Oracle 1z0-1104-23 Oracle Cloud Infrastructure 2023 Security Professional Exam Practice Test

Demo: 41 questions
Total 167 questions

Oracle Cloud Infrastructure 2023 Security Professional Questions and Answers

Question 1

Which three Oracle Cloud Infrastructure (OCI) services are covered by Cloud Guard? (Choose three.)

Options:

A.

Oracle Integration Cloud (OIC)

B.

Blockchain

C.

Object Storage

D.

Database Cloud Service

E.

Identity and Access Management (IAM)

Question 2

Which components are a part of the OCI Identity and Access Management service?

Options:

A.

Policies

B.

Regional subnets

C.

Compute instances

D.

VCN

Question 3

Oracle Object Storage achieves data durability by which of the following mechanisms? Select TWO correct answers.

Options:

A.

Service Gateway

B.

Redundant Storage across availability domains

C.

Redundant Array of Independent Disks

D.

Object Versioning

Question 4

Which statements are CORRECT about Multi-Factor Authentication in OCI? Select TWO correct answers.

Options:

A.

Members of the Administrators group can disable MFA for other users

B.

Users cannot enable MFA for themselves

C.

A user can register multiple devices to use for MFA.

D.

Members of the Administrators group cannot enable MFA for another user

Question 5

A company plans to use Oracle Cloud services for their production and development environments, but they have different security requirements. Their security policy forbids development environment users from having access to the production environment and requires separate administrators to manage each environment. The company has only one tenancy in Oracle Cloud. How can they ensure that their security requirements are met in Oracle Cloud? (Choose the best Answer.)

Options:

A.

Create multiple identity domains, one for the production environment and another for the development environment.

B.

Use a single identity domain for both production and development environments to simplify administration.

C.

Assign the same identity domain administrator to both the production and development environments.

D.

Create a separate tenancy for the production environment to isolate administrative control.

Question 6

An HTTP Web Server hosted on an Oracle Cloud Infrastructure (OCI) compute instance in a public subnet of the VCN1 Virtual Cloud Network has a:

  • Stateless security ingress rule for port 80 access through Internet Gateway
  • Stateful Network Security Group notification for port 80

How will the OCI VCN handle request/response traffic to the compute instance for a web page from the HTTP server with port 80? (Choose the best Answer.)

Options:

A.

Because there is no egress rule defined in Security List, the response would not pass through Internet Gateway.

B.

The union of both configurations would happen and allow both inbound and outbound traffic.

C.

Due to the conflict in security configuration, inbound request traffic would not be allowed.

D.

Network Security Group would supersede the Security List and allow both inbound and outbound traffic.

Question 7

An e-commerce company needs to authenticate with a third-party API that doesn't support OCI's signature-based authentication.

What can be the solution for the above scenario?

Options:

A.

Security Token

B.

API Key Authentication

C.

Asymmetric keys

D.

Auth Token/Swift Password

Question 8

You configured the Events service for your Cloud Guard problems to send email notifications, but you do not see any. Which three things should you check to resolve this? (Choose three.)

Options:

A.

Ensure that you have the Cloud Guard retention policy configured.

B.

Ensure that your Cloud Guard targets have the Cloud Event responder recipe attached with the notification rule enabled.

C.

Ensure that the Event rule is created in the same compartment (or parent of it) where your problem resource exists.

D.

Ensure that the event is configured in the Cloud Guard reporting region.

E.

Ensure that Cloud Guard is enabled in every single region individually

Question 9

Where is sensitive configuration data (like certificates and credentials) stored by the Kubernetes cluster control plane?

Options:

A.

Block Volume

B.

ETCD

C.

Oracle Functions

D.

Boot Volume

Question 10

With regard to WAF in OCI, which of the following are NOT the customer's responsibility? Select TWO answers.

Options:

A.

Configure WAF policies for websites

B.

WAF edge nodes with High Availability

C.

Configure Bot Management strategies for website traffic

D.

Import latest OWASP Core Rule Sets

Question 11

You are a cloud Security administrator for a company. You are trying to create a dynamic rule that will match all instances in compartment "Test", with the OCID 'ocidl.compartment.ocl.lksnvkjnfbvrkblskivrIvruincbvbeidcbwvvyrsvi and a "Dev" compartment with OCID 'ocidl.compartment.ocl.kjsnfjkvskjfbvsbvsgljvndbblgjdnurvswrjnvljjeeft. What is the correct dynamic policy that will fulfill this request? (Choose the best Answer.)

Options:

A.

Any {instance.compartment.id = 'ocidl.compartment.ocl.lksnvkjnfbvrkblskjvrIvruincbvbeidcbwvvyrsvi, instance.compartment.id = 'ocidl.compartment.ocl.kjsnfjkvskjfbvsbvsgljvndbblgjdnurvswrjnvijjeee}

B.

All {Instance.id=tocidtinstance.ocl.eu-frankfurt-Lnsvwradccnksvkkdumcsnvurlsnvnuw"}

C.

All {Instances in Compartment "Test" and Compartment "Dev"}

D.

All {compartment.name="Test", compartment.name="Dev"}

Question 12

You know that a few buckets in your compartment should stay public, and you do not want Cloud Guard to detect these as problems. In which two ways would you address this? (Choose two.)

Options:

A.

Dismiss problems associated with those resources

B.

Resolve or remediate those problems and you should not see Cloud Guard triggering on these resources ever again.

C.

Fix the baseline by configuring the Conditional groups for the detector.

D.

A public bucket is a security risk, so Cloud Guard will keep detecting it

Question 13

What do the features of OS Management Service do?

Options:

A.

Add complexity in using multiple tools to manage mixed-OS environments.

B.

Provide paid service and support to OCI subscribers for fixes on priority.

C.

Increase security and reliability by regular bug fixes.

D.

Encourage manual setup to avoid machine-induced errors.

Question 14

A company has an OCI tenancy with a mount target associated with two File Systems, CG_1 and CG_2. These File Systems are accessed by IP-based clients AB_1 and AB_2 respectively. As a security administrator, how can you provide access to both clients such that CG_1 has Read only access on AB_1 and CG_2 has Read/Write access on AB_2? OR In your Oracle Cloud Infrastructure (OCI) tenancy, you have a mount target that is associated with two file systems, FS_A and FS_B. These file systems are being accessed by two IP-based clients, CT_A and CT_B respectively. You need to provide access to both clients, such that CT_A has Read and Write access on FS_A and CT_B has Read Only access on FS_B. Which option would you use? (Choose the best Answer.)

Options:

A.

NFS Export Options

B.

IAM Service

C.

Security List

D.

NFS Unix Security

Question 15

You are the first responder of a security incident for ABC Org. You have identified several IP addresses and URLs in the logs that you suspect may be related to the incident. However, you need more information to confidently determine whether they are indeed malicious or not. Which OCI service can you use to obtain more refined information and a confidence score for these identified indicators? (Choose the best Answer.)

Options:

A.

OCI Web Application Firewall

B.

OCI Security Zones

C.

OCI Incidence Responder

D.

OCI Threat Intelligence

Question 16

You have created several Oracle Cloud Infrastructure Groups with the prefix 'Test' in your tenancy, for example TestECommerce, TestCatalog, and TestAdministration. You want to create another group called TestGroupsAdmin to manage all the groups that start with "Test" except for the group TestAdministration. Which policy should you write? (Choose the best Answer.)

Options:

A.

allow group TestGroupsAdmin to manage groups in tenancy where any {target.group.name = /Test*/, target.group.name != 'TestAdministration'}

B.

allow group TestGroupsAdmin to manage groups in tenancy where target.group.name = /Test*/ && !(target.group.name = 'TestAdministration')

C.

allow group TestGroupsAdmin to manage groups in tenancy where target.group.name = /Test*/ and = 'TestAdministration')

D.

allow group TestGroupsAdmin to manage groups in tenancy where all {target.group.name = /Test*/, target.group.name != 'TestAdministration'}

Question 17

You have three compartments: ProjectA, ProjectB, and ProjectC. For each compartment, there is an admin group set up: A-Admins, B-Admins, and C-Admins. Each admin group has full access over their respective compartments as shown in the graphic below. Your organization has set up a tag namespace, EmployeeGroup.Role and all your admin groups are tagged with a value of 'Admin'.

You want to set up a "Test" compartment for members of the three projects to share, and need to give admin access to all three of your existing admin groups. Which policy should you write to accomplish this task? (Choose the best Answer.)

Options:

A.

Allow any-group to manage all-resources in compartment Test where request.principal.group.tag.EmployeeGroup.Role=Admin

B.

Allow any-users to manage all-resources in compartment Test where request.principal.group.tag.EmployeeGroup.Role=Admin

C.

Allow group any-group to manage all-resources in compartment Test where request.principal.group.tag.EmployeeGroup.Role=Admin

D.

Allow all-group to manage all-resources in compartment Test where request.principal.group.tag.EmployeeGroup.Role=Admin

Question 18

Which IAM policy should be created to give XYZ the ability to list the contents of resources, excluding those in the prod compartment? The principle of least privilege should be used.

Options:

A.

Allow group XYZ to manage all resources in compartment != prod

B.

Allow group XYZ to use all resources in compartment != prod

C.

Allow group XYZ to inspect all resources in tenancy where target.compartment.name != prod

D.

Allow group XYZ to read all resources in tenancy where target.compartment.name != prod

Question 19

A number of malicious requests for a web application are coming from a set of IP addresses originating from Antarctica.

Which of the following will help to reduce these types of unauthorized requests?

Options:

A.

Delete NAT Gateway from Virtual Cloud Network

B.

Use WAF policy using Access Control Rules

C.

List the specific set of IP addresses in deny rules in Virtual Cloud Network Security Lists

D.

Change your home region in which your resources are currently deployed

Question 20

What must be configured for a load balancer to accept incoming traffic?

Options:

A.

Service Gateway

B.

SSL certificate

C.

Listener

D.

Route table entry pointing to the listener IP address

Question 21

In Oracle Cloud Infrastructure (OCI) Secret management within OCI Vault, you have created a secret and rotated the secret one time. The current version state shows:

Version Number | Status
2 (latest) | Current
1 | Previous

In order to roll back to version 1, what should the Administrator do? (Choose the best Answer.)

Options:

A.

From the version 2 (latest) menu, select "Rollback" and choose version 1 when given the option

B.

Create a new secret version 3 and set to Pending. Copy the contents of version 1 into version

C.

Deprecate version 2 (latest). Create new Secret Version 3. Create soft link from version 3 to version 1.

D.

From the version 1 menu, select "Promote to Current"

Question 22

You create a new compartment, "apps," to host some production apps, and you create an apps_group and add users to it.

What would you do to ensure the users have access to the apps compartment?

Options:

A.

Add an IAM policy for the individual users to access the apps compartment.

B.

Add an IAM policy for apps_group granting access to the apps compartment.

C.

Add an IAM policy to attach tenancy to the apps group.

D.

No action is required.

Question 23

As a Security Admin you want to inspect the metadata and actual data in your Oracle databases to discover sensitive data and provide comprehensive results listing the sensitive columns and related information. Which Data Safe feature will help you to achieve the above requirement?

Options:

A.

Data Masking

B.

Data Discovery

C.

Security Assessment

D.

User Assessment

Question 24

What are the two items required to create a rule for the Oracle Cloud Infrastructure (OCI) Events Service? (Choose two.)

Options:

A.

Management Agent Cloud Service

B.

Service Connector

C.

Rule Conditions

D.

Install key

E.

Actions

Question 25

Which statement is true about Oracle Cloud Infrastructure (OCI) Object Storage server-side encryption?

Options:

A.

All the traffic to and from object storage is encrypted by using Transport Layer Security.

B.

Encryption is not enabled by default.

C.

Customer-provided encryption keys are never stored in OCI Vault service.

D.

Each object in a bucket is always encrypted with the same data encryption key.

Question 26

Challenge 1 - Task 4 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:

  • Create a Linux Instance with the name [Provide Name Here] within the compartment.

Provide your own public key to SSH into the instance.

Options:

Question 27

Challenge 1 - Task 5 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Options:

Question 28

Challenge 2

Least-Privileged Model Enforcement Leveraging Custom Security Zones

Scenario

In deploying a new application, a cloud customer needs to reflect different security postures. If a security zone is enabled with the Maximum Security Zone recipe, the customer will be unable to create or update a resource in the Security Zone if the action violates the attached Maximum Security Zone policy.

As an application requirement, the customer requires a compute instance in the public subnet. You, therefore, need to configure Custom Security Zones that allow the creation of compute instances in the public subnet.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Create a Custom Security Zone recipe to allow compute instances in the public subnet.

• Create a Security Zone using the Custom Security Zone recipe.

• Configure a Virtual Cloud Network (VCN) and Public Subnet.

• Provision a Compute Instance in the public subnet.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

  • Create a Custom Recipe with the name
  • Create a Security Zone with the name
  • Create a VCN with the name IAD-SP-PBT-VCN-01
  • Create a Public Subnet with the name IAD-SP-PBT-PUBSNET-01
  • Create a Compute Instance with the name IAD-SP-PBT-1-VM-01, using the "Oracle Linux 8" image and "VM.Standard2.1" as shape

Options:

Question 29

Challenge 4 - Task 3 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

  • Go to the VCN IAD-WAF-PBT-VCN-01.
  • Create a Security List with the name IAD-SP-PBT-LB-SL-01.
  • Create a Public subnet named LB-Subnet-IAD-SP-PBT-SNET-02 and attach the above-created security list.
  • Create a Load Balancer with the name IAD-SP-PBT-LB-01.
  • Create a Listener Name with the name IAD_SP_PBT_LB_LISN_01.
  • Add appropriate Ingress and Egress rules to IAD-SP-PBT-LB-SL-01, to allow http traffic to the Load Balancer subnet.

Options:

Question 30

Challenge 4 - Task 4 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

Create a WAF policy with the name IAD-SP-PBT-WAF-01_99233424-lab.user01

Eg: IAD-SP-PBT-WAF-01_99232403-lab.user02

Options:

Question 31

Challenge 1 - Task 1 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario:

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:

  • Create Master Encryption Key with the name my_pbt_msk with 256 bits shape.
  • Create a Secret with the name my-pbt-secret_99234021-lab.user01 and secret content.

For example: If your user name is 99346163-lab.user02, then the secret should be named as my-pbt-secret_99346163-lab.user02.

Options:

Question 32

Challenge 1 - Task 3 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
  • An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
  • A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task in the OCI environment provisioned:

Create a new VCN with the name PBT_SECRET_VCN01 and public subnet within your assigned compartment.

Options:

Question 33

Challenge 4 - Task 1 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

Create a VCN using wizard with the name IAD-WAF-PBT-VCN-01

Options:

Question 34

Challenge 3 - Task 2 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet

Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

Create a Compute Instance with the name PBT-BAS-VM-01, using the "Oracle Linux 8" image and shape "VM.Standard2.1", without SSH key and enable Bastion plugin.

Options:

Question 35

Challenge 3 - Task 3 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet

Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

1. Create a Bastion with the name SPPBTBASTION99233424-lab.user01

[Eliminate Special Characters] Eg: SPPBTBASTION992831403labuser13

2. Create a Session with the name PBT-1-Session-01, for the compute instance in the private subnet, with default username "opc"

Options:

Question 36

Challenge 3 - Task 1 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet

Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

  • Create a Virtual Cloud Network (VCN) with the name PBT-BAS-VCN-01
  • Create a Private Subnet with the name PBT-BAS-SNET-01
  • Create a Service Gateway with the name PBT-BAS-SG-01, using the service "All IAD Services in Oracle Services Network"
  • Add Route Rules for Service Gateway

Options:

Question 37

Challenge 4 - Task 2 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

  • Create a Compute Instance with the name IAD-SP-PBT-VM-01, using the Oracle Linux 8 image and VM.Standard2.1 shape.
  • SSH to the compute instance using Cloud Shell.
  • Install and configure Apache web server:

a. Install Apache server:

    sudo yum -y install httpd

b. Enable Apache and start Apache server:

    sudo systemctl enable httpd
    sudo systemctl restart httpd

c. Create a firewall rule to enable HTTP connection through port 80 and reload the firewall:

    sudo firewall-cmd --permanent --add-port=80/tcp
    sudo firewall-cmd --reload

d. Create an index file for your web server:

    sudo bash -c 'echo You are visiting Web Server 1 >> /var/www/html/index.html'

Options:

Question 38

Challenge 1 - Task 2 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a good security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured:

To complete this requirement, you are provided with:

  • An OCI Vault to store the secret required by the program, created in the root compartment as PBT_Vault_SP.
  • Instance principal support in IAM, which lets compute instances act as authorized principals that can retrieve the secret from the OCI Vault without an API key stored on disk.
  • A dynamic group named PBT_Dynamic_Group_SP that includes all of the instances in your compartment; the policy you write grants this group its access to the OCI Vault.
  • Access to Cloud Shell.
  • Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task:

In the field below, write the IAM policy that allows a program running on a compute instance (instance principal) to retrieve a secret from the OCI Vault.
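The policy together with the program it authorizes, as an added example; it is not the exam's answer key and not Oracle's code. The secret OCID is a placeholder, and the statement is scoped to the tenancy on the assumption that the secret lives in the root compartment next to PBT_Vault_SP; if the secret is in the assigned compartment, scope the statement to that compartment instead. FakeSecretsClient is a constructed stand-in for the SDK response so the decoding path can be exercised off an instance:

```python
"""Retrieve a secret from OCI Vault on a compute instance via an instance principal.

Added example, not exam or Oracle code. Assumptions: SECRET_ID is a placeholder,
and the secret is in the root compartment with PBT_Vault_SP (hence 'in tenancy').
"""
import base64

# 'read' on secret-family covers GetSecret and GetSecretBundle, which is all the
# program needs; it grants nothing that would let the instance create, rotate
# or delete secrets (least privilege). Narrow 'in tenancy' to the compartment
# that actually holds the secret where possible.
IAM_POLICY = "Allow dynamic-group PBT_Dynamic_Group_SP to read secret-family in tenancy"

SECRET_ID = "ocid1.vaultsecret.oc1.iad.<secret-ocid>"  # placeholder (assumption)


def decode_secret_bundle(bundle):
    """Return the plaintext from a SecretBundle-shaped object.

    The API hands back the secret base64 encoded; forgetting to decode it is
    the usual mistake when wiring this up.
    """
    content = bundle.secret_bundle_content
    if getattr(content, "content_type", "BASE64") != "BASE64":
        raise ValueError(f"unexpected content type {content.content_type!r}")
    return base64.b64decode(content.content).decode("utf-8")


def retrieve_secret(client, secret_id, stage="CURRENT"):
    """Fetch the CURRENT version of the secret via any SecretsClient-like object."""
    response = client.get_secret_bundle(secret_id, stage=stage)
    return decode_secret_bundle(response.data)


def instance_principal_client():
    """Build a SecretsClient authenticated as the instance itself.

    Needs the oci SDK and only works on an OCI instance (the signer talks to
    the instance metadata service); imported lazily so the rest runs offline.
    """
    import oci
    signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
    # config stays empty on purpose: the signer supplies region and credentials
    return oci.secrets.SecretsClient(config={}, signer=signer)


# --- constructed stand-in for the SDK response (not real vault data) ---
class _FakeContent:
    content_type = "BASE64"
    content = base64.b64encode(b"s3cr3t-p4ssw0rd").decode("ascii")


class _FakeBundle:
    secret_id = SECRET_ID
    version_number = 1
    secret_bundle_content = _FakeContent()


class _FakeResponse:
    data = _FakeBundle()


class FakeSecretsClient:
    """Mimics oci.secrets.SecretsClient.get_secret_bundle for offline use."""

    def get_secret_bundle(self, secret_id, stage="CURRENT", **kwargs):
        assert secret_id == SECRET_ID and stage == "CURRENT"
        return _FakeResponse()


if __name__ == "__main__":
    try:
        client = instance_principal_client()
    except Exception:  # no SDK or not on an OCI instance: use the stand-in
        client = FakeSecretsClient()
    password = retrieve_secret(client, SECRET_ID)
    print("retrieved a secret of", len(password), "characters")
```

Nothing in the program carries a credential: the instance's identity comes from the metadata service, and the dynamic group membership plus the single read statement decide what it may fetch. If the policy is missing or scoped to the wrong compartment, the call fails with a 404 NotAuthorizedOrNotFound rather than a clear permission error, so check the policy scope first when debugging.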

Options:

Question 39

Challenge 4 - Task 6 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html? )

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

Send a request to the web server through the load balancer that the WAF policy protects, with an XSS script appended to the URL. The protection rule evaluates the request and should respond with the configured 503 (Service Unavailable) instead of the page.

Options:

Question 40

Challenge 4 - Task 5 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html? )

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

  • Configure a Virtual Cloud Network (VCN)
  • Create a Compute Instance and install the Web Server
  • Create a Load Balancer and update Security List
  • Create a WAF policy
  • Configure Protection Rules against XSS attacks
  • Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

1. Create a Protection Rule named WAF-PBT-XSS-Protection that detects XSS attacks against the web server.

2. Create a new Rule Action named WAF-PBT-XSS-Action that returns HTTP response code 503 (Service Unavailable), and use it as the action of the protection rule.
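What the protection rule and its 503 action do to a request, and what the verification step in Task 6 should observe, as an added illustration rather than OCI WAF's engine or rule set: the signatures, the bounded decoding and the function names are this example's own choices, and the request list is constructed, not captured traffic.

```python
"""Toy model of a WAF XSS protection rule that answers 503 on a match.

Added example, not OCI WAF's implementation. XSS_PATTERNS is a deliberately
small signature list; SAMPLE_REQUESTS is constructed test input.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

BLOCK_STATUS = 503  # the response the rule action WAF-PBT-XSS-Action returns
MAX_DECODE_ROUNDS = 3  # stop unwinding %2525... evasions after a few passes

XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script\b",                    # <script>, < SCRIPT >
    r"javascript\s*:",                  # javascript: URLs in href/src
    r"<[^>]*\son[a-z]+\s*=",            # event handlers inside a tag: onerror=
    r"<\s*(iframe|svg|object|embed)\b", # other script-bearing elements
    r"expression\s*\(",                 # legacy IE CSS expression()
)]


def normalize(value):
    """URL-decode repeatedly (bounded) so %3Cscript%3E and %253Cscript%253E
    both become <script>; evasions rely on the app decoding more than the WAF."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_xss(value):
    """Return the first matching signature, or None."""
    text = normalize(value)
    for pat in XSS_PATTERNS:
        if pat.search(text):
            return pat.pattern
    return None


def inspect_request(method, target, body=""):
    """Evaluate one request the way the protection rule would: raw path, raw
    query, decoded parameter names and values, and the body are all checked.
    Returns (status, detail); 200 means the request passes to the web server."""
    parts = urlsplit(target)
    candidates = [parts.path, parts.query, body]
    for name, val in parse_qsl(parts.query, keep_blank_values=True):
        candidates += [name, val]
    for item in candidates:
        hit = find_xss(item)
        if hit:
            return BLOCK_STATUS, f"XSS signature {hit!r} in {method} {target}"
    return 200, "ok"


# Constructed requests: benign ones first, then payloads in several encodings.
SAMPLE_REQUESTS = [
    ("GET", "/index.html", ""),
    ("GET", "/index.html?name=alice", ""),
    ("GET", "/index.html?q=1<2+and+3>2", ""),
    ("GET", "/index.html?name=<script>alert(1)</script>", ""),
    ("GET", "/index.html?name=%3Cscript%3Ealert(1)%3C/script%3E", ""),
    ("GET", "/index.html?name=%253Cscript%253Ealert(1)%253C%2Fscript%253E", ""),
    ("GET", "/index.html?img=<IMG SRC=x onerror=alert(1)>", ""),
    ("POST", "/index.html", 'comment=<a href="javascript:alert(1)">x</a>'),
]


def evaluate_all(requests=SAMPLE_REQUESTS):
    """Status the rule would return for each request, in order."""
    return [inspect_request(m, t, b)[0] for m, t, b in requests]


if __name__ == "__main__":
    for (method, target, body), status in zip(SAMPLE_REQUESTS, evaluate_all()):
        print(status, method, target, body)
```

Two points carry over to the real environment. The rule only sees traffic that passes through the load balancer the WAF policy is attached to, so the Task 6 check must target the load balancer's address, not the instance: a request straight to the backend will return the page with a 200 whatever the rule says. And the event-handler signature is kept inside a tag on purpose; a bare `on[a-z]+=` pattern would also flag an ordinary parameter such as `once=1`, which is the kind of false positive that has to be tuned out before a 503 action is switched from detect to block.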

Options:

Question 41

Challenge 3 - Task 4 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet

Scenario

A compute instance is provisioned in a private subnet that is not reachable from the Internet. To reach it, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which removes both the operational overhead and the additional attack surface of a permanently exposed host for remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

Connect to a compute instance using a Managed SSH Bastion session from your local machine terminal or Cloud Shell.

Options:
