Google Cloud ACE Sample Questions with Explanations

These original sample questions are designed to help you check how the exam topics appear in decision-style prompts. They are not taken from the live exam.

Use these sample questions as a guided self-assessment for Google Cloud Associate Cloud Engineer (ACE) topics such as projects, IAM, service accounts, Compute Engine, Cloud Run, GKE, storage, VPC networking, logging, monitoring, backups, deployment, and operations. The prompts emphasize control-boundary decisions rather than isolated product definitions.

Work through each prompt before opening the explanation. ACE questions usually reward the answer that identifies the real scope first: project, IAM member, service account, subnet, route, runtime, or operational signal.


Question 1

Topic: Project and billing boundary

A new product team needs its own quota visibility, billing accountability, API enablement, and IAM boundary. The company still wants the team grouped under the same organization for governance. What should the cloud engineer create first?

  • A. A new VM inside an existing shared project and a spreadsheet to track costs.
  • B. A separate Google Cloud project under the appropriate folder, linked to the correct billing account.
  • C. A new service account only, because service accounts replace project boundaries.
  • D. A new firewall rule at the organization level for every future workload.

Best answer: B

Explanation: ACE setup questions often begin with scope. A project is the normal boundary for API enablement, billing attribution, quota visibility, and many IAM decisions.

Why the other choices are weaker:

  • A hides the team inside an existing boundary and weakens accountability.
  • C creates an identity, not a full resource, billing, and API boundary.
  • D starts with networking before the resource scope exists.

What this tests: Resource hierarchy, projects, folders, billing accounts, API enablement, and IAM scope.

Related topics: Projects; Billing; Resource hierarchy; IAM scope


Question 2

Topic: Secretless workload access

A Cloud Run service needs to read objects from a Cloud Storage bucket. The team wants to avoid embedding keys in the container image or environment variables. What should the engineer configure?

  • A. Download a service account key into the container image during build.
  • B. Grant all users project Owner so the application never has permission errors.
  • C. Assign the Cloud Run service a service account with the minimum required bucket permission.
  • D. Make the bucket public and rely on an obscure object name.

Best answer: C

Explanation: Google Cloud workloads should use attached service accounts and IAM permissions where possible. This keeps credentials out of code and aligns access to the workload identity.

Why the other choices are weaker:

  • A creates a long-lived key management and leakage risk.
  • B violates least privilege and grants broad administrative access.
  • D exposes data instead of solving workload identity.

What this tests: Service accounts, Cloud Run identity, Cloud Storage IAM, key avoidance, and least privilege.

Related topics: Service accounts; Cloud Run; Cloud Storage; Least privilege
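Added example (not part of the original question set): a small check over IAM policies in the `bindings` shape that `get-iam-policy` returns. It flags the patterns behind choices B and D and confirms the grant choice C describes. The service account, users, and policies are constructed placeholders, and the list of roles treated as broad is an assumption made for this sketch.

```python
# Constructed sample data; every name here is a placeholder for illustration.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
BROAD_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin"}  # assumed list
READ_ROLE = "roles/storage.objectViewer"

RUNTIME_SA = "reports-run@example-project.iam.gserviceaccount.com"

# Choice C: only the Cloud Run runtime service account can read objects.
GOOD_BUCKET = {"bindings": [
    {"role": READ_ROLE, "members": [f"serviceAccount:{RUNTIME_SA}"]},
]}
# Choice D: the bucket is readable by anyone on the internet.
PUBLIC_BUCKET = {"bindings": [
    {"role": READ_ROLE, "members": ["allUsers"]},
]}
# Choice B: project-level Owner handed to people to silence permission errors.
OWNER_PROJECT = {"bindings": [
    {"role": "roles/owner",
     "members": ["user:dev1@example.com", "user:dev2@example.com"]},
]}


def audit_policy(policy, runtime_sa=None):
    """Return findings for one IAM policy dict.

    If runtime_sa is given, also report when that service account does not
    hold the read-only object role on the audited resource.
    """
    findings = []
    sa_member = f"serviceAccount:{runtime_sa}" if runtime_sa else None
    sa_roles = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(f"PUBLIC {role} -> {member}")
            elif role in BROAD_ROLES:
                findings.append(f"BROAD {role} -> {member}")
            if member == sa_member:
                sa_roles.add(role)
    if sa_member and READ_ROLE not in sa_roles:
        findings.append(f"MISSING {READ_ROLE} -> {sa_member}")
    return findings


if __name__ == "__main__":
    for name, pol, sa in [("good bucket", GOOD_BUCKET, RUNTIME_SA),
                          ("public bucket", PUBLIC_BUCKET, RUNTIME_SA),
                          ("owner project", OWNER_PROJECT, None)]:
        print(name, audit_policy(pol, sa) or "no findings")
```

Choice A (a downloaded service account key) does not appear in an IAM policy, so it is outside what this check can see.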


Question 3

Topic: Private VM outbound access

Several Compute Engine VMs in a private subnet need outbound access to download updates. They must not receive public IP addresses. Which network service best satisfies the requirement?

  • A. External IP addresses on every VM, because updates require inbound public access.
  • B. A firewall rule that allows all inbound internet traffic to the private subnet.
  • C. Cloud CDN, because it accelerates package downloads for private VMs.
  • D. Cloud NAT configured for the subnet or region path used by the private VMs.

Best answer: D

Explanation: Cloud NAT gives private VMs outbound internet access without assigning public IP addresses to the instances.

Why the other choices are weaker:

  • A violates the no-public-IP requirement.
  • B opens inbound exposure and does not create the intended outbound NAT path.
  • C is a content delivery service, not the private subnet egress control.

What this tests: Cloud NAT, private subnets, outbound access, public IP avoidance, and VPC routing.

Related topics: Cloud NAT; VPC; Compute Engine; Networking


Question 4

Topic: Choosing the operations signal

A web application deployed on Google Cloud is returning intermittent errors. The operations team needs request-level error messages, structured application events, and supporting context before changing infrastructure. Where should they look first?

  • A. The billing export, because most intermittent errors are cost anomalies.
  • B. The domain registration record, because application errors usually come from expired domains.
  • C. Cloud Logging entries for the application and related resources, then correlate with metrics if needed.
  • D. A new production deployment, because redeploying before inspecting logs is fastest.

Best answer: C

Explanation: ACE operations questions reward evidence-first troubleshooting. Cloud Logging is the natural place for application events, errors, and context before remediation.

Why the other choices are weaker:

  • A may help cost analysis but does not provide request-level error evidence.
  • B is unrelated unless the symptom points to DNS or domain failure.
  • D changes production before understanding the failure mode.

What this tests: Cloud Logging, Cloud Monitoring, troubleshooting sequence, and evidence-based operations.

Related topics: Cloud Logging; Monitoring; Operations; Troubleshooting

Independent study note

Tech Exam Lexicon and IT Mastery are independent study tools. They are not affiliated with, endorsed by, or sponsored by Google Cloud or any certification body.

Revised on Sunday, May 10, 2026