1z0-1104-25 Exam Dumps - Oracle Cloud Infrastructure 2025 Security Professional

Go to page:

Question # 4

Challenge 2 -Task 1

In deploying a new application, a cloud customer needs to reflect different security postures. If a security zone is enabled with the Maximum Security Zone recipe, the customer will be unable to create or update a resource in the security zone if the action violates the attached Maximum Security Zone policy.

As an application requirement, the customer requires a compute instance in the public subnet. You therefore, need to configure Custom Security Zones that allow the creation of compute instances in the public subnet.

Review the architecture diagram, which outlines the resoures you'll need to address the requirement:

Preconfigured

To complete this requirement, you are provided with the following:

Access to an OCI tenancy, an assigned compartment, and OCI credentials

Required IAM policies

Task 2: Create a Security Zone

Create a security Zone named IAD_SAP-PBT-CSZ-01 in your assigned compartement and associate it with the Custom Security Zone Recipe (IAD-SAP-PBT-CSP-01) created in the previous task.

Enter the OCID of the created Security zone in the box below.

Full Access

Answer:

Explanation:

To create a Security Zone named IAD_SAP-PBT-CSZ-01 in your assigned compartment and associate it with the Custom Security Zone Recipe IAD-SP-PBT-CSP-01 created in the previous task, follow these steps based on the Oracle Cloud Infrastructure (OCI) Security Zones documentation.

Step-by-Step Solution for Task 2: Create a Security Zone

Log in to the OCI Console:

Use your OCI credentials to log in to the OCI Console (https://console.us-ashburn-1.oraclecloud.com ).

Ensure you have access to the assigned compartment.

Navigate to Security Zones:

From the OCI Console, click the navigation menu (hamburger icon) on the top left.

UnderGovernance and Administration, selectSecurity Zones.

Create a New Security Zone:

In the Security Zones dashboard, click theCreate Security Zonebutton.

Configure the Security Zone Details:

Name:Enter IAD_SAP-PBT-CSZ-01.

Compartment:Select the assigned compartment provided.

Description:(Optional) Add a description, e.g., "Security Zone for public subnet compute instances."

Associate the Custom Security Zone Recipe:

In theRecipesection, select the custom recipe IAD-SP-PBT-CSP-01 created in Task 1 from the dropdown list.

Ensure the recipe is correctly associated to enforce the policy allowing compute instances in the public subnet.

Define the Security Zone Scope:

UnderResources to Protect, select the compartment or specific resources (e.g., the VCN with CIDR 10.0.0.0/16 and public subnet 10.0.10.0/24) to apply the security zone.

Check the box to include all resources in the selected compartment if applicable.

Create the Security Zone:

ClickCreateto finalize the security zone creation.

Once created, note theOCIDof the security zone from the security zone details page. The OCID will be a unique identifier starting with ocid1.securityzone.

Verify the Security Zone:

Go to theSecurity Zonestab and locate IAD_SAP-PBT-CSZ-01.

Confirm the associated recipe (IAD-SP-PBT-CSP-01) and the applied policies.

OCID of the Created Security Zone

The exact OCID will be generated upon creation (e.g., ocid1.securityzone.oc1..). Please enter the OCID displayed in the OCI Console after completing Step 7.

Question # 5

Task 6: Create Load Balancer and Attach Certificate

Create a Load Balancer with the name PBT-CERT-LB-01 in subnet LB-Subnet-PBT-CERT-SNET-02

Create a Listener for the load balancer, where:

Name: PBT-CERT-LB_LTSN_01

Protocol: HTTPS

Port: 443

Attach the certificate PBT-CERT-01- to the load balancer

Attach the security list PBT-CERT-LB-SL-01 to subnet LB-Subnet-PBT-CERT-SNET-02

Full Access

Answer:

Explanation:

Task 6: Create Load Balancer and Attach Certificate

Step 1: Create the Load Balancer

Navigate toNetworking>Load Balancers.

ClickCreate Load Balancer.

Enter the following details:

Name: PBT-CERT-LB-01

Compartment: Select your assigned compartment.

Load Balancer Type: SelectPublic.

Virtual Cloud Network: Select PBT-CERT-VCN-01.

Subnet: Select LB-Subnet-PBT-CERT-SNET-02.

Shape: Choose a shape (e.g., 10 Mbps, adjust based on needs).

ClickNext.

Leave backend sets and listeners as default for now (weâ€™ll configure the listener next).

ClickCreate Load Balancerand wait for it to be provisioned.

Step 2: Create a Listener

Once the load balancer is created, go to theLoad Balancerspage and click on PBT-CERT-LB-01.

UnderResources, clickListeners.

ClickCreate Listener.

Enter the following details:

Name: PBT-CERT-LB_LTSN_01

Protocol: SelectHTTPS.

Port: Enter 443.

Certificate: ClickAdd Certificate, then select the PBT-CERT-01 certificate (e.g., PBT-CERT-0199008677labuser01) created in Task 5.

Leave other settings (e.g., SSL handling) as default unless specified.

ClickCreate.

Step 3: Configure the Backend Set

In the PBT-CERT-LB-01 details page, underResources, clickBackend Sets.

ClickCreate Backend Set(if not already created).

Enter basic details (e.g., name like PBT-CERT-BS-01).

Add a backend server:

IP Address: Use the private IP of PBT-CERT-VM-01 (find this in the instance details underCompute>Instances).

Port: 80 (HTTP, as configured on the web server).

Protocol: HTTP.

ClickCreate.

Step 4: Attach the Security List to the Subnet

Navigate toNetworking>Virtual Cloud Networks.

Select PBT-CERT-VCN-01 and clickSubnets.

Click on LB-Subnet-PBT-CERT-SNET-02.

UnderSecurity Lists, ensure PBT-CERT-LB-SL-01 is attached. If not:

ClickEdit.

Remove the default security list and add PBT-CERT-LB-SL-01.

ClickSave Changes.

Step 5: Verify the Configuration

Ensure the load balancer health status is OK (check underBackend Sets>Health).

Test by accessing https:// in a browser (replace with the public IP from the load balancer details).

Question # 6

You have created a compartment TEST in your subscribed tenancy. Then, you created two groups, test1 and test2, and want the users in these groups to be able to manage all the resources in the TEST compartment.

Which policy would you use to achieve this?

Allow group/test*/to manage all resources in compartment test.

Allow group test1, test2 to manage all resources in compartment test.

Allow any-user to manage all resources in compartment test where any {request.groups.test1, test2}

Allow any-user to manage all resources in compartment test where request.group='test*'

Full Access

Question # 7

A company has implemented OCI IAM policies with multiple levels of compartments. A policy attached to a parent compartment grants "manage virtual-network-family" permissions. A policy attached to a child compartment grants "use virtual-network-family" permissions.

According to OCI IAM policy inheritance, how does the OCI IAM policy engine resolve the permissions for a user attempting to perform an operation that requires 'manage' permissions in the child compartment?

The operation is denied due to conflicting policies.

The policy in the parent compartment takes precedence, and the user is granted "manage" permissions.

The policy in the child compartment takes precedence, and the user is granted "use" permissions only.

Full Access

Question # 8

Which Oracle Data Safe feature enables the Internal test, development, and analytics teams to operate effectively while minimizing their exposure to sensitive data?

Security assessment

Data encryption

Data auditing

Sensitive data discovery

Full Access

Go to page: