© 2026 CheatGrid™. All rights reserved.

ACE - Google Cloud Associate Cloud Engineer Cheat Sheet


The Google Cloud Associate Cloud Engineer (ACE) certification validates your ability to deploy, secure, monitor, and maintain applications, services, and infrastructure on Google Cloud. The exam runs 2 hours with 50 to 60 multiple choice and multiple select questions across four areas: setting up a cloud solution environment (20%), planning and implementing a solution (30%), ensuring successful operation (30%), and configuring access and security (20%). Google recommends 6+ months of hands-on experience, and the current exam guide leans heavily on AI-assisted tooling like Gemini Cloud Assist, Gemini CLI, and Active Assist alongside the core console and gcloud skills. Unlike an architecture exam, ACE grades whether you can perform day-to-day platform tasks correctly, so the right answer is usually the Google-recommended way to accomplish a concrete task, not the most elaborate design.

What This Cheat Sheet Covers

This topic spans 38 focused tables and 338 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

  • Table 1: Resource Hierarchy and Organization Policies
  • Table 2: Cloud Identity and Workforce Identity Federation
  • Table 3: Project Configuration, APIs, Quotas, and Region Availability
  • Table 4: Cloud Asset Inventory and Gemini Cloud Assist
  • Table 5: Billing Configuration, Budgets, and Exports
  • Table 6: Choosing Compute Platforms and GPUs vs TPUs
  • Table 7: Compute Engine Instances, Machine Types, and VM Management
  • Table 8: Compute Engine Storage: Persistent Disk and Hyperdisk
  • Table 9: Managed Instance Groups and Instance Templates
  • Table 10: GKE Cluster Deployment and kubectl
  • Table 11: Serverless and Event-Driven Compute (Cloud Run, Eventarc)
  • Table 12: Choosing Database and Data Products
  • Table 13: Storage Products and Cloud Storage Classes
  • Table 14: Loading Data and Multi-Region Redundancy
  • Table 15: VPC Networks, Subnets, and Peering
  • Table 16: Firewall Rules and Cloud NGFW Policies
  • Table 17: Network Connectivity, Load Balancers, and Service Tiers
  • Table 18: Infrastructure as Code Tooling (Terraform, Config Connector, Helm)
  • Table 19: AI-Assisted Planning and Implementation Tooling
  • Table 20: Managing Compute Engine: Connect, View, Snapshots and Images
  • Table 21: Managing GKE Clusters, Node Pools, and Artifact Registry
  • Table 22: Managing Kubernetes Workloads and Pod Autoscaling
  • Table 23: Managing Cloud Run: Deployments, Traffic Splitting, Autoscaling
  • Table 24: Managing AI/ML Compute, Agents, Notebooks, and Dev Environments
  • Table 25: Managing Cloud Storage Objects and Lifecycle
  • Table 26: Querying, Backing Up, and Managing Database Instances
  • Table 27: Data Cost Estimation and Customer-Managed Encryption Keys
  • Table 28: Managing IP Addresses, Subnet Ranges, and Static Routes
  • Table 29: Cloud DNS and Cloud NAT
  • Table 30: Cloud Monitoring: Alerts, Custom Metrics, Cloud Hub
  • Table 31: Cloud Logging: Routing, Buckets, Analytics, and Exports
  • Table 32: Audit Logs, VPC Flow Logs, and Firewall Logs
  • Table 33: Cloud Diagnostics and Service Health
  • Table 34: Ops Agent, Managed Prometheus, and Active Assist
  • Table 35: IAM Policies, Roles, and Inheritance
  • Table 36: Creating, Assigning, and Permissioning Service Accounts
  • Table 37: Service Account Impersonation and Short-Lived Credentials
  • Table 38: Workload Identity for GKE and Workload Identity Federation

Table 1: Resource Hierarchy and Organization Policies

ACE Exam Domain 1.1 (Setting up cloud projects and accounts): create a resource hierarchy of organization, folders, and projects; apply organization policies as guardrails across that hierarchy; and stand up a standalone organization. The hierarchy is the attachment point through which IAM roles and organization policies are inherited top-down.

| Concept | Example | Description |
|---|---|---|
| Resource Hierarchy | Organization → Folders → Projects → Resources (VMs, buckets) | Structured tree that organizes all Google Cloud resources. Every resource except the root has exactly ONE parent. It binds a resource's lifecycle to its parent (ownership) and is the attachment point for IAM and org policies (inheritance). • Not just for billing: it drives IAM inheritance and policy too. |
| Organization Resource | One root per company, e.g. organizations/34739118321 | Root node of the hierarchy, representing the company. IAM roles and org policies set here are inherited by every folder and project below. A project's lifecycle follows the org, not the employee who created it, so projects survive employee departure. |
| Folder Resource | First-level folders = departments; subfolders = teams or apps | Optional grouping layer between the organization and projects; requires an organization to exist. Provides isolation boundaries and lets you delegate admin rights per department. Folders can nest inside folders. A role granted on a folder applies to all projects within it. |
| Project Resource | projectId (chosen, unique) + projectNumber (auto, read-only) | The core organizing and billing unit; you need a project to use any service, enable APIs, or manage permissions. Identified by a mutable display name, a globally unique project ID, and an auto-generated project number. The creator gets the Owner role. |
| Policy Inheritance | Grant Network Admin at the org → team manages networks in every project | IAM roles AND organization policies flow DOWN the hierarchy. The effective policy at any node combines policies set directly on it with those inherited from ancestors. Grant high (org or folder) to avoid per-project setup; you cannot revoke an inherited role at a lower level. |
| Organization Policy Service | Restrict resource locations; disable service account key creation | Centralized, programmatic guardrails on HOW resources can be configured, set on an org, folder, or project and inherited by children. Each policy enforces exactly one constraint. Guardrails apply even to a project Owner, enforcing compliance regardless of IAM. |
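
The inheritance rules in Table 1, modeled as an added example (not part of the original cheat sheet and not Google's implementation): it computes the effective IAM bindings for a project, lists the grants that come from ancestors and so cannot be removed at project level, and shows an organization policy blocking a project Owner. The folder and project names, members and bindings are constructed, the organization ID is the table's own example, and the org policy lookup is a simplified "nearest node that sets the constraint decides" model for boolean constraints.

```python
ORG = "organizations/34739118321"  # example ID from the table above
# Constructed sample hierarchy (child -> parent); folder/project names are placeholders.
PARENT = {
    ORG: None,
    "folders/engineering": ORG,
    "projects/web-prod": "folders/engineering",
    "projects/sandbox": ORG,
}
# Constructed IAM bindings set directly on each node: node -> {(role, member)}.
IAM = {
    ORG: {("roles/compute.networkAdmin", "group:net-team@example.com")},
    "folders/engineering": {("roles/viewer", "group:eng@example.com")},
    "projects/web-prod": {("roles/owner", "user:alice@example.com")},
}
SA_KEY_CONSTRAINT = "constraints/iam.disableServiceAccountKeyCreation"
# Constructed boolean org policy constraints enforced at a node.
ORG_POLICY = {ORG: {SA_KEY_CONSTRAINT: True}}

def ancestry(node):
    """Return [node, parent, ..., organization]; each node has exactly one parent."""
    chain = []
    while node is not None:
        chain.append(node)
        node = PARENT[node]
    return chain

def effective_bindings(node):
    """Union of bindings on the node and every ancestor, tagged with the granting node."""
    return {(role, member, src)
            for src in ancestry(node)
            for role, member in IAM.get(src, set())}

def inherited_bindings(node):
    """Grants that cannot be removed at this node because they are set higher up."""
    return {b for b in effective_bindings(node) if b[2] != node}

def constraint_enforced(node, constraint):
    """Simplified model: the nearest node that sets the boolean constraint decides."""
    for src in ancestry(node):
        if constraint in ORG_POLICY.get(src, {}):
            return ORG_POLICY[src][constraint]
    return False

def can_create_sa_key(node, member):
    """Assumption: only roles/owner is treated as granting key creation here."""
    is_owner = any(r == "roles/owner" and m == member
                   for r, m, _ in effective_bindings(node))
    return is_owner and not constraint_enforced(node, SA_KEY_CONSTRAINT)
```

When reviewing access, `inherited_bindings("projects/web-prod")` is the set to check against the folder and organization, since narrowing those grants has to happen where they were made.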
