Oracle 1z0-1104-23 Oracle Cloud Infrastructure 2023 Security Professional Exam Practice Test

Page: 1 / 17
Total 167 questions

Oracle Cloud Infrastructure 2023 Security Professional Questions and Answers

Question 1

Pods running in your Oracle Container Engine for Kubernetes (OKE) cluster often need to communicate with other pods in the cluster or with services outside the cluster. As the OKE cluster administrator, you have been tasked with configuring permissions to restrict pod-to-pod communications except as explicitly allowed. Where can you define these permissions? (Choose the best Answer.)

Options:

A.

Security List

B.

Network Policies

C.

IAM Policies

D.

RBAC Roles

Question 2

Which Oracle Data Safe feature enables the internal test, development, and analytics teams to operate effectively while minimizing their exposure to sensitive data? (Choose the best Answer.)

Options:

A.

Data encryption

B.

Data Auditing

C.

Data masking

D.

Data discovery

E.

Security assessment

Question 3

Which component helps move logging data to other services, such as archiving log data in object storage?

Options:

A.

Agent Configuration

B.

Unified Monitoring Agent

C.

Service Connector Hub

D.

Service Log Category

Question 4

Which statement about Oracle Cloud Infrastructure Multi-Factor Authentication (MFA) is NOT valid?

Options:

A.

Users cannot disable MFA for themselves.

B.

A user can register only one device to use for MFA.

C.

Users must install a supported authenticator app on the mobile device they intend to register for MFA.

D.

An administrator can disable MFA for another user.

Question 5

You are responsible for managing a large number of compute instances running in Oracle Cloud Infrastructure. You need to ensure that all operating systems and software running on these instances are patched regularly to prevent security vulnerabilities. Which feature of Oracle Cloud Infrastructure would you use to accomplish this? (Choose the best Answer.)

Options:

A.

OCI Threat Intelligence Service

B.

OCI Security Advisor Service

C.

OCI OS Management Service

D.

OCI Vulnerability Scanning Service

Question 6

What are the two items required to create a rule for the Oracle Cloud Infrastructure (OCI) Events Service? (Choose two.)

Options:

A.

Management Agent Cloud Service

B.

Service Connector

C.

Rule Conditions

D.

Install key

E.

Actions

Question 7

Which volume type contains the image used to boot a compute instance?

Options:

A.

Init 6 volume

B.

Boot volume

C.

Startup volume

D.

Block volume

Question 8

Which Cloud Guard component identifies issues with resources or user actions and alerts you when an issue is found?

Options:

A.

Problems

B.

Targets

C.

Detectors

D.

Responders

Question 9

Your company has hired a consulting firm to audit your Oracle Cloud Infrastructure activity and configuration. You have created a set of users who will be performing the audit, and you assigned these users to the orgauditgrp group. The auditors require the ability to see the configuration of all resources within the tenancy, and you have agreed to exempt the dev compartment from the audit.

Which IAM policy should be created to grant the orgauditgrp group the ability to look at the configuration of all resources except those inside the dev compartment?

Options:

A.

allow group orgauditgrp to read all-resources in tenancy where target.compartment.name !=dev

B.

allow group orgauditgrp to read all-resources in compartment !=dev

C.

allow group orgauditgrp to inspect all-resources in tenancy where target compartment.name !=dev

D.

allow group orgauditgrp to inspect all-resources in compartment !=dev

Question 10

Which type of file system does file storage use?

Options:

A.

NFSv3

B.

iSCSI

C.

Paravirtualized

D.

NVMe

E.

SSD

Question 11

You have subscribed to a tenancy, in which you want to isolate the OCI resources from different users logically for governance. Which OCI resource will help you achieve logical separation? (Choose the best Answer.)

Options:

A.

Compartment

B.

Dynamic Group

C.

Fault Domain

D.

Availability Domain

Question 12

Logical isolation for resources is provided by which OCI feature?

Options:

A.

Tenancy

B.

Availability Zone

C.

Region

D.

Compartments

Question 13

Your company will transfer a fleet of 12 servers from on-premises to Oracle Cloud Infrastructure (OCI). The fleet will include two web servers. All 12 servers will be in the same subnet and share the exact same security permissions, with the only exception being the two web servers. In addition to the same permissions as the other 10 servers, they will have ports 80 and 443 enabled. The security policy must be hardened to ensure that only those two servers have those ports open. What should your configuration actions be for this scenario? (Choose the best Answer.)

Options:

A.

Configure a Network Security Group that includes all necessary permissions for all 12 servers. Then configure the Security List that grants access to ports 80 and 443. Assign the Security List to the VNICs of the web servers.

B.

Configure a Security List that includes all necessary permissions for all 12 servers. Then configure a Network Security Group that grants access to ports 80 and 443. Assign the Network Security Group to the VNICs of the two web servers.

C.

Configure an OCI Load Balancer that has the two web servers as the backend servers with a health check policy that constantly monitors port 80 and port 443.

D.

In the OCI Web Application Firewall, configure a traffic steering policy that grants access to ports 80 and 443 to the two web servers.

Question 14

You need to set up instance principals so that an application running on an Oracle Cloud Infrastructure (OCI) instance can call public OCI services, without the need to configure user credentials. A developer in your team has already configured the application to authenticate using the instance principals provider. Which is NOT a necessary step to complete this set up? (Choose the best Answer.)

Options:

A.

Create a dynamic group with matching rules to specify which instances you want to allow to make API calls against services.

B.

Generate Auth Tokens to enable instances in the dynamic group to authenticate with APIs.

C.

Create a policy granting permissions to the dynamic group to access services in your compartment or tenancy

D.

Deploy the application to all the instances that belong to the dynamic group

Question 15

A company has an OCI tenancy that has a mount target associated with two File Systems, CG_1 and CG_2. These File Systems are accessed by IP-based clients AB_1 and AB_2 respectively. As a security administrator, how can you provide access to both clients such that CG_1 has Read only access on AB_1 and CG_2 has Read/Write access on AB_2?

OR

In your Oracle Cloud Infrastructure (OCI) tenancy, you have a mount target that is associated with two file systems, FS_A and FS_B. These file systems are being accessed by two IP-based clients, CT_A and CT_B respectively. You need to provide access to both clients, such that CT_A has Read and Write access on FS_A and CT_B has Read Only access on FS_B. Which option would you use? (Choose the best Answer.)

Options:

A.

NFS Export Options

B.

IAM Service

C.

Security List

D.

NFS Unix Security

Question 16

Which type of FastConnect supports configuring Oracle Cloud Infrastructure (OCI) Site-to-Site VPN for encryption? (Choose the best Answer.)

Options:

A.

FastConnect Public Peering

B.

FastConnect Cross-Connect group

C.

FastConnect Private Peering

D.

FastConnect Partner

Question 17

You have configured Management Agent on an Oracle Cloud Infrastructure (OCI) Linux instance for log ingestion purposes. OR When using Management Agent to collect logs continuously. Which configuration is required for the OCI Logging Analytics service to collect data from multiple logs of this instance? (Choose the best Answer.)

Options:

A.

Entity Log Association

B.

Log-Log Group Association

C.

Source-Entity Association

D.

Log Group-Source Association

Question 18

You are the first responder of a security incident for ABC Org. You have identified several IP addresses and URLs in the logs that you suspect may be related to the incident. However, you need more information to confidently determine whether they are indeed malicious or not. Which OCI service can you use to obtain more refined information and a confidence score for these identified indicators? (Choose the best Answer.)

Options:

A.

OCI Web Application Firewall

B.

OCI Security Zones

C.

OCI Incidence Responder

D.

OCI Threat Intelligence

Question 19

Cloud Guard detected a risk score of zero in the dashboard. What does this mean?

Options:

A.

Risk score doesn't say anything. These are just numbers

B.

LOW or MINOR issues

C.

Larger number of problems that have high risk levels (HIGH or CRITICAL)

D.

No problem detected for any resource

Question 20

Which statement is not true about Cloud Security Posture?

Options:

A.

Problems contain data about the specific type of issue that was found.

B.

Problems can be resolved, dismissed, or remediated.

C.

Problems are defined by the type of detector that creates them: activity or configuration.

D.

Problems are created when Cloud Guard discovers a deviation from a responder rule.

Question 21

What is the matching rule syntax for a single condition?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 22

Which parameters do customers need to configure while reading secrets by name using the CLI or API? Select TWO correct answers.

Options:

A.

Certificates

B.

Secret Name

C.

ASCII Value

D.

Vault Id

Question 23

Which statement is true about standards?

Options:

A.

They may be audited.

B.

They are the result of a regulation or contractual requirement or an industry requirement.

C.

They are methods and instructions on how to maintain or accomplish the directives of the policy.

D.

They are the foundation of corporate governance.

Question 24

Which Oracle Data Safe feature minimizes the amount of personal data and allows internal test, development, and analytics teams to operate with reduced risk?

Options:

A.

data auditing

B.

data encryption

C.

security assessment

D.

data masking

E.

data discovery

Question 25

As a security architect, how can you prevent unwanted bots while desirable bots are allowed to enter?

Options:

A.

Data Guard

B.

Vault

C.

Compartments

D.

Web Application Firewall (WAF)

Question 26

Challenge 2

Least-Privileged Model Enforcement Leveraging Custom Security Zones

Scenario

In deploying a new application, a cloud customer needs to reflect different security postures. If a security zone is enabled with the Maximum Security Zone recipe, the customer will be unable to create or update a resource in the Security Zone if the action violates the attached Maximum Security Zone policy.

As an application requirement, the customer requires a compute instance in the public subnet. You, therefore, need to configure Custom Security Zones that allow the creation of compute instances in the public subnet.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Create a Custom Security Zone recipe to allow compute instances in the public subnet.

• Create a Security Zone using the Custom Security Zone recipe.

• Configure a Virtual Cloud Network (VCN) and Public Subnet.

• Provision a Compute Instance in the public subnet.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

  • Create a Custom Recipe with the name
  • Create a Security Zone with the name
  • Create a VCN with the name IAD-SP-PBT-VCN-01
  • Create a Public Subnet with the name IAD-SP-PBT-PUBSNET-01
  • Create a Compute Instance with the name IAD-SP-PBT-1-VM-01, using the "Oracle Linux 8" image and "VM.Standard2.1" as shape

Options:

Question 27

Challenge 3 - Task 3 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

1. Create a Bastion with the name SPPBTBASTION99233424-lab.user01

[Eliminate Special Characters] E.g.: SPPBTBASTION992831403labuser13

2. Create a Session with the name PBT-1-Session-01, for the compute instance in the private subnet, with default username as "opc"

Options:

Question 28

Challenge 3 - Task 2 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

Create a Compute Instance with the name PBT-BAS-VM-01, using the "Oracle Linux 8" image and shape "VM.Standard2.1", without SSH key and enable Bastion plugin.

Options:

Question 29

Challenge 1 - Task 5 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Options:

Question 30

Challenge 4 - Task 5 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

1. Create a Protection Rule with the name WAF-PBT-XSS-Protection against XSS attacks, for protecting the web server.

2. Create a New Rule Action with name WAF-PBT-XSS-Action where http response code will be 503 (Service Unavailable).

Options:

Question 31

Challenge 4 - Task 2 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

  • Create a Compute Instance with the name IAD-SP-PBT-VM-01, using the Oracle Linux 8 image and VM.Standard2.1 shape.
  • SSH to the compute instance using Cloud Shell.
  • Install and configure Apache web server:

a. Install Apache server:

    sudo yum -y install httpd

b. Enable Apache and start Apache server:

    sudo systemctl enable httpd
    sudo systemctl restart httpd

c. Create a firewall rule to enable HTTP connection through port 80 and reload the firewall:

    sudo firewall-cmd --permanent --add-port=80/tcp
    sudo firewall-cmd --reload

d. Create an index file for your web server:

    sudo bash -c 'echo You are visiting Web Server 1 >> /var/www/html/index.html'

Options:

Question 32

Challenge 3 - Task 1 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

  • Create a Virtual Cloud Network (VCN) with the name PBT-BAS-VCN-01
  • Create a Private Subnet with the name PBT-BAS-SNET-01
  • Create a Service Gateway with the name PBT-BAS-SG-01, using the service "All IAD Services in Oracle Services Network"
  • Add Route Rules for Service Gateway

Options:

Question 33

Challenge 4 - Task 4 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

Create a WAF policy with the name IAD-SP-PBT-WAF-01_99233424-lab.user01

Eg: IAD-SP-PBT-WAF-01_99232403-lab.user02

Options:

Question 34

Challenge 1 - Task 3 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task in the OCI environment provisioned:

Create a new VCN with the name PBT_SECRET_VCN01 and public subnet within your assigned compartment.

Options:

Question 35

Challenge 1 - Task 1 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:

  • Create Master Encryption Key with the name my_pbt_msk with 256 bits shape.
  • Create a Secret with the name my-pbt-secret_99234021-lab.user01 and secret content.

For example: If your user name is 99346163-lab.user02, then the secret should be named as my-pbt-secret_99346163-lab.user02.

Options:

Question 36

Challenge 3 - Task 4 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

Connect to a compute instance using a Managed SSH Bastion session from your local machine terminal or Cloud Shell.

Options:

Question 37

Challenge 4 - Task 1 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

Create a VCN using wizard with the name IAD-WAF-PBT-VCN-01

Options:

Question 38

Challenge 1 - Task 2 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a good security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task:

In the field below, write the IAM policy, which allows a program running on a compute instance (principal instance) to retrieve a secret from the OCI Vault.

Options:

Question 39

Challenge 4 - Task 6 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

You will connect to the web server and append an XSS script. The protection rule will evaluate the requests and respond accordingly.

Options:

Question 40

Challenge 4 - Task 3 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

  • Go to the VCN IAD-WAF-PBT-VCN-01.
  • Create a Security List with the name IAD-SP-PBT-LB-SL-01.
  • Create a Public subnet named LB-Subnet-IAD-SP-PBT-SNET-02 and attach the above-created security list.
  • Create a Load Balancer with the name IAD-SP-PBT-LB-01.
  • Create a Listener Name with the name IAD_SP_PBT_LB_LISN_01.
  • Add appropriate Ingress and Egress rules to IAD-SP-PBT-LB-SL-01, to allow http traffic to the Load Balancer subnet.

Options:

Question 41

Challenge 1 - Task 4 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:

  • Create a Linux Instance with the name [Provide Name Here] within the compartment.

Provide your own public key to SSH the instance.

Options:
