Diagnostic Questions: Designing for Security and Compliance. From "Preparing for your Professional Cloud Architect Journey" (Preparing for Google Cloud Certification: Cloud Architect Professional Certificate). Answers 2025.

▶ Q1
Which IAM resource hierarchy is recommended?
🟩 Use multiple projects with established trust boundaries, and change the resource hierarchy to reflect the company organization.
❌ Keep all resources in one project
❌ Keep all resources in one project but change the hierarchy
❌ Flat hierarchy with multiple projects
Explanation:
Google best practice =
✔ Multiple projects
✔ Clear trust boundaries
✔ Organization → Folders → Projects, matching the company structure

▶ Q2
IAM setup for multiple separated components?
🟩 Use separate service accounts for each component, with predefined/custom roles.
❌ Basic roles
❌ One service account per component
❌ Basic roles with a single service account
Explanation:
Predefined/custom roles = least privilege.
Each component = its own dedicated service account.

▶ Q3
Which is a correct user story?
🟩 As a shoe retailer, Michael wants to send Cymbal Direct custom purchase orders so that batches of custom shoes are sent to his customers.
❌ Persona description
❌ Needs description
❌ Company bio
Explanation:
User story = As a <role> … I want … so that <benefit>.

▶ Q4
How do you allow a VM to access Google Cloud services safely?
🟩 Create a service account with predefined/custom roles for the needed services.
❌ Project Owner
❌ Multiple service accounts per service
❌ Access scopes
Explanation:
Use one VM service account with least-privilege roles.

▶ Q5
Best IAM setup for scalable access control?
🟩 Grant predefined roles to groups, with access granted as low in the hierarchy as possible.
❌ Custom roles only
❌ Direct assignment to individual users
❌ Granting at a higher level and relying on inheritance (incorrect)
Explanation:
Groups + predefined roles = scalable + secure.

▶ Q6
Block a brute-force attack from a single IP?
🟩 Use Cloud Armor with a default Allow rule and a Deny rule for the attacking IP, applied to the backend service.
❌ Default Deny → blocks everything
❌ Mixing local firewall rules with Cloud Armor
❌ Enabling Cloud Armor on the VM (Cloud Armor only works at the load balancer)

▶ Q7
Block public access to the VMs but still allow them to call Google APIs?
🟩 Remove external IPs, place the VMs in a private VPC behind Cloud NAT, and manage SSH via IAP or a bastion host.
❌ Firewall rules only
❌ Restricting external IPs while still using them
❌ Blocking all outbound traffic (breaks the API calls)

▶ Q8
Cloud Run function secured for employees only?
🟩 Use a Google Group + IAP + the “IAP-secured Web App User” role.
❌ Cloud Armor
❌ Project Owner
❌ VPN
Explanation:
IAP is the best solution for authenticating users to Cloud Run or other HTTPS services.

▶ Q9
Ensure developers use Cloud Run instead of the old manual SQL dump process?
🟩 Create a custom role with restricted abilities, removing cloudsql.instances.export.
❌ ACLs only
❌ Disabling the VPN
❌ A predefined role (its export permission cannot be removed)

▶ Q10
PCI-DSS continuous compliance?
🟩 Enable SCC Premium + Asset Discovery + Security Health Analytics → view PCI-DSS findings in the Compliance tab.
❌ Vulnerabilities tab
❌ Standard tier
❌ Standard tier + Vulnerabilities tab

🧾 Summary Table
| Q# | Correct Answer | Key Concept |
|---|---|---|
| 1 | Multi-project hierarchy | Best practice org design |
| 2 | Separate SAs + predefined roles | Least privilege |
| 3 | User story with role + goal + value | UX design |
| 4 | SA + predefined/custom roles | Secure VM access |
| 5 | Predefined roles to groups | Scalable IAM |
| 6 | Cloud Armor deny rule | Block attack IP |
| 7 | Private VPC + NAT + IAP | Private service access |
| 8 | IAP with Google Groups | Secure Cloud Run |
| 9 | Custom role removing export | Enforce workflow |
| 10 | SCC Premium + Compliance tab | PCI continuous compliance |