Oracle Cloud Infrastructure 2025 Security Professional (1z0-1104-25) Free Practice Test

Question 1
Challenge 2 - Task 1
In deploying a new application, a cloud customer needs to reflect different security postures. If a security zone is enabled with the Maximum Security Zone recipe, the customer will be unable to create or update a resource in the security zone if the action violates the attached Maximum Security Zone policy.
As an application requirement, the customer requires a compute instance in the public subnet. You therefore need to configure Custom Security Zones that allow the creation of compute instances in the public subnet.
Review the architecture diagram, which outlines the resources you'll need to address the requirement:

Preconfigured
To complete this requirement, you are provided with the following:
Access to an OCI tenancy, an assigned compartment, and OCI credentials
Required IAM policies
Task 4: Create a Public Subnet
Create a public subnet named IAD-SP-PBT-PUBSNET-01 within the VCN IAD-SP-PBT-VCN-01, use a CIDR block of 10.0.1.0/24, and configure the subnet to use the Internet Gateway.
See the solution below in Explanation.
Correct Answer:
To create a public subnet named IAD-SP-PBT-PUBSNET-01 within the VCN IAD-SP-PBT-VCN-01 using a CIDR block of 10.0.1.0/24 and configure it to use the Internet Gateway, follow these steps based on the Oracle Cloud Infrastructure (OCI) Networking documentation.
Step-by-Step Solution for Task 4: Create a Public Subnet
1. Log in to the OCI Console:
   * Use your OCI credentials to log in to the OCI Console (https://console.us-ashburn-1.oraclecloud.com).
   * Ensure you have access to the assigned compartment.
2. Navigate to Virtual Cloud Networks:
   * From the OCI Console, click the navigation menu (hamburger icon) on the top left.
   * Under Networking, select Virtual Cloud Networks.
3. Select the VCN:
   * Locate and click on the VCN named IAD-SP-PBT-VCN-01 created in Task 3.
   * Under Resources, select Subnets.
4. Create a New Subnet:
   * Click the Create Subnet button.
5. Configure the Subnet Details:
   * Name: Enter IAD-SP-PBT-PUBSNET-01.
   * Compartment: Ensure it is set to the assigned compartment.
   * Subnet Type: Select Public Subnet.
   * CIDR Block: Enter 10.0.1.0/24.
   * Route Table: Select the default route table associated with the VCN (ensure it includes a route to the Internet Gateway with destination 0.0.0.0/0).
   * Subnet Access: Select Public Subnet and ensure the Internet Gateway is associated.
   * DHCP Options: Leave as default or customize if required.
   * Security List: Use the default security list or create a new one with appropriate ingress/egress rules (e.g., allow TCP port 22 for SSH and all egress traffic).
6. Associate the Internet Gateway:
   * Verify that the subnet is configured to route traffic through the Internet Gateway. This is automatically handled if you selected the public subnet option and the VCN's route table is correctly set (as configured in Task 3).
   * If needed, edit the route table for the subnet to ensure a rule exists:
      * Destination CIDR Block: 0.0.0.0/0
      * Target Type: Internet Gateway
      * Target: Select the Internet Gateway associated with IAD-SP-PBT-VCN-01.
7. Create the Subnet:
   * Click Create to provision the subnet.
   * Once created, the subnet will be listed under the VCN's subnets.
8. Verify the Configuration:
   * Go to the subnet details page for IAD-SP-PBT-PUBSNET-01.
   * Confirm the CIDR block is 10.0.1.0/24 and that it is a public subnet with Internet Gateway access.
Notes
* Ensure the CIDR block 10.0.1.0/24 does not overlap with existing subnets in the VCN (10.0.0.0/16, including 10.0.10.0/24 from Task 3).
* The Internet Gateway association relies on the route table configuration from Task 3. If it's missing, update the route table as described in Step 6.
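The two checks in the Notes above (no CIDR overlap inside the VCN, and a default route to the Internet Gateway) can be run before the subnet is created. The following is an added example, not part of the original practice test; the function name, the dictionary layout of the route rules and the existing-subnet label are assumptions made for illustration.

```python
import ipaddress

def check_public_subnet(vcn_cidr, existing_subnets, new_cidr, route_rules):
    """Return a list of problems with the planned subnet; an empty list means it passes."""
    problems = []
    vcn = ipaddress.ip_network(vcn_cidr)
    # Strict parsing: raises ValueError if host bits are set (e.g. 10.0.1.5/24).
    new = ipaddress.ip_network(new_cidr)

    # The subnet must sit entirely inside the VCN's address range.
    if not new.subnet_of(vcn):
        problems.append(f"{new} is outside VCN {vcn}")

    # The subnet must not overlap any subnet that already exists in the VCN.
    for label, cidr in existing_subnets.items():
        if new.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"{new} overlaps {label} ({cidr})")

    # A public subnet needs a 0.0.0.0/0 rule whose target is the Internet Gateway.
    has_default_route = any(
        rule["destination"] == "0.0.0.0/0" and rule["target_type"] == "internet_gateway"
        for rule in route_rules
    )
    if not has_default_route:
        problems.append("route table has no 0.0.0.0/0 rule targeting the Internet Gateway")
    return problems

# Constructed sample data using the CIDR values stated on the page.
VCN_CIDR = "10.0.0.0/16"
EXISTING = {"task-3-subnet": "10.0.10.0/24"}  # label is hypothetical
ROUTES = [{"destination": "0.0.0.0/0", "target_type": "internet_gateway"}]

if __name__ == "__main__":
    # 10.0.1.0/24 looks close to 10.0.10.0/24 but does not overlap it.
    print(check_public_subnet(VCN_CIDR, EXISTING, "10.0.1.0/24", ROUTES))
    # A plan that collides with the Task 3 subnet and has no default route.
    print(check_public_subnet(VCN_CIDR, EXISTING, "10.0.10.128/25", []))
```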
Question 2
Task 3: Create a Master Encryption Key
Note: The OCI Vault that stores the key required by this task is created in the root compartment as PBI_Vault_SP.
Create an RSA Master Encryption Key (MEK), where:
Key name: PBT-CERT-MEK-01-<username>
For example, if your username is 99008677-lab.user01, then the MEK name should be PBT-CERT-MEK-0199008677labuser01
Ensure you eliminate special characters from the user name.
Key shape: 4096 bits
Enter the OCID of the Master Encryption Key created in the provided text box:
Correct Answer:
See the solution below in Explanation.
Explanation:
Task 3: Create a Master Encryption Key
Step 1: Access the OCI Vault
* Log in to the OCI Console.
* Navigate to Identity & Security > Vault.
* Select the root compartment.
* Locate and click on the vault named PBI_Vault_SP.
Step 2: Create the Master Encryption Key
* In the PBI_Vault_SP vault details page, under Resources, click Keys.
* Click Create Key.
* Enter the following details:
   * Name: Replace <username> with your username (e.g., if your username is 99008677-lab.user01, remove special characters like - and . to get 99008677labuser01, then use PBT-CERT-MEK-0199008677labuser01).
   * Key Shape: Select RSA with 4096 bits.
   * Protection Mode: Select HSM (Hardware Security Module) if available, or Software if HSM is not required (based on vault capabilities).
   * Compartment: Ensure it's set to the root compartment (where PBI_Vault_SP resides).
   * Leave other settings (e.g., key usage) as default unless specified.
* Click Create Key and wait for the key to be generated.
Step 3: Retrieve and Enter the OCID
* After the key is created, go to the Keys section under PBI_Vault_SP.
* Click on the key named PBT-CERT-MEK-01<username> (e.g., PBT-CERT-MEK-0199008677labuser01).
* Copy the OCID (a long string starting with ocid1.key., unique to your tenancy) from the key details page.
* Enter the copied OCID exactly as it appears into the provided text box.
* Enter the copied OCID exactly as it appears into the provided text box.
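The naming rule and key shape from this task can be expressed as a small request builder. This is an added example, not part of the original practice test: the function names are hypothetical, the dictionary fields are modeled on the OCI key-management create-key request, and the compartment OCID is a constructed placeholder. Note that the API expresses RSA key length in bytes, so the 4096-bit shape chosen in the Console corresponds to a length of 512.

```python
import re

# RSA key sizes in bits mapped to the byte length used in the key shape.
RSA_BITS_TO_BYTES = {2048: 256, 3072: 384, 4096: 512}

def mek_display_name(username, prefix="PBT-CERT-MEK-01"):
    """Remove every non-alphanumeric character from the username and append it,
    following the worked example in the task (no hyphen after the prefix)."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "", username)
    if not cleaned:
        raise ValueError("username contains no alphanumeric characters")
    return prefix + cleaned

def create_key_details(username, compartment_id, bits=4096, protection_mode="HSM"):
    """Build the fields of a create-key request as a plain dict (no API call is made)."""
    if bits not in RSA_BITS_TO_BYTES:
        raise ValueError(f"unsupported RSA key size: {bits} bits")
    if protection_mode not in ("HSM", "SOFTWARE"):
        raise ValueError(f"unknown protection mode: {protection_mode}")
    return {
        "compartment_id": compartment_id,
        "display_name": mek_display_name(username),
        "key_shape": {"algorithm": "RSA", "length": RSA_BITS_TO_BYTES[bits]},
        "protection_mode": protection_mode,
    }

def looks_like_key_ocid(text):
    """Paste check before submitting: starts with 'ocid1.key.' and has no whitespace."""
    return re.fullmatch(r"ocid1\.key\.\S+", text) is not None

if __name__ == "__main__":
    # Constructed placeholder; substitute the root compartment OCID of your tenancy.
    details = create_key_details("99008677-lab.user01", "ocid1.tenancy.oc1..placeholder")
    print(details)
    print(looks_like_key_ocid("ocid1.key.oc1..constructedexample "))  # trailing space
```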
Question 3
You are designing a secure access strategy for compute instances deployed within a private subnet of an OCI Virtual Cloud Network (VCN). Your security policy requires that no compute instances in the private subnet should have direct Internet access, and administrative access should be controlled.
Which statement best describes the role of an OCI Bastion in securing access to these private compute instances?

Correct Answer: A
Question 4
You're managing an Oracle Cloud Infrastructure (OCI) environment where a public website hosts downloadable assets stored in Object Storage buckets. These buckets need to be publicly accessible for website visitors, but Cloud Guard keeps flagging them as security risks.
How can Cloud Guard be configured to ignore problems specific to public buckets while still ensuring security checks are applied to other resources that require them?

Correct Answer: C