Summer Special Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 60certs

Oracle 1z0-1104-23 Dumps

Page: 1 / 10
Total 167 questions

Oracle Cloud Infrastructure 2023 Security Professional Questions and Answers

Question 1

An automobile company needs to configure Bastion Managed SSH session to a compute

instance in a private subnet. What are the TWO prerequisites to configure successfully?

Options:

A.

NAT or Service Gateway should be attached to the private subnet

B.

There is no need for any gateway in private subnet

C.

SSH port forwarding should be enabled

D.

Route rule to a NAT or Service Gateway should be associated with the subnet of the route table

Question 2

You know that a few buckets in your compartment should stay public, and you do not want Cloud Guard to detect these as problems. In which two ways would you address this? (Choose two.)

Options:

A.

Dismiss problems associated those resources

B.

Resolve or remediate those problems and you should not see Cloud Guand triggering on these resources ever again.

C.

Fix the baseline by configuring the Conditional groups for the detector.

D.

A public bucket is a security risk, so Cloud Guard will keep detecting it

Question 3

You are using a custom application with third-party APIs to manage application and data hosted in an Oracle Cloud Infrastructure(OCI) tenancy. Although your third-party APIs don't support OCI's signature-based authentication, you want them to communicate with OCI resources. Which authentication option must you use to ensure this?

Options:

A.

OCI username and Password

B.

API Signing Key

C.

SSH Key Pair with 2048-bit algorithm

D.

Auth Token

Question 4

You need to create matching rules for a conditional policy. Which TWO matching rules syntax can be used? (Choose two.)

Options:

A.

namespace =| !='value'

B.

any/all {, ,…}

C.

variable =|!="value"

D.

Key =| !='value'

Question 5

A company has OCI tenancy which has mount target associated with two File Systems, CG_1 and CG_2. These FileSystems are accessed by IP-based clients AB_1 and AB_2 respectively. As a security administrator, how can you provide access to both clients such that CGI has Read only access on AB1 and CG_2 has Read/Write access on AB_2?

Options:

A.

NFS Export Option

B.

Access Control Lists

C.

NFS v3 Unix Security

D.

Vault

Question 6

Which storage type is most effective when you want to move some unstructured data, consisting of images and videos, to cloud storage?

Options:

A.

Standard storage

B.

File storage

C.

Archivestorage

D.

Block volume

Question 7

When doesCloud Guard re-open an issue and update the history?

Options:

A.

If it detects an issue again for an Open (unresolved) problem

B.

If it detects an issue for a previously resolved/dismissed activity problem

C.

If it detects an issue for a previously resolved configuration problem

D.

If it detects an issue for a previously dismissed configuration problem

Question 8

You have subscribed to a tenancy, in which you want to isolate the OCI resources from different users logically for governance. Which OCI resource will help you achieve logical separation? (Choose the best Answer.)

Options:

A.

Compartment

B.

Dynamic Group

C.

Fault Domain

D.

Availability Domain

Question 9

You are using a custom application with third-party APIs to manage application and data hosted in an Oracle Cloud Infrastructure (OCI) tenancy. Although your third-party APIs do not support OCI's signature-based authentication, you want them to communicate with OCI resources Which authentication option should you use to ensure this? (Choose the best Answer.)

Options:

A.

Auth Tokens

B.

At Signing Key

C.

OCI Username and password

D.

SSH Kay Par with 2048-bit algorithm

Question 10

Which statement about Oracle Cloud Infrastructure Multi-Factor Authentication (MFA)is NOT valid?

Options:

A.

Users cannot disable MFA for themselves.

B.

A user can register only one device to use for MFA.

C.

Users must install a supported authenticator app on the mobile device they intend to register for MFA.

D.

An administrator can disable MFA for another user.

Question 11

your company has hired a consulting firm to audit your oracle cloud infrastructure activity and configuration you have created a set of users who will be performing the audit, you assigned these user to the orgauditgrp group. the auditor required the ability to see the configuration of all resources within tenant and you have agreed to exempt the dev compartment from the audit.

which IAM policy should be created to grant the orgauditgrp the ability to look at configuration for all resources except for those resources inside the dev compartment?

Options:

A.

allow group orgauditgrp to read all-resources in tenancy where target.compartment.name !=dev

B.

allow group orgauditgrp to read all-resources in compartment !=dev

C.

allow group orgauditgrp to inspect all-resources in tenancy where target compartment.name !=dev

D.

allow group orgauditgrp to inspect all-resources in compartment !=dev

Question 12

In Oracle Cloud Infrastructure (OCI) Secret management within OCI Vault, you have created a secret and rotated the secret one time. The current version state shows: Version Number | Status 2 (latest) | current 1 | Previous In order to rollback to version 1, What should the Administrator do? (Choose the best Answer.)

Options:

A.

From the version 2 (latest) menu, select "Rollback and choose version 1 when given the option

B.

Create a new secret version 3 and set to Pending. Copy the contents of version 1 into version

C.

Deprecate version 2 (test). Create new Secret Version 3. Create soft link from version 3 to version 1.

from the version 1 menu, select "Promote to Current"

Question 13

What must be configured for a load balancer to accept incoming traffic?

Options:

A.

Service Gateway

B.

SSL certificate

C.

Listener

D.

Route table entry pointing to the listener IP address

Question 14

How can you establish private connectivity over two VCN within same OCI region without traversing the traffic over public internet ?

Options:

A.

NAT Gateway

B.

Data Guard

C.

Remote VCN Peering

D.

Local VCN Peering

Question 15

How can you restrict access to OCI console from unknown IP addresses?

Options:

A.

Create tenancy's authentication policy and create WAF rules

B.

Create tenancy's authentication policy and add a network source

C.

Make OCI resources private instead of public

D.

Create PAR to restrict access the access

Question 16

Which VCNconfiguration is CORRECT with regard to VCN peering within a same region ?

Options:

A.

12.0.0.0/16 and 194.168.0.0/16

B.

12.0.0.0/16 and 12.0.0.0/16C 194.168.0.0/24 and 194.168.0.0/24

C.

194.168.0.0/24 and 194.168.0.0/16

Question 17

A http web server hosted on an Oracle cloud infrastructure compute instance in a public subnet of the vcsl virtual cloudnetwork has a stateless security ingress rule for port 80 access through internet gateway

stateful network security group notification for port 80 how will the Oci vcn handle request response traffic to the compute instance for a web page from the http server with port 80?

Options:

A.

network security group would supersede the security utility list and allow both inbound and outbound traffic

B.

the union of both configuration would happen and allow both inbound and outbound traffic

C.

due to the conflict in security configuration inbound request traffic would not be allowed

D.

Because there is no Egress ruled defined in Security List, The Response would not pass through Internet Gateway.

Question 18

Which tasks can you perform on a dedicated virtual machine host?

Options:

A.

Manual scaling

B.

Creating instance pools

C.

Instance configurations

D.

Capacity reservations

Question 19

With regard to vulnerability and cloud penetration testing, which rules of engagement apply? Select TWO correct answers.

Options:

A.

Any port scanning must be performed in an aggressive mode

B.

Physical penetration and vulnerability testing of Oraclefacilities is prohibited

C.

Testing should target any other subscription or any other Oracle Cloud customer resources

D.

You are responsible for any damages to Oracle Cloud customers that are caused by your testing activities

Question 20

You are tasked with building a highly available, fault tolerant web application for your current employer. The security team is concerned about an increase in malicious web-based attacks across the Internet and therefore wants to add a higher level of security to the website. How would you architect the solution in Oracle Cloud Infrastructure (OCI) to meet the security requirements defined by your organization? (Choose the best Answer.)

Options:

A.

Deploy at least three web servers, each in different faut domain using a regional private subnet. Place a public load balancer in a regional public subnet and create a backend set for all the web servers. \

B.

Deploy Web Application Firewall (WAF) and configure the load balancer public IP address as the origin.

C.

Deploy at least three web servers, each in a different fault domain in a public subnet. Ensure that each web server is assigned a public IP address. Depley Web Application Firewall (WAS) and configure one origin for each public P address.

D.

Deploy at least three web servers, each in a different faut domain in a private subnet. Place a public load balancer in a public subnet and create a backend set for all the web servers Create Geolocation steering policy in OCI Traffic Management and add an answer pool that directs to the public IP address of the load balancer.

E.

Deploy at least three web servers, each in a different fault domain in a public subnet. Use OCI Traffic Management service to create a load balancing policy to resolve DNS evenly between all web servers.

Question 21

As a Security Admin you want to inspect the metadata and actual data in your Oracle databases to discover sensitive data and provide comprehensive results listing the sensitive columns and related information. Which Data Safe feature will help you to achieve the above requirement ?

Options:

A.

Data Masking

B.

Data Discovery

C.

Security Assessment

D.

User Assessment

Question 22

Which is NOT a compliance document?

Options:

A.

Certificate

B.

Penetration test report

C.

Attestation

D.

Bridge letter

Question 23

Which type of FastConnect supports configuring Oracle Cloud Infrastructure (OCI) Site-to-Site VPN for encryption? (Choose the best Answer.)

Options:

A.

FastConnect Public Peering

B.

FastConnect Cross-Connect group

C.

FastConnect Privat Peering

D.

FastConnect Partner

Question 24

You are the first responder of a security incident for ABC Org. You have identified sever-al IP addresses and URLs in the logs that you suspect may be related to the incident. However, you need more information to confidently determine whether they are indeed malicious or not. Which OCI service can you use to obtain a more refined information and confidence score for these identified indicators? (Choose the best Answer.)

Options:

A.

OCI Web Application Firewall

B.

OCI Security Zones

C.

OCI Incidence Responder

D.

OCI Threat Intelligence

Question 25

"Jazz Clothing" is an e-commerce company that wants to secure their in-transit communication to online store's hosted on Oracle Cloud Infrastructure (OCI) by ensuring secure Transport Layer Security (TLS) connections. They plan to automate the process of creating and rotating certificates using the OCI Certificates service to avoid outages due to expired certificates. What is a key benefit that Jazz Clothing will gain by automating their certificate management for TLS connections in OCI? (Choose the best Answer.)

Options:

A.

Automated certificate management eliminates the need for traffic monitoring and auditing.

B.

Automated certificate management reduces the risk of human error in the certificate creation and rotation process.

C.

Automated certificate management guarantees 100% protection against all security threats.

D.

Automated certificate management improves network performance by reducing the amount of processing required for each request

Question 26

Challenge 1 - Task 2 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a good security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task:

In the field below, write the IAM policy, which allows a program running on a computer instance (principal instance) to retrieve a secret from the OCI Vault.

Options:

Question 27

Challenge 4 - Task 1 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

Create a VCN using wizard with the name IAD-WAF-PBT-VCN-01

Options:

Question 28

Challenge 3 - Task 4 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

 

Connect to a compute instance using a Managed SSH Bastion session from your local machine terminal or Cloud shell.

Options:

Question 29

Challenge 3 - Task 3 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

1.      Create a Bastion with the name SPPBTBASTION99233424-lab.user01

[Eliminate Specical Characters] Eg:SPPBTBASTION992831403labuser13

2.      Create a Session with the name PBT-1-Session-01, for compute instance in private subnet, with default username as "opc"

Options:

Question 30

Challenge 3 - Task 2 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

 

Create a Compute Instance with the name PBT-BAS-VM-01, using the "Oracle Linux 8" image and shape "VM.Standard2.1", without SSH key and enable Bastion plugin.

Options:

Question 31

Challenge 1 - Task 3 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task in the OCI environment provisioned:

Create a new VCN with the name PBT_SECRET_VCN01 and public subnet within your assigned compartment.

Options:

Question 32

Challenge 1 - Task 4 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:

  • Create a Linux Instance with the name [Provide Name Here] within the compartment.

Provide your own public key to SSH the instance.

Options:

Question 33

Challenge 4 - Task 6 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

You will connect to the web server and append an XSS script. The protection rule will evaluate the requests and respond accordingly.

Options:

Question 34

Challenge 4 - Task 5 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

1. Create a Protection Rule with name WAF-PBT-XSS-Protection against XSS attack. for protecting web server

2. Create a New Rule Action with name WAF-PBT-XSS-Action where http response code will be 503 (Service Unavailable).

Options:

Question 35

Challenge 3 - Task 1 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

  • Create a Virtual Cloud Network (VCN) with the name PBT-BAS-VCN-01
  • Create a Private Subnet with the name PBT-BAS-SNET-01
  • Create a Service Gateway with the name PBT-BAS-SG-01, using the service "All IAD Services in Oracle Services Network"
  • Add Route Rules for Service Gateway

Options:

Question 36

Challenge 1 - Task 5 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Options:

Question 37

Challenge 4 - Task 3 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

  • Go to the VCN IAD-WAF-PBT-VCN-01.
  • Create a Security List with the name IAD-SP-PBT-LB-SL-01.
  • Create a Public subnet named LB-Subnet-IAD-SP-PBT-SNET-02 and attach the above-created security list.
  • Create a Load Balancer with the name IAD-SP-PBT-LB-01.
  • Create a Listener Name with the name IAD_SP_PBT_LB_LISN_01.
  • Add appropriate Ingress and Egress rules to IAD-SP-PBT-LB-SL-01, to allow http traffic to the Load Balancer subnet.

Options:

Question 38

Challenge 4 - Task 2 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

  • Create a Compute Instance with the name IAD-SP-PBT-VM-01, using the Oracle Linux 8 image and VM.Standard2.1 shape.
  • SSH to the compute instance using Cloud Shell.
  • Install and configure Apache web server:a. Install Apache server:
  • sudo yum -y install httpd

b. Enable Apache and start Apache server:

  • bash
  • sudo systemctl enable httpd
  • sudo systemctl restart httpd

c. Create a firewall rule to enable HTTP connection through port 80 and reload the firewall:

  • css
  • sudo firewall-cmd --permanent --add-port=80/tcp
  • sudo firewall-cmd --reload

d. Create an index file for your web server:

  • vbnet
  • sudo bash -c 'echo You are visiting Web Server 1 >>
  • /var/www/html/index.html'

Options:

Question 39

Challenge 2

Least-Privileged Model Enforcement Leveraging Custom Security Zones

Scenario

In deploying a new application, a cloud customer needs to reflect different security postures. If a security zone is enabled with the Maximum Security Zone recipe, the customer will be unable to create or update a resource in the Security Zone if the action violates the attached Maximum Security Zone policy.

As an application requirement, the customer requires a compute instance in the public subnet. You, therefore, need to configure Custom Security Zones that allow the creation of compute instances in the public subnet.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Create a Custom Security Zone recipe to allow compute instances in the public subnet.

• Create a Security Zone using the Custom Security Zone recipe.

• Configure a Virtual Cloud Network (VCN) and Public Subnet.

• Provision a Compute Instance in the public subnet.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

  • Create a Custom Recipe with the name
  • Create a Security Zone with the name
  • Create a VCN with the name IAD-SP-PBT-VCN-01
  • Create a Public Subnet with the name IAD-SP-PBT-PUBSNET-01
  • Create a Compute Instance with the name IAD-SP-PBT-1-VM-01, using the "Oracle Linux 8" image and "VM.Standard2.1" as shape

Options:

Question 40

Challenge 1 - Task 1 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:

  • Create Master Encryption Key with the name my_pbt_msk with 256 bits shape.
  • Create a Secret with the name my-pbt-secret_99234021-lab.user01 and secret content.

For example: If your user name is 99346163-lab.user02, then the secret should be named as my-pbt-secret_99346163-lab.user02.

Options:

Question 41

Challenge 4 - Task 4 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script:  /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

Create a WAF policy with the name IAD-SP-PBT-WAF-01_99233424-lab.user01

Eg: IAD-SP-PBT-WAF-01_99232403-lab.user02

Options:

Page: 1 / 10
Total 167 questions