Operations Certification


You are using the OCI CLI to launch a Linux virtual machine. You enter the following command (with correct values for all parameters):
oci compute instance launch --availability-domain "<AD Name>" -t <tenancy id> -c <compartment id> --shape "<shape name>" --display-name "<instance display name>" --image-id <image id> --ssh-authorized-keys-file "<path to authorized keys file>" --subnet-id <subnet id>
The command fails. Which is NOT a valid parameter in this command?
--image-id <image id>
-c <compartment id>
--subnet-id <subnet id>
-t <tenancy id>
--shape "<shape name>"

-t <tenancy id>

Which of the following are essential components of the OCI Notifications Service? An alarm with a name unique across the compartment, a subscription, and a metric with the measurement of interest A topic with a name across the tenancy, a subscription, and a message where content is published An alarm with a name unique across the tenancy, a subscription, and a metric with the measurement of interest A topic with a name unique across the compartment, a subscription, and a message where content is published

A topic with a name across the tenancy, a subscription, and a message where content is published

You launched a Linux compute instance to host the new version of your company website via Apache HTTPS server on HTTPS (port 443). The instance is created in a public subnet along with other instances. The default security list associated to the subnet is:
Ingress:
CIDR | IP Protocol | Source Port | Destination Port | State
0.0.0.0/0 | TCP | All | 22 | Stateful
0.0.0.0/0 | ICMP | | | Stateful
Egress:
CIDR | IP Protocol | Source Port | Destination Port | State
0.0.0.0/0 | All | | | Stateful
You want to allow access to the company website from public internet without exposing websites eventually hosted on the other instances in the public subnet. Which 2 actions should you do?
In default security list, add a stateful rule to allow ingress access on port 443.
Create a new security list with a stateful rule to allow access on port 443 and associate it to the public subnet.
Create a network security group, add a stateful rule to allow ingress access on port 443 and associate it to the public subnet that hosts the company's website.
Access the Linux instance via SSH and configure IP tables to allow HTTPS access on port 443.
Create a network security group, add a stateful rule to allow ingress access on port 443 and associate it to the instance that hosts the company's website.

Access the Linux instance via SSH and configure IP tables to allow HTTPS access on port 443. Create a network security group, add a stateful rule to allow ingress access on port 443 and associate it to the instance that hosts the company's website.

An organization wants to extend their existing on-premises data centers to the OCI us-phoenix-1 region. In order to achieve it, they have created an IPSec VPN connection between their Customer Premises Equipment (CPE) and Dynamic Routing Gateway (DRG). How can you make this connection highly available (HA)? Add another CPE and create a second IPSec VPN connection with the same DRG. Create a NAT Gateway and route all traffic through a NAT Gateway, which is a highly available component. Add another DRG in a different AD and create another IPSec VPN connection with another CPE. Add another DRG in a different AD and create another IPSec VPN connection.

Add another CPE and create a second IPSec VPN connection with the same DRG.

You set up a bastion host in your VCN to only allow your IP address (140.19.2.140) to establish SSH connections to your compute instances that are deployed in a private subnet. The compute instances have an attached Network Security Group with a Source Type: Network Security Group, Source NSG: NSG-050504. To secure the bastion host, you added the following ingress rules to its NSG:
Type: All TCP, Protocol: TCP, Port Range: 22, Source: 140.19.2.140/32
Type: All TCP, Protocol: TCP, Port Range: 22, Source: NSG-050504
However, after checking the bastion host logs, you discovered that there are IP addresses other than your own that can access your bastion host. What is the root cause of this issue?
All compute instances associated with NSG-050504 are also able to connect to the bastion host.
The port 22 provides unrestricted access to 140.19.2.140 and to other IP addresses.
The Security List allows access to all IP addresses which overrides the NSG ingress rules.
A netmask of /32 allows all IP addresses in the 140.19.2.0 network, other than your IP 110.19.2.140.

All compute instances associated with NSG-050504 are also able to connect to the bastion host.

You are using OCI services across several regions: us-phoenix-1, us-ashburn-1, uk-london-1, and ap-tokyo-1. You have created a separate administrator group for each region: PHX-Admins, ASH-Admins, LHR-Admins, and NRT-Admins, respectively. You want to restrict admin access to a specific region, e.g. PHX-Admins should be able to manage all resources in the us-phoenix-1 region only and not in any other OCI regions. What IAM policy syntax is required to restrict PHX-Admins to manage OCI resources in the us-phoenix-1 region only? Allow group PHX-Admins to manage all resources in tenancy where request.tenancy = 'phx' Allow group PHX-Admins to manage all-resources in tenancy where request.permission = 'phx' Allow group PHX-Admins to manage all-resources in tenancy where request.target = 'phx' Allow group PHX-Admin to manage all-resources in tenancy where request.region = 'phx'

Allow group PHX-Admin to manage all-resources in tenancy where request.region = 'phx'

You have the following compartment structure within your company's OCI tenancy: (root) -> CompartmentA -> CompartmentB -> CompartmentC You want to create a policy in the root compartment to allow SystemAdmins to manage VCNs only in CompartmentC. Which policy is correct? Allow group SystemAdmins to manage virtual-network-family in compartment CompartmentB:CompartmentC Allow group SystemAdmins to manage virtual-network-family in compartment CompartmentC Allow group SystemAdmins to manage virtual-network-family in compartment root Allow group SystemAdmins to manage virtual-network-family in compartment CompartmentA:CompartmentB:CompartmentC

Allow group SystemAdmins to manage virtual-network-family in compartment CompartmentA:CompartmentB:CompartmentC

You are tasked with creating a group called volumeBackupAdmins to manage only block volume backups. Which of the following set of policy/policies would you need to write to meet this requirement?
- Allow group volumeBackupAdmins to use volumes in tenancy
  Allow group volumeBackupAdmins to manage volume-backups in tenancy
- Allow group volumeBackupAdmins to manage volume-backups in tenancy
- Allow group volumeBackupAdmins to use volumes in tenancy
  Allow group volumeBackupAdmins to manage volume-backups in tenancy
  Allow group volumeBackupAdmins to use volume-attachments in tenancy
  Allow group volumeBackupAdmins to use instances in tenancy
- Allow group volumeBackupAdmins to use volumes in tenancy
  Allow group volumeBackupAdmins to manage volume-backups in tenancy
  Allow group volumeBackupAdmins to use volume-attachments in tenancy

Allow group volumeBackupAdmins to use volumes in tenancy Allow group volumeBackupAdmins to manage volume-backups in tenancy

Several development teams in your company have each been provided with a budget and a dedicated compartment to be used for testing purposes. You are asked to help them to control the costs and avoid any overspending. What should you do? Configure a quota for each compartment to prevent provisioning of any bare metal instances. Contact Oracle support and ask them associate the monthly budget with the Service Limits in every region for which your tenancy is subscribed. The tenancy administrator will receive an alert email from Oracle when the limits are reached. Associate a budget tag to each compartment with the monthly budget amount and set an alert rule to notify the developer's teams when they reached a specific percentage of budget. Associate a budget tag to each resource with monthly budget amount and use that information to prepare a weekly report to send to each team.

Associate a budget tag to each compartment with the monthly budget amount and set an alert rule to notify the developer's teams when they reached a specific percentage of budget.

You are asked to implement disaster recovery (DR) and business continuity requirements for OCI block volumes. Two OCI regions are being used: a primary/source region and a DR/destination region. The requirements are: There should be a copy of data in the destination region to use if a region-wide disaster occurs in the source region Minimize costs Which of the following designs will help you meet these requirements? Backup block volumes. Use Object Storage lifecycle management to automatically move backup objects to Archive Storage. Copy Archive Storage buckets from source region to destination at regular intervals. Clone block volumes. Copy block volume clones from source region to destination region at regular intervals. Clone block volumes. Use Object Storage lifecycle management to automatically move cloned objects to Archive Storage. Copy Archive Storage buckets from source region to destination at regular intervals. Backup block volumes. Copy block volumes from the source region to the destination region at regular intervals.

Backup block volumes. Copy block volumes from the source region to the destination region at regular intervals.

You have set an alarm to be generated when the CPU usage of a specified instance is greater than 10%. In the alarm behavior view below, you notice that the critical condition happened around 23:30. You were expecting a notification after 1 minute, however, the alarm firing state did not begin until 23:23. {graph} What should you change to fix it? Change the alarm's trigger delay minutes value to 1. Change the notification topic that you previously associated with the alarm. Change the alarm's metric interval to 1. Change the alarm condition to be greater than 3%.

Change the alarm's trigger delay minutes value to 1.

Which 3 statements are true about Object Storage data security and encryption in OCI? OCI Key Management is used by default to provide data security Client-side encryption is managed by the customer All traffic to and from Object Storage service is encrypted using TLS A VPN connection to OCI is required to ensure security data transfer to an Object Storage bucket Server-side encryption uses per-object keys which are managed by Oracle

Client-side encryption is managed by the customer All traffic to and from Object Storage service is encrypted using TLS Server-side encryption uses per-object keys which are managed by Oracle

You have created an ADW service in your company's OCI tenancy and you now have to load historical data into it. You have already extracted this historical data from multiple data marts and data warehouses. This data is stored in multiple CSV text files and these files are ranging in size from 25MB to 20GB. Which step is most efficient and error tolerant method for loading data into ADW? Create the tables in the ADW database and then execute SQL*Loader for each CSV file to load the contents into the corresponding ADW database table. Create Auth Token, use it to create an Object Storage credential by executing DBMS_CLOUD.CREATE_CREDENTIAL. Using OCI CLI, upload the CSV files to an OCI Object Storage bucket, create the tables in the ADW database, and then execute DBMS_CLOUD.COPY_DATA for each CSV file to copy the contents into the corresponding ADW database table. Create Auth Token, use it to create an Object Storage credential by executing DBMS_CLOUD.CREATE CREDENTIAL. Using OCI CLI, upload the CSV files to an OCI Object Storage bucket, create the tables in the ADW database, and then execute Data Pump Import for each CSV file to copy the contents into the corresponding ADW database table. Create Auth Token, use it to create an Object Storage credential by executing DBMS_CLOUD.CREATE_CREDENTIAL. Using the web console, upload the CSV files to an OCI Object Storage bucket, create the tables in the ADW database, and then execute DBMS_CLOUD.COPY_DATA for each CSV file to copy the contents to the corresponding ADW database table.

Create Auth Token, use it to create an Object Storage credential by executing DBMS_CLOUD.CREATE_CREDENTIAL. Using OCI CLI, upload the CSV files to an OCI Object Storage bucket, create the tables in the ADW database, and then execute DBMS_CLOUD.COPY_DATA for each CSV file to copy the contents into the corresponding ADW database table.

You have been tasked with allocating an identity to one of your compute instances that needs to retrieve and process static files that are stored in an Object Storage bucket. After creating a dynamic group with a matching rule that specifies the OCID of the compute instance, you discover that the API calls are failing. Which step should you take to resolve this issue? Create IAM policies to permit users in these groups to make API calls against OCI services. Create IAM policies to permit instances in these groups to make API calls against OCI services. Initial credentials must be initialized using OCI console for the instances in dynamic group. This can be a bulk operation. Once instances are in a dynamic group, no additional steps are required.

Create IAM policies to permit instances in these groups to make API calls against OCI services.

The boot volume on your Oracle Linux instance has run out of space. Your application has crashed due to a lack of swapspace, forcing you to increase the size of the boot volume. Which step should NOT be included in the process used to solve the issue? Resize the boot volume by specifying a larger value than the boot volume's current size. Reattach the boot volume and restart the instance. Create a RAID0 configuration to extend the boot volume file system onto another block volume. Stop the instance and detach the boot volume. Attach the resized boot volume to a second instance as a data volume; extend the partition and grow the file system on the resized boot volume.

Create a RAID0 configuration to extend the boot volume file system onto another block volume.

You have recently joined a startup company and quickly find that nobody is tracking the amount of money spent on OCI. Seeing an opportunity to help save money, you begin creating a solution to better track the cost of resources provisioned by each individual on the team. Which option allows you to identify excessive spend across all resources in your tenancy? Use the Events Service and create rules that will act when a new Object Storage bucket or Compute Instance has been created. Have the rule email you each time one of these events occurs. Create a budget for each compartment that will send a notification when monthly spend reaches a pre-defined amount. Use the Python SDK to write a custom application that will monitor the Audit Log. Look for CREATE events and configure the application to send you an email each time a new resource is created. Create a tag namespace named BILLING with a Tag Key named CostCenter. Tag each of your resources with this Tag Key and the correct value.

Create a budget for each compartment that will send a notification when monthly spend reaches a pre-defined amount.

You have been contracted by a local e-commerce company to assist with enhancing their online shopping application. The application is currently deployed in a single OCI region. The application utilizes a public load balancer, application servers in a private subnet, and a database in a separate, private subnet. The company would like to deploy another set of similar infrastructure in a different OCI region that will act as standby site. In the event of a failover at the primary site, all customers should be routed to the failover site automatically. After deploying the additional infrastructure within the second region, how should you configure automated failover requirements? Create a failover policy in the Traffic Management service. Set the IP address of the public load balancer for the primary site in answer pool 1. Set the IP address of the public load balancer for the secondary site in answer pool 2. Define a health check to monitor both sites. Create a new A record in DNS that points to the public load balancer at the secondary site. Create a CNAME for the sub-domain failover that will resolve to the new A record. Inform customers to prepend the website URL with failover if the primary site is unavailable. Create a load balancer policy in the Traffic Management service. Configure one answer for each site. Set the answer for the primary site with a weight of 10 and the answer for the secondary site with a weight of 100. Deploy a new load balancer in the primary region. Create one backend set for the primary application servers and a second backend set for the standby application servers. Create a listener for the primary backend set with a timeout of 3 minutes. Create a listener for the secondary backend set with a timeout of 10 minutes.

Create a failover policy in the Traffic Management service. Set the IP address of the public load balancer for the primary site in answer pool 1. Set the IP address of the public load balancer for the secondary site in answer pool 2. Define a health check to monitor both sites.

You have shared your OCI tenancy with a group of developers in your organization by creating a compartment called developer. You are an administrator in the tenancy with privileges to modify IAM policies. Developers need privileges to configure Federation to a SSO. How would you give them permissions to complete their task in the most secure manner?
- Create a group called IdPAdmins. Assign the following IAM policy statement:
  Allow group IdPAdmins to manage identity-providers in compartment
  Allow group IdPAdmins to manage groups in compartment
- Create a group called IdPAdmins. Assign the following IAM policy statement:
  Allow group IdPAdmins to manage identity-providers in tenancy
  Allow group IdPAdmins to manage groups in tenancy
- Create a new policy with the following statements:
  Allow any-user to manage identity-providers in tenancy a-developer
  Allow any-user to manage groups in tenancy
- Create a group called Developers. Set up the following IAM policy:
  Allow group Developers to manage identity-providers in compartment a-developer
  Allow group Developers to manage groups in compartment

Create a group called IdPAdmins. Assign the following IAM policy statement:
Allow group IdPAdmins to manage identity-providers in tenancy
Allow group IdPAdmins to manage groups in tenancy

An insurance company has contracted you to help automate their application business continuity plan. They have the application running in eu-frankfurt-1 as the primary site and uk-london-1 as a disaster recovery site. Normally they have a DNS A record associated with the IP address of the primary endpoint in eu-frankfurt-1. In the event of a disaster, they use OCI DNS Zone Management to update the A record and replace it with the IP address of the endpoint in uk-london-1. How can you automate the failover process? Create a Traffic Management steering policy with load balancer type and add both eu-frankfurt-1 and uk-london-1 endpoints. Attach the Traffic Management steering policy to the A record. Create a health check that evaluates both regional endpoints. Create a Traffic Management steering policy with failover type and associate it with the Health Check. Provision a load balancer in Frankfurt and associate it with the A record in DNS. Create a backend set with backend servers from both eu-frankfurt-1 and uk-london-1 regions. Create a Traffic Management steering policy and attach it to a backend set with the backend servers from both eu-frankfurt-1 and uk-london-1 regions.

Create a health check that evaluates both regional endpoints. Create a Traffic Management steering policy with failover type and associate it with the Health Check.

Multiple teams are sharing a tenancy in OCI. You are asked to figure out an appropriate method to manage OCI costs. Which is NOT a valid technique to accurately attribute costs to resources used by each team? Define and use tags for resources used by each team. Analyze usage data from the OCI Usage Report which has detailed information about resources and tags. Create a cost-tracking tag. Apply this tag to all resources with team information. Use the OCI cost analysis tools to filter costs by tags. Create separate compartment for each team. Use the OCI cost analysis tools to filter costs by compartments Create an Identity and Access Management (IAM) group for each team. Create an OCI budget for each group to track spending.

Create an Identity and Access Management (IAM) group for each team. Create an OCI budget for each group to track spending.

You are asked to deploy a new application that has been designed to scale horizontally. The business stakeholders have asked that the application be deployed in us-phoenix-1. Normal usage requires 2 OCPUs. You expect to have few spikes during the week, that will require up to 4 OCPUs, and a major uptick at the end of the month that will require 8 OCPUs. What is the most cost-effective approach to implement a highly available and scalable solution? Create an instance with 1 OCPU shape. Use a CLI script to clone it when more resources are needed. Create an instance with 1 OCPU shape. Use the Resize Instance action to scale up to a larger shape when more resources are needed. Create an instance pool with a VM.Standard2.1 shape instance configuration. Setup the autoscaling configuration to use 2 ADs and have a minimum of 2 instances and a maximum of 8 instances. Create an instance pool with a VM.Standard2.2 shape instance configuration. Setup the autoscaling configuration to use 2 ADs and have a minimum of 2 instances to handle the weekly spikes and a maximum of 4 instances.

Create an instance pool with a VM.Standard2.2 shape instance configuration. Setup the autoscaling configuration to use 2 ADs and have a minimum of 2 instances to handle the weekly spikes and a maximum of 4 instances.

Security testing policy describes when and how you may conduct certain types of security testing of OCI services, including vulnerability and penetration tests, as well as involving data scraping tools. What does Oracle allow as part of this testing? Customers are allowed to use their own testing and monitoring tools. Customers are allowed to test OCI hardware related to resources in their tenancy. Customers can simulate DoS attack scenarios as long as it's restricted to the customer's own environment. Customers can validate that their network resources are isolated from other customer resources.

Customers are allowed to use their own testing and monitoring tools.

Your team implemented a SaaS application that requires a whole system deployment for each new customer. The infrastructure provisioning is already automated via Terraform, and now you have been asked to develop an Ansible playbook to centralize configuration file management and deployment. What is the most effective way to ensure your playbooks are utilizing up-to-date and accurate inventory? Download the dynamic inventory script provided by OCI and include it in the playbook invocation command. Implement a CLI script to list all the resources and run it within Ansible to generate a dynamic inventory list. Export an inventory list using Terraform apply command. Export an inventory list from the OCI web console.

Download the dynamic inventory script provided by OCI and include it in the playbook invocation command.

You need to set up daily incremental backups of your database in OCI Database Service. The backups need to be retained for at least 50 days. Which of the following methods allow you to accomplish this in an efficient and cost effective manner? Enable automatic backups and set the retention period to 50 days. Use Recovery Manager (RMAN) to take backups to an OCI Object Storage bucket. Delete backups older than 50 days. Set up a cron job with OCI Database Service CreateBackup API call to take periodic full backups to OCI Object Store. Delete backups older than 50 days. Enable automatic backups and choose the preset retention period of 60 days.

Enable automatic backups and choose the preset retention period of 60 days.

Which 2 statements are true about the Bulk Export of OCI Audit Log Events? Exported logs are available in the Object Storage buckets in your tenancy. You can specify only one region in your bulk export request Exported logs remain available indefinitely Exported log files list a single audit event per line using csv format It will be available immediately after the Bulk Export request

Exported logs are available in the Object Storage buckets in your tenancy. Exported logs remain available indefinitely

Your company has restructured its HR departments. As part of this change, you also need to re-organize compartments within OCI to align to the company's new organizational structure. The following change is required: Compartment Team_X needs to be moved under a new parent compartment, Project_B. The tenancy has the following policies defined for compartments Project_A and Project_B:
Policy 1: Allow group G1 to manage instance-family in compartment HR:Project_A
Policy 2: Allow group G2 to manage instance-family in compartment HR:Project_B
Which 2 statements describe the impacts after the compartment Team_X is moved?
Group G1 can now manage instance-families in compartment Project_A compartment Project_B and compartment Team_X
Group G2 can now manage instance-families in compartment Project_B compartment Project_A and compartment Team_X
Group G1 can now manage instance-families in compartment Project_A but not in compartment Team_X
Group G2 can now manage instance-families in compartment Project_A but not in compartment Team_X
Group G2 can now manage instance-families in compartment Project_B and compartment Team_X

Group G1 can now manage instance-families in compartment Project_A but not in compartment Team_X Group G2 can now manage instance-families in compartment Project_B and compartment Team_X

A subscriber of an OCI Notifications Service topic complained about not receiving messages from the service. Which of the following options can help you debug this issue? If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service drops the message. Confirm that the subscriber is always online to receive messages to help debug the issue. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to 1 day. Make sure that the subscriber is online at least once a day to help debug the issue. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, check the NumberofNotificationFailed metric through the OCI Monitoring service for failed messages. Copy these messages to an OCI Object Storage bucket. Make sure the subscriber has the required credentials to access this bucket to help debug the issue. If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to 2 hours. Configure an alarm on the NumberofNotificationFailed metric through the OCI Monitoring service to help debug the issue.

If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to 2 hours. Configure an alarm on the NumberofNotificationFailed metric through the OCI Monitoring service to help debug the issue.

You have a Linux compute instance located in a public subnet in a VCN which hosts a web application. The security list attached to the subnet containing the compute instance has the following stateful ingress rule:
Source: 0.0.0.0/0, IP Protocol: TCP, Source Port Range: All, Destination Port Range: 22
The route table attached to the public subnet is shown below:
Destination: 0.0.0.0/0, Target Type: Internet Gateway
You can establish an SSH connection into a compute instance from the internet. However, you are not able to connect to the web server using your web browser. Which step will resolve the issue?
In the route table, add a rule for your default traffic to be routed to the service gateway.
In the security list, remove the ssh rule
In the security list, add an ingress rule for port 80 (http).
In the route table, add a rule for your default traffic to be routed to the NAT Gateway.

In the security list, add an ingress rule for port 80 (http).

You have created several block volumes in the us-phoenix-1 region in a specified compartment. The compartment can be identified by the following OCI unique identifier, or OCID: ocid1.compartment.oc1.phx..exampleuniqueID
Your manager has asked you to leverage the OCI monitoring service and write a metric query showing all read IOPS at one-minute intervals, filtered to this compartment and aggregated for the maximum. Which metric query will you create?
IopsWrite[lm]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.mean()
IopsRead[lm]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.grouping().mean()
IopsRead[lm]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.max()
IopsRead[lm]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.grouping().max()

IopsRead[lm]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.grouping().max()

You have recently been asked to take over management of your company's infrastructure provisioning efforts, utilizing Terraform v0.12 to provision and manage infrastructure resources in OCI. For the past few days, the development environments have been failing to provision. Terraform returns the following error:
Error: Missing item separator
on vcn_peer_lab.tf line 15, in resource "oci_core_security_list" "ManagementSecurityList":
15: tcp_options = [min = "22", max = "22"]
Expected a comma to mark the beginning of the next item.
You locate the related code block in the Terraform config and find the following:
(11) ingress_security_rules {
(12)   protocol = 6
(13)   source = "0.0.0.0/0"
(14)
(15)   tcp_options = [min = "22", max = "22"]
(16) }
Which correction should you make to solve this issue?
Replace the curly brackets in lines 11 and 16 with square brackets
Place a command at the end of line 16
Modify line 15 to be the following: tcp_options = {min >> "22", max = "22"}
Modify line 15 to be the following: tcp_options {min = "22" max = "22"}

Modify line 15 to be the following: tcp_options {min = "22" max = "22"}

As the operations administrator for your company's OCI, you have been entrusted the task of ensuring that data being accessed by the application is encrypted. Your application portfolio includes both VM and BM database systems. Which method should you use to achieve encryption of data in-transit?
Native Oracle Net Services encryption and integrity capabilities
Data is encrypted at rest using TDE and no additional encryption is needed
Configure backup encryption for RMAN backup sets before transferring data.
Key Store/Wallet service for on the fly encryption of data in transit

Native Oracle Net Services encryption and integrity capabilities

You are configuring an alarm in OCI for a compute instance named Vision. The metric needs to be triggered when the ingress network rate is greater than 1MB. Which statement will accomplish this? NetworksBytesIn[1m]{resourceDisplayName - "Vision"}.rate() > 1024 {resourceDisplayName = "Vision"}(NetworksBytesIn[lm]).rate() > 1024 NetworksBytesIn[1MB]{resourceDisplayName - "Vision"}.rate() > 1 {resourceDisplayName = "Vision"}(NetworksBytesIn[1MB]).rate() > 1

NetworksBytesIn[1m]{resourceDisplayName - "Vision"}.rate() > 1024

Which 2 statements accurately describe Ansible Modules for OCI? OCI Ansible Modules enable orchestrating, provisioning, and configuration management tasks on OCI. OCI Ansible Modules are not able to provide you state control of resources. OCI Ansible Modules represent discrete provisioning tasks or operations that you can invoke individually from the command line, or else run individually or in sequence from a playbook. OCI Ansible Modules are units of organization that allow you to abstract configuration, orchestration, and provisioning tasks into roles that you can save and share among playbooks and other users. OCI Ansible Modules represent discrete provisioning tasks or operations that you cannot invoke individually from the command line, or else run individually or in sequence from a playbook.

OCI Ansible Modules enable orchestrating, provisioning, and configuration management tasks on OCI. OCI Ansible Modules represent discrete provisioning tasks or operations that you can invoke individually from the command line, or else run individually or in sequence from a playbook.

You have been asked to provision a new production environment on OCI. After working with the solution architect you decide that you are going to automate this process. Which OCI service can help automate the provisioning of this new environment? Oracle Container Engine for Kubernetes Oracle Functions OCI Resource Manager OCI Streaming Service

OCI Resource Manager

You have created the following JSON file to specify a lifecycle policy for one of your Object Storage buckets. ... How will this policy affect the objects that are stored in the bucket? Objects containing the same prefix LOGS will automatically be migrated from standard storage to archive storage 30 days after creation date. The objects will be migrated back to standard storage 120 days after creation. Objects containing the same prefix LOGS will be automatically migrated from standard storage to archive storage 30 days after the creation date. The objects will be deleted 120 days after creation. The objects with prefix LOGS will be deleted 30 days after creation date. Objects with the prefix LOGS will be retained for 120 days and then deleted permanently

Objects containing the same prefix LOGS will be automatically migrated from standard storage to archive storage 30 days after the creation date. The objects will be deleted 120 days after creation.

What is a key benefit of using OCI's Resource Manager for your Terraform provisioning and management activities? Resource Manager manages the Terraform state file for your infrastructure and locks the file so that only one job at a time can run on a given stack. You can use Resource Manager to identify and maintain an inventory of all compute and database instances across your tenancy. Resource Manager has administrative privileges by design. Even if your IAM user does not have access, you can leverage Resource Manager to provision new resources to any compartment in the tenancy. You can use Resource Manager to apply patches to all existing Oracle Linux instances in a specified compartment.

Resource Manager manages the Terraform state file for your infrastructure and locks the file so that only one job at a time can run on a given stack.

You are a Cloud Operations administrator who has recently joined a new department. You have created 10 Terraform stacks using OCI Resource Manager. Each stack creates a different set of resources in OCI for your development team. What determines the cost of these Terraform stacks? The number of lines of text in your Terraform configuration files. The length of time it takes to build each resource using these Terraform stacks. The cost for each stack will be higher for pay as you go (PAYG) than for monthly flex billing. Resource Manager stacks are free but you are charged for the resources they create.

Resource Manager stacks are free but you are charged for the resources they create.

You are using OCI console to set up an alarm on a budget to track your OCI spending. Which 2 are valid targets for creating a budget in OCI? Select Tenancy as the type of target for your budget Select group as the type of target for your budget Select user as the type of target for your budget Select compartment as the type of target for your budget Select cost-tracking tags as the type of target for your budget

Select compartment as the type of target for your budget Select cost-tracking tags as the type of target for your budget

Which technique does NOT help you get the optimal performance out of the OCI File Storage Service? Serialize operations to the file system to access consecutive blocks as much as possible Limit access to the same AD as the FSS where possible Increase concurrency by using multiple threads, multiple clients, and multiple mount targets. Right size compute instances from where file system is accessed based on their network capacity Store files across multiple directories in the file system

Serialize operations to the file system to access consecutive blocks as much as possible

Which 3 statements are true about Object Storage data security and encryption in OCI? Server-side encryption uses per-object keys which are managed by Oracle A VPN connection to OCI is required to ensure secure data transfer to an Object Storage bucket. All traffic to and from Object Storage service is encrypted using TLS Client-side encryption is managed by the customer OCI Key Management is used by default to provide data security

Server-side encryption uses per-object keys which are managed by Oracle All traffic to and from Object Storage service is encrypted using TLS Client-side encryption is managed by the customer

You have set up a threshold alarm for CPU utilization metric for a value greater than 80 percent. You get a notification email about this alarm. Which of the following actions will help you respond to this notification? Change at-risk threshold for the CPU utilization metric to a lower number. Suppress the alarm notifications temporarily. Modify the alarm to route notifications to OCI Streaming Service for later investigation. Modify the alarm to route notifications to an OCI Object Storage bucket for later investigation.

Suppress the alarm notifications temporarily.

You created a group for several auditors. You assign the following policies to the group: -Allow group Auditors to inspect all-resources in tenancy -Allow group Auditors to read instances in tenancy -Allow group Auditors to read audit-events in tenancy What actions are the auditors allowed to perform within your tenancy? Auditors are able to create new instances in the tenancy Auditors are able to view all resources in the compartment The Auditors are able to delete resources in the tenancy The Auditors can view resources in the tenancy

The Auditors can view resources in the tenancy Auditors are able to view all resources in the compartment

Which 2 statements about the OCI CLI are true? The CLI provides an automatic way to connect with instances provisioned in OCI. The CLI provides the same core functionality as the console, plus additional commands. You can run CLI commands from inside OCI regions only. The CLI allows you to use Python language to interact with OCI APIs. You can filter CLI output using the JMESPath query option for JSON.

The CLI provides the same core functionality as the console, plus additional commands. You can filter CLI output using the JMESPath query option for JSON.

You are a system administrator at a retail company. You just received a ticket stating that the account team is unable to access an internal application. The application is running behind an OCI public load balancer and is using a compute instance pool with auto-scaling enabled. You noticed some deleted items in the Audit Log while troubleshooting. Which resource deletion could have caused this issue? NAT Gateway and the route table associated with the VCN Internet Gateway and the route table associated with the VCN An Object Storage bucket containing transaction log backups The route table rules associated with the subnet within the VCN

The route table rules associated with the subnet within the VCN

You have created a geolocation steering policy in the Traffic Management service with this configuration: Rule 1: GEOLOCATION: Asia, North America POOL PRIORITY: (1) Pool 1, (2) Pool 2 What happens to requests that originate in Africa? The traffic will be dropped. The traffic will be forwarded at the same time to both Pool 1 and Pool 2. The traffic will be forwarded to Pool 1. If Pool 1 is not available, then will be forwarded to Pool 2. The traffic will be forwarded randomly to any of the pools mentioned in the rules

The traffic will be forwarded randomly to any of the pools mentioned in the rules

You are working as a Cloud Operations Administrator for your company. They have different OCI tenancies for development and production workloads. Each tenancy has resources in 2 regions - uk-london-1 and eu-frankfurt-1. You are asked to manage all resources and to automate all the tasks using OCI CLI. Which is the most efficient method to manage multiple environments using OCI CLI? Run OCI setup config to create new credentials for each environment every time you want to access the environment Create environment variables for the sets of credentials that align to each combination of tenancy, region, and environment Use different bash terminals for each environment Use OCI CLI profiles to create multiple sets of credentials in your config file and reference the appropriate profile at runtime

Use OCI CLI profiles to create multiple sets of credentials in your config file and reference the appropriate profile at runtime

You have been brought in to help secure an existing application that leverages Object Storage buckets to distribute content. The data is currently being shared from public buckets and the security team is not satisfied with this approach. They have stated that all data must be stored in storage buckets. Your application should be able to provide secure access to the data. The URL that is provided for access to the data must be rotated every 30 days. Which design option will meet these requirements? Create a new group and map users to this group, create an IAM policy providing access to Object Storage Service only to this group. Users can then simply login to OCI console and retrieve needed files. Use Pre-Authenticated Request, even though there will be multiple URLs, this will provide better security. Create multiple buckets and classify them as Public and Private. Use public bucket for non-sensitive data and private bucket for sensitive data. Create a private bucket only to share the data.

Use Pre-Authenticated Request, even though there will be multiple URLs, this will provide better security.

To take advantage of cloud agility and burst computing capability, ABC Automobiles have extended their data center to a VCN in OCI us-phoenix-1 region. They have several members in their CloudOps team that need access to the OCI management console. The security administrator does not want to create new IAM users and credentials that would then need to be distributed to each CloudOps member. Which option will help the solution architect meet the needs for CloudOps? Use on-premises SAML 2.0 compliant identity provider to retrieve an AuthToken to enable CloudOps members to sign into the OCI console. Use Web Identity Federation to retrieve an AuthToken to enable CloudOps members to sign into the OCI console Use an existing SAML 2.0 compliant identity provider to grant CloudOps members federated access to OCI console via the OCI single sign-on (SSO) endpoint. Use OAuth 2.0 to retrieve temporary credentials to enable your CloudOps members to sign in to the OCI console

Use an existing SAML 2.0 compliant identity provider to grant CloudOps members federated access to OCI console via the OCI single sign-on (SSO) endpoint.

One of the compute instances that you have deployed is malfunctioning. You have created a console connection to remotely troubleshoot. Which 2 statements about console connections are true? VNC console connection uses SSH port forwarding to create a secure connection from your local system to the VNC server attached to your instance's console. It is not possible to use VNC console connections to connect to Bare Metal instances. If you do not disconnect from the session, your serial console connection will automatically be terminated after 24 hours. It is not possible to connect to the serial console to an instance running Microsoft Windows, however VNC console connection can be used. For security purposes, the console connection will not let you edit system configuration files.

VNC console connection uses SSH port forwarding to create a secure connection from your local system to the VNC server attached to your instance's console. If you do not disconnect from the session, your serial console connection will automatically be terminated after 24 hours.

Your deployment platform within OCI leverages a compute instance with multiple block volumes attached. There are multiple teams that use the same compute instance and have access to these block volumes. You want to ensure that no one accidentally deletes any of these block volumes. You have started to construct the following IAM policy but need to determine which permissions should be used. Allow group DeploymentUsers to manage volume-family where ANY [ request permission != <???>, request.permission != <???>, request.permission != <???>] VOLUME_ERASE, VOLUME_ATTACHMENT_ERASE, VOLUME_BACKUP_ERASE VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, VOLUME_BACKUP_DELETE ERASE_VOLUME, ERASE_VOLUME_ATTACHMENT, ERASE_VOLUME_BACKUP DELETE.VOLUME, DELETE_VOLUME_ATTACHMENT, DELETE_VOLUME_BACKUP

VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, VOLUME_BACKUP_DELETE

Recently your e-commerce web application has been receiving significantly more traffic than usual. Users are reporting they often encounter a 903 when trying to access your site. Sometimes the site is very slow. You check your instance pool configuration to confirm that the maximum number of instances is configured to allow 20 compute instances. Currently 14 compute instances have been provisioned by the instance pool. You also confirm that current CPU utilization across all hosts exceeds the scale-threshold you set in your auto-scaling policy. However, the instance pool is not provisioning any new instances. What can you check to determine why the application is NOT functioning properly? Verify that the Quality Assurance team is not currently performing load-testing against production. Verify that the database is accessible. Verify that the new offer feature code did not introduce any performance bugs. Verify that the compute resource quota has not been exceeded.

Verify that the compute resource quota has not been exceeded.

In order to manage Alarms in OCI, which 3 actions can be performed through the OCI console? Manually fire an alarm View alarm history for the last 3 months View all the firing alarms Update the MQL expression of an alarm Move an alarm to a different compartment Add multiple suppressions for an alarm

View alarm history for the last 3 months View all the firing alarms Move an alarm to a different compartment

You have deployed a 3-tier web application inside an OCI VCN with a CIDR block of 10.0.0.0/28. You initially deploy 3 web servers (VM.Standard2.2), 2 application servers (VM.Standard2.4), and 2 servers (VM.Standard2.8) running Oracle database. The web, application, and database servers are deployed across 2 ADs in the us-ashburn-1 region. You also deployed a public load balancer in front of the two web servers. The web traffic gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load. Unfortunately, some of these new instances fail to launch. Your tenancy comes with the following set of predefined service limits for the AD and compartment where the application is deployed. ... What is a possible reason for this deployment to fail? You do not have sufficient public IP addresses required by the web, application, and database servers. You do not have enough private IP addresses to launch all of the new compute instances. You do not have sufficient quotas for number of VM.Standard2.2, VM.Standard2.4, and VM.Standard2.8 shapes in each AD in the us-ashburn-1 region. You do not have sufficient quotas for number of VM.Standard2.2, VM.Standard2.4, and VM.Standard2.8 shapes in the Production compartment in the us-ashburn-1 region.

You do not have enough private IP addresses to launch all of the new compute instances.

You created an Oracle Linux compute instance through the OCI management console then immediately realize you forgot to add an SSH key file. You notice that OCI compute service provides instance console connections that support adding SSH keys for running an instance. Hence, you created the console connection for your Linux server and activated it using the connection string provided. However, now you get prompted for a username and password to login. What option should you recommend to add the SSH key to your running instance, while minimizing the administrative overhead? You need to terminate the running instance and recreate it by providing the SSH key file You need to reboot the instance from the console, boot into the bash shell in maintenance mode, and add SSH keys for the open user. You need to modify the serial console connection string to include the identity file flag, -i, to specify the SSH key to use You need to configure the boot loader to use ttyS0 as a console terminal on the VM.

You need to modify the serial console connection string to include the identity file flag, -i, to specify the SSH key to use

You have been asked to investigate a potential security risk on your company's OCI tenancy. You decide to start by looking through the audit logs for suspicious activity. How can you retrieve the audit logs using the OCI CLI? oci audit event lsit --start-time $start-time --compartment-id $compartment-id oci audit event list --start-time $start-time --end-time $end-time --compartment-id $compartment-id oci audit event list --end-time $end-time --compartment-id $compartment-id oci audit event list --start-time $start-time --end-time $end-time --tenancy-id $tenancy-id

oci audit event list --start-time $start-time --end-time $end-time --compartment-id $compartment-id

One of your development teams has asked for your help to standardize the creation of several compute instances that must be provisioned each day of the week. You initially write several Command Line Interface commands with all appropriate configuration parameters to achieve this task, later determining this method lacks flexibility. Which command generates a JSON-based template that OCI CLI can use to provision these instances on a regular basis? oci compute instance create --generate-cll-skeleton oci compute instance launch --generate-full-command-json-input oci compute provision-instance --generate-full-command-json-input oci compute instance launch --generate-cll-skeleton

oci compute instance launch --generate-full-command-json-input

Your application uses an Object Storage bucket named app-data in the namespace vision to store both persistent and temporary data. Every week all the temporary data should be deleted to limit the storage consumption. Currently you need to navigate to the Object Storage page using the web console, select the appropriate bucket to view all the objects, and delete the temporary ones. To simplify the task you have configured the application to save all the temporary data with /temp prefix. You have also decided to use the CLI to perform this operation. What is the command you should use to speed up the data cleanup? oci os object delete app-data in vision where prefix = /temp oci objectstorage bulk-delete -ns vision -bn app-data --prefix /temp --force oci os object delete -ns vision -bn app-data --prefix /temp oci os object bulk-delete -ns vision -bn app-data --prefix /temp --force

oci os object bulk-delete -ns vision -bn app-data --prefix /temp --force

Which command sample can be used to copy an object from OCI Object Storage bucket in source region to a bucket in a destination region? oci os object copy --source-compartment-id<source-compartment-id> --bucket-name <source-bucket-name> --source-object-name <source-object> --destination-copmartment-id <destination-compartment-id> --destination-namespace <destination-namespace-name> --destination-region <destination-region> --destination-bucket <destination-bucket-name> --destination-object-name <destination-object-name> oci os object copy --namespace-name <object-storage-namespace> --bucket-name <source-bucket-name> --source-object-name <source-object> --destination-namespace <destination-namespace-name> --destination-region <destination-region> --destination-bucket <destination-bucket-name> --destination-object-name <destination-object-name> oci os object copy --bucket-name <source-bucket-name> --source-object-name <source-object-name> --destination-region <destination-region> --destination-bucket <destination-bucket-name> --destination-object-name <destination-object-name> oci cli object copy --bucket-name <source-bucket-name> --source-object-name <source-object> --destination-region <destination-region> --destination-bucket <destination-bucket-name> --destination-object-name <destination-object-name>

oci os object copy --namespace-name <object-storage-namespace> --bucket-name <source-bucket-name> --source-object-name <source-object> --destination-namespace <destination-namespace-name> --destination-region <destination-region> --destination-bucket <destination-bucket-name> --destination-object-name <destination-object-name>

Your company will undergo a security audit in one week. Your manager has asked you to download and review recent logs from an Object Storage bucket. The current log archive file is approximately 19GB in size. Which command would you run to download the archive file as quickly as possible? oci os object put -ns my-namespace -bn my-bucket --name my-large-object --multipart-downlaod-threshold 20000 --part-size 128 oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 2000 --part-size 128 oci as object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 2000 --part-size 120 oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 20000 --part-size 128

oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 2000 --part-size 128

You have been asked to update the lifecycle policy for Object Storage using the OCI CLI. Which command can successfully update the policy? oci os object-lifecycle-policy put -ns <object_storage_namespace> -bn <bucket_name> oci os object-lifecycle-policy put -ns <object_storage_namespace> -bn <bucket_name> -items <json_formatted_lifecycle_policy> oci os object-lifecycle-policy get -ns <object_storage_namespace> -bn <bucket_name> oci os object-lifecycle-policy delete -ns <object_storage_namespace> -bn <bucket_name>

oci os object-lifecycle-policy put -ns <object_storage_namespace> -bn <bucket_name> -items <json_formatted_lifecycle_policy>

You have received an email from your manager to provision new resources on OCI. When researching OCI you detect that you should use OCI Resource Manager. Since this is a task that will be done multiple times for development, test, and production, you need to create a command that can be re-used. Which CLI command can be used in this situation? oci resource-manager stack create --tenancy-id <tenancy_OCID> \--config-source prod.zip --variables file:\\variables.json \--display-name "Production stack build" \--description Creating new Production environmenta oci resource-manager stack update --compartment-id <compartment_OCID> \--config-source prod.zip --variables file://variables.json \--display-name "Production stack build" \--description Creating new Production environment oci resource-manager stack update --tenancy-id <tenancy_OCID> \--config-source prod.zip --variables file://variables.json \--display-name "Production stack build" \--description Creating new Production environment oci resource-manager stack create --compartment-id <compartment_OCID> \--config-source prod.zip --variables file://variables.json \--display-name "Production stack build" \--description Creating new Production environment

oci resource-manager stack create --compartment-id <compartment_OCID> \--config-source prod.zip --variables file://variables.json \--display-name "Production stack build" \--description Creating new Production environment

You have a group of developers who launch multiple VM.Standard2.2 compute instances every day into the compartment Dev. As a result, your OCI tenancy quickly hit the service limit for this shape. Other groups can no longer create new instances using VM.Standard2.2 shape. Because of this, your company has issued a new mandate that the Dev compartment must include a quota to allow for use of only 20 VM.Standard2.2 shapes per Availability Domain. Your solution should not affect any other compartments in the tenancy. Which quota statement should be used to implement this new requirement? zero compute quotas in tenancy set compute quota in vm-standard2-2-count to 20 in tenancy dev set compute quota vm-standard2-2-count to 20 in compartment dev where availability-domain is us-phoenix-1 zero compute quotas in tenancy set compute quota vm-standard2-2-count to 20 in compartment dev set compute quota vm-standard2-2-count to 20 in compartment dev zero compute quotas in tenancy set compute quota vm-standard2-2-count to 20 in tenancy dev

set compute quota vm-standard2-2-count to 20 in compartment dev

Your company recently adopted a hybrid cloud architecture which requires them to migrate some of their on-premises web applications to OCI. You created a Terraform template that automatically provisions OCI resources such as compute instances, load balancer, and a database instance. After running the stack using the Terraform apply command, it successfully launched the compute instances and the load balancer, but it failed to create a new database instance with the following error: Service error: NotAuthorizedOrNotFound. Shape VM.Standard2.4 not found, http status code: 404 You discovered that the resource quotas assigned to your compartment prevent you from using VM.Standard2.4 instance shapes available in your tenancy. You edit the Terraform script and replace the shape with VM.Standard2.2. Which option would you recommend to re-run the Terraform command to have required OCI resources provisioned with the least effort? terraform refresh -target=oci_database_db_system.db_system terraform apply -auto-approve terraform plan -target=oci_database_db_system.db_system terraform apply -target=ocl_database_db_system.db_system

terraform apply -auto-approve

