1z0-1104-23 無料問題集「Oracle Cloud Infrastructure 2023 Security Professional」
you are part of security operation of an organization with thousand of your users accessing Oracle cloud infrastructure it was reported that an unknown user action was executedresulting in configuration error you are tasked to quickly identify the details of all users who were active in the last six hours also with any rest API call that were executed. Which oci feature should you use?
正解:B
解答を投票する
解説: (JPNTest メンバーにのみ表示されます)
Challenge 1 - Task 5 of 5
Authorize OCI Resources to Retrieve the Secret from the Vault
Scenario
You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.
Preconfigured
To complete this requirement, you are provided with:
An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
Access to Cloud Shell.
Permissions to perform only the tasks within the challenge.
Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.
Authorize OCI Resources to Retrieve the Secret from the Vault
Scenario
You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.
Preconfigured
To complete this requirement, you are provided with:
An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
Access to Cloud Shell.
Permissions to perform only the tasks within the challenge.
Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.
正解:
See the solution below in Explanation
Explanation:
SOLUTION:
Select the Developer Tools icon at the right of the OCI console header and click Cloud Shell to launch your Cloud Shell.
While Cloud Shell is launching, take a moment to locate the public and private keys that you downloaded to your workstation in the previous section.
Example Public Key name: ssh-key-<date>.key.pub
Example Private Key name: ssh-key-<date>.key
Once the Cloud Shell window is open, upload the private key to the Cloud Shell:
Click the Settings icon in the top-right corner of the Cloud Shell window and click Upload.
Navigate to and select the private key. Either drag the private key to the Drop a file window or click Select from your computer, select the private key, and click Upload.
Change the private key permissions by issuing the following command:
chmod 400 <private key name>.key
Retrieve the Public IP address of the instance that you created in the previous section and paste it to connect to the instance using the opc user in the Cloud Shell.
ssh -i <private key name> opc<public IP address of instance>
After connecting to the compute instance, run the following commands to install/verify Python and OCI CLI packages on the Linux Instance.
sudo dnf -y install oraclelinux-developer-release-el8
sudo dnf install python36-oci-cli
After installing Python and the required dependencies, download the Python script to retrieve the secret.
wget https://objectstorage.us-ashburn-1.oraclecloud.com/n/ocuocictrng5/b/PBT_Storage/o/getsecret.py Open a Python file with a nano editor.
nano getsecret.py
In the Python script, replace the secret ID ocid with your secret ID.
Replace secret id value below with the ocid of your secret secret id = <secret id> For example: Secret id = "ocid1.vaultsecret.oci.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Note: if you have not already copied the secret ID, go to Vault and select the Secret link from the resources. Then, in List Scope, choose <your working compartment>, click your secret key, and copy the OCID.
To save the script hit:
Ctrl+o > Enter [To write/save]
Ctrl+x > Yes > Enter [To exit]
Make the getsecret .py script executable.
chmod +x getsecret.py
Run the following command to retrieve the secret:
python getsecret.py
The secret content created in the vault has been retrieved by the application running on the instance. Instance Principal and the Vault enable you to abstract the difficulty of developing your own security strategy for storing and encrypting passwords and other sensitive information.
Explanation:
SOLUTION:
Select the Developer Tools icon at the right of the OCI console header and click Cloud Shell to launch your Cloud Shell.
While Cloud Shell is launching, take a moment to locate the public and private keys that you downloaded to your workstation in the previous section.
Example Public Key name: ssh-key-<date>.key.pub
Example Private Key name: ssh-key-<date>.key
Once the Cloud Shell window is open, upload the private key to the Cloud Shell:
Click the Settings icon in the top-right corner of the Cloud Shell window and click Upload.
Navigate to and select the private key. Either drag the private key to the Drop a file window or click Select from your computer, select the private key, and click Upload.
Change the private key permissions by issuing the following command:
chmod 400 <private key name>.key
Retrieve the Public IP address of the instance that you created in the previous section and paste it to connect to the instance using the opc user in the Cloud Shell.
ssh -i <private key name> opc<public IP address of instance>
After connecting to the compute instance, run the following commands to install/verify Python and OCI CLI packages on the Linux Instance.
sudo dnf -y install oraclelinux-developer-release-el8
sudo dnf install python36-oci-cli
After installing Python and the required dependencies, download the Python script to retrieve the secret.
wget https://objectstorage.us-ashburn-1.oraclecloud.com/n/ocuocictrng5/b/PBT_Storage/o/getsecret.py Open a Python file with a nano editor.
nano getsecret.py
In the Python script, replace the secret ID ocid with your secret ID.
Replace secret id value below with the ocid of your secret secret id = <secret id> For example: Secret id = "ocid1.vaultsecret.oci.iad.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Note: if you have not already copied the secret ID, go to Vault and select the Secret link from the resources. Then, in List Scope, choose <your working compartment>, click your secret key, and copy the OCID.
To save the script hit:
Ctrl+o > Enter [To write/save]
Ctrl+x > Yes > Enter [To exit]
Make the getsecret .py script executable.
chmod +x getsecret.py
Run the following command to retrieve the secret:
python getsecret.py
The secret content created in the vault has been retrieved by the application running on the instance. Instance Principal and the Vault enable you to abstract the difficulty of developing your own security strategy for storing and encrypting passwords and other sensitive information.
Your company has implemented a new VPN connection policy, three months after you connected your on-premises network to Oracle Cloud Infrastructure (OCI). Your chief security officer has instructed you to edit the IPSec connection and replace the shared secrets with the new ones that he has provided. Where do you edit the shared secrets? (Choose the best Answer.)
正解:A
解答を投票する
You have three compartments: ProjectA, ProjectB, and ProjectC. For each compartment, there is an admin group set up: A-Admins, B-Admins, and C-Admins. Each admin group has full access over their respective compartments as shown in the graphic below. Your organization has set up a tag namespace, EmployeeGroup.Role and all your admin groups are tagged with a value of 'Admin'.
You want to set up a "Test" compartment for members of the three projects to share, and need to give admin aress to all three of your existing admin groups. Which policy should you write to accomplish this task? (Choose the best Answer.)
You want to set up a "Test" compartment for members of the three projects to share, and need to give admin aress to all three of your existing admin groups. Which policy should you write to accomplish this task? (Choose the best Answer.)
正解:D
解答を投票する