Study Guide · CDL

CDL Cheat Sheet

314 entries · 21 chapters · 6 domains

Digital Transformation

Cloud Transformation Drivers

Read full chapter
  • Digital transformation is a business change, not just a tech migration
  • Cloud delivers IT resources on demand instead of owning the hardware
  • Memorize the six cloud benefits Google lists for transformation
  • Google's five transformation benefits: intelligence, freedom, collaboration, trust, sustainability
  • The transformation cloud accelerates change through four pillars
  • Cloud-native means built for the cloud and portable via containers
  • Open source and open standards are what let workloads avoid lock-in
  • Public, private, hybrid, and multicloud differ by who runs it and where
  • Hybrid mixes private with public; multicloud means multiple public providers
  • Workloads that must stay local point to on-premises, private, or hybrid
  • Not adopting cloud is the cloud benefits stated as their absence
  • Drivers of transformation are business pressures, not the technology itself
  • Common transformation challenges are legacy, skills, security, and culture

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Concepts

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Scalability means capacity can grow; elasticity means it grows and shrinks automatically

Scalability is the ability to add or remove capacity to meet demand, while elasticity is doing that scaling automatically and quickly in both directions as load rises and falls. Every elastic system is scalable, but a system can be scalable (you can add capacity) without being elastic (it does not adjust on its own). When a scenario describes capacity following traffic up and back down without anyone placing an order, the answer is elasticity, not just scalability.

Trap Answering 'scalability' when the scenario specifically describes capacity expanding and contracting automatically: that automatic, two-way behavior is elasticity.

7 questions test this
Reliability is staying up and recovering through failures, achieved by spreading across failure domains

Reliability is a system's ability to keep performing its function and to recover when something fails. In the cloud it is achieved by running across independent failure domains so that one fault does not take everything down, which is why workloads are spread across multiple zones. It is a property of the system, distinct from flexibility and agility, which are about the organization.

2 questions test this
Flexibility is freedom to change tech; agility is the business speed it unlocks

Flexibility is the freedom to choose, combine, and change technologies, regions, and providers without buying new hardware first. Agility is the business outcome that flexibility enables: teams ship and change products faster because they no longer wait weeks for servers to arrive. A question about launching features in days rather than quarters is describing agility; one about freely swapping technologies is describing flexibility.

2 questions test this
Cloud shifts spending from CapEx to OpEx

Capital expenditure (CapEx) is money spent up front on assets you own and depreciate, such as buying servers sized for peak demand; operating expenditure (OpEx) is money spent on ongoing consumption. In the cloud most resource costs are treated as OpEx: you pay as you consume, with no up-front hardware purchase. This CapEx-to-OpEx shift is the most-tested cost concept, and 'move from CapEx to OpEx' is usually the right answer when a scenario complains about large up-front hardware spend.

Trap Calling pay-as-you-go cloud spending CapEx: owned, up-front, depreciated hardware is CapEx; consumption-based cloud billing is OpEx.

4 questions test this
Pay-as-you-go is the default: pay only for what you consume

Pay-as-you-go is the baseline cloud pricing model, where you pay only for the resources you actually consume with no commitment and no up-front purchase. It is what makes the OpEx model work and is the right fit when usage is unpredictable or a team cannot commit to a term. Sustained-use and committed-use discounts then reduce the rate on top of this baseline.

7 questions test this
Committed-use discounts require a 1- or 3-year commitment; sustained-use discounts are automatic

A committed-use discount gives a lower price in exchange for committing to a one- or three-year term of usage, so it fits steady, predictable workloads you know will run for years. A sustained-use discount is applied automatically and grows the longer a resource runs within a month, requiring no commitment at all. The exam hinges on this contrast: 'we want a lower rate but cannot commit' points to sustained-use, while 'we will run this steadily for years and want the best rate' points to committed-use.

Trap Treating sustained-use discounts as something you sign up and commit to: they apply automatically with no commitment; only committed-use requires a 1- or 3-year term.

1 question tests this
Public cloud uses a provider's shared infrastructure for lowest TCO and most agility

Public cloud runs your workloads on a provider's shared, on-demand infrastructure such as Google Cloud, AWS, or Azure. It maximizes the OpEx model, elasticity, and agility and usually delivers the lowest TCO, with the trade-off of less low-level control over the underlying hardware. It is the default choice when scale, speed, and cost matter more than owning the hardware.

4 questions test this
Private cloud is chosen for residency, control, or legacy, not for cost

A private cloud dedicates infrastructure to a single organization, often on-premises, and is chosen for data-residency rules, regulatory control, or legacy systems that cannot move. Its trade-off is mostly CapEx and limited elasticity because you still own and size the hardware. When a scenario cites a legal requirement that data stay in-country with no cloud option, private (or hybrid) is the conceptual answer.

2 questions test this
Hybrid cloud connects on-prem/private with public cloud so workloads span both

Hybrid cloud links a private or on-premises environment with a public cloud so workloads can run across both. It is the answer when part of the estate is constrained (say a regulated database that must stay private) while the rest moves to cloud-native services. The cost is the added network and integration complexity between the two environments.

4 questions test this
Multicloud uses two or more public providers, and needs a concrete reason

Multicloud means running on two or more public-cloud providers at once, justified by a concrete need such as avoiding vendor lock-in or using a best-of-breed service only one provider offers. It carries the most integration and skills overhead of any model, so it should be tied to a stated business reason rather than adopted by default. Note the distinction from hybrid: hybrid mixes private/on-prem with public, while multicloud mixes multiple public clouds.

Trap Choosing multicloud 'to be safer' with no stated reason: each extra provider multiplies integration and operational cost, so it must serve a concrete need like lock-in avoidance or a best-of-breed service.

4 questions test this
A region is an independent geographic area; a zone is a deployment area inside it

A Google Cloud region is an independent geographic area, and a zone is a deployment area for resources within a region. Each region contains three or more zones, each housed in a separate physical data center, and a zone should be treated as a single failure domain. You choose a region close to your users for lower latency and spread resources across zones so a single-zone failure does not take the workload down.

Trap Treating a zone as a whole region or assuming one zone gives high availability: a zone is a single failure domain, so resilience comes from spreading across multiple zones (or regions).

7 questions test this
Multi-region services survive the loss of an entire region

Multi-region services such as Cloud Storage and Spanner replicate data across more than one region and are designed to keep working after losing a whole region. This is a stronger guarantee than multi-zone, which only protects against a single data-center failure within one region. Reach for a multi-region configuration when the requirement is to survive a full regional outage.

2 questions test this
Latency is delay; bandwidth is capacity: both describe network performance

Latency is the time it takes a packet to travel from source to destination, while bandwidth is how much data can move per second. They are independent: a link can have high bandwidth but high latency and still feel slow for interactive use. Placing resources in a region near users primarily reduces latency, which is why proximity matters for responsiveness.

Trap Assuming more bandwidth fixes a latency problem: bandwidth is throughput capacity, latency is delay, so a high-bandwidth but far-away region can still feel slow for interactive traffic.

5 questions test this
Know the basic network terms: IP address, DNS, and ISP

An IP address is the numeric address that identifies a device on a network, DNS (Domain Name System) translates human-readable names like example.com into IP addresses, and an ISP (Internet Service Provider) is the company that connects you to the internet. The Cloud Digital Leader exam expects you to recognize these foundational terms rather than configure them.

Google owns a global private fiber network so traffic largely avoids the public internet

Google operates a global, privately owned fiber-optic network (including subsea cables) that connects its regions, plus a worldwide set of edge points of presence (PoPs) in over 200 locations. Because Google owns this backbone end to end, user traffic enters Google's network close to the user and stays on Google's private fiber for most of its journey rather than crossing the open public internet, which lowers latency, raises throughput, and improves security. The business takeaway is that customers get global, low-latency reach without building any of this network themselves.

4 questions test this
Pre-trained AI APIs add AI capabilities with no ML expertise or model training

Google Cloud's pre-trained APIs let you add AI to an application with a simple API call, requiring no data science team and no custom model training. Match the modality to the API: Vision API for images, Video Intelligence API for video, Speech-to-Text for audio transcription, and the Natural Language API for text analysis such as sentiment.

Trap Pre-trained APIs are for standard tasks out of the box; building a custom model on your own data without coding is AutoML on Vertex AI instead.

6 questions test this
BigQuery is a serverless data warehouse that decouples storage from compute

BigQuery is serverless: there are no clusters to provision, deploy, or manage, so analysts query large datasets with standard SQL and focus on data instead of infrastructure. Its architecture scales storage and compute independently for flexibility and cost control, supports streaming ingestion for near-real-time querying, and connects to BI tools like Looker, Tableau, and Power BI.

Trap Treating BigQuery as a provisioned warehouse that needs cluster sizing or capacity planning before you can query.

7 questions test this
BigQuery ML and AutoML let teams build ML models without data science expertise

BigQuery ML lets SQL practitioners create and run machine learning models using familiar SQL, with no Python or specialized ML framework needed, democratizing predictive analytics for data analysts. AutoML on Vertex AI builds a custom model from your own training data code-free, automating data prep, model selection, and tuning.

Trap Reaching for custom-trained Vertex AI models and ML engineers when BigQuery ML or AutoML already meets the need.

4 questions test this
Cloud Billing reports visualize cost history, trends, and forecasts by project and service

Cloud Billing reports are the built-in dashboard for understanding spend: they break costs down by project, service, and SKU, show trends over time, and project likely future spend with a cost-trend forecast for budget planning. They also show savings from credits such as committed-use and sustained-use discounts, supporting departmental accountability and chargeback.

Trap Expecting Cloud Billing reports to alert you when spend crosses a threshold, which is the job of Budgets and alerts.

6 questions test this
The organization resource is the root of the hierarchy, and folders require it

The organization resource sits at the top of the Google Cloud resource hierarchy and gives central visibility and control over every project and resource a company owns. It is created via Google Workspace or Cloud Identity (and is provisioned automatically the first time such an account creates a project). Folders are an optional grouping layer between the organization and projects, so an organization resource is a prerequisite for using folders; IAM policies set on a folder are inherited by the projects inside it.

6 questions test this
TCO comparisons must include the costs that get overlooked

A fair on-premises-versus-cloud TCO comparison counts all direct and indirect costs, not just hardware and software. Commonly overlooked items include the operational costs of running a data center (power, cooling, maintenance, and support) on the on-prem side, and ongoing, usage-based network egress charges on the cloud side, which replace what used to be a one-time cabling and network-hardware purchase.

Trap Reducing a TCO comparison to hardware and software prices while omitting power, cooling, staffing, and other indirect costs.

2 questions test this

Service Models & Shared Responsibility

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

The three cloud service models differ by how much of the stack you hand off

IaaS, PaaS, and SaaS are not separate products but three points where the provider takes over the lower layers of a computing stack and leaves the rest to you. The single question behind all three is how much of the stack you want to manage yourself, which is why Google describes them as differing in "the degree of management you're responsible for."

Control and operational effort move in opposite directions across the models

As you move from IaaS toward SaaS you hand off more layers, so you do less operational work and need fewer specialist staff, but you also lose control and customization over the layers the provider now owns. IaaS gives the highest control over infrastructure at the cost of hands-on management; SaaS is the fastest to adopt but offers little to no control.

Trap Assuming a more-managed model like SaaS is strictly better, when the requirement is maximum control or customization of the OS or runtime, which points to IaaS instead.

3 questions test this
IaaS rents you the infrastructure but leaves you the OS and up

Infrastructure as a Service delivers on-demand compute, storage, networking, and virtualization, so you no longer run a data center, but you remain responsible for the operating system, runtime, scaling, and all data and apps. It suits teams that need a specific OS or are lift-and-shifting a legacy or specialized application. Google's example is Compute Engine.

13 questions test this
PaaS manages the platform so you only bring your code

Platform as a Service delivers and manages all the hardware and software needed to develop and run applications, so developers deploy their own code while the provider handles server management, patching, and scaling. You still write the code and manage your data and apps. Google's examples are App Engine and Cloud Run.

29 questions test this
SaaS delivers a finished application, you only manage your data

Software as a Service provides the entire application stack as a ready-to-use, fully managed application, including all updates, bug fixes, and maintenance, usually reached through a web browser with nothing to install. The customer's remaining job is taking care of their own data and user accounts. Google's example is Google Workspace.

6 questions test this
Match the model to how much the customer wants to avoid managing

Pick the model by the layers the scenario says the customer does not want to manage: needing OS or runtime control, or migrating a legacy app as-is, points to IaaS; wanting to deploy code without managing servers or scaling points to PaaS; needing a ready-to-use app with no infrastructure to manage points to SaaS.

Trap Choosing SaaS when the scenario requires running a specialized or legacy app that needs OS-level control, which only IaaS provides.

24 questions test this
All cloud models shift spending from CapEx to OpEx

Every cloud service model replaces the up-front capital expense (CapEx) of buying and refreshing data-center hardware with an operating expense (OpEx) paid as pay-as-you-go or subscription. This shift applies across IaaS, PaaS, and SaaS alike, so a stem about avoiding large up-front hardware purchases is testing the model category in general, not one specific model.

3 questions test this
TCO includes staffing, not just the cloud bill

Total cost of ownership counts the people needed to operate each layer, not only the invoice, so the more layers you hand off the lower the operational staffing cost. A goal of minimizing management effort or specialist headcount trends toward the more managed models (SaaS, then PaaS), because the provider absorbs the patching and operations toil.

Trap Reading "lowest cost" as "cheapest hourly rate" and picking IaaS, when a goal of fewest staff and least operational overhead favors a more managed model.

1 question tests this
PaaS and SaaS carry a real vendor lock-in risk

Because PaaS and SaaS run on provider-specific platforms and applications, moving away later can be hard, which Google lists as a stated disadvantage of both. PaaS can also constrain you with a limited application stack and reduced customization. IaaS keeps more portability at the cost of more hands-on management.

The models are not mutually exclusive

An organization can combine IaaS, PaaS, and SaaS, and mix them with traditional on-premises IT, rather than committing to a single model. A scenario describing different workloads on different models is therefore normal, not a mistake to correct.

The shared responsibility model splits security at the management line

The cloud shared responsibility model divides security duties between the provider and the customer, and the split follows the same line as management: wherever the provider stops managing a layer, the customer becomes responsible for securing it. The exact division therefore depends on which service model is in use.

6 questions test this
Google always secures the hardware and network, no matter the model

Across every service model the cloud provider always remains responsible for the underlying network and physical infrastructure, including data centers and hardware. This part of the split never shifts, so any answer claiming the customer secures the physical servers or the provider network is wrong.

1 question tests this
You always own your data and access policies

In every service model the customer always remains responsible for their own data and their access and identity policies, meaning who can sign in and what they can do. Even under SaaS, where Google manages the whole application, your data and access controls stay yours.

Trap Believing the provider secures your data under SaaS because it manages the application; data protection and access control are always the customer's responsibility.

13 questions test this
The OS and runtime layer is what actually shifts between IaaS and SaaS

The middle of the stack, the OS, runtime, and middleware, is the part of the security split that moves with the model: it is the customer's responsibility under IaaS but the provider's under SaaS, with PaaS in between. Under IaaS the bulk of security responsibilities are the customer's; under SaaS they reverse to the provider.

9 questions test this
Shared fate is Google partnering across the responsibility line, not redrawing it

Shared fate is Google's posture of taking a more active role in helping customers secure their side of the shared responsibility split, through secure-by-default blueprints, governance tooling, and a Risk Protection Program that connects customers with cyber-insurance partners. It does not remove the customer's responsibilities; it adds provider partnership on top of the existing division.

Trap Treating shared fate as moving all security responsibility to Google; it is a partnership layered on top of shared responsibility, not a replacement for it.

FaaS (Cloud Functions) runs single-purpose event-driven code with no servers to manage

Function as a Service runs small, single-purpose pieces of code in response to events such as a Pub/Sub message or a file landing in Cloud Storage, with zero server or runtime management. Cloud Functions is Google's FaaS: it provisions and scales the infrastructure automatically, scales to zero when idle, and bills only while your code runs, so you pay nothing during quiet periods.

Trap App Engine is PaaS for whole apps; FaaS/Cloud Functions is the answer specifically for single-purpose, event-triggered code.

16 questions test this
Container orchestration (GKE) automates deploying, scaling, and managing containers

Container orchestration automatically deploys, scales, and manages containerized applications, which is what makes breaking a monolith into independently deployable microservices practical. Google Kubernetes Engine provides this managed Kubernetes, with Google running the control plane; GKE Autopilot goes further and fully manages the nodes too (provisioning, scaling, maintenance, and security patches) so teams without deep Kubernetes expertise can run containers at scale.

Trap Autopilot mode (not Standard) is the pick when the scenario stresses minimal operational burden and no in-house Kubernetes expertise.

8 questions test this
Google provides the capability, but the customer must configure and enable it

Across the shared responsibility model the customer is responsible for configuring the services they use: enabling high availability and disaster recovery on Cloud SQL, setting VPC firewall rules, and securing application code and container images on services like Cloud Run. Google supplies and secures the underlying capability and infrastructure, but turning it on and configuring it correctly is the customer's job.

Trap "Google provides it" does not mean Google enables it for you: features like Cloud SQL HA or firewall rules stay off until the customer configures them.

7 questions test this

Data Transformation

The Value of Data

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Data has no value until it reaches a decision

Raw data is a cost until analysis turns it into an insight that changes a decision; the value comes from the journey, not the volume. That journey is the data value chain: collect, then store and organize, then process and analyze, then act on the insight. The Cloud Digital Leader lens is to ask where a tool sits on this chain rather than which tool is newest.

Structured data fits rows and columns; unstructured data does not

Structured data has a fixed schema of rows and columns (transactions in a spreadsheet or a relational database) and is what organizations have always reported on. Unstructured data is everything without a fixed schema: text, images, audio, video, and sensor logs. Semi-structured data sits between them, with attributes that can vary per record, such as JSON event logs.

2 questions test this
Most enterprise data is unstructured and largely untapped

The volume of unstructured data far exceeds structured data, yet historically most of it went unanalyzed because traditional reporting tools could not read images, audio, or free text. The business opportunity in data transformation is unlocking that untapped majority. This is the bridge to AI and machine learning, which can read unstructured content and extract value from it.

1 question tests this
A database answers what is true right now

A database is an operational store for live, structured records, built to run an application's many small reads and writes in real time. It answers "what is true right now" for the application, not "what happened over the last year." Pushing large analytical reporting onto it competes with the application's transactions, which is why analysis belongs in a data warehouse instead.

Trap Running heavy analytics or BI reporting directly on the live operational database: it is tuned for small real-time transactions, not large analytical scans.

A data warehouse holds cleaned, structured data for reporting

A data warehouse stores data that has already been cleaned and processed and organized to a defined schema, which makes queries fast and reports trustworthy. It is built for analysis and reporting over structured (and semi-structured) historical data, answering "what happened and why." Reach for it when the business questions are known and analysts need repeatable, reliable reports.

2 questions test this
A data lake stores all raw data with no schema up front

A data lake is a central place to store all data at any scale in its raw form (structured, semi-structured, or unstructured) without defining its purpose first. That makes it the natural home for the unstructured majority and the feedstock for machine learning, answering "what might we discover later." Reach for it when you have lots of raw data and want to keep everything to explore or train models on later.

4 questions test this
Schema-on-write vs schema-on-read is the real warehouse/lake fork

The deepest difference is when structure is imposed: a warehouse uses schema-on-write, shaping data to a defined schema before saving, while a lake uses schema-on-read, landing data raw and applying structure only at query time. Paying the cleanup cost up front buys query speed and trust but is rigid; deferring it buys cheap, flexible storage of any data at the price of cleanup at query time. "Decide first, query fast" is the warehouse; "store now, decide later" is the lake.

Trap Treating schema-on-read as merely "slower": its real trade is flexibility and low cost for any raw data, paid back as cleanup work when you query.

1 question tests this
A data lakehouse converges lake and warehouse

A data lakehouse is a modern architecture that combines the raw-data storage of a lake with the organized, queryable structure of a warehouse on one platform. For the Cloud Digital Leader exam, recognize the term and that it blends both worlds (cheap raw storage plus fast structured analytics) so you no longer have to choose strictly between siloed lake and warehouse systems.

Cloud Storage is the data lake on Google Cloud

Cloud Storage serves as the data lake on Google Cloud: object storage that holds any raw data (structured, semi-structured, or unstructured) at any scale without a schema defined first. It is the landing zone when a scenario describes dumping raw events, IoT/sensor streams, images, or files to explore or process later. Analytics and ML tools then read from it when a question finally needs answering.

4 questions test this
Create value from current, new, and external data

Value is not limited to data you already hold: leaders create it by analyzing current internal data more deeply, capturing new data such as sensor or app-event streams that was previously discarded, and combining in external third-party data like weather or market feeds to enrich the picture. Each source extends the value chain's collect step; the store-analyze-act steps that follow are unchanged.

Governance is the trust gate on the data value chain

Data governance is the set of policies and controls over how data is collected, stored, accessed, used, and retained: who may see what, whether the data is accurate, and how privacy and compliance obligations are met. Its business value is trust: a leader can only bet a decision on an insight if the underlying data is governed for quality and access. Without governance, more data means more risk rather than more value.

Trap Answering a "the data is wrong / who may see this / compliance" problem with a specific storage product: the issue is governance policy over the data, not where it is stored.

2 questions test this

Data Management Solutions

Read full chapter
  • Pick the data product by data shape first
  • Separate transactional workloads from analytical ones
  • Use Cloud Storage for unstructured object data
  • Use Cloud SQL for standard regional relational apps
  • Use Spanner when relational data needs global scale
  • Use Firestore for app data with real-time sync
  • Use Bigtable for massive high-throughput key-value data
  • Use BigQuery for analytics over large historical data
  • BigQuery ML brings machine learning into SQL
  • BigQuery Omni analyzes data in other clouds
  • Cloud Storage classes differ only in cost profile
  • Match the storage class to access frequency
  • BigQuery is a warehouse, not an application backend
  • Relational scale is what splits Cloud SQL from Spanner
  • Managed services shift effort from running to using data
  • BigQuery public datasets are free to store, pay only to query

Unlock with Premium — includes all practice exams and the complete study guide.

Data Insights & Analytics

Read full chapter
  • Stored data creates no value until it is analyzed and visualized
  • Looker is Google Cloud's business intelligence and visualization platform
  • Looker democratizes data through self-service exploration
  • LookML defines each metric once as a single source of truth
  • Looker queries the warehouse live instead of copying data out
  • BigQuery is the analytics engine; Looker is the layer on top
  • Looker can embed analytics inside other applications
  • Batch processes data in scheduled groups; streaming processes it as it arrives
  • Choose streaming analytics when decisions cannot wait for the next batch
  • Pub/Sub is the serverless ingestion front door for event streams
  • Pub/Sub decouples publishers from subscribers asynchronously
  • Dataflow is the serverless engine that processes and transforms the data
  • Dataflow handles both streaming and batch with one model
  • Pub/Sub and Dataflow are the paired data-pipeline products
  • The streaming pipeline flows ingest to process to store to visualize

Unlock with Premium — includes all practice exams and the complete study guide.

AI & ML Innovation

AI & ML Fundamentals

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

ML is a subset of AI: every ML system is AI, but not all AI is ML

Artificial intelligence is the broad field of building systems that reason, learn, and act like humans; machine learning is the subset of AI in which a system learns rules from data rather than having them explicitly programmed. Google defines ML as a subset of AI that learns autonomously by being fed large amounts of data. Hold the nesting straight: AI is the umbrella, ML is an application of AI, and deep learning is a further subset of ML.

1 question tests this
The line between ML and ordinary software is who writes the logic

In traditional programming a developer hand-codes explicit if-then rules; in machine learning you supply examples and the training process derives the rule itself. That is why ML fits problems whose rules are too varied or too subtle to enumerate by hand, like recognising what is in an image or scoring fraud. If a short, stable set of deterministic rules already solves the problem, plain logic is cheaper and clearer than a model.

Trap Reaching for ML when a handful of fixed business rules would solve the problem reliably: the model adds cost and opacity for no gain.

1 question tests this
Analytics and BI explain the past; ML predicts and decides on new cases

Business intelligence and data analytics aggregate historical data so a person can read what happened and why: dashboards, reports, and aggregates. ML instead produces a model that generalises to data it has never seen, giving a per-case prediction or classification. The signal to move from BI to ML is a team that already reports on history and now wants to predict or act on each new record.

Trap Treating analytics/BI and ML as interchangeable: one is descriptive and backward-looking, the other predicts unseen cases.

4 questions test this
Match the business question to an ML problem type

Most business ML maps to a few problem shapes: classification assigns a category (spam-or-not), regression predicts a number (next month's sales), clustering groups similar items with no labels, recommendation suggests the next item, and forecasting projects a time series forward. Naming the shape of the question is the first decision; if it does not reduce to one of these, ML is probably not the right tool.

Trap Calling a 'how many will we sell' question classification: predicting a numeric value is regression, while classification assigns a discrete category.

1 question tests this
Classification and regression need labelled data; clustering does not

Supervised learning trains on labelled examples to map inputs to a known output, which is how classification and regression work: you must already have correctly-labelled historical data. Unsupervised learning finds structure in unlabelled data, which is how clustering groups items with no predefined categories. The practical implication: if you have no labels and cannot get them, supervised approaches are off the table.

Trap Assuming clustering needs labelled training data: it is unsupervised and works precisely because no labels exist.

3 questions test this
ML adds value when good decisions must be made many times, fast

ML earns its place where the volume, size, or kind of data defeats manual analysis. It scales one learned decision rule consistently across millions of cases, far beyond what analysts could review by hand. Reach for ML for high-frequency, repeated decisions like fraud scoring, content moderation, or demand prediction; reach for analytics when a one-off human-read report is the goal.

2 questions test this
ML finds patterns in datasets too large for humans to inspect

As the rate of data generation accelerates, ML makes it possible to analyse and find value in volumes of data no person could review. The business value is surfacing patterns and correlations hidden in very large datasets, turning raw scale from a liability into an asset. This is distinct from reporting: BI summarises data a human still reads, whereas ML extracts signal from data at a scale beyond human reading.

2 questions test this
ML unlocks unstructured data that analytics cannot easily query

Images, audio, video, and free text carry enormous value but do not fit the rows and columns that traditional analytics and BI query. ML extracts meaning from this unstructured data (image recognition, transcription, translation) turning previously untapped data into usable signal. When a scenario describes value locked in documents, photos, or call recordings, that points to ML over a dashboard.

Trap Expecting a BI dashboard to extract insight from images or free text: analytics is built for structured data, so unstructured sources call for ML.

3 questions test this
A model is only as good as its data: quality and representativeness set the ceiling

A model learns whatever its training data teaches it, so incomplete, inaccurate, or unrepresentative data produces an unreliable model regardless of the algorithm. Google notes that model accuracy improves with more samples only on the precondition that the training data is high quality. High-quality data is accurate, complete, consistent, and representative of the real population the model will serve, which is why data preparation usually decides whether an ML project succeeds.

Trap Assuming a more powerful algorithm or more compute will rescue a model trained on poor or scarce data: fix the data first, because it caps model quality.

4 questions test this
Biased or unrepresentative training data produces a biased model at scale

Because the model reflects its training data, data that under-represents a group or encodes a past prejudice teaches the model to reproduce that bias on every prediction. The harm is then applied automatically across many cases, amplifying it. This is why representativeness, not just volume, matters, and why fairness checks on the data and the model are part of responsible ML.

Trap Believing an ML model is automatically objective because it is mathematical: it inherits whatever bias lives in its training data.

3 questions test this
Explainable AI means people can understand why a model made a prediction

Explainable AI is the property that a model's outputs can be interpreted by people: knowing the reason behind a prediction, not just the prediction. It matters for trust, debugging, detecting unfair bias, and meeting regulations that require a decision to be justified. When a scenario stresses transparency, auditability, or having to explain why a decision was made, explainability is the concept being tested.

6 questions test this
Responsible AI is the umbrella; explainability is one pillar of it

Responsible AI is the broader practice of building and operating AI that is fair, accountable, safe, and privacy-respecting, and explainability is one pillar within it rather than a synonym. Google frames responsible AI through its published AI Principles, which guide how AI should and should not be developed and used. Keep the relationship straight: fairness, accountability, safety, privacy, and explainability together make up responsible AI.

Trap Equating responsible AI with explainability alone: explainability is just one of several pillars under the responsible-AI umbrella.

1 question tests this
Build responsible AI in up front, not as an afterthought

Fairness, transparency, privacy, and human oversight are requirements to gather before a model is built, because retrofitting them after a model is in production is far harder. Treating governance as a launch checklist rather than a design input is how bias and opaque decisions ship to users. The exam favours answers that weigh explainability and fairness early in the AI decision.

1 question tests this
Responsible AI is a shared responsibility between provider and customer

The cloud provider supplies tools, safety filters, and AI Principles, but the customer remains responsible for testing models and adhering to acceptable-use and prohibited-use policies. Responsible AI is therefore a shared obligation, mirroring the shared-responsibility theme that runs across this exam, not something the platform fully handles on your behalf. Expect scenarios that test who is accountable for safe and compliant model use.

Trap Assuming the cloud provider's built-in safety features make the customer fully responsible-AI compliant: the customer still owns testing and policy adherence.

Google Cloud AI/ML Solutions

Read full chapter
  • Google Cloud's AI/ML products form an option ladder, not a flat menu
  • Choose the lowest rung on the ladder that still meets the need
  • Four tradeoffs drive the choice: speed, effort, differentiation, required expertise
  • Differentiation runs opposite to speed, effort, and expertise on the ladder
  • A pre-trained API is Google's model called as-is, with no training
  • Pre-trained APIs offer zero differentiation because everyone shares the model
  • AutoML trains a custom model on your own data with minimal ML expertise
  • The AutoML signal is 'our own data' plus 'limited ML experience'
  • Custom models on Vertex AI are the rung you climb for differentiation
  • Custom models need substantial high-quality data and ML staff; AutoML needs much less
  • Match the use-case signal words to a rung
  • Each rung up the ladder is slower and higher-effort to a working result
  • BigQuery ML is the right call when data is in BigQuery and the team writes SQL

Unlock with Premium — includes all practice exams and the complete study guide.

Building AI/ML Solutions

Read full chapter
  • Climb the build ladder only as high as the problem needs
  • BigQuery ML lets analysts train models in SQL, where the data already lives
  • BigQuery ML covers the everyday model types in SQL
  • Pre-trained APIs need no training data and no ML skill
  • Match the pre-trained API to the data type
  • The Vision API reads text in images with OCR. No custom model needed
  • The Natural Language API gauges sentiment and entities in text
  • Speech-to-Text and Text-to-Speech are inverses. Watch the direction
  • Cloud Translation converts text between languages with no training
  • AutoML trains a custom model on your data without you building the model
  • AutoML still needs your own labelled data
  • Vertex AI is Google Cloud's single unified ML platform
  • Build a custom model only when the model is your competitive edge
  • TensorFlow is open-source software; a Cloud TPU is Google's proprietary hardware
  • A Cloud TPU is a custom ASIC built to accelerate ML
  • Dialogflow is Google Cloud's product for building virtual agents and chatbots
  • Vertex AI manages models after training: evaluate, deploy/version, and monitor for drift

Unlock with Premium — includes all practice exams and the complete study guide.

Infrastructure & App Modernization

Modernization & Migration

Read full chapter
  • A workload is the unit you migrate: an app plus the infrastructure it needs
  • Migration moves a workload; modernization changes it to exploit the cloud
  • Organizations modernize for agility, lower cost, less maintenance, and innovation
  • Each application gets its own migration path. There is no one-size-fits-all
  • Application rationalization decides each app's path before the migration
  • The migration paths form a ladder: more effort buys more cloud benefit
  • Retire means decommission the app and remove its cost and technical debt
  • Retain means leave the workload where it is, a deliberate no-move
  • Rehost (lift and shift) moves a workload with minimal change, the fastest path
  • Replatform (move and improve) lifts then makes targeted cloud optimizations
  • Refactor modifies a workload to adopt cloud-native traits
  • Reimagine re-architects and rewrites the app for the largest transformation
  • Match the path to the constraint in the stem
  • Google Cloud has a purpose-built migration tool for each kind of workload

Unlock with Premium — includes all practice exams and the complete study guide.

Compute Options

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Read the compute options as one spectrum from control to fully managed

Google Cloud's compute products line up by degree of abstraction: Compute Engine (VMs, you manage the OS) is the most controllable, then GKE (managed Kubernetes for containers), then Cloud Run (serverless containers), then Cloud Run functions (serverless functions) is the most managed. Moving toward the managed end hands more operational work (patching, scaling, capacity) to Google in exchange for less low-level control. The whole compute decision is just picking the right point on this line for a workload.

Default to the most managed option a workload allows

Start at the serverless end and step toward control only when a constraint forces it, because the less infrastructure you manage the less undifferentiated work your team carries. In practice that means try Cloud Run first, move to GKE when you genuinely need container orchestration or portability, and drop to Compute Engine VMs only for OS-level control or apps that can't be re-architected.

Trap Reaching for a VM or a Kubernetes cluster by habit when a managed serverless service would run the workload. That leaves your team operating servers Google would otherwise run.

Compute Engine is the choice for OS-level control and legacy apps

Compute Engine gives virtual machines with operating-system-level control and custom machine types, so pick it when a workload needs a specific OS, custom or specialized hardware, GPUs with full control, or is a monolithic/legacy app like a packaged relational database or ERP. Unlike the serverless options it does not scale to zero: a running VM keeps billing until stopped. It is also the standard landing place for a rehosted (lift-and-shift) app because a VM most resembles the server the app already ran on.

Trap Assuming a serverless service can satisfy a hard OS-level or custom-hardware requirement. Those layers are deliberately hidden by Cloud Run and Cloud Run functions.

7 questions test this
Spot VMs trade reclaim risk for a deep discount

Spot VMs are Compute Engine instances sold from Google's spare capacity at a steep discount (up to roughly 90% off on-demand), but Google can reclaim them at any time after a brief, best-effort shutdown notice. They fit fault-tolerant, interruption-tolerant work such as batch processing, rendering, or CI fleets, where a reclaimed instance simply reruns. Spot VMs are the current generation of what Google previously called preemptible VMs.

Trap Putting a steady, always-on production workload on Spot VMs. Reclaimable capacity is wrong for anything that must stay up; use on-demand or committed-use capacity instead.

3 questions test this
GKE is managed Kubernetes for container orchestration

Google Kubernetes Engine is a managed implementation of Kubernetes, the open-source container-orchestration system Google originally created, where orchestration means scheduling containers, restarting failed ones, and scaling them. Choose GKE when you run many containers needing orchestration, want microservices at scale, or need the same Kubernetes platform across multiple environments for portability. It does not scale to zero: its nodes keep running.

Trap Choosing GKE for a single stateless web service just to run a container. The orchestration and node management is overhead Cloud Run removes for that case.

GKE Autopilot manages the nodes for you; Standard leaves them to you

In GKE Autopilot mode (the recommended default) Google also manages the worker nodes and you pay only for the resources your running workloads request; in Standard mode you manage the node pools yourself when a workload needs that level of control. The split matters at decision level: Autopilot is less operational work, Standard trades that for finer control over the underlying machines.

Trap Assuming Standard mode is the normal way to run GKE. Autopilot is the recommended default and offloads node management to Google.

Cloud Run is the serverless default for HTTP services and APIs

Cloud Run is a fully managed platform that runs your container without you managing clusters or infrastructure, and it is the default for HTTP services, web apps, and REST/GraphQL/gRPC APIs. Its two defining behaviors are scaling to zero when idle and billing only for the CPU and memory used while serving requests. It can also handle event-driven and asynchronous workloads.

5 questions test this
Scale-to-zero means no cost while idle but watch cold starts

Cloud Run scales to zero: if no requests arrive, even the last instance is removed, so you pay nothing while idle. The flip side is that a request arriving against zero instances incurs a cold start, and a workload needing a persistent always-running background process is a poor fit for scale-to-zero. For those, a VM or a GKE workload that keeps running is the better match.

Trap Putting a workload that must keep a long-lived process always running on a scale-to-zero serverless service. It gets torn down when idle.

2 questions test this
Cloud Run functions runs event-driven snippets of code

Cloud Run functions (formerly named Cloud Functions) runs an individual piece of code in response to an event such as an HTTP request, a file landing in storage, or a published message, the most abstracted compute rung, where you supply only the function body. Reach for it for small event-driven logic, not whole applications, which belong on Cloud Run, GKE, or a VM.

Trap Standing up a VM or a GKE cluster to host a single event-triggered snippet. That is far more infrastructure than the task needs.

1 question tests this
Containers package an app to run identically anywhere

A container bundles an application with its libraries and dependencies so it runs the same on a laptop, in a data center, or in any cloud, which is what makes container-based apps portable. This is the deployment unit GKE and Cloud Run both run, and it pairs with microservices: splitting one large application into small, independently deployable services usually shipped as separate containers.

4 questions test this
Autoscaling matches capacity to demand automatically

Autoscaling adds compute when load rises and removes it when load falls so you pay for what a workload actually uses instead of provisioning for peak. On Compute Engine this works through a managed instance group (identical VMs from one template) that the autoscaler grows or shrinks on signals like CPU utilization or load-balancing capacity; serverless products autoscale per request, including down to zero. This automatic elasticity is a core reason cloud compute costs less than a fixed on-premises fleet sized for the yearly peak.

4 questions test this
Load balancing spreads traffic across instances for availability

A load balancer distributes user traffic across multiple instances of an application so no single instance is overwhelmed, which raises availability and lets the app absorb spikes. It works hand in hand with autoscaling: the load balancer spreads requests across the current instances while autoscaling changes how many instances exist to keep up with that traffic.

1 question tests this
Rehost (lift and shift) onto a VM for apps you can't re-architect

Rehosting moves a workload to the cloud with little or no modification, and it is the right path when an app is legacy or specialized, when there is no business case to change it, or when you simply cannot refactor it. The natural target is a Compute Engine VM, because it most resembles the on-premises server the app already ran on, letting the app operate as-is while still gaining cloud elasticity and reliability.

Trap Choosing rehost-to-VM when the business actually wants the app modernized. That is a replatform or refactor decision, not lift and shift.

7 questions test this
Cloud compute replaces buying for peak with paying for use

On-premises you buy hardware for the yearly peak and pay for it even when idle; cloud compute instead scales capacity up and down with demand and bills accordingly, turning a large fixed capital cost into a variable operating cost. That elasticity, delivered by autoscaling and the pay-per-use serverless model, is the central business value of cloud compute the exam expects you to articulate.

2 questions test this

Serverless Computing

Read full chapter
  • Serverless means you ship code and Google runs the servers
  • The three serverless properties: no infrastructure, scale-to-zero, pay-for-use
  • Choose the serverless product by the unit you deploy
  • Cloud Functions runs a single-purpose function triggered by an event
  • Cloud Run runs any container, serverlessly
  • App Engine is platform-as-a-service for whole applications
  • App Engine Standard scales to zero; Flexible keeps a minimum instance
  • Cloud Run's container unit means any language or framework
  • Serverless is the wrong fit when you need control of the machine
  • Serverless compute runs application logic, not databases
  • Cloud Functions is event-driven glue between services
  • Cloud Run is the default for web apps, APIs, and microservices
  • Serverless makes teams ship faster and pay only for use
  • Cloud Build is the serverless CI/CD that builds container images with no infrastructure to manage

Unlock with Premium — includes all practice exams and the complete study guide.

Containers

Read full chapter
  • A container packages an app with its dependencies so it runs the same anywhere
  • Containers virtualize the OS; VMs virtualize the hardware
  • Containers are lighter than VMs because they ship no guest OS
  • Containers still isolate applications, just at the OS layer
  • Portability is the container benefit that drives modernization
  • Containerize to modernize a legacy app instead of rewriting it
  • Containers are the natural unit for microservices
  • GKE is Google's managed Kubernetes for orchestrating containers
  • GKE Autopilot manages the nodes; Standard leaves them to you
  • Cloud Run runs a container with no cluster or infrastructure to manage
  • Cloud Run scales to zero and bills only for use
  • Choose GKE vs. Cloud Run by operational control vs. burden
  • If an app can't be containerized, rehost it on a VM

Unlock with Premium — includes all practice exams and the complete study guide.

API Management

Read full chapter
  • An API is software that lets two applications talk to each other
  • An API is the interface, not the data or compute behind it
  • Exposing data and services as APIs opens new business channels
  • API monetization charges developers directly for using your API
  • Apigee is Google Cloud's API management platform
  • API management runs APIs across their whole life cycle
  • Apigee secures APIs and controls their traffic with rate limits and quotas
  • Apigee gives analytics and a developer portal to run an API program
  • Apigee fronts a backend with an API proxy, leaving the service unchanged
  • API management is not where the application runs

Unlock with Premium — includes all practice exams and the complete study guide.

Hybrid & Multicloud

Read full chapter
  • Hybrid cloud combines a private environment with a public cloud
  • Multicloud means using two or more public cloud providers
  • The hybrid-vs-multicloud test is whether a private environment is involved
  • Choose hybrid to keep regulated data on-premises while using the cloud
  • Hybrid lets you migrate to the cloud gradually
  • Hybrid keeps latency-sensitive compute close to users
  • Choose multicloud to avoid vendor lock-in and pick best-of-breed services
  • Multicloud adds resilience against a single provider's outage
  • GKE Enterprise is the new name for Anthos
  • GKE Enterprise is the single control plane for hybrid and multicloud clusters
  • The fleet is how GKE Enterprise groups clusters to manage them together
  • Don't use GKE Enterprise for a single cluster on one platform

Unlock with Premium — includes all practice exams and the complete study guide.

Trust & Security

Cloud Security Concepts

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Map every security goal to the CIA triad

The CIA triad names the three goals all security serves: confidentiality (only authorized parties can read data), integrity (data is accurate and untampered), and availability (data and services are reachable when needed). On the exam, classifying an incident by the property it violated is usually the answer: leaked data is confidentiality, altered records are integrity, an outage is availability.

Confidentiality is about disclosure, not change or uptime

Confidentiality fails when data is disclosed to someone unauthorized: a leaked customer list, a misdirected email, a stolen laptop. It is protected by encryption, access management, and authentication. Keep it distinct from integrity (which is about unauthorized change) so you pick the right CIA property when a scenario describes exposed data.

Trap Calling a silent data alteration a confidentiality breach: changing data without disclosing it is an integrity failure, not confidentiality.

Integrity is about unauthorized change, detected by signatures and logs

Integrity means data and systems are accurate and have not been altered by anyone unauthorized; the failure mode is tampering, such as a payment amount silently changed or a record deleted. It is protected by checksums, digital signatures, and audit logs that reveal whether something was modified. Read the scenario for whether data was changed (integrity) versus merely seen (confidentiality).

Availability is about access when needed, the target of DDoS and ransomware

Availability means authorized users can reach the data and services when they need them; the failure mode is denial, whether from a DDoS flood, a hardware failure with no backup, or a ransomware lockout. It is protected by redundancy, backups, and DDoS defense. An attack that knocks a site offline during a sale is an availability incident, even if no data was stolen.

3 questions test this
One incident can break more than one CIA property

The CIA properties are not mutually exclusive: ransomware that both exfiltrates and encrypts data breaks confidentiality and availability at once. When classifying an incident, read what actually happened to the data rather than assuming exactly one property applies.

The most common attack vector is a person, not a firewall gap

Phishing and social engineering (tricking someone into revealing credentials or clicking a malicious link by impersonating a trusted party) are the single most common entry point, because they target human judgment rather than a technical weakness. The leadership consequence is that security awareness and least-privilege access matter as much as technical controls, since buying more perimeter hardware does not address the human vector.

Trap Treating phishing as a purely technical problem solved by firewalls: it exploits human judgment, so awareness training and least privilege are the real mitigations.

1 question tests this
Know the common threats: phishing, malware/ransomware, insiders, DDoS

The threats the exam expects you to recognize are phishing/social engineering, malware and ransomware (which steal or encrypt data for payment), insider threats (misuse of legitimate access, malicious or accidental), and DDoS (flooding a service so users can't reach it). Each maps back to the CIA triad: ransomware hits confidentiality and availability, DDoS hits availability, an insider can hit any of the three.

Frame a breach by its business impact, not just the technical event

A Cloud Digital Leader describes security risk in business terms: financial loss (theft, fraud, ransom, recovery cost), regulatory penalties (fines for violating GDPR, HIPAA, and similar), operational downtime (lost productivity and sales), and reputational damage (eroded customer trust and churn). The reputational and trust damage is frequently the costliest and longest-lasting consequence, often outweighing the immediate financial hit.

Trap Assuming the direct financial loss is always the biggest cost: reputational and customer-trust damage often outlasts and outweighs it.

1 question tests this
Security in the cloud is a shared responsibility

The shared responsibility model splits security tasks between provider and customer: Google secures the infrastructure (data centers, hardware, the global network) while the customer secures what they run on it (their data, access, and configuration). It does not make security less important: it changes who is responsible for which part. On-premises, by contrast, the organization owns the entire stack and every control.

Trap Reading shared responsibility as outsourcing all security to the provider: the customer is always responsible for their own data, access, and configuration.

7 questions test this
The responsibility line moves toward the provider from IaaS to PaaS to SaaS

Where the shared-responsibility dividing line sits depends on the service model: in IaaS the bulk of security tasks are the customer's, and the provider's share grows through PaaS until, in SaaS, the provider owns most of it and the customer mainly secures their access and the data they choose to store. The customer is responsible for their data and access in every model: only the rest of the line shifts.

2 questions test this
Shared fate goes beyond shared responsibility to active partnership

Google frames shared fate as an ongoing partnership to improve security: rather than handing the customer a checklist of their responsibilities and stepping back, Google provides secure defaults, vetted blueprints, and guidance so the customer's side of the line is easier to get right. It is the cooperative complement to the shared responsibility model, which only divides the tasks.

1 question tests this
Cloud can be more secure than on-prem because controls are on by default

Moving to the cloud is not inherently riskier; a hyperscale provider affords controls most organizations cannot and enables many by default. Google encrypts all customer data at rest automatically with AES-256 and no action required, encrypts data in transit, and runs zero trust, whereas on-premises those protections are something the organization must design, fund, and enable itself.

Trap Assuming on-premises is automatically safer because the data is physically in-house: providers turn on encryption and zero trust by default that most on-prem estates lack.

Most cloud incidents come from customer misconfiguration, not provider breach

Secure-by-default does not make the cloud automatically safe, because the customer still owns their side of the shared-responsibility line. The majority of real-world cloud security incidents trace to customer misconfiguration (an over-permissive access rule, a publicly exposed storage bucket) rather than a breach of the provider's infrastructure. The cloud raises the security floor, but the customer still has to configure their part correctly.

Zero trust means never trust, always verify: no implied network trust

Zero trust grants access based on continuous verification of identity and context rather than trusting a device just because it sits inside the network perimeter. It is the structural answer to insider and phishing threats, which defeat perimeter-based trust by operating from inside or with stolen credentials. Every access is authenticated and authorized regardless of where it originates.

Trap Believing a trusted internal network removes the need to verify internal traffic: zero trust verifies every access precisely because insiders and stolen credentials bypass the perimeter.

A control reduces risk; compliance proves the controls exist

A security control is a safeguard that reduces risk; compliance is demonstrating to an outside party (regulator, auditor, customer) that the required controls are in place and working against a standard. Controls are what you do to be secure; compliance is how you prove it. The two are distinct: a system can have strong controls before it is certified, and certification alone does not guarantee real-world security.

Trap Treating passing an audit as proof the system is actually secure: compliance shows controls exist on paper but is evidence, not a substitute for the controls working.

1 question tests this
Controls come in three families: technical, administrative, physical

Security controls fall into three categories the exam may ask you to recognize: technical (or logical) controls enforced by technology such as encryption, access management, and logging; administrative controls that are policy and process such as training and access-review procedures; and physical controls that protect the premises such as badge access and cameras. A complete security posture uses all three, not just technical tools.

In the cloud you inherit the provider's audited compliance for its layer

Because Google's infrastructure is independently audited and certified against standards like ISO 27001, SOC 2, GDPR, and HIPAA, the customer inherits that coverage for the provider's layer and only has to demonstrate compliance for their own layer. This narrows the scope and cost of an audit compared with proving every certification yourself on-premises: a concrete business benefit of the cloud.

2 questions test this
Authentication proves who you are; authorization decides what you can do

Authentication verifies identity (proving who a user or system is) while authorization determines what that authenticated identity is permitted to do. They run in that order: you authenticate first, then the system authorizes specific actions. Confusing the two is a common error, so anchor on who (authentication) versus what (authorization).

Trap Using authentication and authorization interchangeably: verifying identity is separate from granting permissions, and a valid login still needs authorization for each action.

4 questions test this
Least privilege grants only the minimum access a task needs

Least privilege means granting an identity only the access required to do its job and nothing more, which limits the blast radius if an account is compromised or misused. It is a core defense against both insider threats and stolen-credential attacks, since a tightly scoped account can do far less damage than an over-permissive one.

6 questions test this
Encryption protects confidentiality at rest and in transit

Encryption encodes data so only a party holding the key can read it, protecting confidentiality both at rest (stored data) and in transit (data crossing a network). In Google Cloud both are provided by default, so even a stolen disk or intercepted packet yields unreadable data without the key, which is why encryption is a primary confidentiality control.

3 questions test this

Trusted Infrastructure

Read full chapter
  • Google designs its own infrastructure, so security is built in at every layer
  • Titan is Google's custom security chip and hardware root of trust
  • Data has three states (at rest, in transit, and in use) and a full security story covers all three
  • Data at rest is encrypted by default with AES-256, no customer action required
  • Data in transit is encrypted by default across Google's network
  • Confidential VMs encrypt data in use, and you opt into them
  • Authentication, authorization, and auditing are three distinct controls, never interchangeable
  • 2-Step Verification adds a second factor so a stolen password isn't enough
  • IAM grants roles to principals on resources: it controls what you may do
  • Cloud Audit Logs record who did what, where, and when
  • Cloud Armor defends availability at the network edge with DDoS and WAF protection
  • A DDoS attack threatens availability by flooding a service
  • Google Security Operations (formerly Chronicle) runs detection and response in the cloud
  • Defense in depth means no single safeguard is a single point of failure
  • Cloud Armor protects an external load balancer with security policies: IP/geo filtering, rate limiting, bot management, and Adaptive Protection
  • Cloud KMS lets you own and control the keys; Cloud HSM and External Key Manager extend where they live
  • Google's data centers control physical access and securely destroy retired drives

Unlock with Premium — includes all practice exams and the complete study guide.

Trust Principles & Compliance

Read full chapter
  • You own your Customer Data; Google is the processor
  • Google does not use Customer Data for advertising or sell it
  • Access Transparency logs Google's access to your data; Cloud Audit Logs logs yours
  • Access Transparency entries record the reason for each access
  • Google publishes a public Transparency Report on government data requests
  • Google's compliance is verified by independent third-party audits
  • Get audit reports and certificates from the Compliance Reports Manager
  • Google's certifications give a compliant foundation, not blanket workload compliance
  • Data residency is about where data is stored at rest
  • Data sovereignty is about who can access data, not where it lives
  • Residency does not give you sovereignty
  • Operational sovereignty assures the provider can't compromise your workload
  • Assured Workloads bundles residency, access, and personnel controls for a regulation
  • Trust principles are the data view of the shared responsibility model
  • The Compliance Resource Center is the hub for exploring Google's certifications by industry and region

Unlock with Premium — includes all practice exams and the complete study guide.

Cloud Operations & Scaling

Financial Governance

Read full chapter

Cheat sheet

Sharp facts the exam loves — scan these before test day.

Financial governance keeps cloud spend predictable and controlled

Cloud financial governance is the discipline of keeping pay-as-you-go spending predictable and accountable, not just cheaper. It matters because anyone can launch billable resources without a purchase order, so cost can grow unnoticed. Google frames good governance as a repeating loop of visibility (see the spend), control (cap and alert on it), and optimization (remove waste), and the exam rewards answers that improve process and accountability over answers that just buy less.

3 questions test this
TCO is the full cost of a workload, not just the hardware price

Total cost of ownership (TCO) is the complete cost of running a workload, including power, cooling, data-center space, staff, and hardware refresh, not only the sticker price of equipment. Cloud typically lowers TCO by folding those hidden on-premises costs into one usage-based bill and removing the over-provisioning needed to cover peak demand. "Reduce TCO" is the right answer when a scenario complains about idle or over-bought hardware.

The resource hierarchy goes organization, folders, projects, resources

Google Cloud organizes everything into four levels: an organization at the root (the company), optional folders that group by department or environment, projects that hold workloads, and the resources (VMs, buckets, databases) inside each project. Every resource except the organization has exactly one parent, forming a single tree. This structure is the backbone of governance because both access control and cost reporting roll up along it.

4 questions test this
IAM policies are inherited downward through the hierarchy

Identity and Access Management (IAM) policies set high in the resource hierarchy are inherited by everything beneath them, so a role granted on a folder applies to every project and resource inside it. This lets you grant access once at the right level instead of repeating it resource by resource, which is how least-privilege is enforced at scale. Set policy as high as is appropriate, and it cascades down automatically.

Trap Assuming a permission granted on one project also covers a sibling project: inheritance flows downward from a shared parent, not sideways between projects.

4 questions test this
Use the hierarchy to attribute and report cost per team

Because billing rolls up the same organization-folders-projects tree used for access, the resource hierarchy is also how you answer "which team or environment spent what." Designing folders to mirror how the business is organized lets you budget and report spending per department or per environment. The same structure that controls who can do what also attributes the cost of what they do.

2 questions test this
Quotas are hard limits that block excess usage

Resource quotas cap how much of a resource a project can consume, such as API calls per minute or CPUs in a region. When a request would exceed a quota, the system blocks it and the operation fails, which protects both the shared platform and your own bill from runaway consumption. Quotas are the control to reach for when the goal is to actually prevent excess usage rather than merely be warned about it.

Trap Reaching for a budget when the requirement is to physically stop usage: budgets only notify; a quota is what enforces a hard cap.

15 questions test this
Budgets alert on spending but never cap it

A Cloud Billing budget tracks spending against a planned amount and sends notifications as threshold rules are crossed, but setting a budget does not automatically cap or stop usage or billing. It is a smoke detector, not a circuit breaker: it tells people spending is climbing so they can act. To turn an alert into an actual stop, route it to automation (for example via Pub/Sub) that takes action; the budget alone will not.

Trap Assuming a budget will halt spending once exceeded: it only fires notifications; usage and billing continue unless something else acts.

18 questions test this
Budget threshold rules default to 50%, 90%, and 100%

Budget threshold rules define the points at which alerts fire, and a new budget defaults to notifying at 50%, 90%, and 100% of the planned amount. Thresholds can be evaluated against actual cost already accrued or against forecasted cost projected to the end of the billing period. Notifications go to Billing Account Administrators and Users by default and can be widened to other channels.

12 questions test this
Quota vs budget: one enforces, the other warns

Quotas and budgets are easy to confuse because both relate to limits, but they act oppositely. A quota is a hard limit that blocks the request and fails the operation when exceeded, so it can prevent spend. A budget is notification-only: it alerts at thresholds but lets usage and billing continue. Match the verb in a question: "prevent/cap usage" points to a quota, "notify/alert when approaching" points to a budget.

Trap Treating quota and budget as interchangeable cost controls: only the quota stops usage; the budget merely sends alerts.

8 questions test this
Cloud Billing Reports visualize and break down spend

Cloud Billing Reports is the built-in tool for viewing and analyzing Google Cloud cost and cost trends. It breaks spending down by project, service, SKU, location, label, and time period, and shows forecasted alongside actual cost, answering questions like which project cost the most last month. It supplies the visibility half of governance, which budgets and the hierarchy then act on.

24 questions test this
Sustained-use discounts apply automatically with no commitment

Sustained-use discounts lower the rate automatically the longer an eligible resource runs within a billing month, with no commitment and no action required from you. They are the right optimization lever when you run resources often but cannot promise a fixed term. Because they are automatic, the correct answer to "we want a lower rate but cannot commit" is sustained-use (or plain pay-as-you-go), not a contract.

Trap Assuming you must sign up or configure something to get sustained-use discounts: they are applied automatically based on usage.

Committed-use discounts trade a 1- or 3-year commitment for a lower rate

Committed-use discounts give a reduced price in exchange for committing to a one- or three-year term of usage, and they typically beat sustained-use discounts for spend you can predict. They fit steady, always-on workloads you are confident will keep running. The decision contrast: pick committed-use when usage is predictable and long-running, and sustained-use or pay-as-you-go when it is not.

Trap Choosing committed-use discounts for spiky or short-lived workloads: the multi-year commitment is wasted if the usage does not actually persist.

A Cloud Billing account defines who pays for a set of Google Cloud resources. One billing account can be linked to multiple projects, but each project is linked to exactly one billing account at a time. Organizations may use multiple billing accounts when they must split charges for legal or accounting reasons.

Trap A project links to only ONE billing account at a time, not several

5 questions test this
Labels tag resources so you can break down spend by team or cost center

Labels are key-value pairs attached to resources (such as team:engineering or a cost-center identifier). Label information is forwarded to the billing system, letting you categorize and report spend by department, environment, or application without creating separate billing accounts or restructuring the project hierarchy.

Trap Labels enable internal chargeback reporting; you do NOT need a separate billing account per team

5 questions test this
Recommender uses machine learning to flag idle and over-provisioned resources

Recommender (part of Active Assist) analyzes usage data with machine learning to identify waste such as idle VMs and over-provisioned resources, then generates cost-saving recommendations to stop, delete, or right-size them.

Trap Recommender is the proactive ML cost-optimizer; Billing Reports only show what you already spent

4 questions test this

Operational Excellence & Reliability

Read full chapter
  • Reliability is consistent intended service; resilience is what survives failure
  • Build for failure with redundancy, fault tolerance, and graceful degradation
  • HA keeps you running through routine failures; DR recovers you from a disaster
  • RTO is tolerable downtime; RPO is tolerable data loss
  • An SLI is the measurement of one aspect of service
  • An SLO is the target you set for an SLI
  • An SLA is an SLO with a contractual consequence
  • SLI measures, SLO targets, SLA contracts: in that chain
  • An error budget makes less-than-100% reliability the deliberate goal
  • Toil is manual, repetitive, automatable operational work that scales with the service
  • SRE is Google's specific implementation of the broader DevOps philosophy
  • Customer Care has four tiers; Basic is free with every account
  • Standard is business-hours support; Enhanced and Premium are 24/7
  • Premium gives the fastest P1 response and a dedicated TAM
  • Case priority P1 to P4 reflects business impact, not personal urgency
  • Modernizing operations means automation and observability replace manual toil
  • Serverless platforms auto-scale and can scale to zero when idle
  • Error Reporting automatically groups errors by root cause across services

Unlock with Premium — includes all practice exams and the complete study guide.

Sustainability

Read full chapter
  • Google has been carbon neutral since 2007
  • Google matched 100% of its energy use with renewable energy in 2017
  • Google's goal is 24/7 carbon-free energy by 2030
  • Carbon neutral is not the same as zero emissions
  • Carbon Footprint measures the emissions of your Google Cloud usage
  • Carbon Footprint reports Scope 1, 2, and 3 emissions at no extra charge
  • Export Carbon Footprint data to BigQuery for custom reporting
  • A region's carbon-free energy percentage (CFE%) shows how clean it is
  • Pick a higher-CFE% region for latency-tolerant workloads to cut carbon
  • Active Assist estimates carbon saved by reclaiming idle projects
  • Moving off inefficient on-prem hardware can support a sustainability goal
  • BigQuery is a serverless data warehouse for SQL analytics over large datasets
  • Google Cloud Region Picker balances carbon footprint, price, and latency
  • Reducing idle resources lowers both cost and carbon together

Unlock with Premium — includes all practice exams and the complete study guide.