance simply reruns. Spot VMs are the current generation of what Google previously called preemptible VMs.
Trap Putting a steady, always-on production workload on Spot VMs. Reclaimable capacity is wrong for anything that must stay up; use on-demand or committed-use capacity instead.
3 questions test this
- A media company runs batch video rendering jobs that can tolerate interruptions and needs to significantly reduce compute costs. The…
- An organization runs nightly batch processing jobs that can be safely interrupted and restarted at any time. They want to minimize the cost…
- A media company needs to run large-scale video rendering jobs that can tolerate interruptions. Cost optimization is their primary concern.…
- GKE is managed Kubernetes for container orchestration
Google Kubernetes Engine is a managed implementation of Kubernetes, the open-source container-orchestration system Google originally created, where orchestration means scheduling containers, restarting failed ones, and scaling them. Choose GKE when you run many containers needing orchestration, want microservices at scale, or need the same Kubernetes platform across multiple environments for portability. It does not scale to zero: its nodes keep running.
Trap Choosing GKE for a single stateless web service just to run a container. The orchestration and node management is overhead Cloud Run removes for that case.
- GKE Autopilot manages the nodes for you; Standard leaves them to you
In GKE Autopilot mode (the recommended default) Google also manages the worker nodes and you pay only for the resources your running workloads request; in Standard mode you manage the node pools yourself when a workload needs that level of control. The split matters at decision level: Autopilot is less operational work, Standard trades that for finer control over the underlying machines.
Trap Assuming Standard mode is the normal way to run GKE. Autopilot is the recommended default and offloads node management to Google.
- Cloud Run is the serverless default for HTTP services and APIs
Cloud Run is a fully managed platform that runs your container without you managing clusters or infrastructure, and it is the default for HTTP services, web apps, and REST/GraphQL/gRPC APIs. Its two defining behaviors are scaling to zero when idle and billing only for the CPU and memory used while serving requests. It can also handle event-driven and asynchronous workloads.
5 questions test this
- An e-commerce company is experiencing variable traffic patterns with peaks during sales events and minimal traffic overnight. They want to…
- A startup wants to deploy containerized web applications without managing servers. They need a solution that scales automatically with…
- An organization wants to deploy a containerized web application that receives variable traffic throughout the day. They want to minimize…
- A company wants to modernize their application by deploying it to Cloud Run. What type of container workload must the application be?
- A media company wants to deploy a stateless image processing service that experiences traffic spikes during marketing campaigns. They need…
- Scale-to-zero means no cost while idle but watch cold starts
Cloud Run scales to zero: if no requests arrive, even the last instance is removed, so you pay nothing while idle. The flip side is that a request arriving against zero instances incurs a cold start, and a workload needing a persistent always-running background process is a poor fit for scale-to-zero. For those, a VM or a GKE workload that keeps running is the better match.
Trap Putting a workload that must keep a long-lived process always running on a scale-to-zero serverless service. It gets torn down when idle.
- Cloud Run functions runs event-driven snippets of code
Cloud Run functions (formerly named Cloud Functions) runs an individual piece of code in response to an event such as an HTTP request, a file landing in storage, or a published message, the most abstracted compute rung, where you supply only the function body. Reach for it for small event-driven logic, not whole applications, which belong on Cloud Run, GKE, or a VM.
Trap Standing up a VM or a GKE cluster to host a single event-triggered snippet. That is far more infrastructure than the task needs.
- Containers package an app to run identically anywhere
A container bundles an application with its libraries and dependencies so it runs the same on a laptop, in a data center, or in any cloud, which is what makes container-based apps portable. This is the deployment unit GKE and Cloud Run both run, and it pairs with microservices: splitting one large application into small, independently deployable services usually shipped as separate containers.
4 questions test this
- During seasonal peaks, an online retailer normally runs its containerized application on-premises but needs to add extra capacity in a…
- A startup is building a new REST API service and wants to use any programming language and framework without managing infrastructure. They…
- An organization values open source technologies and wants its container platform to use open APIs so that workloads are not tied to a…
- An organization wants to deploy applications packaged as standard container images and avoid being locked into a single vendor, so they can…
- Autoscaling matches capacity to demand automatically
Autoscaling adds compute when load rises and removes it when load falls so you pay for what a workload actually uses instead of provisioning for peak. On Compute Engine this works through a managed instance group (identical VMs from one template) that the autoscaler grows or shrinks on signals like CPU utilization or load-balancing capacity; serverless products autoscale per request, including down to zero. This automatic elasticity is a core reason cloud compute costs less than a fixed on-premises fleet sized for the yearly peak.
4 questions test this
- An organization has refactored its monolith into containerized microservices. During holiday sales, only its payment-processing service…
- An organization wants to automatically adjust the number of virtual machines in their web application based on CPU utilization. What is a…
- A development team has containerized their application into multiple microservices and wants the cluster to automatically add and remove…
- A retailer's web application running on Compute Engine experiences unpredictable spikes in traffic during promotions and quiet periods…
- Load balancing spreads traffic across instances for availability
A load balancer distributes user traffic across multiple instances of an application so no single instance is overwhelmed, which raises availability and lets the app absorb spikes. It works hand in hand with autoscaling: the load balancer spreads requests across the current instances while autoscaling changes how many instances exist to keep up with that traffic.
- Rehost (lift and shift) onto a VM for apps you can't re-architect
Rehosting moves a workload to the cloud with little or no modification, and it is the right path when an app is legacy or specialized, when there is no business case to change it, or when you simply cannot refactor it. The natural target is a Compute Engine VM, because it most resembles the on-premises server the app already ran on, letting the app operate as-is while still gaining cloud elasticity and reliability.
Trap Choosing rehost-to-VM when the business actually wants the app modernized. That is a replatform or refactor decision, not lift and shift.
7 questions test this
- A manufacturing firm needs to run a specialized legacy application that requires custom operating system configurations and licensed…
- An organization is migrating an on-premises application that currently runs on virtual machines. They want to move it to Google Cloud…
- An organization's cloud migration plan repeatedly refers to using a 'lift and shift' approach when moving its legacy servers onto Compute…
- An organization runs a specialized legacy application that depends on a specific operating system version and cannot be modified, yet it…
- A logistics company wants to move a specialized legacy application to the cloud as quickly as possible without rewriting any of its code,…
- An enterprise must move a legacy financial application to Google Cloud, but the application requires full control of the operating system,…
- An organization is adopting a phased hybrid migration and wants to move a legacy application to Google Cloud quickly, with minimal changes…
- Cloud compute replaces buying for peak with paying for use
On-premises you buy hardware for the yearly peak and pay for it even when idle; cloud compute instead scales capacity up and down with demand and bills accordingly, turning a large fixed capital cost into a variable operating cost. That elasticity, delivered by autoscaling and the pay-per-use serverless model, is the central business value of cloud compute the exam expects you to articulate.
Serverless Computing
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Containers
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
API Management
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Hybrid & Multicloud
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Trust & Security
Cloud Security Concepts
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Map every security goal to the CIA triad
The CIA triad names the three goals all security serves: confidentiality (only authorized parties can read data), integrity (data is accurate and untampered), and availability (data and services are reachable when needed). On the exam, classifying an incident by the property it violated is usually the answer: leaked data is confidentiality, altered records are integrity, an outage is availability.
- Confidentiality is about disclosure, not change or uptime
Confidentiality fails when data is disclosed to someone unauthorized: a leaked customer list, a misdirected email, a stolen laptop. It is protected by encryption, access management, and authentication. Keep it distinct from integrity (which is about unauthorized change) so you pick the right CIA property when a scenario describes exposed data.
Trap Calling a silent data alteration a confidentiality breach: changing data without disclosing it is an integrity failure, not confidentiality.
- Integrity is about unauthorized change, detected by signatures and logs
Integrity means data and systems are accurate and have not been altered by anyone unauthorized; the failure mode is tampering, such as a payment amount silently changed or a record deleted. It is protected by checksums, digital signatures, and audit logs that reveal whether something was modified. Read the scenario for whether data was changed (integrity) versus merely seen (confidentiality).
- Availability is about access when needed, the target of DDoS and ransomware
Availability means authorized users can reach the data and services when they need them; the failure mode is denial, whether from a DDoS flood, a hardware failure with no backup, or a ransomware lockout. It is protected by redundancy, backups, and DDoS defense. An attack that knocks a site offline during a sale is an availability incident, even if no data was stolen.
3 questions test this
- An online retailer needs to guarantee that its customer-facing services stay accessible even during hardware failures or traffic spikes.…
- A streaming media platform must remain accessible and fully operational for its viewers even during periods of unusually high demand. Which…
- A financial services company experiences a distributed denial-of-service attack. What is the most significant business implication if the…
- One incident can break more than one CIA property
The CIA properties are not mutually exclusive: ransomware that both exfiltrates and encrypts data breaks confidentiality and availability at once. When classifying an incident, read what actually happened to the data rather than assuming exactly one property applies.
- The most common attack vector is a person, not a firewall gap
Phishing and social engineering (tricking someone into revealing credentials or clicking a malicious link by impersonating a trusted party) are the single most common entry point, because they target human judgment rather than a technical weakness. The leadership consequence is that security awareness and least-privilege access matter as much as technical controls, since buying more perimeter hardware does not address the human vector.
Trap Treating phishing as a purely technical problem solved by firewalls: it exploits human judgment, so awareness training and least privilege are the real mitigations.
- Know the common threats: phishing, malware/ransomware, insiders, DDoS
The threats the exam expects you to recognize are phishing/social engineering, malware and ransomware (which steal or encrypt data for payment), insider threats (misuse of legitimate access, malicious or accidental), and DDoS (flooding a service so users can't reach it). Each maps back to the CIA triad: ransomware hits confidentiality and availability, DDoS hits availability, an insider can hit any of the three.
- Frame a breach by its business impact, not just the technical event
A Cloud Digital Leader describes security risk in business terms: financial loss (theft, fraud, ransom, recovery cost), regulatory penalties (fines for violating GDPR, HIPAA, and similar), operational downtime (lost productivity and sales), and reputational damage (eroded customer trust and churn). The reputational and trust damage is frequently the costliest and longest-lasting consequence, often outweighing the immediate financial hit.
Trap Assuming the direct financial loss is always the biggest cost: reputational and customer-trust damage often outlasts and outweighs it.
The shared responsibility model splits security tasks between provider and customer: Google secures the infrastructure (data centers, hardware, the global network) while the customer secures what they run on it (their data, access, and configuration). It does not make security less important: it changes who is responsible for which part. On-premises, by contrast, the organization owns the entire stack and every control.
Trap Reading shared responsibility as outsourcing all security to the provider: the customer is always responsible for their own data, access, and configuration.
7 questions test this
- Under the Google Cloud shared responsibility model, which security task remains the responsibility of the customer rather than Google?
- An organization wants a cloud provider that goes beyond dividing responsibilities and actively helps it achieve a secure posture through…
- An organization wants to clarify its obligations versus those of Google Cloud under the cloud shared responsibility model. Which statement…
- A company is moving from a traditional on-premises data center to Google Cloud and wants to understand how security obligations change.…
- An organization plans to run its Security Operations (SecOps) on Google's trusted infrastructure. How does this align with the shared…
- An organization assumes that because Google Cloud holds many compliance certifications, it has no further compliance obligations of its own…
- Under the cloud shared responsibility model, which task always remains the customer's responsibility regardless of whether they adopt IaaS,…
- The responsibility line moves toward the provider from IaaS to PaaS to SaaS
Where the shared-responsibility dividing line sits depends on the service model: in IaaS the bulk of security tasks are the customer's, and the provider's share grows through PaaS until, in SaaS, the provider owns most of it and the customer mainly secures their access and the data they choose to store. The customer is responsible for their data and access in every model: only the rest of the line shifts.
Google frames shared fate as an ongoing partnership to improve security: rather than handing the customer a checklist of their responsibilities and stepping back, Google provides secure defaults, vetted blueprints, and guidance so the customer's side of the line is easier to get right. It is the cooperative complement to the shared responsibility model, which only divides the tasks.
- Cloud can be more secure than on-prem because controls are on by default
Moving to the cloud is not inherently riskier; a hyperscale provider affords controls most organizations cannot and enables many by default. Google encrypts all customer data at rest automatically with AES-256 and no action required, encrypts data in transit, and runs zero trust, whereas on-premises those protections are something the organization must design, fund, and enable itself.
Trap Assuming on-premises is automatically safer because the data is physically in-house: providers turn on encryption and zero trust by default that most on-prem estates lack.
- Most cloud incidents come from customer misconfiguration, not provider breach
Secure-by-default does not make the cloud automatically safe, because the customer still owns their side of the shared-responsibility line. The majority of real-world cloud security incidents trace to customer misconfiguration (an over-permissive access rule, a publicly exposed storage bucket) rather than a breach of the provider's infrastructure. The cloud raises the security floor, but the customer still has to configure their part correctly.
- Zero trust means never trust, always verify: no implied network trust
Zero trust grants access based on continuous verification of identity and context rather than trusting a device just because it sits inside the network perimeter. It is the structural answer to insider and phishing threats, which defeat perimeter-based trust by operating from inside or with stolen credentials. Every access is authenticated and authorized regardless of where it originates.
Trap Believing a trusted internal network removes the need to verify internal traffic: zero trust verifies every access precisely because insiders and stolen credentials bypass the perimeter.
- A control reduces risk; compliance proves the controls exist
A security control is a safeguard that reduces risk; compliance is demonstrating to an outside party (regulator, auditor, customer) that the required controls are in place and working against a standard. Controls are what you do to be secure; compliance is how you prove it. The two are distinct: a system can have strong controls before it is certified, and certification alone does not guarantee real-world security.
Trap Treating passing an audit as proof the system is actually secure: compliance shows controls exist on paper but is evidence, not a substitute for the controls working.
- Controls come in three families: technical, administrative, physical
Security controls fall into three categories the exam may ask you to recognize: technical (or logical) controls enforced by technology such as encryption, access management, and logging; administrative controls that are policy and process such as training and access-review procedures; and physical controls that protect the premises such as badge access and cameras. A complete security posture uses all three, not just technical tools.
- In the cloud you inherit the provider's audited compliance for its layer
Because Google's infrastructure is independently audited and certified against standards like ISO 27001, SOC 2, GDPR, and HIPAA, the customer inherits that coverage for the provider's layer and only has to demonstrate compliance for their own layer. This narrows the scope and cost of an audit compared with proving every certification yourself on-premises: a concrete business benefit of the cloud.
- Authentication proves who you are; authorization decides what you can do
Authentication verifies identity (proving who a user or system is) while authorization determines what that authenticated identity is permitted to do. They run in that order: you authenticate first, then the system authorizes specific actions. Confusing the two is a common error, so anchor on who (authentication) versus what (authorization).
Trap Using authentication and authorization interchangeably: verifying identity is separate from granting permissions, and a valid login still needs authorization for each action.
4 questions test this
- After a user has successfully signed in to Google Cloud, the system determines which actions that user is permitted to perform on a…
- A new engineer asks how authentication differs from authorization within Google Cloud's access control model. Which statement correctly…
- An organization needs to confirm that every user is who they claim to be before they are allowed to sign in to its Google Cloud…
- A retailer is mapping their Google Cloud controls to the three pillars of access management: authentication, authorization, and auditing.…
- Least privilege grants only the minimum access a task needs
Least privilege means granting an identity only the access required to do its job and nothing more, which limits the blast radius if an account is compromised or misused. It is a core defense against both insider threats and stolen-credential attacks, since a tightly scoped account can do far less damage than an over-permissive one.
6 questions test this
- An organization needs to grant a team of developers access to Cloud Storage resources without giving them broader permissions they do not…
- An organization wants its employees to have only the minimum permissions they need to perform their jobs, and nothing more. Which approach…
- An organization has a unique job function that needs a specific set of permissions, but no predefined IAM role matches that set without…
- A security administrator wants to ensure that principals in the organization have only the minimum permissions necessary to perform their…
- A bank must ensure that only authorized analysts can access sensitive customer datasets in its serverless data warehouse, in line with data…
- A security architect explains that Google Cloud's defense-in-depth model relies on granting each identity only the permissions required for…
- Encryption protects confidentiality at rest and in transit
Encryption encodes data so only a party holding the key can read it, protecting confidentiality both at rest (stored data) and in transit (data crossing a network). In Google Cloud both are provided by default, so even a stolen disk or intercepted packet yields unreadable data without the key, which is why encryption is a primary confidentiality control.
3 questions test this
- An organization is concerned that data exchanged between its users and Google Cloud services could be intercepted while it moves across the…
- An organization wants to ensure that data moving between its users and Google Cloud services cannot be read if it is intercepted on the…
- An organization is deploying a new application on Google Cloud and wants to ensure their data stored in Cloud Storage is encrypted. What…
Trusted Infrastructure
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Trust Principles & Compliance
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Cloud Operations & Scaling
Financial Governance
Read full chapterCheat sheet
Sharp facts the exam loves — scan these before test day.
- Financial governance keeps cloud spend predictable and controlled
Cloud financial governance is the discipline of keeping pay-as-you-go spending predictable and accountable, not just cheaper. It matters because anyone can launch billable resources without a purchase order, so cost can grow unnoticed. Google frames good governance as a repeating loop of visibility (see the spend), control (cap and alert on it), and optimization (remove waste), and the exam rewards answers that improve process and accountability over answers that just buy less.
3 questions test this
- A company's leadership wants to understand the strategic relationship between cloud financial governance and sustainability. Which…
- By combining the resource hierarchy, resource quota policies, and budget threshold rules, what primary business benefit does an…
- An enterprise wants to gain greater visibility, accountability, and control over its cloud spending so that future costs become more…
- TCO is the full cost of a workload, not just the hardware price
Total cost of ownership (TCO) is the complete cost of running a workload, including power, cooling, data-center space, staff, and hardware refresh, not only the sticker price of equipment. Cloud typically lowers TCO by folding those hidden on-premises costs into one usage-based bill and removing the over-provisioning needed to cover peak demand. "Reduce TCO" is the right answer when a scenario complains about idle or over-bought hardware.
- The resource hierarchy goes organization, folders, projects, resources
Google Cloud organizes everything into four levels: an organization at the root (the company), optional folders that group by department or environment, projects that hold workloads, and the resources (VMs, buckets, databases) inside each project. Every resource except the organization has exactly one parent, forming a single tree. This structure is the backbone of governance because both access control and cost reporting roll up along it.
4 questions test this
- A company wants to understand the hierarchical structure of Google Cloud for managing costs and access. Which correctly describes the…
- By combining the resource hierarchy, resource quota policies, and budget threshold rules, what primary business benefit does an…
- A large enterprise wants to define a governance policy once and have it automatically apply to all projects belonging to a particular…
- Why does applying access control policies at higher levels of the Google Cloud resource hierarchy benefit a large organization's cost…
- IAM policies are inherited downward through the hierarchy
Identity and Access Management (IAM) policies set high in the resource hierarchy are inherited by everything beneath them, so a role granted on a folder applies to every project and resource inside it. This lets you grant access once at the right level instead of repeating it resource by resource, which is how least-privilege is enforced at scale. Set policy as high as is appropriate, and it cascades down automatically.
Trap Assuming a permission granted on one project also covers a sibling project: inheritance flows downward from a shared parent, not sideways between projects.
4 questions test this
- A large enterprise needs to organize Google Cloud resources to represent different departments for cost reporting purposes. They also want…
- A multinational company wants to organize its Google Cloud resources so that each department's spending can be attributed separately and…
- A large enterprise wants to define a governance policy once and have it automatically apply to all projects belonging to a particular…
- Why does applying access control policies at higher levels of the Google Cloud resource hierarchy benefit a large organization's cost…
- Use the hierarchy to attribute and report cost per team
Because billing rolls up the same organization-folders-projects tree used for access, the resource hierarchy is also how you answer "which team or environment spent what." Designing folders to mirror how the business is organized lets you budget and report spending per department or per environment. The same structure that controls who can do what also attributes the cost of what they do.
- Quotas are hard limits that block excess usage
Resource quotas cap how much of a resource a project can consume, such as API calls per minute or CPUs in a region. When a request would exceed a quota, the system blocks it and the operation fails, which protects both the shared platform and your own bill from runaway consumption. Quotas are the control to reach for when the goal is to actually prevent excess usage rather than merely be warned about it.
Trap Reaching for a budget when the requirement is to physically stop usage: budgets only notify; a quota is what enforces a hard cap.
15 questions test this
- An organization wants to prevent developers from creating more than a specified number of virtual machines in a Google Cloud project. Which…
- A startup creates a brand-new Google Cloud project and is worried that a misconfigured script could provision an enormous amount of…
- An organization wants to place a hard limit on the amount of a specific Google Cloud resource that its teams can consume, in order to…
- An organization wants to ensure that no one in their development team can accidentally create more than 50 virtual machines in a single…
- What is the key difference between resource quotas and budgets when managing Google Cloud costs?
- What happens when a Google Cloud project attempts to consume more of a resource than its quota allows?
- An organization wants to limit the maximum amount of resources that teams can consume within a project to prevent unexpected usage spikes…
- By combining the resource hierarchy, resource quota policies, and budget threshold rules, what primary business benefit does an…
- An organization wants both ongoing visibility into where its cloud money is being spent and a reliable way to prevent any single team from…
- An organization runs separate projects for production and experimentation. Leadership wants experimental projects to be unable to consume…
- An online service experiences sudden traffic spikes, and leadership is concerned that uncontrolled resource usage during these spikes could…
- An organization is scaling rapidly and is concerned that a misconfigured or runaway service could automatically consume excessive…
- An organization's leadership wants an automatic, preventative control that caps how many resources any single project can consume,…
- A growing organization is concerned that a misconfigured workload could provision far more resources than intended, leading to a large…
- A business leader assumes that setting a Cloud Billing budget will automatically stop spending once the planned amount is reached. Which…
- Budgets alert on spending but never cap it
A Cloud Billing budget tracks spending against a planned amount and sends notifications as threshold rules are crossed, but setting a budget does not automatically cap or stop usage or billing. It is a smoke detector, not a circuit breaker: it tells people spending is climbing so they can act. To turn an alert into an actual stop, route it to automation (for example via Pub/Sub) that takes action; the budget alone will not.
Trap Assuming a budget will halt spending once exceeded: it only fires notifications; usage and billing continue unless something else acts.
18 questions test this
- An organization has configured a Cloud Billing budget with threshold rules set at 50%, 75%, and 100% of their monthly budget amount. What…
- An organization sets up a budget in Google Cloud with a threshold of 100%. What happens when spending reaches the budget amount?
- A business leader assumes that setting a budget in Cloud Billing will automatically halt all spending once the budget amount is reached.…
- What is the key difference between resource quotas and budgets when managing Google Cloud costs?
- A growing organization wants to be automatically notified when its cloud spending reaches a defined percentage of the amount it planned to…
- By combining the resource hierarchy, resource quota policies, and budget threshold rules, what primary business benefit does an…
- A company has configured a Cloud Billing budget with threshold rules and is surprised when their services continue running after exceeding…
- An organization has set up a Google Cloud budget with multiple threshold alert rules at 50%, 75%, and 100% of their monthly spending…
- An organization wants to be notified when their Google Cloud spending approaches their monthly limit. However, they want to ensure that…
- An organization has set up a budget in Google Cloud Billing. Which statement accurately describes how budgets affect Google Cloud spending?
- A business leader assumes that setting a Cloud Billing budget will automatically stop spending once the planned amount is reached. Which…
- An organization wants to receive email alerts when their Google Cloud spending approaches a specified target amount. Which Google Cloud…
- A finance team relies on Cloud Billing budget alerts and assumes the alerts will automatically stop spending once the budget amount is…
- An organization has configured a Cloud Billing budget with threshold rules set at 50%, 90%, and 100% of the budgeted amount. What happens…
- An organization wants budget threshold alerts to trigger automated cost-management workflows in addition to sending emails to stakeholders.…
- An organization wants their Cloud Billing budget to do more than send email alerts; they want spending events to automatically trigger a…
- An organization sets a Cloud Billing budget with a $10,000 target amount and 100% threshold rule. A project team is concerned about what…
- An organization has configured a budget with threshold alerts on their Google Cloud Billing account. What happens when the budget threshold…
- Budget threshold rules default to 50%, 90%, and 100%
Budget threshold rules define the points at which alerts fire, and a new budget defaults to notifying at 50%, 90%, and 100% of the planned amount. Thresholds can be evaluated against actual cost already accrued or against forecasted cost projected to the end of the billing period. Notifications go to Billing Account Administrators and Users by default and can be widened to other channels.
12 questions test this
- An organization wants an email notification sent to its billing administrators as soon as the cumulative costs accrued during the month…
- An organization wants to receive early notifications when their Google Cloud costs are trending toward exceeding their monthly budget.…
- A growing organization wants to be automatically notified when its cloud spending reaches a defined percentage of the amount it planned to…
- An organization wants to receive an early warning about potential budget overruns before actual costs exceed their budget. Which budget…
- A finance team wants to be notified automatically when their monthly cloud spending reaches certain percentages of an allocated amount, so…
- A company's finance team wants to be alerted early enough to take action before the actual monthly bill exceeds the planned amount. Which…
- An organization wants to be proactively alerted before its monthly Google Cloud spend is projected to exceed its planned amount by the end…
- An organization wants to receive early warnings about potential cost overruns before their actual spending reaches the budget limit. Which…
- An organization wants to receive email alerts when their Google Cloud spending approaches a specified target amount. Which Google Cloud…
- An organization has configured a Cloud Billing budget with threshold rules set at 50%, 90%, and 100% of the budgeted amount. What happens…
- An organization wants budget threshold alerts to trigger automated cost-management workflows in addition to sending emails to stakeholders.…
- An organization has configured a budget with threshold alerts on their Google Cloud Billing account. What happens when the budget threshold…
- Quota vs budget: one enforces, the other warns
Quotas and budgets are easy to confuse because both relate to limits, but they act oppositely. A quota is a hard limit that blocks the request and fails the operation when exceeded, so it can prevent spend. A budget is notification-only: it alerts at thresholds but lets usage and billing continue. Match the verb in a question: "prevent/cap usage" points to a quota, "notify/alert when approaching" points to a budget.
Trap Treating quota and budget as interchangeable cost controls: only the quota stops usage; the budget merely sends alerts.
8 questions test this
- What is the key difference between resource quotas and budgets when managing Google Cloud costs?
- An organization wants to limit the maximum amount of resources that teams can consume within a project to prevent unexpected usage spikes…
- A company has configured a Cloud Billing budget with threshold rules and is surprised when their services continue running after exceeding…
- An organization wants both ongoing visibility into where its cloud money is being spent and a reliable way to prevent any single team from…
- An organization has set up a Google Cloud budget with multiple threshold alert rules at 50%, 75%, and 100% of their monthly spending…
- An organization wants to be notified when their Google Cloud spending approaches their monthly limit. However, they want to ensure that…
- An organization has set up a budget in Google Cloud Billing. Which statement accurately describes how budgets affect Google Cloud spending?
- A business leader assumes that setting a Cloud Billing budget will automatically stop spending once the planned amount is reached. Which…
- Cloud Billing Reports visualize and break down spend
Cloud Billing Reports is the built-in tool for viewing and analyzing Google Cloud cost and cost trends. It breaks spending down by project, service, SKU, location, label, and time period, and shows forecasted alongside actual cost, answering questions like which project cost the most last month. It supplies the visibility half of governance, which budgets and the hierarchy then act on.
24 questions test this
- A non-technical executive wants an at-a-glance visual view of cloud cost trends directly in the Google Cloud console, without exporting…
- A retailer wants to show stakeholders that its efforts to control cloud costs are also improving its environmental performance. How can…
- Cloud Billing reports allow leaders to break down cloud costs by project and service. How can this visibility help advance an…
- An operations team observes an unexpected spike in last month's Google Cloud costs and wants to investigate which project caused it using…
- A company's leadership wants to anticipate how much the organization is likely to spend by the end of the current month, based on the…
- An organization adopting cloud financial governance wants greater predictability and control over its cloud spend. How do Cloud Billing…
- Using Cloud Billing reports, an engineering team finds that several development and test environments run continuously, including overnight…
- A finance team wants to anticipate next month's Google Cloud spend so they can plan budgets with greater predictability. While reviewing…
- An organization wants to understand which Google Cloud services are costing them the most and how their spending is trending over time.…
- A large organization with many teams wants to understand which individual projects and services are driving the majority of its cloud costs…
- An organization wants both ongoing visibility into where its cloud money is being spent and a reliable way to prevent any single team from…
- An organization wants to understand which Google Cloud services are contributing most to their monthly spending and how costs are trending…
- A finance team wants to understand which Google Cloud services and projects are driving the most spend each month so they can have informed…
- A leader assumes that Cloud Billing reports directly measure the organization's carbon emissions. Which statement best describes how Cloud…
- A retail organization has noticed that its monthly Google Cloud bill is rising and wants to determine which Google Cloud service is…
- An organization wants an at-a-glance, configurable view of its cost trends and to identify which projects and services have cost the most…
- A cloud leader wants a simple, chart-based way to discover and analyze trends in cloud spend and to identify which Google Cloud services…
- A company runs many projects under a single Cloud Billing account and wants to analyze the costs of only its production projects within…
- An organization wants to understand how their Google Cloud spending is tracking over time and receive insights to help optimize their…
- An organization's finance team wants to anticipate its Google Cloud costs for the upcoming months based on recent usage patterns. Which…
- A FinOps analyst is reviewing the Cloud Billing Reports chart and notices a steady increase in spend over the previous quarter. What is the…
- An organization's finance leaders want to review how cloud spending has trended across projects and services over the past several months…
- An organization reduces its monthly cloud bill by using Cloud Billing reports to find and shut down underused virtual machines. How does…
- Why is visualizing cloud spending trends over time in Cloud Billing reports valuable for an organization pursuing cost optimization?
- Sustained-use discounts apply automatically with no commitment
Sustained-use discounts lower the rate automatically the longer an eligible resource runs within a billing month, with no commitment and no action required from you. They are the right optimization lever when you run resources often but cannot promise a fixed term. Because they are automatic, the correct answer to "we want a lower rate but cannot commit" is sustained-use (or plain pay-as-you-go), not a contract.
Trap Assuming you must sign up or configure something to get sustained-use discounts: they are applied automatically based on usage.
- Committed-use discounts trade a 1- or 3-year commitment for a lower rate
Committed-use discounts give a reduced price in exchange for committing to a one- or three-year term of usage, and they typically beat sustained-use discounts for spend you can predict. They fit steady, always-on workloads you are confident will keep running. The decision contrast: pick committed-use when usage is predictable and long-running, and sustained-use or pay-as-you-go when it is not.
Trap Choosing committed-use discounts for spiky or short-lived workloads: the multi-year commitment is wasted if the usage does not actually persist.
- A billing account pays for many projects; each project links to one at a time
A Cloud Billing account defines who pays for a set of Google Cloud resources. One billing account can be linked to multiple projects, but each project is linked to exactly one billing account at a time. Organizations may use multiple billing accounts when they must split charges for legal or accounting reasons.
Trap A project links to only ONE billing account at a time, not several
5 questions test this
- An organization has multiple Google Cloud projects that need to be paid for by the same payment method. What defines who pays for a given…
- In the Google Cloud resource hierarchy, what is the relationship between billing accounts and projects?
- An organization has multiple projects running workloads across Google Cloud. What is the relationship between Cloud Billing accounts and…
- An organization is setting up its Google Cloud environment and wants to understand how billing accounts relate to projects. Which statement…
- An organization needs to split cloud charges for legal or accounting reasons across different business units. Which approach should the…
- Labels tag resources so you can break down spend by team or cost center
Labels are key-value pairs attached to resources (such as team:engineering or a cost-center identifier). Label information is forwarded to the billing system, letting you categorize and report spend by department, environment, or application without creating separate billing accounts or restructuring the project hierarchy.
Trap Labels enable internal chargeback reporting; you do NOT need a separate billing account per team
5 questions test this
- An organization wants to understand how much each of their internal departments is spending on Google Cloud resources without creating…
- An organization has multiple teams that share Google Cloud resources and wants to track spending by team for internal chargeback purposes.…
- An organization wants to understand how much they are spending on resources for each of their internal departments. Which Google Cloud…
- An organization wants to track cloud spending by department, environment, and application without restructuring their project hierarchy.…
- A large organization with many teams wants to understand which individual projects and services are driving the majority of its cloud costs…
- Recommender uses machine learning to flag idle and over-provisioned resources
Recommender (part of Active Assist) analyzes usage data with machine learning to identify waste such as idle VMs and over-provisioned resources, then generates cost-saving recommendations to stop, delete, or right-size them.
Trap Recommender is the proactive ML cost-optimizer; Billing Reports only show what you already spent
4 questions test this
- An organization wants to identify virtual machines that have not been used for an extended period and are contributing to unnecessary cloud…
- An organization wants to proactively identify virtual machines that are not being used and are generating unnecessary costs. Which Google…
- An organization wants to use AI-driven intelligence to identify idle virtual machines and over-provisioned resources to reduce cloud costs.…
- An organization notices their Google Cloud bill is increasing but lacks visibility into which resources might be underutilized. They want…
Operational Excellence & Reliability
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.
Sustainability
Read full chapterUnlock with Premium — includes all practice exams and the complete study guide.