Exam 1z0-1067-20: IT Certification Guaranteed, The Easy Way!


IT Certification Guaranteed, The Easy Way!

Exam : 1z0-1067-20

Title : Oracle Cloud Infrastructure 2020 Cloud Operations Associate

Vendor : Oracle

Version : V13.25


NO.1 A subscriber of an Oracle Cloud Infrastructure (OCI) Notifications service topic complained
about not receiving messages from the service. Which of the following options can help you debug
this issue?
A. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint,
the service tries to redeliver messages for up to two hours. Configure an alarm on the
NumberofNotificationFailed metric through the OCI Monitoring service to help debug the issue.
B. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint,
the service drops the message. Confirm that the subscriber is always online to receive messages to
help debug the issue.
C. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint,
the service tries to redeliver messages for up to one day. Make sure that the subscriber is online at
least once a day to help debug the issue.
D. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint,
check the NumberofNotificationFailed metric through the OCI Monitoring service for failed messages.
Copy these messages to an OCI Object Storage bucket. Make sure the subscriber has the required
credentials to access this bucket to help debug the issue.
Answer: A
Explanation
The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components
through a publish-subscribe pattern, delivering secure, highly reliable, low latency and durable
messages for applications hosted on Oracle Cloud Infrastructure and externally. Use Notifications to
get notified when event rules are triggered or alarms are breached, or to directly publish a message.
If Notifications doesn't receive an acknowledgement from a subscription endpoint, the service tries
to redeliver messages for up to two hours. This situation can occur when the endpoint is offline.
You can configure an alarm on the NumberOfNotificationFailed metric through the Monitoring
service.

NO.2 One of the compute instances that you have deployed is malfunctioning. You have created a
console connection to remotely troubleshoot.
Which two statements about console connections are true?
A. If you do not disconnect from the session, your serial console connection will automatically be
terminated after 24 hours.
B. For security purposes, the console connection will not let you edit system configuration files.
C. It is not possible to connect to the serial console of an instance running Microsoft Windows,
however VNC console connection can be used.
D. VNC console connection uses SSH port forwarding to create a secure connection from your local
system to the VNC server attached to your instance's console.
E. It is not possible to use VNC console connections to connect to Bare Metal Instances.
Answer: A D
Explanation
The Oracle Cloud Infrastructure Compute service provides console connections that enable you to
remotely troubleshoot malfunctioning instances, such as:
- An imported or customized image that does not complete a successful boot.
- A previously working instance that stops responding.

There are two types of instance console connections:
- Serial console connections
- VNC console connections
After you have created the console connection for the instance, you can then connect to the serial
console by using a Secure Shell (SSH) connection. When you are finished with the serial console and
have terminated the SSH connection, you should delete the serial console connection. If you do not
disconnect from the session, Oracle Cloud Infrastructure terminates the serial console session after
24 hours and you must reauthenticate to connect again.
The VNC console connection uses SSH port forwarding to create a secure connection from your local
system to the VNC server attached to your instance's console.
Windows does not include an SSH client by default, so you need to install one. You can use PuTTY, or
there are options that include a version of OpenSSH.
VNC console connections only work for bare metal instances launched on February 21, 2019, or later.
After you are connected with an instance console connection, you can perform various tasks, such as:
- Edit system configuration files.
- Add or reset the SSH keys for the opc user.

NO.3 Several development teams in your company have each been provided with a budget and a
dedicated compartment to be used for testing purposes. You are asked to help them control the costs
and avoid any overspending.
What should you do?
A. Associate a Budget Tag to each resource with monthly budget amount and use that information to
prepare a weekly report to send to each team.
B. Contact Oracle support and ask them to associate the monthly budget with the Service Limits in
every region for which your tenancy is subscribed. The tenancy administrator will receive an alert
email from Oracle when the limit is reached.
C. Associate a Budget Tag to each compartment with the monthly budget amount and set an alert
rule to notify the developers' teams when they reach a specific percentage of the budget.
D. Configure a Quota for each compartment to prevent provisioning of any bare metal instances.
Answer: C
Explanation
Budgets are set on cost-tracking tags or on compartments (including the root compartment) to track
all spending in that cost-tracking tag or for that compartment and its children.
The following concepts are essential to working with budgets:
BUDGET
A monthly threshold you define for your Oracle Cloud Infrastructure spending. Budgets are set on
cost-tracking tags or compartments and track all spending in the cost-tracking tag or compartment
and any child compartments. Note: the budget tracks spending in the specified target compartment,
but you need to have permissions to manage budgets in the root compartment of the tenancy to
create and use budgets.
ALERT
You can define email alerts that get sent out for your budget. You can send a customized email
message body with these alerts. Alerts are evaluated every 15 minutes, and can be triggered when
your actual or your forecasted spending hits either a percentage of your budget or a specified set
amount.
Using Cost-Tracking Tags

You can use cost-tracking tags to help manage costs in your tenancy. Use cost-tracking tags to do any
of the following:
- Filter projected costs
- Set budgets
You can only use cost-tracking tags with defined tags. You cannot specify free-form tags as
cost-tracking tags.
You can set email alerts on your budgets. You can set alerts that are based on a percentage of your
budget or an absolute amount, and on your actual spending or your forecast spending.

NO.4 Your company recently adopted a hybrid cloud architecture which requires them to migrate
some of their on-premises web applications to Oracle Cloud Infrastructure (OCI). You created a
Terraform template which automatically provisions OCI resources such as compute instances, load
balancer, and a database instance.
After running the stack using the terraform apply command, it successfully launched the compute
instances and the load balancer, but it failed to create a new database instance with the following
error:
Service error:NotAuthorizedOrNotFound. shape VM.Standard2.4 not found, http status code: 404
You discovered that the resource quotas assigned to your compartment prevent you from using
VM.Standard2.4 instance shapes available in your tenancy. You edit the Terraform script and replace
the shape with VM.Standard2.2.
Which option would you recommend to re-run the terraform command to have required OCI
resources provisioned with the least effort?
A. terraform plan -target=oci_database_db_system.db_system
B. terraform apply -target=ocl_database_db_system.db_system
C. terraform apply -auto-approve
D. terraform refresh -target=oci_database_db_system.db_system
Answer: C

NO.5 You launched a Linux compute instance to host the new version of your company website via
Apache HTTPS server on HTTPS (port 443).
The instance is created in a public subnet along with other instances. The default security list
associated to the subnet is:

You want to allow access to the company website from public Internet without exposing websites
eventually hosted on the other instances in the public subnet.
Which actions should you take to accomplish the task?
A. Create a new security list with a stateful rule to allow ingress access on port 443 and associate it to
the public subnet.
B. In default security list, add a stateful rule to allow ingress access on port 443.
C. Create a network security group, add a stateful rule to allow ingress access on port 443 and
associate it to the public subnet that hosts the company website.
D. Create a network security group, add a stateful rule to allow ingress access on port 443 and
associate it to the instance that hosts the company website.
Answer: D
Explanation
The NSG is created and then displayed on the Network Security Group page in the compartment you
chose.
You can specify this NSG when creating or managing instances or other types of parent resources.

NO.6 Which two statements accurately describe Ansible Modules for Oracle Cloud Infrastructure
(OCI)?
A. OCI Ansible Modules represent discrete provisioning tasks or operations that you cannot invoke
individually from the command line, or else run individually or in sequence from a playbook.
B. OCI Ansible Modules are units of organization that allow you to abstract configuration,
orchestration, and provisioning tasks into roles that you can save and share among playbooks and
other users.
C. OCI Ansible Modules represent discrete provisioning tasks or operations that you can invoke
individually from the command line, or else run individually or in sequence from a playbook.
D. OCI Ansible Modules enable orchestrating, provisioning, and configuration management tasks on
Oracle Cloud Infrastructure.
E. OCI Ansible Modules are not able to provide you state control of resources.
Answer: A D
Explanation
Oracle supports the use of Ansible for cloud infrastructure provisioning, orchestration, and
configuration management. Ansible allows you to automate configuring and provisioning your cloud
infrastructure, deploying and updating software assets, and orchestrating your complex operational
processes.
What enables orchestrating, provisioning, and configuration management tasks are the Ansible
modules for Oracle Cloud Infrastructure. Ansible provides a library of these Ansible modules "out of
the box" for managing common tasks, and libraries of custom modules from cloud providers like AWS
and Azure. Oracle also provides a library of Ansible cloud modules that support provisioning and
managing Oracle Cloud Infrastructure services.
Ansible modules represent discrete provisioning tasks or operations that you can invoke individually
from the command line, or else run individually or in sequence from a playbook.
Ansible roles are units of organization that allow you to abstract configuration, orchestration, and
provisioning tasks into roles that you can save and share among playbooks and other users, and that
are useful for organizing functionality in playbooks.
https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/ansible.htm

NO.7 Your company has restructured its HR departments. As part of this change, you also need to
reorganize compartments within Oracle Cloud Infrastructure (OCI) to align them to the company's new
organizational structure. The following change is required:
Compartment Team_x needs to be moved under a new parent compartment, Project_B

The tenancy has the following policies defined for compartments Project_A and Project_B:
Policy1: Allow group G1 to manage instance-family in compartment HR:Project_A
Policy2: Allow group G2 to manage instance-family in compartment HR:Project_B
Which two statements describe the impacts after the compartment Team_x is moved?
A. Group G2 can now manage instance-families in compartment Project_B, compartment Project_A
and compartment Team_x
B. Group G1 can now manage instance-families in compartment Project_A but not in compartment
Team_x
C. Group G1 can now manage instance-families in compartment Project_A, compartment Project_B
and compartment Team_x
D. Group G2 can now manage instance-families in compartment Project_B and compartment
Team_x
E. Group G2 can now manage instance-families in compartment Project_A but not in compartment
Team_x
Answer: B D
Explanation
Understanding the Policy Implications When You Move a Compartment
After you move a compartment to a new parent compartment, the access policies of the new parent
take effect and the policies of the previous parent no longer apply. Before you move a compartment,
ensure that:
- You are aware of the policies that govern access to the compartment in its current position.
- You are aware of the policies in the new parent compartment that will take effect when you move
the compartment.
Groups with Permissions in the Current Compartment Lose Access; Groups with Permissions in the
Destination Compartment Gain Access

NO.8 You have deployed a three-tier web application inside an Oracle Cloud Infrastructure (OCI) VCN
with a CIDR block of 10.0.0.0/28. You initially deploy three web servers (VM.Standard2.2), two
application servers (VM.Standard2.4), and two servers (VM.Standard2.8) running Oracle database.
The web, application and database servers are deployed across two availability domains in the
us-ashburn-1 region.
You also deployed a Public Load Balancer in front of the two web servers. The web traffic gradually
increases in the first few days following the deployment, so you attempt to double the number of
instances in each tier of the application to handle the new load. Unfortunately, some of these new
instances fail to launch.
Your tenancy comes with the following set of predefined services limits for the availability domain
and compartment where the application is deployed.

What is a possible reason for this deployment to fail?


A. You do not have enough private IP addresses left to launch all of the new compute instances.
B. You do not have sufficient public IP addresses required by the web, application and database
servers.
C. You do not have sufficient quotas for number of VM.Standard2.2, VM.Standard2.4 and
VM.Standard2.8 shapes in the Production compartment in the us-ashburn-1 region.
D. You do not have sufficient quotas for number of VM.Standard2.2, VM.Standard2.4 and
VM.Standard2.8 shapes in each availability domain in the us-ashburn-1 region.
Answer: A
Explanation
Each subnet in a VCN consists of a contiguous range of IPv4 addresses that do not overlap with other
subnets in the VCN.
In our case the VCN uses 10.0.0.0/28, and by default the first two IPv4 addresses and the last one in
the subnet's CIDR are reserved by the Networking service, so 13 free IPs can be used in this VCN.
We already have 3 web + 2 app + 2 DB servers (7 IPs used for instances), in addition to 2 private IPs
for the load balancer.
That leaves only 4 IPs available in the subnet, which does not allow us to double the VMs.

NO.9 Which command sample can be used to copy an object from Oracle Cloud Infrastructure (OCI)
Object Storage bucket in source region to a bucket in a destination region?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Explanation
You can copy objects to other buckets in the same region and to buckets in other regions:
oci os object copy --namespace-name <object_storage_namespace> \
  --bucket-name <source_bucket_name> \
  --source-object-name <source_object> \
  --destination-namespace <destination_namespace_string> \
  --destination-region <destination_region> \
  --destination-bucket <destination_bucket_name> \
  --destination-object-name <destination_object_name>
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/copyingobjects.htm
https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/2.9.9/oci_cli_docs/cmdref/os/object/copy.html

NO.10 In order to manage alarms in Oracle Cloud Infrastructure (OCI), which three actions can be
performed through the OCI Console?
A. View alarm history for last 3 months.
B. Manually fire an alarm.
C. Update the MQL expression of an alarm.
D. View all the firing alarms.
E. Move an alarm to a different compartment.
F. Add multiple suppressions for an alarm.
Answer: A D E
Explanation
The Oracle Cloud Infrastructure Monitoring service enables you to actively and passively monitor
your cloud resources using the Metrics and Alarms features.
Using the OCI Console, you can manage alarms as follows:
- To view alarm history
Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Alarm
Definitions.
On the Alarm Definitions page, click the alarm that you want to view history for.
The alarm detail page displays a chart showing data for the indicated time range and a list of
timestamped transitions, such as Firing to OK.
Alarm history is retained for 90 days.
- To see all firing alarms
Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Alarm Status.
- To move an alarm to a different compartment
Open the navigation menu. Under Solutions and Platform, go to Monitoring and click Alarm
Definitions.
In the List Scope section, select a compartment.
Click the alarm that you want to move.

On the alarm detail page, click Move Resource.
Choose the destination compartment from the list.
Click Move Resource.
Other actions that can be performed through the OCI Console:
To create an alarm
To disable or enable an alarm
To update an alarm
To update an alarm after moving a resource
To suppress alarms
To delete alarms

NO.11 Which two are true for achieving High Availability on Oracle Cloud Infrastructure? (Choose
two.)
A. Store your database across multiple regions so that half of the data resides in one region and the
other half resides in another region.
B. Distribute your application servers across all Availability Domains within a region.
C. Store your database files on Object Storage so that they are available in all Availability Domains in
all regions.
D. Configure your database to have Data Guard in another Availability Domain in Sync mode within a
region.
E. Attach your block volume from Availability Domain 1 to a compute instance in Availability Domain
2 (and vice versa) so that they are highly available.
Answer: B D
Explanation
To design a high availability architecture, three key elements should be considered: redundancy,
monitoring, and failover:
Redundancy means that multiple components can perform the same task. The problem of a single
point of failure is eliminated because redundant components can take over a task performed by a
component that has failed.
Monitoring means checking whether or not a component is working properly.
Failover is the process by which a secondary component becomes primary when the primary
component fails.
The best practices introduced here focus on these three key elements. Although high availability can
be achieved at many different levels, including the application level and the cloud infrastructure
level, here we will focus on the cloud infrastructure level.

NO.12 You have the following compartment structure within your company's Oracle Cloud
Infrastructure (OCI) tenancy:

You want to create a policy in the root compartment to allow SystemAdmins to manage VCNs only in
CompartmentC.
Which policy is correct?
A. Allow group SystemAdmins to manage virtual-network-family in compartment CompartmentC
B. Allow group SystemAdmins to manage virtual-network-family in compartment
CompartmentB:CompartmentC
C. Allow group SystemAdmins to manage virtual-network-family in compartment
CompartmentA:CompartmentB:CompartmentC
D. Allow group SystemAdmins to manage virtual-network-family in compartment Root
Answer: C
Explanation
A policy statement must specify the compartment for which access is being granted (or the tenancy).
Where you create the policy determines who can update the policy. If you attach the policy to the
compartment or its parent, you can simply specify the compartment name. If you attach the policy
further up the hierarchy, you must specify the path. The format of the path is each compartment
name (or OCID) in the path, separated by a colon:
<compartment_level_1>:<compartment_level_2>: . . . <compartment_level_n>
For example, assume you have a three-level compartment hierarchy, shown here:

You want to create a policy to allow NetworkAdmins to manage VCNs in CompartmentC. If you want
to attach this policy to CompartmentC or to its parent, CompartmentB, write this policy statement:
Allow group NetworkAdmins to manage virtual-network-family in compartment CompartmentC
However, if you want to attach this policy to CompartmentA (so that only administrators of
CompartmentA can modify it), write this policy statement that specifies the path:
Allow group NetworkAdmins to manage virtual-network-family in compartment
CompartmentB:CompartmentC
To attach this policy to the tenancy, write this policy statement that specifies the path from
CompartmentA to CompartmentC:
Allow group NetworkAdmins to manage virtual-network-family in compartment
CompartmentA:CompartmentB:CompartmentC

NO.13 You need to set up daily incremental backups of your database in Oracle Cloud Infrastructure
(OCI) Database Service. The backups need to be retained for at least 50 days.
Which of the following methods allows you to accomplish this in an efficient and cost-effective
manner?
A. Enable automatic backups and choose the preset retention period of 60 days.
B. Enable automatic backups and set the retention period to 50 days.
C. Set up a cron job with OCI Database Service CreateBackup API call to take periodic full-backups to
OCI Object Store. Delete backups older than 50 days.
D. Use Recovery Manager (RMAN) to take backups to an OCI Object Store bucket. Delete backups
older than 50 days.
Answer: A
Explanation
When you enable the Automatic Backup feature, the service creates daily incremental backups of the
database to Object Storage. The first backup created is a level 0 backup. Then, level 1 backups are
created every day until the next weekend. Every weekend, the cycle repeats, starting with a new level
0 backup.
Backup Retention
If you choose to enable automatic backups, you can choose one of the following preset retention
periods: 7 days, 15 days, 30 days, 45 days, or 60 days. The system automatically deletes your
incremental backups at the end of your chosen retention period.
https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Tasks/backingupOSrman.htm
Also, you can use Recovery Manager (RMAN) to manage backups of your Bare Metal or Virtual Machine DB
system database to your own Object Storage.
https://docs.cloud.oracle.com/en-us/iaas/Content/Database/Tasks/backingupOSrman.htm

NO.14 Which three statements are true about Object Storage data security and encryption in Oracle
Cloud Infrastructure (OCI)?
A. OCI Key Management is used by default to provide data security.
B. Client-side encryption is managed by the customer.
C. A VPN connection to OCI is required to ensure secure data transfer to an object storage bucket.
D. All traffic to and from Object Storage service is encrypted using TLS.
E. Server side encryption uses per-object keys which are managed by Oracle.
Answer: B D E
Explanation
All data in Object Storage is encrypted at rest by using AES-256. Encryption is on by default and
cannot be turned off. Each object is encrypted with its encryption key, and the object encryption keys
are encrypted with a master encryption key. In addition, customers can use client-side encryption to
encrypt objects with their encryption keys before storing them in Object Storage buckets. An
available option for customers is to use the Amazon S3 Compatibility API, along with client-side
object encryption support available in AWS SDK for Java.

Data in transit between customer clients (for example, SDKs and CLIs) and Object Storage public
endpoints is encrypted with TLS 1.2 by default. FastConnect public peering allows on-premises access
to Object Storage to go over a private network, rather than the public internet.
Oracle Cloud Infrastructure Key Management is a managed service that enables you, the customer, to
manage and control AES symmetric keys used to encrypt your data-at-rest. Keys are stored in a FIPS
140-2, Level 3-certified, Hardware Security Module (HSM) that is durable and highly available. The Key
Management service is integrated with many Oracle Cloud Infrastructure services, including Block
Volumes, File Storage, Oracle Container Engine for Kubernetes, and Object Storage.
Use the Key Management service if you need to store your Master Encryption Keys in an HSM to
meet governance and regulatory compliance requirements or when you want more control over the
cryptoperiod of the encryption keys used for your data.
When you store your data with Oracle Cloud Infrastructure Block Volumes, File Storage Service, and
Object Storage and don't use Key Management, your data is protected using encryption keys that are
securely stored and controlled by Oracle.

NO.15 You have set up a threshold alarm for CPU Utilization metric for a value greater than 80
percent. You get a notification email about this alarm.
Which of the following actions will help you respond to this notification?
A. Modify the alarm to route notifications to Oracle Cloud Infrastructure Streaming Service (OSS) for
later investigation.
B. Modify the alarm to route notifications to an Oracle Cloud Infrastructure Object Storage bucket for
later investigation.
C. Change at-risk threshold for the CPU utilization metric to a lower number.
D. Suppress the alarm notifications temporarily.
Answer: D
Explanation
A typical at-risk threshold for the CpuUtilization metric is any value greater than 80 percent. A
Compute instance breaching this threshold is at risk of becoming inoperable. Often the cause of this
behavior is one or more applications consuming a high percentage of the CPU.
In this example, you decide to notify the operations team immediately, setting the severity of the
alarm as "Critical" because repair is required to bring the instances back to optimal operational
levels. You configure alarm notifications to the responsible team by both PagerDuty and email,
requesting an investigation and appropriate fixes before the instances go into an inoperable state.
You set repeat notifications every minute.
When someone responds to the alarm notifications, you temporarily stop notifications using the best
practice of suppressing the alarm. Once metrics return to optimal values, you remove the
suppression.
Suppress Alarms During Investigations
Once a team member responds to an alarm, suppress notifications during the effort to investigate or
mitigate the issue. Temporarily stopping notifications helps to avoid distractions during the
investigation and mitigation. Remove the suppression when the issue has been resolved.
This topic describes best practices for working with alarms.
https://docs.cloud.oracle.com/en-us/iaas/Content/Monitoring/Concepts/alarmsbestpractices.htm

NO.16 You have set an alarm to be generated when the CPU usage of a specified instance is greater
than 10%. In the alarm behavior view below you note that the critical condition happened around
23:30. You were expecting a notification after 1 minute, however, the alarm firing state did not begin
until 23:23.

What should you change to fix it?


A. Change the alarm's metric interval to 1.
B. Change the alarm condition to be greater than 3%.
C. Change the alarm's trigger delay minutes value to 1.
D. Change the notification topic that you previously associated with the alarm.
Answer: C
Explanation
Trigger Delay Minutes: The number of minutes that the condition must be maintained before the
alarm is in firing state.

NO.17 An organization wants to extend their existing on-premises data centers to the Oracle Cloud
Infrastructure (OCI) us-phoenix-1 region. In order to achieve it, they have created an IPSec VPN
connection between their Customer-Premises Equipment (CPE) and Dynamic Routing Gateway (DRG)
on
How can you make this connection highly available (HA)?
A. Add another Dynamic Routing Gateway in a different Availability Domain and create another IPSec
VPN connection.
B. Add another Customer-Premises Equipment (CPE) and create second IPSec VPN connection with
the same Dynamic Routing Gateway (DRG).
C. Create a NAT Gateway and route all traffic through a NAT Gateway, which is highly available
component.
D. Add another Dynamic Routing Gateway in a different Availability Domain, and create another
IPSec VPN connection with another Customer Premises Equipment (CPE).
Answer: B
Explanation
IPSec VPN Best Practices
Configure all tunnels for every IPSec connection: Oracle deploys multiple IPSec headends for all your
connections to provide high availability for your mission-critical workloads. Configuring all the
available tunnels is a key part of the "Design for Failure" philosophy. (Exception: Cisco ASA
policy-based configuration, which uses a single tunnel.)
Have redundant CPEs in your on-premises locations: Each of your sites that connects with IPSec to
Oracle Cloud Infrastructure should have redundant CPE devices. You add each CPE to the Oracle Cloud
Infrastructure Console and create a separate IPSec connection between your dynamic routing gateway
(DRG) and each CPE. For each IPSec connection, Oracle provisions two tunnels on geographically
redundant IPSec headends. Oracle may use any tunnel that is "up" to send traffic back to your
on-premises network. For more information, see Routing for the Oracle IPSec VPN.
Consider backup aggregate routes: If you have multiple sites connected via IPSec VPNs to Oracle
Cloud Infrastructure, and those sites are connected to your on-premises backbone routers, consider
configuring your IPSec connection routes with both the local site aggregate route as well as a default
route.
Note that the DRG routes learned from the IPSec connections are only used by traffic you route from
your VCN to your DRG. The default route will only be used by traffic sent to your DRG whose
destination IP address does not match the more specific routes of any of your tunnels.
The following figure shows the basic layout of the IPSec VPN connection.

NO.18 You are working as a Cloud Operations Administrator for your company. They have different
Oracle Cloud Infrastructure (OCI) tenancies for development and production workloads. Each tenancy
has resources in two regions - uk-london-1 and eu-frankfurt-1. You are asked to manage all resources
and to automate all the tasks using OCI Command Line Interface (CLI).
Which is the most efficient method to manage multiple environments using OCI CLI?
A. Create environment variables for the sets of credentials that align to each combination of tenancy,
region, and environment.
B. Use OCI CLI profiles to create multiple sets of credentials in your config file, and reference the
appropriate profile at runtime.
C. Use different bash terminals for each environment.
D. Run OCI setup config to create new credentials for each environment every time you want to
access the environment.
Answer: B
Explanation
The Oracle Cloud Infrastructure CLI configuration file can contain several profiles. You can create
multiple profiles with different values and then specify which profile to load.
Example Configuration
[DEFAULT]
user=ocid1.user.oc1..<unique_ID>
fingerprint=<your_fingerprint>
key_file=~/.oci/oci_api_key.pem
tenancy=ocid1.tenancy.oc1..<unique_ID>
region=us-ashburn-1
[ADMIN_USER]
user=ocid1.user.oc1..<unique_ID>
fingerprint=<your_fingerprint>
key_file=keys/admin_key.pem
pass_phrase=<your_passphrase>
https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/sdkconfig.htm
The Oracle Cloud Infrastructure CLI supports the use of environment variables to specify default
values for some options and allows you to set environment variables to provide certain information,
but the CLI still requires a configuration file. See CLI Environment Variables for more information.

NO.19 You want an instance in your compartment to make API calls to other services within Oracle
Cloud Infrastructure without storing credentials in a configuration file.
What do you need to do?
A. Create appropriate matching rules in the Dynamic Group to create an Instance Principal
B. Instances cannot access services outside their compartment
C. No action is required. By default, all VM instances are created with an Instance Principal
D. VM instances are treated as users. Create a user and assign the user to that VM instance
Answer: A

NO.20 You have shared your Oracle Cloud Infrastructure (OCI) tenancy with a group of developers in
your organization by creating a compartment called developer. You are an administrator in the
tenancy with privileges to modify IAM policies. Developers need privileges to configure Federation to
a Single Sign-On (SSO).
How would you give them permissions to complete their task in the most secure manner?
A. Create a new policy with the following statements:
Allow any-user to manage identity-providers in tenancy a-developer
Allow any-user to manage groups in tenancy
B. Create a group called Developers. Set up the following IAM policy:
Allow group Developers to manage identity-providers in compartment a-developer
Allow group Developers to manage groups in compartment
C. Create a group called IdPAdmins. Assign the following IAM policy statement:
Allow group IdPAdmins to manage identity-providers in compartment
Allow group IdPAdmins to manage groups in compartment
D. Create a group called IdPAdmins. Assign the following IAM policy statement:
Allow group IdPAdmins to manage identity-providers in tenancy
Allow group IdPAdmins to manage groups in tenancy
Answer: D
Explanation
Here's a limited policy that restricts access to only the resources related to identity providers and
group mappings:
Allow group IdPAdmins to manage identity-providers in tenancy
Allow group IdPAdmins to manage groups in tenancy

NO.21 Which five are the required parameters to launch an instance in Oracle Cloud Infrastructure?
(Choose five.)
A. private IP address
B. Virtual Cloud Network
C. host name
D. instance shape
E. image operating system
F. subnet
G. Availability Domain
Answer: B D E F G
Explanation
https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Concepts/computeoverview.htm

NO.22 At the end of a terraform apply operation, what is the default output?
A. nothing by default
B. the entire state file
C. statistics about what was added, changed, and destroyed, and the values of outputs
D. statistics about what was added, changed, and destroyed
Answer: C
Explanation
https://learn.hashicorp.com/terraform/getting-started/outputs.html

NO.23 You have created several block volumes in the us-phoenix-1 region in a specific compartment.
The compartment can be identified by the following Oracle Cloud Infrastructure (OCI) unique
identifier, or OCID: ocid1.compartment.oc1.phx..exampleuniqueID. Your manager has asked you to leverage
the OCI monitoring service and write a metric query showing all read IOPS at a one-minute interval,
filtered to this compartment and aggregated for the maximum.
Which metric query will you create?
A. IopsWrite[1m]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.mean()
B. IopsRead[1m]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.max()
C. IopsRead[1m]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.grouping().max()
D. IopsRead[1m]{compartmentId = "ocid1.compartment.oc1.phx..exampleuniqueID"}.grouping().mean()
Answer: C
Explanation
For example, the following query returns the maximum (max()) IopsRead metric data at a one-minute
interval, filtered to a compartment, with all results aggregated.
IopsRead[1m]{compartmentID = "<compartment_OCID>"}.grouping().max()
https://docs.cloud.oracle.com/en-us/iaas/Content/Monitoring/Tasks/buildingqueries.htm

NO.24 Which two parameters are required in a back end set's HTTP health check? (Choose two.)
A. timeout
B. response body
C. port
D. status code
E. URL path
Answer: C E
Explanation
Enter the Health Check details.
Load Balancing automatically checks the health of the instances for your load balancer. If it detects
an unhealthy instance, it stops sending traffic to the instance and reroutes traffic to healthy
instances. In this step, you provide the information required to check the health of servers in the
backend set and ensure that they can receive data traffic.
Protocol: Select HTTP.
Port: Enter 80
URL Path (URI): Enter /
The rest of the fields are optional and can be left blank for this tutorial.
Click Create.
When the Backend Set is created, the Work Request shows a status of Succeeded. Close the Work
Request dialog box.

NO.25 You want an instance in your compartment to make API calls to other services within Oracle
Cloud Infrastructure without storing credentials in a configuration file.
What do you need to do?
A. Create appropriate matching rules in the Dynamic Group to create an Instance Principal
B. No action is required. By default, all VM instances are created with an Instance Principal
C. Instances cannot access services outside their compartment
D. VM instances are treated as users. Create a user and assign the user to that VM instance
Answer: A
Explanation
https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Tasks/managingdynamicgroups.htm

NO.26 Which three must be configured for a load balancer to accept incoming traffic? (Choose
three)
A. a back-end server
B. a back end set
C. a listener
D. a security list that is open on a listener port
E. a certificate
Answer: A B C
Explanation
The essential components for load balancing include:
* A load balancer with pre-provisioned bandwidth.
* A backend set with a health check policy. See Managing Backend Sets.
* Backend servers for your backend set. See Managing Backend Servers.
* One or more listeners. See Managing Load Balancer Listeners.
* Load balancer subnet security rules to allow the intended traffic. To learn more about these rules,
see Security Rules.
Optionally, you can associate your listeners with SSL server certificate bundles to manage how your
system handles SSL traffic. See Managing SSL Certificates.

NO.27 Which two statements are true about the Bulk Export of Oracle Cloud Infrastructure Audit
Log Events?
A. You can specify only one region in your bulk export request.
B. It will be available immediately after the Bulk Export request.
C. Exported logs remain available indefinitely.
D. Exported log files list a single audit event per line using csv format.
E. Exported logs are available in the object storage buckets in your tenancy.
Answer: C E
Explanation
You can request a bulk export of audit logs, and within 3-4 business days Oracle support will begin
making copies of the logs and adding them to buckets in your tenancy. The export includes logs for
the specified regions, beginning after you make the request and continuing into the future. Exported
logs remain available indefinitely.
Specify all the regions you want exported in your request. If you only request some regions, then
decide later you want to add other regions, you must make another request.
Files list a single audit event per line, but in JSON format.
https://docs.cloud.oracle.com/en-us/iaas/Content/Audit/Concepts/bulkexport.htm
https://docs.cloud.oracle.com/en-us/iaas/Content/Audit/Reference/logeventreference.htm

NO.28 You are configuring an alarm in Oracle Cloud Infrastructure (OCI) for a compute instance
named vision. The metric needs to be triggered when the ingress network rate is greater than 1MB.
Which statement will accomplish this?
A. NetworksBytesIn[1MB]{resourceDisplayName = "vision"}.rate() > 1
B. NetworksBytesIn[1m]{resourceDisplayName = "vision"}.rate() > 1024
C. {resourceDisplayName = "vision"}(NetworksBytesIn[1m]).rate() > 1024
D. {resourceDisplayName = "vision"}(NetworksBytesIn[1MB]).rate() > 1
Answer: B
Explanation
NetworkBytesIn is aggregated across all the instance's attached VNICs.
Example
The query components appear in the following order:
metric[interval]{dimensionname="dimensionvalue"}.groupingfunction.statistic
https://docs.cloud.oracle.com/en-us/iaas/Content/Monitoring/Reference/mql.htm

NO.29 As the operations administrator for your company's Oracle Cloud Infrastructure (OCI), you
have been entrusted the task of ensuring that data being accessed by the application is encrypted.
Your application portfolio includes both Virtual Machine (VM) and Bare Metal (BM) database
systems.
Which method should you use to achieve encryption of data in-transit?
A. Configure backup encryption for RMAN backup sets before transferring data
B. Native Oracle Net Services encryption and integrity capabilities
C. Key Store/Wallet service for on the fly encryption of data in transit
D. Data is encrypted at rest using TDE and no additional encryption is needed
Answer: B
Explanation
In Oracle Database Cloud Service databases, data security is provided for data in transit and data at
rest.
Security of data in transit is achieved through network encryption. Security of data at rest is achieved
through encryption of data stored in database data files and backups.
To secure connections to your Oracle Database Cloud Service databases, you can use native Oracle
Net Services encryption and integrity capabilities.
Encryption of network data provides data privacy so that unauthorized parties are not able to view
data as it passes over the network. In addition, integrity algorithms protect against data modification
and illegitimate replay.

NO.30 Your company recently adopted a hybrid cloud architecture which requires them to migrate
some of their on-premises web applications to Oracle Cloud Infrastructure (OCI). You created a
Terraform template which automatically provisions OCI resources such as compute instances, load
balancer, and a database instance.
After running the stack using the terraform apply command, it successfully launched the compute
instances and the load balancer, but it failed to create a new database instance with the following
error:
Service error:NotAuthorizedOrNotFound. shape VM.Standard2.4 not found, http status code: 404
You discovered that the resource quotas assigned to your compartment prevent you from using
VM.Standard2.4 instance shapes available in your tenancy. You edit the Terraform script and replace
the shape with VM.Standard2.2.
Which option would you recommend to re-run the terraform command to have required OCI
resources provisioned with the least effort?
A. terraform apply -target=oci_database_db_system.db_system
B. terraform refresh -target=oci_database_db_system.db_system
C. terraform apply -auto-approve
D. terraform plan -target=oci_database_db_system.db_system
Answer: C
Explanation
Command: refresh
The terraform refresh command is used to reconcile the state Terraform knows about (via its state
file) with the real-world infrastructure. This can be used to detect any drift from the last-known state,
and to update the state file.
This does not modify infrastructure, but does modify the state file. If the state is changed, this may
cause changes to occur during the next plan or apply.
Command: plan
The terraform plan command is used to create an execution plan. Terraform performs a refresh,
unless explicitly disabled, and then determines what actions are necessary to achieve the desired
state specified in the configuration files.
This command is a convenient way to check whether the execution plan for a set of changes matches
your expectations without making any changes to real resources or to the state.
Command: apply
The terraform apply command is used to apply the changes required to reach the desired state of the
configuration, or the pre-determined set of actions generated by a terraform plan execution plan.
Adding the -auto-approve option avoids having to type 'yes' at a confirmation prompt.
Note: Terraform will automatically refresh the state before running a command that would rely on it
(such as plan, apply, destroy).

NO.31 You have been asked to update the lifecycle policy for object storage using the Oracle Cloud
Infrastructure (OCI) Command Line Interface (CLI).
Which command can successfully update the policy?
A. oci os object-lifecycle-policy delete -ns <object_storage_namespace> -bn <bucket_name>
B. oci os object-lifecycle-policy put -ns <object_storage_namespace> -bn <bucket_name> --items
<json_formatted_lifecycle_policy>
C. oci os object-lifecycle-policy put -ns <object_storage_namespace> -bn <bucket_name> O
D. oci os object-lifecycle-policy get -ns <object_storage_namespace> -bn <bucket_name>
Answer: B
Explanation
To create or replace a lifecycle policy for a bucket
Open a command prompt and run oci os object-lifecycle-policy put to create or replace the object
lifecycle policy for a bucket. To edit individual rules, replace the bucket's existing policy with a new
version of the policy that includes the changes to your rules.
oci os object-lifecycle-policy put -ns <object_storage_namespace> -bn <bucket_name> --items <json_formatted_lifecycle_policy>
The --items option requires that you provide key-value pair input as valid formatted JSON.
https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/usinglifecyclepolicies.htm

NO.32 You are tasked with creating a group called volumeBackupAdmins to manage only block
volume backups.
Which of the following set of policy/policies would you need to write to meet this requirement?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: A
Explanation
Let volume backup admins manage only backups
Type of access: Ability to do all things with volume backups, but not create and manage volumes
themselves.
This makes sense if you want to have a single set of volume backup admins manage all the volume
backups in all the compartments. The first statement gives the required access to the volume that is
being backed up; the second statement enables creation of the backup (and the ability to delete
backups). The third statement enables the creation and management of user defined backup policies;
the fourth statement enables assignment and removal of assignment of backup policies.
Where to create the policy: In the tenancy, so that the access is easily granted to all compartments by
way of policy inheritance. To reduce the scope of access to just the volumes and backups in a
particular compartment, specify that compartment instead of the tenancy.
Allow group VolumeBackupAdmins to use volumes in tenancy
Allow group VolumeBackupAdmins to manage volume-backups in tenancy
If the group will be using the Console, the following policy gives a better user experience:
Allow group VolumeBackupAdmins to use volumes in tenancy
Allow group VolumeBackupAdmins to manage volume-backups in tenancy
Allow group VolumeBackupAdmins to inspect volume-attachments in tenancy
Allow group VolumeBackupAdmins to inspect instances in tenancy

NO.33 Which technique does NOT help you get the optimal performance out of the Oracle Cloud
Infrastructure (OCI) File Storage service?
A. Serialize operations to the file system to access consecutive blocks as much as possible.
B. Limit access to the same Availability Domain (AD) as the File Storage service where possible.
C. Right size compute instances from where file system is accessed based on their network capacity.
D. Store files across multiple directories in the file system.
E. Increase concurrency by using multiple threads, multiple clients, and multiple mount targets.
Answer: A
Explanation
Oracle Cloud Infrastructure File Storage is a fully managed file storage service that can be accessed
concurrently by thousands of compute instances.
To optimize the performance of File Storage, consider the following guidelines:
- While it is possible to access mount targets from any availability domain in a region, for optimal
performance, place File Storage resources in the same availability domain as the Compute instances
that access them.
- File Storage performance increases with parallelism. Increase concurrency by using multiple threads,
multiple clients, and multiple mount targets. In particular, scalability will be greatest when clients and
threads are accessing independent portions of the file system.
- Use tools to run file operations in parallel. The File Storage engineering team has developed parallel
tar and untar (puntar), parallel copy (parcp), and parallel remove (parrm) tools. These tools are
available in the fss-parallel-tools package in Oracle Linux.
- The available bandwidth to a file system can significantly impact its performance. In Oracle Cloud
Infrastructure, larger instances (more CPUs) are entitled to more network bandwidth. File Storage
performance is best with Oracle bare metal instances or large VM shapes.
- To minimize latency, clients, mount targets, and file systems should be in the same availability
domain.
- For best performance, don't set any mount options such as rsize or wsize when mounting the file
system. In the absence of these options, the system automatically negotiates optimal window sizes.
- Due to the limitations of Oracle Cloud Infrastructure's VNICs, each mount target is limited to about
600 MB/s of read or write traffic. If you have bandwidth-heavy workloads, consider spreading your
workload across multiple mount targets after your file system exceeds 10 TB.


NO.34 You are a system administrator at a retail company. You just received a ticket stating that the
account team is unable to access an internal application. The application is running behind an Oracle
Cloud Infrastructure (OCI) Public Load Balancer and is using a compute instance pool with autoscaling
enabled. You noticed some deleted items in the Audit Log while troubleshooting.
Which resource deletion could have caused this issue?
A. NAT Gateway and the Route Table associated with the Virtual Cloud Network (VCN)
B. Internet Gateway and the Route Table associated with the Virtual Cloud Network (VCN)
C. an Object Storage bucket containing transaction log backups
D. the Route Table rules associated with the subnet within the Virtual Cloud Network (VCN)
Answer: D
Explanation
To delete a route table
Prerequisite: To delete a route table, it must not be associated with a subnet yet. You can't delete the
default route table in a VCN.
To delete an internet gateway
Prerequisite: The internet gateway does not have to be disabled, but there must not be a route table
that lists it as a target.
Each VCN automatically comes with a default route table that has no rules. If you don't specify
otherwise, every subnet uses the VCN's default route table. When you add route rules to your VCN,
you can simply add them to the default table if that suits your needs. However, if you need both a
public subnet and a private subnet (for example, see Scenario C: Public and Private Subnets with a
VPN), you instead create a separate (custom) route table for each subnet.
Each subnet in a VCN uses a single route table. When you create the subnet, you specify which one to
use.
You can change which route table the subnet uses at any time. You can also edit a route table's rules,
or remove all the rules from the table.

NO.35 You are using the Oracle Cloud Infrastructure Command Line Interface to launch a Linux
virtual machine.
You enter the following command (with correct values for all parameters):

The command fails.


Which is NOT a valid parameter in this command?
A. --shape "<shape_name>"
B. -t <tenancy_id>
C. -c <compartment_id>
D. --image-id <image_id>
E. --subnet-id <subnet_id>
Answer: B
Explanation
There is no tenancy_id option in the oci compute instance launch command.
oci compute instance launch [OPTIONS]
--availability-domain [text]
The availability domain of the instance.
--compartment-id, -c [text]
The OCID of the compartment.
--shape [text]
The shape of an instance. The shape determines the number of CPUs, amount of memory, and other
resources allocated to the instance.
--display-name [text]
A user-friendly name. Does not have to be unique, and it's changeable. Avoid entering confidential
information.
--image-id [text]
The OCID of the image used to boot the instance. This is a shortcut for specifying an image source via
the --source-details complex JSON parameter. If this parameter is provided, you cannot provide the
--source-details or --source-boot-volume-id parameters.
--ssh-authorized-keys-file [filename]
A file containing one or more public SSH keys to be included in the ~/.ssh/authorized_keys file for the
default user on the instance.
--subnet-id [text]
The OCID of the subnet where the VNIC attached to this instance will be created.
and more options:
https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/2.10.1/oci_cli_docs/cmdref/compute/instance/launch.html

NO.36 You are a Cloud Operations administrator who has recently joined a new department. You
have created 10 Terraform stacks using Oracle Cloud Infrastructure (OCI) resource manager. Each
stack creates a different set of resources in OCI for your development team.
What determines the cost of these Terraform stacks?
A. The cost for each stack will be higher for pay as you go (PAYG) than for monthly flex billing.
B. The length of time it takes to build each resource using these Terraform stacks.
C. Resource manager stacks are free but you are charged for the resources they create.
D. The number of lines of text in your Terraform configuration files.
Answer: C
Explanation
There are no fees for installing and managing Resource Manager; you only pay for the infrastructure
you deploy and use for your applications.
https://www.oracle.com/cloud/systems-management/resource-manager/

NO.37 One of your development teams has asked for your help to standardize the creation of
several compute instances that must be provisioned each day of the week. You initially write several
Command Line Interface (CLI) commands with all appropriate configuration parameters to achieve
this task, later determining that this method lacks flexibility.
Which command generates a JSON-based template that Oracle Cloud Infrastructure (OCI) CLI can use
to provision these instances on a regular basis?
A. oci compute provision-instance --generate-full-command-json-input
B. oci compute instance create --generate-cli-skeleton
C. oci compute instance launch --generate-cli-skeleton
D. oci compute instance launch --generate-full-command-json-input
Answer: D
Explanation
Use --generate-full-command-json-input. To generate the JSON for launching an instance, run the
following command.
oci compute instance launch --generate-full-command-json-input
https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/cliusing.htm

NO.38 You have created a group for several auditors. You assign the following policies to the group:

What actions are the auditors allowed to perform within your tenancy?
A. Auditors are able to view all resources in the compartment.
B. Auditors are able to create new instances in the tenancy.
C. The Auditors can view resources in the tenancy.
D. The Auditors are able to delete resources in the tenancy.
Answer: A
Explanation
Let auditors inspect your resources
Type of access: Ability to list the resources in all compartments. Be aware that:
The operation to list IAM policies includes the contents of the policies themselves.
The list operations for Networking resource-types return all the information (for example, the
contents of security lists and route tables).
The operation to list instances requires the read verb instead of inspect, and the contents include
the user-provided metadata.
The operation to view Audit service events requires the read verb instead of inspect.
Where to create the policy: In the tenancy. Because of the concept of policy inheritance, auditors can
then inspect both the tenancy and all compartments beneath it. Or you could choose to give auditors
access to only specific compartments if they don't need access to the entire tenancy.
Allow group Auditors to inspect all-resources in tenancy
Allow group Auditors to read instances in tenancy
Allow group Auditors to read audit-events in tenancy

NO.39 Security testing Policy describes when and how you may conduct certain types of security
testing of Oracle Cloud Services, including vulnerability and penetration tests, as well as tests
involving data scraping tools.
What does Oracle allow as part of this testing?
A. Customers can simulate DoS attack scenarios as long as it is restricted to the customer's own
environment.
B. Customers are allowed to test Oracle Cloud Infrastructure (OCI) hardware related to resources in
their tenancy.
C. Customers are allowed to use their own testing and monitoring tools.
D. Customers can validate that their network resources are isolated from other customer resources.
Answer: C
Explanation
Penetration and Vulnerability Testing
Oracle regularly performs penetration and vulnerability testing and security assessments against the
Oracle cloud infrastructure, platforms, and applications. These tests are intended to validate and
improve the overall security of Oracle Cloud Services.
However, Oracle does not assess or test any components (including non-Oracle applications,
non-Oracle databases or other non-Oracle software, code or data, as may be applicable) that you manage
through or introduce into - including introduction through your development in or creation in - the
Oracle Cloud Services (the "Customer Components"). This policy does not address or provide any
right to conduct testing of any third party materials included in the Customer Components.
Except as otherwise permitted or restricted in your Oracle Cloud Services agreements, your service
administrator who has system level access to your Oracle Cloud Services may run penetration and
vulnerability tests for the Customer Components included in certain of your Oracle Cloud Services in
accordance with the following rules and restrictions.
Permitted Cloud Penetration and Vulnerability Testing
The following explains where penetration and vulnerability testing of Customer Components is
permitted:
IaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability
tests of your acquired single-tenant Oracle Infrastructure as a Service (IaaS) offerings. You must notify
Oracle prior to conducting any such penetration and vulnerability tests in accordance with the
process set forth below.
Pursuant to such penetration and vulnerability tests, you may assess the security of the Customer
Components; however, you may not assess any other aspects or components of these Oracle Cloud
Services including the facilities, hardware, software, and networks owned or managed by Oracle or
its agents and licensors.
PaaS: Using your own monitoring and testing tools, you may conduct penetration and vulnerability
tests of your acquired single-tenant PaaS offerings. You must notify Oracle prior to conducting any
such penetration and vulnerability tests in accordance with the process set forth below. Pursuant to
such penetration and vulnerability tests, you may assess the security of the Customer Components;
however, you may not assess any other aspects or components of these Oracle Cloud Services
including the facilities, hardware, networks, applications, and software owned or managed by Oracle
or its agents and licensors. To be clear, you may not assess any Oracle applications that are installed
on top of the PaaS service.
SaaS: Penetration and vulnerability testing is not permitted for Oracle Software as a Service (SaaS)
offerings.
Rules of Engagement
The following rules of engagement apply to cloud penetration and vulnerability testing:
Your testing must not target any other subscription or any other Oracle Cloud customer resources, or
any shared infrastructure components.
You must not conduct any tests that will exceed the bandwidth quota or any other subscribed
resource for your subscription.
You are strictly prohibited from utilizing any tools or services in a manner that perform Denial-of-
Service (DoS) attacks or simulations of such, or any "load testing" against any Oracle Cloud asset
including yours.
Any port scanning must be performed in a non-aggressive mode.
You are responsible for independently validating that the tools or services employed during
penetration and vulnerability testing do not perform DoS attacks, or simulations of such, prior to
assessment of your instances.
This responsibility includes ensuring any contracted third parties perform assessments in a manner
that does not violate this policy.
Social Engineering of Oracle employees and physical penetration and vulnerability testing of Oracle
facilities is prohibited.
You must not attempt to access another customer's environment or data, or to break out of any
container (for example, virtual machine).
Your testing will continue to be subject to terms and conditions of the agreement(s) under which you
purchased Oracle Cloud Services, and nothing in this policy shall be deemed to grant you additional
rights or privileges with respect to such Cloud Services.

NO.40 Your company will undergo a security audit in one week. Your manager has asked you to
download and review recent logs from an Object Storage bucket. The current log archive file is
approximately 19 GB in size.
Which command would you run to download the archive file as quickly as possible?
A)
oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 2000 --part-size 120
B)
oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 2000 --part-size 128
C)
oci os object put -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 20000 --part-size 128
D)
oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 20000 --part-size 128
A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Explanation
Large files can be downloaded from Object Storage in multiple parts to speed up the download.
You can configure the following options for the oci os object get command:
--multipart-download-threshold lets you specify the size, in MiB, at which an object should be
downloaded in multiple parts. This size must be at least 128 MiB.
--part-size, in MiB, to use for a download part. This gives you the flexibility to use more (smaller size)
or fewer (larger size) parts as appropriate for your requirements. For example, compute power and
network bandwidth. The default minimum part size is 120 MiB.
--parallel-download-count lets you specify how many parts are downloaded at the same time. A
higher value may improve times but consume more system resources and network bandwidth. The
default value is 10.
The following example shows the command to download any object with a size greater than 500 MiB.
The object is downloaded in 128 MiB parts:
oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 500 --part-size 128
--multipart-download-threshold [integer range]
Objects larger than this size (in MiB) will be downloaded in multiple parts. The minimum allowable
threshold is 128 MiB.
https://docs.cloud.oracle.com/en-us/iaas/tools/oci-cli/2.9.1/oci_cli_docs/cmdref/os/object/get.html

NO.41 You launched a Linux compute instance to host the new version of your company website via
Apache HTTPS server on HTTPS (port 443).
The instance is created in a public subnet along with other instances. The default security list
associated with the subnet is:

You want to allow access to the company website from the public Internet without exposing websites
eventually hosted on the other instances in the public subnet.
Which two actions should you do?
A. Access the Linux instance via SSH and configure iptables to allow HTTPS access on port 443.
B. Create a new security list with a stateful rule to allow ingress access on port 443 and associate it to
the public subnet.
C. In default security list, add a stateful rule to allow ingress access on port 443.
D. Create a network security group, add a stateful rule to allow ingress access on port 443 and
associate it to the public subnet that hosts the company website.
E. Create a network security group, add a stateful rule to allow ingress access on port 443 and
associate it to the instance that hosts the company website.
Answer: A D
Explanation
The NSG is created and then displayed on the Network Security Group page in the compartment you
chose.
You can specify this NSG when creating or managing instances or other types of parent resources.

NO.42 You set up a bastion host in your VCN to only allow your IP address (140.19.2.140) to
establish SSH connections to your Compute instances that are deployed in a private subnet. The
Compute instances have an attached Network Security Group with a Source Type: Network Security
Group (NSG), Source NSG: NSG-050504. To secure the bastion host, you added the following ingress
rules to its Network Security Group:

However, after checking the bastion host logs, you discovered that there are IP addresses other than
your own that can access your bastion host.
What is the root cause of this issue?
A. A netmask of /32 allows all IP addresses in the 140.19.2.0 network, other than your IP 110.19.2.140
B. The port 22 provides unrestricted access to 140.19.2.140 and to other IP addresses
C. All compute instances associated with NSG-050504 are also able to connect to the bastion host.
D. The Security List allows access to all IP addresses which overrides the Network Security Group
ingress rules.
Answer: D
Explanation
As per the security rules, SSH on port 22 is allowed with NSG-050504 as the source, so any compute
instance attached to this NSG will be able to access the bastion host, as it is included in the same NSG.

NO.43 You have been asked to investigate a potential security risk on your company's Oracle Cloud
Infrastructure (OCI) tenancy. You decide to start by looking through the audit logs for suspicious
activity.
How can you retrieve the audit logs using the OCI Command Line Interface (CLI)?
A. oci audit event list --start-time $start-time --end-time $end-time --compartment-id
$compartment-id
B. oci audit event list --start-time $start-time --end-time $end-time --tenancy-id $tenancy-id
C. oci audit event list --start-time $start-time --compartment-id $compartment-id
D. oci audit event list --end-time $end-time --compartment-id $compartment-id
Answer: A
Explanation
Retrieving Audit events
In order to make use of audit events, the first step is to retrieve and store audit events. Let's take a
look into the ways in which an Audit event can be retrieved:
Oracle Cloud Infrastructure Web Console - With user credentials, customers can log in to the web
console to access the Audit service. For example, when customers are trying the service for the first
time; this helps with a first look into a handful of events.
Oracle Cloud Infrastructure CLI [3] - With CLI customers can make use of the service to retrieve events
for a defined compartment and for a region specified as per CLI's config. The CLI command would
look like:
oci audit event list --start-time $start-time --end-time $end-time --compartment-id $compartment-id
Oracle Cloud Infrastructure SDKs [4][5] - With SDKs customers can choose a
supported language and retrieve Audit events with the ListEvents API [6]. For production use cases,
this would be the most suitable option.
https://blogs.oracle.com/cloud-infrastructure/operating-oracle-cloud-infrastructure-tenancies-retrieving-audit-log

NO.44 You are asked to implement the disaster recovery (DR) and business continuity requirements
for Oracle Cloud Infrastructure (OCI) Block Volumes. Two OCI regions are being used: a primary/source
region and a DR/destination region.
The requirements are:
* There should be a copy of data in the destination region to use if a region-wide disaster occurs in
the source region
* Minimize costs
Which of the following designs will help you meet these requirements?
A. Clone block volumes. Copy block volume clones from source region to destination region at
regular intervals.
B. Back up block volumes. Use Object Storage lifecycle management to automatically move backup
objects to Archive Storage. Copy Archive Storage buckets from source region to destination at regular
intervals.
C. Back up block volumes. Copy block volume backups from source region to destination region at
regular intervals.
D. Clone block volumes. Use Object Storage lifecycle management to automatically move clone
objects to Archive Storage. Copy Archive Storage buckets from source region to destination at regular
intervals.
Answer: C
Explanation
You can copy block volume backups between regions using the Console, command line interface
(CLI), SDKs, or REST APIs. For steps, see Copying a Volume Backup Between Regions. This capability
enhances the following scenarios:
Disaster recovery and business continuity: By copying block volume backups to another region at
regular intervals, it makes it easier for you to rebuild applications and data in the destination region if
a region-wide disaster occurs in the source region.
Migration and expansion: You can easily migrate and expand your applications to another region.
You can also enable scheduled cross-region automated backups with user-defined policies. To copy
volume backups between regions, you must have permission to read and copy volume backups in the
source region, and permission to create volume backups in the destination region.

NO.45 You have created the following JSON file to specify a lifecycle policy for one of your object
storage buckets:

How will this policy affect the objects that are stored in the bucket?
A. Objects containing the name prefix LOGS will be automatically migrated from standard Storage to
Archive storage 30 days after the creation date. The objects will be deleted 120 days after creation.
B. Objects containing the name prefix LOGS will automatically be migrated from standard Storage to
Archive storage 30 days after the creation date. The objects will be migrated back to standard
Storage 120 days after creation.
C. The objects with prefix "LOGS" will be deleted 30 days after creation date.
D. Objects with the prefix "LOGS" will be retained for 120 days and then deleted permanently.
Answer: A
Explanation
Using Object Lifecycle Management
Object Lifecycle Management lets you automatically manage the archiving and deletion of objects. By
using Object Lifecycle Management to manage your Object Storage and Archive Storage data, you
can reduce your storage costs and the amount of time you spend managing data.
Object Lifecycle Management works by defining rules that instruct Object Storage to archive or
delete objects on your behalf within a given bucket. A bucket's lifecycle rules are collectively known
as an object lifecycle policy.
This lifecycle policy archives objects containing the name prefix LOGS after 30 days and deletes them
after 120 days.
https://docs.cloud.oracle.com/en-us/iaas/Content/Identity/Reference/objectstoragepolicyreference.htm

NO.46 To take advantage of cloud agility and burst computing capability, ABC Automobiles have
extended their data center to a Virtual Cloud Network (VCN) in Oracle Cloud Infrastructure's (OCI)
us-phoenix-1 region. They have several members in their Cloud Operations (CloudOps) team that
need to access the OCI management console. The security administrator does not want to create new
IAM users and credentials that would then need to be distributed to each CloudOps member.
Which option will help the solution architect meet the needs for CloudOps?
A. Use an existing SAML 2.0 compliant identity provider (IdP) to grant CloudOps members federated
access to OCI Console via the OCI single sign-on (SSO) endpoint.
B. Use Web Identity Federation to retrieve an AuthToken to enable CloudOps members to sign in to
the OCI Console.
C. Use OAuth 2.0 to retrieve temporary credentials to enable your CloudOps members to sign in to
the OCI Console.
D. Use on-premises SAML 2.0 compliant identity provider (IdP) to retrieve an AuthToken to enable
CloudOps members to sign in to the OCI Console.
Answer: A
Explanation
Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service, Microsoft
Active Directory (via Active Directory Federation Services (AD FS)), Microsoft Azure Active Directory,
Okta, and other identity providers that support the Security Assertion Markup Language (SAML) 2.0
protocol.
Federated users choose which identity provider to use for sign-in, and then they're redirected to that
identity provider's sign-in experience for authentication. After entering their login and password,
they are authenticated by the IdP and redirected back to the Oracle Cloud Infrastructure Console.
This way, you don't need to create an IAM user in the OCI console for each operations user; they can
use their credentials in the identity provider and use SSO to log in to the OCI console.
For instructions for federating with other identity providers, see the following:
Federating with SAML 2.0 Identity Providers

NO.47 You are using Oracle Cloud Infrastructure (OCI) console to set up an alarm on a budget to
track your OCI spending. Which two are valid targets for creating a budget in OCI?
A. Select Tenancy as the type of target for your budget.
B. Select Cost-Tracking Tags as the type of target for your budget.
C. Select Compartment as the type of target for your budget.
D. Select group as the type of target for your budget.
E. Select user as the type of target for your budget.
Answer: B C
Explanation
The following concepts are essential to working with budgets:
BUDGET
A monthly threshold you define for your Oracle Cloud Infrastructure spending. Budgets are set on
cost-tracking tags or compartments and track all spending in the cost-tracking tag or compartment
and any child compartments. Note: the budget tracks spending in the specified target compartment,
but you need to have permissions to manage budgets in the root compartment of the tenancy to
create and use budgets.
ALERT
You can define email alerts that get sent out for your budget. You can send a customized email
message body with these alerts. Alerts are evaluated every 15 minutes, and can be triggered when
your actual or your forecasted spending hits either a percentage of your budget or a specified set
amount.
Select the target for your budget
For budgets targeting a compartment: Select a target compartment for your budget from the Target
Compartment drop-down list. Note that while the budget tracks spending in the specified target
compartment, you need to have permissions to manage budgets in the root compartment of the
tenancy to create and use budgets.
For budgets targeting a cost-tracking tag: Select a tag namespace. Select a target cost-tracking tag
key. Enter a value for the cost-tracking tag.

NO.48 You are using Oracle Cloud Infrastructure (OCI) services across several regions: us-phoenix-1,
us-ashburn-1, uk-london-1 and ap-tokyo-1. You have created a separate administrator group for each
region: PHX-Admins, ASH-Admins, LHR-Admins and NRT-Admins, respectively.
You want to restrict admin access to a specific region. E.g., PHX-Admins should be able to manage all
resources in the us-phoenix-1 region only and not any other OCI regions.
What IAM policy syntax is required to restrict PHX-Admins to manage OCI resources in the
us-phoenix-1 region only?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Explanation
Restrict admin access to a specific region
Type of access: Ability to manage resources in a specific region. Remember that IAM resources must
be managed in the home region. If the specified region is not the home region, then the Admin will
not be able to manage IAM resources. For more information about the home region, see Managing
Regions.
Where to create the policy: In the tenancy.
Allow group PHX-Admins to manage all-resources in tenancy where request.region='phx'
The preceding policy allows PHX-Admins to manage all aspects of all resources in US West (Phoenix).
Members of the PHX-Admins group can only manage IAM resources if the tenancy's home region is
US West (Phoenix).

NO.49 Which three statements are true about Object Storage data security and encryption in Oracle
Cloud Infrastructure (OCI)?
A. OCI Key Management is used by default to provide data security.
B. Server side encryption uses per-object keys which are managed by Oracle.
C. All traffic to and from Object Storage service is encrypted using TLS.
D. A VPN connection to OCI is required to ensure secure data transfer to an object storage bucket.
E. Client-side encryption is managed by the customer.
Answer: B C E
Explanation
All data in Object Storage is encrypted at rest by using AES-256. Encryption is on by default and
cannot be turned off. Each object is encrypted with its encryption key, and the object encryption keys
are encrypted with a master encryption key. In addition, customers can use client-side encryption to
encrypt objects with their encryption keys before storing them in Object Storage buckets. An
available option for customers is to use the Amazon S3 Compatibility API, along with client-side
object encryption support available in AWS SDK for Java.
Data in transit between customer clients (for example, SDKs and CLIs) and Object Storage public
endpoints is encrypted with TLS 1.2 by default. FastConnect public peering allows on-premises access
to Object Storage to go over a private network, rather than the public internet.
Oracle Cloud Infrastructure Key Management is a managed service that enables you, the customer, to
manage and control AES symmetric keys used to encrypt your data-at-rest. Keys are stored in a FIPS
140-2, Level 3-certified, Hardware Security Module (HSM) that is durable and highly available. The Key
Management service is integrated with many Oracle Cloud Infrastructure services, including Block
Volumes, File Storage, Oracle Container Engine for Kubernetes, and Object Storage.
Use the Key Management service if you need to store your Master Encryption Keys in an HSM to
meet governance and regulatory compliance requirements or when you want more control over the
cryptoperiod of the encryption keys used for your data.
When you store your data with Oracle Cloud Infrastructure Block Volumes, File Storage Service, and
Object Storage and don't use Key Management, your data is protected using encryption keys that are
securely stored and controlled by Oracle.

NO.50 You have created an Autonomous Data Warehouse (ADW) service in your company's Oracle
Cloud Infrastructure (OCI) tenancy and you now have to load historical data into it. You have already
extracted this historical data from multiple data marts and data warehouses. This data is stored in
multiple CSV text files and these files range in size from 25 MB to 20 GB.
Which step is the most efficient and error-tolerant method for loading data into ADW?
A. Create Auth token, use it to create an object storage credential by executing
DBMS_CLOUD.CREATE_CREDENTIAL, using OCI CLI upload the CSV files to an OCI object storage
bucket, create the tables in the ADW database and then execute DBMS_CLOUD.COPY_DATA for each
CSV file to copy the contents into the corresponding ADW database table.
B. Create Auth token, use it to create an object storage credential by executing
DBMS_CLOUD.CREATE_CREDENTIAL, using the web console upload the CSV files to an OCI object
storage bucket, create the tables in the ADW database and then execute DBMS_CLOUD.COPY_DATA
for each CSV file to copy the contents into the corresponding ADW database table.
C. Create the tables in the ADW database and then execute SQL*Loader for each CSV file to load the
contents into the corresponding ADW database table.
D. Create Auth token, use it to create an object storage credential by executing
DBMS_CLOUD.CREATE_CREDENTIAL, using OCI CLI upload the CSV files to an OCI object storage
bucket, create the tables in the ADW database and then execute Data Pump Import for each CSV file
to copy the contents into the corresponding ADW database table.
Answer: A
Explanation
You can load data into Autonomous Data Warehouse using Oracle Database tools, and Oracle and
3rd party data integration tools. You can load data:
- from files local to your client computer, or
- from files stored in a cloud-based object store
For the fastest data loading experience Oracle recommends uploading the source files to a cloud-
based object store, such as Oracle Cloud Infrastructure Object Storage, before loading the data into
your Autonomous Data Warehouse.
To load data from files in the cloud into your Autonomous Data Warehouse database, use the new
PL/SQL DBMS_CLOUD package. The DBMS_CLOUD package supports loading data files from the
following Cloud sources: Oracle Cloud Infrastructure Object Storage, Oracle Cloud Infrastructure
Object Storage Classic, and Amazon AWS S3.
https://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/adwc/OBE_Loading%20Your%20Data/load

NO.51 Which two configuration formats does Terraform support? (Choose two.)
A. JSON
B. XML
C. YAML
D. HCL
Answer: A D
Explanation
Terraform configuration files can use either of two formats: Terraform domain-specific language
(HashiCorp Configuration Language format [HCL]), which is the recommended approach, or JSON
format if the files need to be machine-readable.

NO.52 You have created a geolocation steering policy in the Traffic Management service, with this
configuration.

What happens to requests that originate in Africa?
A. The traffic will be forwarded randomly to any of the pools mentioned in the rules.
B. The traffic will be dropped.
C. The traffic will be forwarded to Pool 1. If Pool 1 is not available, then will be forwarded to Pool 2.
D. The traffic will be forwarded at the same time to both Pool 1 and Pool 2.
Answer: B
Explanation
The Oracle Cloud Infrastructure Traffic Management Steering Policies service is a critical component
of DNS.
Traffic Management Steering Policies enables you to configure policies to serve intelligent responses
to DNS queries, meaning different answers (endpoints) may be served for the query depending on
the logic the customer defines in the policy. Traffic Management Steering Policies can account for
health of answers to provide failover capabilities, provide the ability to load balance traffic across
multiple resources, and account for the location where the query was initiated to provide a simple,
flexible and powerful mechanism to efficiently steer DNS traffic.
WORLDWIDE GEOLOCATION TREATMENT
You can divide your global users into geographically defined regions (for example, state/province
level in NA, country level for rest of world) and steer customers to specified resources based on their
location. This helps to ensure global, high performing internet resolution, and supports functions
such as ring fencing, for example, keeping traffic from China in China and blocking traffic from
outside of China into China.

NO.53 Your deployment platform within Oracle Cloud Infrastructure (OCI) leverages a compute
instance with multiple block volumes attached. There are multiple teams that use the same compute
instance and have access to these block volumes. You want to ensure that no one accidentally
deletes any of these block volumes. You have started to construct the following IAM policy but need
to determine which permissions should be used.

A. ERASE_VOLUME, ERASE_VOLUME_ATTACHMENT, ERASE_VOLUME_BACKUP
B. DELETE_VOLUME, DELETE_VOLUME_ATTACHMENT, DELETE_VOLUME_BACKUP
C. VOLUME_ERASE, VOLUME_ATTACHMENT_ERASE, VOLUME_BACKUP_ERASE
D. VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, VOLUME_BACKUP_DELETE
Answer: D
Explanation
To minimize loss of data due to inadvertent deletes by an authorized user or malicious deletes,
Oracle recommends giving VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE and
VOLUME_BACKUP_DELETE permissions to a minimum possible set of IAM users and groups. DELETE
permissions should be given only to tenancy and compartment administrators.

NO.54 Recently your e-commerce web application has been receiving significantly more traffic than
usual. Users are reporting they often encounter a 903 i when trying to access your site. Sometimes
the site is very slow.
You check your instance pool configuration to confirm that the maximum number of instances is
configured to allow 20 compute instances. Currently 14 compute instances have been provisioned by
the instance pool. You also confirm that current CPU utilization across all hosts exceeds the
scale-threshold you set in your auto-scaling policy. However, the instance pool is not provisioning
any new instances.
What can you check to determine why the application is NOT functioning properly?
A. Verify that the Quality Assurance team is not currently performing load-testing against production.
B. Verify that the compute resource quota has not been exceeded.
C. Verify that the new offer feature code did not introduce any performance bugs.
D. Verify that the database is accessible.
Answer: B
Explanation
The instance pool supports the maximum number of instances that you want to scale to. This limit is
determined by your tenancy's service limits.
Scaling might fail because the number of instances that were requested has exceeded your tenancy's
service limits for that shape and availability domain.
Also, in a high availability scenario, you can require that the instances in a pool are evenly distributed
across each of the fault domains that you specify. When sufficient capacity isn't available in one of
the fault domains, the instance pool will not launch or scale successfully.

NO.55 You have been brought in to help secure an existing application that leverages Object Storage
buckets to distribute content. The data is currently being shared from public buckets and the security
team is not satisfied with this approach. They have stated that all data must be stored in storage
buckets. Your application should be able to provide secure access to the data. The URL that is
provided for access to the data must be rotated every 30 days.
Which design option will meet these requirements?
A. Use Pre-Authenticated request, even though there will be multiple URLs this will provide better
security.
B. Create a private bucket only to share the data.
C. Create a new group and map users to this group, create an IAM policy providing access to Object
Storage service only to this group. Users can then simply log in to the OCI console and retrieve needed
files.
D. Create multiple buckets and classify them as Public and Private. Use public bucket for non-sensitive
data and private bucket for sensitive data.
Answer: A
Explanation
A pre-authenticated request has an expiration date, so a new unique URL can be generated every 30 days.

NO.56 Which two statements about the Oracle Cloud Infrastructure (OCI) Command Line Interface
(CLI) are true?
A. You can filter CLI output using the JMESPath query option for JSON.
B. The CLI provides the same core functionality as the Console, plus additional commands.
C. The CLI allows you to use the Python language to interact with OCI APIs.
D. The CLI provides an automatic way to connect with instances provisioned on OCI.
E. You can run CLI commands from inside OCI Regions only.
Answer: A B
Explanation
The CLI is a small footprint tool that you can use on its own or with the Console to complete Oracle
Cloud Infrastructure tasks. The CLI provides the same core functionality as the Console, plus
additional commands.
Some of these, such as the ability to run scripts, extend the Console's functionality.
You can filter output using the JMESPath query option for JSON. Filtering is very useful when dealing
with large amounts of output.
https://docs.cloud.oracle.com/en-us/iaas/Content/API/Concepts/cliconcepts.htm
https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/cliusing.htm

NO.57 Multiple teams are sharing a tenancy in Oracle Cloud Infrastructure (OCI). You are asked to
figure out an appropriate method to manage OCI costs.
Which is NOT a valid technique to accurately attribute costs to resources used by each team?
A. Create separate compartment for each team. Use the OCI cost analysis tools to filter costs by
compartments.
B. Create a Cost-Tracking tag. Apply this tag to all resources with team information. Use the OCI cost
analysis tools to filter costs by tags.
C. Create an Identity and Access Management (IAM) group for each team. Create an OCI budget for
each group to track spending.
D. Define and use tags for resources used by each team. Analyze usage data from the OCI Usage
Report which has detailed information about resources and tags.
Answer: C
Explanation
Budgets are set on cost-tracking tags or on compartments (including the root compartment) to track
all spending in that cost-tracking tag or for that compartment and its children.
Using Cost-Tracking Tags
You can use cost-tracking tags to help manage costs in your tenancy. Use cost-tracking tags to do any
of the following:
- Filter projected costs
- Set budgets
You can only use cost-tracking tag with defined tags. You cannot specify free-form tags as cost-
tracking tags.

You can set email alerts on your budgets. You can set alerts that are based on a percentage of your
budget or an absolute amount, and on your actual spending or your forecast spending.

NO.58 You have recently joined a startup company and quickly find that nobody is tracking the
amount of money spent on Oracle Cloud Infrastructure (OCI). Seeing an opportunity to help save
money you begin creating a solution to better track the cost of resources provisioned by each
individual on the team.
Which option allows you to identify excessive spend across all resources in your tenancy?
A. Use the Python SDK to write a custom application that will monitor the Audit Log. Look for CREATE
events and configure the application to send you an email each time a new resource is created.
B. Create a budget for each compartment that will send a notification when monthly spend reaches a
pre-defined amount.
C. Create a tag namespace named BILLING with a Tag Key named CostCenter. Tag each of your
resources with this Tag Key and the correct value.
D. Use the Events Service and create rules that will act when a new Object Storage bucket or
Compute Instance has been created. Have the rule email you each time one of these events occurs.
Answer: C
Explanation
Tags can be used to filter costs and identify the most expensive spend on particular resources.

NO.59 Which of the following are essential components of the Oracle Cloud Infrastructure
Notifications service?
A. An alarm with a name unique across the tenancy, a subscription, and a metric with the
measurement of interest.
B. A topic with a name unique across the compartment, a subscription, and a message where
content is published.
C. A topic with a name unique across the tenancy, a subscription, and a message where content is
published.
D. An alarm with a name unique across the compartment, a subscription, and a metric with the
measurement of interest.
Answer: C
Explanation
The Oracle Cloud Infrastructure Notifications service broadcasts messages to distributed components
through a publish-subscribe pattern, delivering secure, highly reliable, low latency and durable
messages for applications hosted on Oracle Cloud Infrastructure and externally. Use Notifications to
get notified when event rules are triggered or alarms are breached, or to directly publish a message.
MESSAGE
The content that is published to a topic. Each message is delivered at least once per subscription.
Every message sent out as email contains a link to unsubscribe from the related topic.
SUBSCRIPTION
An endpoint for a topic. Published messages are sent to each subscription for a topic. For supported
subscription protocols.
TOPIC
A communication channel for sending messages to the subscriptions in the topic. Each topic name is
unique across the tenancy.

NO.60 What is a key benefit of using Oracle Cloud Infrastructure's Resource Manager for your
Terraform provisioning and management activities?
A. Resource Manager has administrative privileges by design. Even if your IAM user does not have
access, you can leverage Resource Manager to provision new resources to any compartment in the
Tenancy.
B. You can use Resource Manager to identify and maintain an inventory of all Compute and Database
instances across your tenancy.
C. You can use Resource Manager to apply patches to all existing Oracle Linux instances in a specified
compartment.
D. Resource Manager manages the Terraform state file for your infrastructure and locks the file so
that only one job at a time can run on a given stack.
Answer: D
Explanation
Resource Manager is an Oracle Cloud Infrastructure service that allows you to automate the process
of provisioning your Oracle Cloud Infrastructure resources. Using Terraform, Resource Manager helps
you install, configure, and manage resources through the "infrastructure-as-code" model.
A Terraform configuration codifies your infrastructure in declarative configuration files. Resource
Manager allows you to share and manage infrastructure configurations and state files across multiple
teams and platforms. This infrastructure management can't be done with local Terraform
installations and Oracle Terraform modules alone.
JOB: Instructions to perform the actions defined in your configuration. Only one job at a time can run
on a given stack; further, you can have only one set of Oracle Cloud Infrastructure resources on a
given stack. To provision a different set of resources, you must create a separate stack and use a
different configuration.
The following image represents a generalized view of the Resource Manager workflow.

NO.61 You have a Linux compute instance located in a public subnet in a VCN which hosts a web
application. The security list attached to the subnet containing the compute instance has the following
stateful ingress rule.

Which step will resolve the issue?


A. In the route table, add a rule for your default traffic to be routed to service gateway.
B. In the security list, add an ingress rule for port 80 (http).
C. In the security list, remove the ssh rule.
D. In the route table, add a rule for your default traffic to be routed to NAT gateway.
Answer: B
Explanation
Add a stateful ingress rule to receive and respond to HTTP traffic.
Example: Instance A and Host B are communicating (Host B could be any host, whether an instance or
not).
The stateful ingress rule allows traffic from any source IP address (0.0.0.0/0) to destination port 80
only (TCP protocol). No egress rule is required to allow the response traffic.

NO.62 Which two statements are true about Oracle Cloud Infrastructure Compute Service? (Choose
two.)
A. You cannot launch a bare metal server in Oracle Cloud Infrastructure Compute Service
B. You can attach a block volume in an Availability Domain other than your compute instance
C. You can share custom images across tenancies and regions
D. You can launch a virtual or bare metal instance by using the same LaunchInstance API
Answer: C D
Explanation
Regions and Availability Domains: Volumes are only accessible to instances in the same availability
domain.
You cannot move a volume between availability domains or regions.

NO.63 You have created a public subnet in a VCN, and your public subnet has a Route Table, a
Security List, and an Internet Gateway. However, none of the compute instances can connect to the
Internet.
Which two are possible reasons for the connectivity issue? (Choose two.)
A. The Route Table has no default route for routing traffic to the Internet Gateway
B. There is no stateful ingress rule in the Security List associated with the public subnet
C. There is no Dynamic Routing Gateway (DRG) associated with the VCN
D. There is no stateful egress rule in the Security List associated with the public subnet
Answer: A D
Explanation
An internet gateway is an optional virtual router that connects the edge of the VCN with the
internet. To use the gateway, the hosts on both ends of the connection must have public IP addresses
for routing. Connections that originate in your VCN and are destined for a public IP address (either
inside or outside the VCN) go through the internet gateway. Connections that originate outside the
VCN and are destined for a public IP address inside the VCN go through the internet gateway.
Working with Internet Gateways
You create an internet gateway in the context of a specific VCN. In other words, the internet gateway
is automatically attached to a VCN. However, you can disable and re-enable the internet gateway at
any time.
Compare this with a dynamic routing gateway (DRG), which you create as a standalone object that
you then attach to a particular VCN. DRGs use a different model because they're intended to be
modular building blocks for privately connecting VCNs to your on-premises network.
For traffic to flow between a subnet and an internet gateway, you must create a route rule
accordingly in the subnet's route table (for example, destination CIDR = 0.0.0.0/0 and target =
internet gateway). If the internet gateway is disabled, that means no traffic will flow to or from the
internet even if there's a route rule that enables that traffic. For more information, see Route Tables.
For the purposes of access control, you must specify the compartment where you want the internet
gateway to reside. If you're not sure which compartment to use, put the internet gateway in the
same compartment as the cloud network. For more information, see Access Control.
You may optionally assign a friendly name to the internet gateway. It doesn't have to be unique, and
you can change it later. Oracle automatically assigns the internet gateway a unique identifier called
an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.
To delete an internet gateway, it does not have to be disabled, but there must not be a route table
that lists it as a target.
Because the question is about compute instances connecting out to the Internet, the missing rule is an egress rule, not an ingress rule.
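The route-table and stateful security-list checks behind NO.61 and NO.63, as an added Python model (not Oracle code and not part of the original page). The class names, the "internet-gateway" label, the SSH-only starting rule and the sample address are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field

IGW = "internet-gateway"   # label this sketch uses for the route target


@dataclass
class Rule:
    """One stateful security-list rule (a model for this example, not an SDK type)."""
    direction: str         # "ingress" or "egress"
    cidr: str              # source CIDR for ingress, destination CIDR for egress
    protocol: str = "all"  # "tcp", "udp", "icmp" or "all"
    ports: tuple = None    # (min, max) destination ports; None means every port

    def allows(self, direction, peer_ip, protocol, port):
        if self.direction != direction or self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.ports is None or self.ports[0] <= port <= self.ports[1]


@dataclass
class Subnet:
    routes: dict = field(default_factory=dict)  # destination CIDR -> target
    rules: list = field(default_factory=list)
    igw_enabled: bool = True

    def route_target(self, ip):
        """Longest-prefix match over the subnet's route table."""
        addr = ipaddress.ip_address(ip)
        hits = [(ipaddress.ip_network(c), t) for c, t in self.routes.items()
                if addr in ipaddress.ip_network(c)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def diagnose(subnet, direction, peer_ip, protocol, port):
    """List what blocks a new connection; an empty list means it is allowed.

    "egress": the instance connects out to peer_ip:port.
    "ingress": peer_ip connects in to the instance on port.
    """
    problems = []
    # Per the page, traffic between a subnet and the internet gateway needs a
    # route rule, and a disabled gateway passes nothing even with that rule.
    if subnet.route_target(peer_ip) != IGW:
        problems.append("no route rule targets the internet gateway")
    elif not subnet.igw_enabled:
        problems.append("internet gateway is disabled")
    # Stateful rules track the connection, so only the initiating direction
    # needs a rule; the response traffic is allowed automatically.
    if not any(r.allows(direction, peer_ip, protocol, port) for r in subnet.rules):
        problems.append(f"no stateful {direction} rule for {protocol}/{port}")
    return problems


def scenarios():
    """Constructed cases for NO.61 and NO.63; 203.0.113.10 is a documentation IP."""
    peer, default = "203.0.113.10", {"0.0.0.0/0": IGW}
    ssh = Rule("ingress", "0.0.0.0/0", "tcp", (22, 22))   # assumed existing rule
    http = Rule("ingress", "0.0.0.0/0", "tcp", (80, 80))
    any_out = Rule("egress", "0.0.0.0/0")
    web = lambda rules: diagnose(Subnet(default, rules), "ingress", peer, "tcp", 80)
    out = lambda subnet: diagnose(subnet, "egress", peer, "tcp", 443)
    return {
        "q61_ssh_only": web([ssh]),
        "q61_http_added": web([ssh, http]),
        "q63_no_route_no_egress": out(Subnet({}, [ssh])),
        "q63_fixed": out(Subnet(default, [any_out])),
        "igw_disabled": out(Subnet(default, [any_out], igw_enabled=False)),
    }


if __name__ == "__main__":
    for name, problems in scenarios().items():
        print(f"{name}: {problems or 'allowed'}")
```

The q63_fixed case has no ingress rule at all and still passes, which is why option B is not a cause of the outbound failure.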

NO.64 The boot volume on your Oracle Linux instance has run out of space. Your application has
crashed due to a lack of swap space, forcing you to increase the size of the boot volume.
Which step should NOT be included in the process used to solve the issue?
A. Resize the boot volume by specifying a larger value than the boot volume's current size.
B. Create a RAID 0 configuration to extend the boot volume file system onto another block volume.
C. Attach the resized boot volume to a second instance as a data volume; extend the partition and
grow the file system on the resized boot volume.
D. Reattach the boot volume and restart the instance.
E. Stop the instance and detach the boot volume.
Answer: B
Explanation
The Oracle Cloud Infrastructure Block Volume service lets you expand the size of block volumes and
boot volumes. You have three options to increase the size of your volumes:
- Expand an existing volume in place with offline resizing. See Resizing a Volume Using the Console for
the steps to do this.
- Restore from a volume backup to a larger volume. See Restoring a Backup to a New Volume and
Restoring a Boot Volume.
- Clone an existing volume to a new, larger volume. See Cloning a Volume and Cloning a Boot Volume.

NO.65 Your team implemented a SaaS application that requires a whole system deployment for
each new customer.
The infrastructure provisioning is already automated via Terraform, and now you have been asked to
develop an Ansible playbook to centralize configuration file management and deployment.
What is the most effective way to ensure your playbooks are utilizing up-to-date and accurate
inventory?
A. Implement a Command Line Interface script to list all the resources and run it within Ansible to
generate a dynamic inventory list.
B. Export an inventory list using Terraform apply command.
C. Export an inventory list from the Oracle Cloud Infrastructure Web console.
D. Download the dynamic inventory script provided by Oracle Cloud Infrastructure and include it in
the playbook invocation command.
Answer: D
Explanation
Ansible tracks configuration resources by preserving lists, called inventory lists. These inventory files
can be either simple static lists, or they can be dynamic lists that automatically update when
inventory resources are added, deleted, or moved.
When using Ansible to work with hosts that you have provisioned in Oracle Cloud Infrastructure,
static inventory lists can cause problems because Compute instances are added and deleted over
time. They can also be affected by external tools such as Terraform, or by the Oracle Cloud
Infrastructure SDKs.
Oracle Cloud Infrastructure provides two tools for working with Ansible inventory: a dynamic
inventory plugin (recommended) and a dynamic inventory script.
Using the Dynamic Inventory Script
Having up-to-date and accurate inventory lists is essential for running Ansible playbooks. Oracle
Cloud Infrastructure provides you with a script that you can download and run to ensure that your
instance inventory list is always up-to-date. The script ensures that you always have the current set of
Oracle Cloud Infrastructure compute instances available to your playbooks.
https://docs.cloud.oracle.com/en-us/iaas/Content/API/SDKDocs/ansibleinventoryscript.htm

NO.66 You created an Oracle Linux compute instance through the Oracle Cloud Infrastructure (OCI)
management console, then immediately realize you forgot to add an SSH key file. You notice that the OCI compute
service provides instance console connections that support adding SSH keys for a running instance.
Hence, you created the console connection for your Linux server and activated it using the
connection string provided. However, now you get prompted for a username and password to log in.
What option should you recommend to add the SSH key to your running instance, while minimizing
the administrative overhead?
A. You need to configure the boot loader to use ttyS0 as a console terminal on the VM.
B. You need to terminate the running instance and recreate it by providing the SSH key file.
C. You need to reboot the instance from the console, boot into the bash shell in maintenance mode,
and add SSH keys for the opc user.
D. You need to modify the serial console connection string to include the identity file flag, -i to
specify the SSH key to use.
Answer: D
Explanation
The Oracle Cloud Infrastructure Compute service provides console connections that enable you to
remotely troubleshoot malfunctioning instances.
There are two types of instance console connections:
- Serial console connections
- VNC console connections
Before you can connect to the serial console or VNC console, you need to create the instance console
connection.
After you have created the console connection for the instance, you can then connect to the serial
console by using a Secure Shell (SSH) connection. When you are finished with the serial console and
have terminated the SSH connection, you should delete the serial console connection. If you do not
disconnect from the session, Oracle Cloud Infrastructure terminates the serial console session after
24 hours and you must reauthenticate to connect again. If you are not using the default SSH key or
ssh-agent, you can modify the serial console connection string to include the identity file flag, -i, to
specify the SSH key to use. You must specify this for both the SSH connection and the SSH
ProxyCommand, as shown in the following line:
ssh -i /<path>/<ssh_key> -o ProxyCommand='ssh -i /<path>/<ssh_key> -W %h:%p -p 443

NO.67 You have recently been asked to take over management of your company's infrastructure
provisioning efforts, utilizing Terraform v0.12 to provision and manage infrastructure resources in
Oracle Cloud Infrastructure (OCI). For the past few days the development environments have been
failing to provision. Terraform returns the following error:

Which correction should you make to solve this issue?


A. Replace the curly braces '{ }' in lines 11 and 16 with square braces '[ ]'
B. Modify line 15 to be the following:
tcp_options = {min = "22", max = "22)
C. Modify line 15 to be the following:
tcp_options { min = "22" max = "22"}
D. Place a command at the end of line 16
Answer: C
Explanation
Example Terraform script that creates a virtual cloud network:
https://raw.githubusercontent.com/jamalarif/oci/master/terraform/allinone/webserver.tf

NO.68 You are asked to deploy a new application that has been designed to scale horizontally. The
business stakeholders have asked that the application be deployed in us-phoenix-1.
Normal usage requires 2 OCPUs. You expect to have a few spikes during the week that will require up
to 4 OCPUs, and a major usage uptick at the end of each month that will require 8 OCPUs.
What is the most cost-effective approach to implement a highly available and scalable solution?
A. Create an instance pool with a VM.Standard2.2 shape instance configuration. Setup the
autoscaling configuration to use 2 availability domains and have a minimum of 2 instances, to handle
the weekly spikes, and a maximum of 4 instances.
B. Create an instance with 1 OCPU shape. Use a CLI script to clone it when more resources are
needed.
C. Create an instance pool with a VM.Standard2.1 shape instance configuration. Setup the
autoscaling configuration to use 2 availability domains and have a minimum of 2 instances and a
maximum of 8 instances.
D. Create an instance with 1 OCPU shape. Use the Resize Instance action to scale up to a larger shape
when more resources are needed.
Answer: A
Explanation
Instance pools let you provision and create multiple Compute instances based off the same instance
configuration, within the same region. They also enable integration with other services, such as the
Load Balancing service and IAM service, making it easier to manage groups of instances. You create an
instance pool using an existing instance configuration.
You can automatically adjust the number of instances in an instance pool based on performance
metrics such as CPU utilization.
Autoscaling lets you automatically adjust the number of Compute instances in an instance pool based
on performance metrics such as CPU utilization. This helps you provide consistent performance for
your end users during periods of high demand, and helps you reduce your costs during periods of low
demand.
https://docs.cloud.oracle.com/en-us/iaas/Content/Compute/Tasks/creatinginstancepool.htm
https://blogs.oracle.com/cloud-infrastructure/autoscaling-a-load-balanced-web-application

NO.69 You have been contracted by a local e-commerce company to assist with enhancing their
online shopping application. The application is currently deployed in a single Oracle Cloud
Infrastructure (OCI) region. The application utilizes a public load balancer, application servers in a
private subnet and a database in a separate, private subnet.
The company would like to deploy another set of similar infrastructure in a different OCI region that
will act as a standby site. In the event of a failure at the primary site, all customers should be routed to
the failover site automatically.
After deploying the additional infrastructure within the second region, how should you configure
automated failover requirements?
A. Create a new A record in DNS that points to the public load balancer at the secondary site. Create
a CNAME for the sub-domain failover that will resolve to the new A record. Inform customers to
prepend the website URL with failover if the primary site is unavailable.
B. Create a load balancer policy in the Traffic Management service. Configure one answer for each
site. Set the answer for the primary site with a weight of 10 and the answer for the secondary site with a
weight of 100.
C. Create a failover policy in the Traffic Management service. Set the IP address of the public load
balancer for the primary site in answer pool 1. Set the IP address of the public load balancer for the
secondary site in answer pool 2. Define a health check to monitor both sites.
D. Deploy a new load balancer in the primary region. Create one backend set for the primary
application servers and a second backend set for the standby application servers. Create a listener for
the primary backend set with a timeout of 3 minutes. Create a listener for the secondary backend set
with a timeout of 10 minutes.
Answer: C
Explanation
You can leverage Traffic Management Steering Policies to provide automated failover between
primary and secondary servers.

NO.70 Your application is using an Object Storage bucket named app-data in the namespace vision to
store both persistent and temporary data. Every week all the temporary data should be deleted to
limit the storage consumption.
Currently you need to navigate to the Object Storage page using the web console, select the
appropriate bucket to view all the objects and delete the temporary ones.
To simplify the task you have configured the application to save all the temporary data with /temp
prefix. You have also decided to use the Command Line Interface (CLI) to perform this operation.
What is the command you should use to speed up the data cleanup?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: D
Explanation
bulk-delete: Deletes all objects in a bucket which match the provided criteria.
delete: Deletes an object.
# Delete all the objects.
oci os object bulk-delete -ns mynamespace -bn mybucket
# Delete objects that match the specified prefix.
oci os object bulk-delete -ns mynamespace -bn mybucket --prefix myprefix
By default, the bulk-delete command will prompt you prior to deleting objects. To suppress this
prompt, pass the --force option.

NO.71 You have been asked to provision a new production environment on Oracle Cloud
Infrastructure (OCI). After working with the solution architect you decide that you are going to
automate this process.
Which OCI service can help automate the provisioning of this new environment?
A. OCI Resource Manager
B. Oracle Container Engine for Kubernetes
C. Oracle Functions
D. OCI Streaming Service
Answer: A
Explanation
https://docs.cloud.oracle.com/en-us/iaas/Content/ResourceManager/Concepts/resourcemanager.htm

NO.72 You have been tasked with allocating an identity to one of your compute instances that needs
to retrieve and process static files that are stored in an Object Storage bucket. After creating a
dynamic group with a matching rule that specifies the OCID of the compute instance, you discover
that the API calls are failing.
Which step should you take to resolve this issue?
A. Create IAM policies to permit users in these groups to make API calls against Oracle Cloud
Infrastructure services.
B. Initial credentials must be initialized using OCI console for the instance in dynamic group. This can
be a bulk operation.
C. Create IAM policies to permit instances in these groups to make API calls against Oracle Cloud
Infrastructure services.
D. Once instances are in dynamic group no additional steps are required.
Answer: A
Explanation
Dynamic groups allow you to group Oracle Cloud Infrastructure compute instances as "principal"
actors (similar to user groups). You can then create policies to permit instances to make API calls
against Oracle Cloud Infrastructure services. When you create a dynamic group, rather than adding
members explicitly to the group, you instead define a set of matching rules to define the group
members.

NO.73 You have a group of developers who launch multiple VM.Standard2.2 compute instances
every day into the compartment Dev. As a result your OCI tenancy quickly hit the service limit for this
shape. Other groups can no longer create new instances using VM.Standard2.2 shape.
Because of this, your company has issued a new mandate that the Dev compartment must include a quota to
allow for use of only 20 VM.Standard2.2 shapes per Availability Domain. Your solution should not
affect any other compartment in the tenancy.
Which quota statement should be used to implement this new requirement?
A)


B)

C)

D)

E)

A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
Answer: C
Explanation
Compartment quotas give tenant and compartment administrators better control over how
resources are consumed in Oracle Cloud Infrastructure.
There are three types of quota policy statements:
- set - sets the maximum number of a cloud resource that can be used for a compartment
- unset - resets quotas back to the default service limits
- zero - removes access to a cloud resource for a compartment
The quota policy statements look like this:

To set the quota for VM.Standard2.2 Compute instances to 20 on compartment Dev:
set compute quota vm-standard2-2-count to 20 in compartment dev
There is no need to make a whitelist by setting every quota in a family to zero:
zero compute quotas in tenancy

NO.74 An insurance company has contracted you to help automate their application business
continuity plan. They have the application running in eu-frankfurt-1 as the primary site and
uk-london-1 as a disaster recovery site.
Normally they have a DNS A record associated with the IP address of the primary endpoint in
eu-frankfurt-1.
In the event of a disaster, they use OCI DNS Zone Management to update the A record and replace it
with the IP address of the endpoint in uk-london-1.
How can you automate the failover process?
A. Create a Health Check that evaluates both regional endpoints. Create a Traffic Management
Steering policy with Failover type and associate it with the Health Check.
B. Create a Traffic Management Steering policy and attach it to a backend set with the backend
servers from both eu-frankfurt-1 and uk-london-1 regions.
C. Create a Traffic Management Steering policy with Load Balancer type and add both eu-frankfurt-1
and uk-london-1 endpoints. Attach the Traffic Management Steering policy to the A record.
D. Provision a Load Balancer in Frankfurt and associate it with the A record in DNS. Create a backend
set with backend servers from both eu-frankfurt-1 and uk-london-1 regions.
Answer: A
Explanation
Traffic Management Steering Policies:
Policy Types
FAILOVER
Failover policies allow you to prioritize the order in which you want answers served in a policy (for
example, Primary and Secondary). Oracle Cloud Infrastructure Health Checks are leveraged to
determine the health of answers in the policy. If the Primary Answer is determined to be unhealthy,
DNS traffic will automatically be steered to the Secondary Answer.
LOAD BALANCER
Load Balancer policies allow distribution of traffic across multiple endpoints. Endpoints can be
assigned equal weights to distribute traffic evenly across the endpoints or custom weights may be
assigned for ratio load balancing. Oracle Cloud Infrastructure Health Checks are leveraged to
determine the health of the endpoint.
DNS traffic will be automatically distributed to the other endpoints, if an endpoint is determined to
be unhealthy.
GEOLOCATION STEERING
Geolocation steering policies distribute DNS traffic to different endpoints based on the location of
the end user. Customers can define geographic regions composed of originating continent, countries
or states/provinces (North America) and define a separate endpoint or set of endpoints for each
region.
ASN STEERING
ASN steering policies enable you to steer DNS traffic based on Autonomous System Numbers (ASN).
DNS queries originating from a specific ASN or set of ASNs can be steered to a specified endpoint.
IP PREFIX STEERING
IP Prefix steering policies enable customers to steer DNS traffic based on the IP Prefix of the
originating query.
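The FAILOVER and LOAD BALANCER policy types described above (and contrasted in NO.69), as an added Python sketch that is not Oracle's implementation or code from this page. The function names, the documentation-range IP addresses, the probe log and the empty answer when every site is unhealthy are assumptions of this example; the weights 10 and 100 are the ones from NO.69 option B.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Answer:
    name: str
    rdata: str       # address returned in the A record
    pool: int = 1    # FAILOVER: the lower pool number is served first
    weight: int = 1  # LOAD BALANCER: relative share of DNS responses


def failover(answers, healthy):
    """Serve only the healthy answers of the highest-priority pool."""
    alive = [a for a in answers if healthy.get(a.name, False)]
    if not alive:
        return []    # assumption of this sketch: nothing healthy, nothing served
    best = min(a.pool for a in alive)
    return [a.rdata for a in alive if a.pool == best]


def load_balancer_shares(answers, healthy):
    """Share of DNS responses each healthy answer receives, by weight."""
    alive = [a for a in answers if healthy.get(a.name, False)]
    total = sum(a.weight for a in alive)
    return {a.name: Fraction(a.weight, total) for a in alive}


def replay(answers, probe_log):
    """Resolve once per health-check interval under the FAILOVER policy."""
    return [failover(answers, probes) for probes in probe_log]


# Constructed sample data: documentation-range IPs, not real endpoints.
SITES = [
    Answer("eu-frankfurt-1", "192.0.2.10", pool=1, weight=10),
    Answer("uk-london-1", "198.51.100.20", pool=2, weight=100),
]
PROBES = [
    {"eu-frankfurt-1": True, "uk-london-1": True},
    {"eu-frankfurt-1": False, "uk-london-1": True},    # primary outage
    {"eu-frankfurt-1": False, "uk-london-1": False},   # both sites down
    {"eu-frankfurt-1": True, "uk-london-1": True},     # primary recovered
]

if __name__ == "__main__":
    for tick, served in enumerate(replay(SITES, PROBES)):
        print(tick, served)
    print(load_balancer_shares(SITES, PROBES[0]))
```

With both sites healthy the FAILOVER policy returns only the primary, while the weighted LOAD BALANCER policy keeps sending a share of queries to each site, so it does not provide a standby arrangement.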

NO.75 You have received an email from your manager to provision new resources on Oracle Cloud
Infrastructure (OCI). When researching OCI you detect that you should use OCI Resource Manager.
Since this is a task that will be done multiple times for development, test, and production, you need to
create a command that can be re-used.
Which CLI command can be used in this situation?


A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B
Explanation
On Windows, be sure the .zip file and variables.json files are in the same directory from which you're
running the CLI. The CLI currently has a limitation on Windows that prevents correct handling of the
files if either one is in a subdirectory.
Open a command prompt and run oci resource-manager stack create to create a stack:
oci resource-manager stack create --compartment-id <compartment_OCID> --config-source <config_file_name> --variables <var_file_path> --display-name "<friendly_name>" --description "<description>" --working-directory ""
https://docs.cloud.oracle.com/en-us/iaas/Content/ResourceManager/Tasks/managingstacksandjobs.htm#CreateSt
