OCI Operations Associate (1Z0-1067-20)
11. You have a group of developers who launch multiple VM.Standard2.2 compute instances every day into the compartment Dev. As a result, your OCI tenancy quickly hit the service limit for this shape. Other groups can no longer create new instances using VM.Standard2.2 shape. Because of this, your company has issued a new mandate that the Dev compartment must include a quota to allow for use of only 20 VM.Standard2.2 shapes per Availability Domain. Your solution should not affect any other compartments in the tenancy. Which quota statement should be use to implement this new requirement?
set compute quota vm-standard2-2-count to 20 in compartment dev
12. As the operations administrator for your company's OCI, you have been entrusted the task of ensuring that data being accessed by the application is encrypted. Your application portfolio includes both VM and BM database systems. Which method should you use to achieve encryption of data in-transit?
Native Oracle Net Services encryption and integrity capabilities.
54. You have set up a threshold alarm for CPU utilization metric for a value greater than 80 percent. You get a notification email about this alarm. Which of the following action will help you respond to this notification?
Suppress the alarm notifications temporarily.
55. You launched a Linux compute instance to host the new version of your company website via Apache HTTPS server on HTTPS (port 443). The instance is created in a public subnet along with other instances. The default security list associated to the subnet is: Ingress: CIDR. IP Protocol. Source Port. Destination Port. State 0.0.0.0/0 TCP All 22 Stateful 0.0.0.0/0 ICMP. Stateful Egress: CIDR. IP Protocol. Source Port. Destination Port. State 0.0.0.0/0 All. Stateful You want to allow access to the company website from public internet without exposing websites eventually hosted on the other instances in the public subnet. Which 2 actions should you do?
- Access the Linux instance via SSH and configure IP tables to allow HTTPS access on port 443. - Create a network security group, add a stateful rule to allow ingress access on port 443 and associate it to the instance that hosts the company's website.
61. You created a group for several auditors. You assign the following policies to the group: Allow group Auditors to inspect all-resources in tenancyAllow group Auditors to read instances in tenancy Allow group Auditors to read audit-events in tenancy What actions are the auditors allowed to perform within your tenancy?
- Auditors are able to view all resources in the compartment - The Auditors can view resources in the tenancy
41. An organization wants to extend their existing on-premises data centers to the OCI us-phoenix-1 region. In order to achieve it, they have created an IPSec VPN connection between their Customer Premises Equipment (CPE) and Dynamic Routing Gateway (DRG). How can you make this connection highly available (HA)?
Add another CPE and create a second IPSec VPN connection with the same DRG.
9. You are tasked with creating a group called volumeBackupAdmins to manage only block volume backups. Which of the following set of policy/policies would you need to write to meet this requirement?
Allow group volumeBackupAdmins to use volumes in tenancy Allow group volumeBackupAdmins to manage volume-backups in tenancy.
53. Several development teams in your company have each been provided with a budget and a dedicated compartment to be used for testing purposes. You are asked to help them to control the costs and avoid any overspending. What should you do?
Associate a budget tag to each compartment with the monthly budget amount and set an alert rule to notify the developer's teams when they reached a specific percentage of budget.
39. Your team implemeted a SaaS application that requires a whole system deployment for each new customer. The infrastructure provisioning is already automated via Terraform, and now you have been asked to develop an Ansible playbook to centralize configuration file management and deployment. What is the most effective way to ensure your playbooks are utilizing up-to-date and accurate inventory?
Download the dynamic inventory script provided by OCI and include it in the playbook invocation command.
7. You need to set up daily incremental backups of your database in OCI Database Service. The backups need to be retained for at least 50 days. Which of the following methods allow you to accomplish this is an efficient and cost effective manner?
Enable automatic backups and choose the preset retention period of 60 days.
15. A subscriber of an OCI Notifications Service topic complained about not receiving messages from the service. Which of the following options can help you debug this issue?
If OCI Notifications service does not receive an acknowledgement from a subscription endpoint, the service tries to redeliver messages for up to 2 hours. Configure an alarm on the NumberofNotificationFailed metric through the OCI Monitoring service to help debug the issue.
17. One of the compute instances that you have deployed is malfunctioning. You have created a console connection to remotely troubleshoot.
If you do not disconnect from the session, your serial console connection will automatically be terminated after 24 hours.
31. Which technique does NOT help you get the optimal performance out of the OCI File Storage Service?
Serialize operations to the file system to access consecutive blocks as much as possible
36. You are a system administrator at a retail company. You just received a ticket stating that the account team is unable to access an internal application. The application is running behind an OCI public load balancer and is using a compute instance pool with auto-scaling enabled. You noticed some deleted items in the Audit Log while troubleshooting. Which resource deletion could have caused this issue?
The route table rules associated with the subnet within the VCN
24. You have created a geolocation steering policy in the Traffic Management service with this configuration: Rule 1: GEOLOCATION: Asia, North AmericaPOOL PRIORITY: (1) Pool 1, (2) Pool 2 What happens to requests that originate in Africa?
The traffic will be forwarded randomly to any of the pools mentioned in the rules
21. You are working as a Cloud Operations Administrator for your company. They have different OCI tenancies for development and production workloads. Each tenancy has resources in 2 regions - uk-london-1 and eu-frankfort-1. You are asked to manage all resources and to automate all the tasks using OCI CLI. Which is the most efficient method to manage multiple environments using OCI CLI?
Use OCI CLI profiles to create multiple sets of credentials in your config file and reference the appropriate profile at runtime.
13. Which 2 statements accurately describe Ansible Modules for OCI?
a. OCI Ansible Modules represent discreet provisioning tasks or operations that you can invoke individually from the command line, or else run individually or in sequence from a playbook. b. OCI Ansible Modules enable orchestrating, provisioning, and configuration management tasks on OCI.
16. Which 3 statements are true about Object Storage data security and encryption in OCI?
- Client-side encryption is managed by the customer - Server-side encryption uses per-object keys which are managed by Oracle - All traffic to and from Object Storage service is encrypted using TLS
32. Which 2 statements are true about the Bulk Export of OCI Audit Log Events?
- Exported logs remain available indefinitely - Exported logs are available in the Object Storage buckets in your tenancy.
45. Your company has restructured its HR departments. As part of this change, you also need to re-organize compartments within OCI to align to the company's new organizational structure. The following change is required: Compartment Team_X needs to be moved under a new parent compartment, Project_B The tenancy has the following policies defined for compartments Project_A and Project_B: Policy 1: Allow group G1 to manage instance-family in compartment HR:Project_A Policy 2: Allow group G2 to manage instance-family in compartment HR:Project_B Which 2 statements describe the impacts after the compartment Team_X is moved?
- Group G1 can now manage instance-families in compartment Project_A but not in compartment Team_X - Group G2 can now manage instance-families in compartment Project_B and compartment Team_X
29. You are using OCI console to set up an alarm on a budget to track your OCI spending. Which 2 are valid targets for creating a budget in OCI?
- Select cost-tracking tags as the type of target for your budget - Select compartment as the type of target for your budget
34. Which 3 statements are true about Object Storage data security and encryption in OCI?
- Server-side encryption uses per-object keys which are managed by Oracle - All traffic to and from Object Storage service is encrypted using TLS - Client-side encryption is managed by the customer
23. In order to manage Alarms in OCI, which 3 actions can be performed through the OCI console?
- View alarm history for the last 3 months - View all the firing alarms - Move an alarm to a different compartment
40. Which 2 statements about the OCI CLI are true?
- You can filter CLI output using the JMESPath query option for JSON. - The CLI provides the same core functionality as the console, plus additional commands.
57. You are using the OCI CLI to launch a Linux virtual machine. You enter the following command (with correct values for all parameters): oci compute instance launch --availability-domain "<AD Name>" -t <tenancy id> -c <compartment id> --shape "<shape name>" --display-name "<instance display name>" --image-id <image id> --ssh-authorized-keys-file "<path to authorized keys file>" --subnet-id <subnet id> The command fails. Which is NOT a valid parameter in this command?
-t <tenancy id>
52. Which of the following are essential components of the OCI Notifications Service?
A topic with a name across the tenancy, a subscription, and a message where content is published
50. You set up a bastion host in your VCN to only allow your IP address (140.19.2.140) to establish SSH connections to your compute instances that are deployed in a private subnet. The compute instances have an attached Network Security Group with a Source Type: Network Security Group, Source NSH: -050504. To secure the bastion host, you added the following ingress rules to its NSG: Type: All TCP Protocol: TCP Port Range: 22 Source: 140.19.2.140/32 Type: All TCP Protocol: TCP Port Range: 22 Source: NSG-050504 However, after checking the bastion host logs, you discovered that there are IP addresses other than your own that can access your bastion host. What is the root cause of this issue?
All compute instances associated with NSG-050504 are also able to connect to the bastion host.
59. You are using OCI services across several regions: us-phoenix-1, us-ashburn-1, uk-london-1, and ap-tokyo-1. You have created a separate administrator group for each region: PHX-Admins, ASH-Admins, LHR-Admins, and NRT-Admins, respectively. You want to restrict admin access to a specific region, e.g. PHX-Admins should be able to manage all resources in the us-phoenix-1 region only and not in any other OCI regions. What IAM policy syntax is required to restrict PHX-Admins to manage OCI resources in the us-phoenix-1 region only?
Allow group PHX-Admin to manage all-resources in tenancy where request.region = 'phx'
20. You have the following compartment structure within your company's OCI tenancy: (root) -> CompartmentA -> CompartmentB -> CompartmentC You want to create a policy in the root compartment to allow SystemAdmins to manage VCNs only in CompartmentC. Which policy is correct?
Allow group SystemAdmins to manage virtual-network-family in compartment CompartmentA:CompartmentB:CompartmentC
42. You are asked to implement disaster recovery (DR) and business continuity requirements for OCI block volumes. Two OCI regions are being used: a primary/source region and a DR/destination region. The requirements are: - There should be a copy of data in the destination region to use if a region-wide disaster occurs in the source region - Minimize costs Which of the following designs will help you meet these requirements?
Backup block volumes. Copy block volumes from the source region to the destination region at regular intervals.
63. You have set an alarm to be generated when the CPU usage of a specified instance is greater than 10%. In the alarm behavior view below, you notice that the critical condition happened around 23:30. You were expecting a notification after 1 minute, however, the alarm firing state did not begin until 23:23. {graph} What should you change to fix it?
Change the alarm's trigger delay minutes value to 1.
46. You have created an ADW service in your company's OCI tenancy and you now have to load historical data into it. You have already extracted this historical data from multiple data marts and data warehouses. This data is stored in multiple CSV text files and these files are ranging in size from 25MB to 20GB. Which step is most efficient and error tolerant method for loading data into ADW?
Create Auth Token, use it to create an Object Storage credential by executing DBMS_CLOUD.CREATE_CREDENTIAL. Using OCI CLI, upload the CSV files to an OCI Object Storage bucket, create the tables in the ADW database, and then execute DBMS_CLOUD.COPY_DATA for each CSV file to copy the contents into the corresponding ADW database table.
44. You have been tasked with allocating an identity to one of your compute instances that needs to retrieve and process static files that are stored in an Object Storage bucket. After creating a dynamic group with a matching rule that specifies the OCID of the compute instance, you discover that the API calls are failing. Which step should you take to resolve this issue?
Create IAM policies to permit instances in these groups to make API calls against OCI services.
49. The boot volume on your Oracle Linux instance has run out of space. Your application has crashed due to a lack of swapspace, forcing you to increase the size of the boot volume. Which step should NOT be included in the process used to solve the issue?
Create a RAID0 configuration to extend the boot volume file system onto another block volume.
4. You have recently joined a startup company and quickly find that nobody is tracking the amount of money spent on OCI. Seeing an opportunity to help save money, you begin creating a solution to better track the cost of resources provisioned by each individual on the team. Which option allows you to identify excessive spend across all resources in your tenancy?
Create a budget for each compartment that will send a notification when monthly spend reaches a pre-defined amount.
2. You have been contracted by a local e-commerce company to assist with enhancing their online shopping application. The application is currently deployed in a single OCI region. The application utilizes a public load balancer, application servers in a private subnet, and a database in a separate, private subnet. The company would like to deploy another set of similar infrastructure in a different OCI region that will act as standby site. In the event of a failover at the primary site, all customers should be routed to the failover site automatically. After deploying the additional infrastructure within the second region, how should you configure automated failover requirements?
Create a failover policy in the Traffic Management service. Set the IP address of the public load balancer for the primary site in answer pool 1. Set the IP address of the public load balancer for the secondary site in answer pool 2. Define a health check to monitor both sites.
38. You have shared your OCI tenancy with a group of developers in your organization by creating a compartment called developer. You are an administrator in the tenancy with privileges to modify IAM policies. Developers need privileges to configure Federation to a SSO. How would you give them permissions to complete their task in the most secure manner?
Create a group called IdPAdmins. Assign the following IAM policy statement:Allow group IdPAdmins to manage identity-providers in tenancyAllow group IdPAdmins to manage groups in tenancy
56. An insurance company has contracted you to help automate their application business continuity plan. They have the application running in eu-frankfort-1 as the primary site and uk-london-1 as a disaster recovery site. Normally they have a DNS A record associated with the IP address of the primary endpoint in eu-frankfort-1. In the event of a disaster, they use OCI DNS Zone Management to update the A record and replace it with the IP address of the endpoint in uk-london-1. How can you automate the failover process?
Create a health check that evaluates both regional endpoints. Create a Traffic Management steering policy with failover type and associate it with the Health Check.
43. You are asked to deploy a new application that has been designed to scale horizontally. The business stakeholders have asked that the application be deployed in us-phoenix-1. Normal usage requires 2 OCPUs. You expect to have few spikes during the week, that will require up to 4 OCPUs, and a major uptick at the end of the month that will require 8 OCPUs. What is the most cost-effective approach to implement a highly available and scalable solution?
Create an instance pool with a VM.Standard2.2 shape instance configuration. Setup the autoscaling configuration to use 2 ADs and have a minimum of 2 instances to handle the weekly spikes and a maximum of 4 instances.
37. Multiple teams are sharing a tenancy in OCI. You are asked to figure out an appropriate method to manage OCI costs. Which is NOT a valid technique to accurately attribute costs to resources used by each team?
Create and Identify an Access Management (IAM) group for each team. Create an OCI budget for each group to track spending.
58. Security testing policy describes when and how you may conduct certain types of security testing of OCI services, including vulnerability and penetration tests, as well as involving data scraping tools. What does Oracle allow as part of this testing?
Customers are allowed to use their own testing and monitoring tools.
28. You have a Linux compute instance located in a public subnet in a VCN which hosts a web application. The security list attached to subnet containing the compute instance has the following stateful ingress rule: Source: 0.0.0.0/0 IP Protocol: TCP Source Port Range: All Destination Port Range:22 The route table attached to the public subnet is shown below. You can establish a SSH connection into a compute instance from the internet. However, you are not able to connect to the web server using your web browser . Destination: 0.0.0.0/0 Target Type: Internet Gateway Which step will resolve the issue?
In the security list, add an ingress rule for port 80 (http).
18. You have created several block volumes in the us-phoenix-1 region in a specified compartment. The compartment can be identified by the following OCI unique identifier, or ocid1.compartment.oc1.phx..exampleuniqueID Your manager has asked you to leverage the OCI monitoring service and write a metric query showing all read IOPS at one-minute intervals, filtered to this compartment and aggregated for the maximum. Which metric query will you create?
IopsRead[lm]{compartmentId="ocid1.compartment.oc1.phx..exampleuniqueID"}.grouping().max()
30. You have recently been asked to take over management of your company's infrastructure provisioning efforts, utilizing Terraform v0.12 to provision and manage infrastructure resources in OCI. For the past few days, the development environments have been failing to provision. Terraform returns the following error: Error: Missing item separator on vcn_peer_lab.tf line 15, in resource "oci_core_security_list" "ManagementSecurityList":15: tcp_options = [min = "22", max = "22"] Expected a comma to mark the beginning of the next item. You locate the related code block in the Terraform config and find the following: (11) ingress_security_rules {(12) protocol = 6(13) source = "0.0.0.0/0"(14)(15) tcp_options = [min = "22", max = "22"](16) } Which correction should you make to solve this issue?
Modify line 15 to be the following: tcp_options {min = "22" max = "22"}
62. You are configuring an alarm in OCI for a compute instance named Vision. The metric needs to be triggered when the ingress network rate is greater than 1MB. Which statement will accomplish this?
NetworksBytesIn[1m]{resourceDisplayName - "Vision"}.rate() > 1024
1. You have been asked to provision a new production environment on OCI. After working with the solution architect you decide that you are going to automate this process. Which OCI service can help automate the provisioning of this new environment?
OCI Resource Manager
27. You have created the following JSON file to specify a lifecycle policy for one of your Object Storage buckets. How will this policy affect the objects that are stored in the bucket?
Objects containing the same prefix LOGS will be automatically migrated from standard storage to archive storage 30 days after the creation date. The objects will be deleted 120 days after creation.
48. What is a key benefit of using OCI's Resource Manager for your Terraform provisioning and management activities?
Resource Manager manages the Terraform state file for your infrastructure and locks the file so that only one job at a time can run on a given stack.
5. You are a Cloud Operations administrator who has recently joined a new department. You have created 10 Terraform stacks using OCI Resource Manager. Each stack creates a different set of resources in OCI for your development team. What determines the cost of these Terraform stacks?
Resource Manager stacks are free but you are charged for the resources they create.
6. You have been brought in to help secure an existing application that leverages Object Storage buckets to distribute content. The data is currently being shared from public buckets and the security team is not satisfied with this approach. They have stated that all data must be stored in storage buckets. Your application should be able to provide secure access to the data. The URL that is provided for access to the data must be rotated every 30 days. Which design option will meet these requirements?
Use Pre-Authenticated Request, even though there will be multiple URLs, this will provide better security.
10. To take advantage of cloud agility and burst computing capability, ABC Automobiles have extended their data center to a VCN in OCI us-phoenix-1 region. They have several members in their CloudOps team that need access to the OCI management console. The security administrator does not want to create new IAM users and credentials that would then need to be distributed to each CloudOps member. Which option will help the solution architect meet the needs for CloudOps?
Use an existing SAML 2.0 compliant identity provider to grant CloudOps members federated access to OCI console via the OCI single sign-on (SSO) endpoint.
35. Your deployment platform within OCI leverages a compute instance with multiple block volumes attached. There are multiple teams that use the same compute instance and have access to these block volumes. You want to ensure that no one accidentally deletes any of these block volumes. You have started to construct the following IAM policy but need to determine which permissions should be used. Allow group DeploymentUsers to manage volume-family where ANY [ request permission != <???>, request.permission != <???>, request.permission != <???>]
VOLUME_DELETE, VOLUME_ATTACHMENT_DELETE, VOLUME_BACKUP_DELETE
60. Recently your e-commerce web application has been receiving significantly more traffic than usual. Users are reporting they often encounter a 903 when trying to access your site. Sometimes the site is very slow. You check your instance pool configuration to confirm that the maximum number of instances is configured to allow 20 compute instances. Currency 14 compute instances have been provisioned by the instance pool. You also confirm that current CPU utilization across all hosts exceeds the scale-threshold you set in your auto-scaling policy. However, the instance pool is not provisioning any new instances. What can you check to determine why the application is NOT functioning properly?
Verify that the compute resource quota has not been exceeded.
25. You have deployed a 3-tier web application inside an OCI VCN with a CIDR block of 10.0.0.0/28. You initially deploy 3 web servers (VM.Standard2.2), 2 application servers (VM.Standard2.4), and 2 servers (VM.Standard2.8) running Oracle database. The web, application, and database servers are deployed across 2 ADs in the us-ashburn-1 region. You also deployed a public load balancer in front of the two web servers. The web traffic gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load. Unfortunately, some of these new instances fail to launch. Your tenancy comes with the following set of predefined service limits for the AD and compartment where the application is deployed. What is a possible reason for this deployment to fail?
You do not have enough private IP addresses to launch all of the new compute instances.
14. You created an Oracle Linux compute instance through the OCI management console then immediately realize you forgot to add an SSH key file. You notice that OCI compute service provides instance console connections that support adding SSH keys for running an instance. Hence, you created the console connection for your Linux server and activated it using the connection string provided. However, now you get prompted for a username and password to login. What option should you recommend to add the SSH key to your running instance, while minimizing the administrative overhead?
You need to modify the serial console connection string to include the identity file flag, -i, to specify the SSH key to use
33. You have been asked to investigate a potential security risk on your company's OCI tenancy. You decide to start by looking through the audit logs for suspicious activity. How can you retrieve the audit logs using the OCI CLI?
oci audit event list --start-time $start-time --end-time $end-time --compartment-id $compartment-id
3. One of your development teams has asked for your help to standardize the creation of several compute instances that must be provisioned each day of the week. You initially write several Command Line Interface commands with all appropriate configuration parameters to achieve this task, later determining this method lacks flexibility. Which command generates a JSON-based template that OCI CLI can use to provision these instances on a regular basis?
oci compute instance launch --generate-full-command-json-input
26. Your applications using Object Storage bucket named app-data in the namespace vision to store both persistent and temporary data. Every week all the temporary data should be deleted to limit the storage consumption. Currently you need to navigate to the Object Storage page using the web console, select the appropriate bucket to view all the objects, and delete the temporary ones. To simplify the task you have configured the application to save all the temporary data with /temp prefix. You have also decided to use the CLI to perform this operation. What is the command you should use to speed up the data cleanup?
oci os object bulk-delete -ns vision -bn app-data --prefix /temp --force
19. Which command sample can be used to copy an object from OCI Object Storage bucket in source region to a bucket in a destination region?
oci os object copy --namespace-name <object-storage-namespace> --bucket-name <source-bucket-name> --source-object-name <source-object> --destination-namespace <destination-namespace-name> --destination-region <destination-region> --destination-bucket <destination-bucket-name> --destination-object-name <destination-object-name>
51. Your company will undergo a security audit in one week. Your manager has asked you to download and review recent logs from an Object Storage bucket. The current log archive file is approximately 19GB in size. Which command would you run to download the archive file as quickly as possible?
oci os object get -ns my-namespace -bn my-bucket --name my-large-object --multipart-download-threshold 2000 --part-size 128
22. You have been asked to update the lifecycle policy for Object Storage using the OCI CLI. Which command can successfully update the policy?
oci os object-lifecycle-policy put -ns <object_storage_namespace> -bn <bucket_name> -items <json_formatted_lifecycle_policy>
8. You have received an email from your manager to provision new resources on OCI. When researching OCI you detect that you should use OCI Resource Manager. Since this is a task that will be done multiple times for development, test, and production, you need to create a command that can be re-used. Which CLI command can be used in this situation?
oci resource-manager stack create --compartment-id <compartment_OCID> \--config-source prod.zip --variables file://variables.json \--display-name "Production stack build" \--description Creating new Production environment
47. 1 / 1 point Your company recently adopted a hybrid cloud architecture which requires them to migrate some of their on-premises web applications to OCI. You created a Terraform template that automatically provisions OCI resources such as compute instances, load balancer, and a database instance. After running the stack using the Terraform apply command, it successfully launched the compute instances and the load balancer, but it failed to create a new database instance with the following error: Service error: NotAuthorizedOrNotFound. Shape VM.Standard2.4 not found, http status code: 404 You discovered that the resource quotas assigned to your compartment prevent you from using VM.Standard2.4 instance shapes available in your tenancy. You edit the Terraform script and replace the shape with VM.Standard2.2. Which option would you recommend to re-run the Terraform command to have required OCI resources provisioned with the least effort?
terraform apply -auto-approve
