1z0-1104-23 Exam Dumps - Oracle Cloud Infrastructure 2023 Security Professional

Challenge 1 - Task 5 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

• An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
• An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
• A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
• Access to Cloud Shell.
• Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Challenge 4 - Task 2 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN)
• Create a Compute Instance and install the Web Server
• Create a Load Balancer and update Security List
• Create a WAF policy
• Configure Protection Rules against XSS attacks
• Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

• Create a Compute Instance with the name IAD-SP-PBT-VM-01, using the Oracle Linux 8 image and VM.Standard2.1 shape.
• SSH to the compute instance using Cloud Shell.
• Install and configure Apache web server:a. Install Apache server:

• sudo yum -y install httpd

b. Enable Apache and start Apache server:

• bash

• sudo systemctl enable httpd
• sudo systemctl restart httpd

c. Create a firewall rule to enable HTTP connection through port 80 and reload the firewall:

• css

• sudo firewall-cmd --permanent --add-port=80/tcp
• sudo firewall-cmd --reload

d. Create an index file for your web server:

• vbnet

• sudo bash -c 'echo You are visiting Web Server 1 >>
• /var/www/html/index.html'

Challenge 4 - Task 3 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN)
• Create a Compute Instance and install the Web Server
• Create a Load Balancer and update Security List
• Create a WAF policy
• Configure Protection Rules against XSS attacks
• Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

• Go to the VCN IAD-WAF-PBT-VCN-01.
• Create a Security List with the name IAD-SP-PBT-LB-SL-01.
• Create a Public subnet named LB-Subnet-IAD-SP-PBT-SNET-02 and attach the above-created security list.
• Create a Load Balancer with the name IAD-SP-PBT-LB-01.
• Create a Listener Name with the name IAD_SP_PBT_LB_LISN_01.
• Add appropriate Ingress and Egress rules to IAD-SP-PBT-LB-SL-01, to allow http traffic to the Load Balancer subnet.

Challenge 1 - Task 3 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

• An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
• An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
• A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
• Access to Cloud Shell.
• Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following task in the OCI environment provisioned:

Create a new VCN with the name PBT_SECRET_VCN01 and public subnet within your assigned compartment.

Challenge 3 - Task 2 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

 

Create a Compute Instance with the name PBT-BAS-VM-01, using the "Oracle Linux 8" image and shape "VM.Standard2.1", without SSH key and enable Bastion plugin.

Challenge 1 - Task 4 of 5

Authorize OCI Resources to Retrieve the Secret from the Vault

Scenario

You are working on a Python program running on a compute instance that needs to access an external service. To access the external service, the program needs credentials (password). Given that it is not a best security practice, you decide not to hard code the credential in the program. Instead, you store the password (secret) in a vault using the OCI Vault service. The requirement now is to authorize the compute instance so that the Python program can retrieve the password (secret) by making an API call to the OCI Vault.

Preconfigured

To complete this requirement, you are provided with:

• An OCI Vault to store the secret required by the program, which is created in the root compartment as PBT_Vault_SP.
• An instance principal IAM service, which enables instances to be authorized actors (principals) that can retrieve the secret from the OCI Vault.
• A dynamic group named PBT_Dynamic_Group_SP with permissions to access the OCI Vault. This dynamic group includes all of the instances in your compartment.
• Access to Cloud Shell.
• Permissions to perform only the tasks within the challenge.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99234021-C01 and Region us-ashburn-1.

Complete the following tasks in the OCI environment provisioned:

• Create a Linux Instance with the name [Provide Name Here] within the compartment.

Provide your own public key to SSH the instance.

Challenge 4 - Task 6 of 6

Configure Web Application Firewall to Protect Web Server Against XSS Attack

Scenario

You have to protect web applications hosted on OCI from cross-site scripting (XSS) attacks. You can use the OCI Web Application Firewall (WAF) capabilities to create rules that compare against incoming requests to determine if the request contains an XSS attack payload. If a request is determined to be an attack, WAF should return the HTTP Service Unavailable (503) error.

To ensure that the configured WAF blocks the XSS attack, run the following script: [http:// /index.html?

/index.html?

)

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN)
• Create a Compute Instance and install the Web Server
• Create a Load Balancer and update Security List
• Create a WAF policy
• Configure Protection Rules against XSS attacks
• Verify the created environment against XSS attacks

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1.

Complete the following task in the provisioned OCI environment:

You will connect to the web server and append an XSS script. The protection rule will evaluate the requests and respond accordingly.

Challenge 3 - Task 1 of 4

Set Up a Bastion Host to Access the Compute Instance in a Private Subnet Scenario

A compute instance is provisioned in a private subnet that is not accessible through the Internet. To access the compute instance resource in a private subnet, you must provide a time-bound SSH session without deploying and maintaining a public subnet and a jump server, which eliminates the hassle and potential attack surface from remote access.

To complete this deployment, you have to perform the following tasks in the environment provisioned for you:

• Configure a Virtual Cloud Network (VCN) and a Private Subnet.

• Provision a Compute Instance in the private subnet and enable Bastion Plugin.

• Create a Bastion and Bastion session.

• Connect to a compute instance using Managed SSH session.

Note: You are provided with access to an OCI Tenancy, an assigned compartment, and OCI credentials. Throughout your exam, ensure to use the assigned Compartment 99233424-C01 and Region us-ashburn-1

Complete the following tasks in the provisioned OCI environment:

• Create a Virtual Cloud Network (VCN) with the name PBT-BAS-VCN-01
• Create a Private Subnet with the name PBT-BAS-SNET-01
• Create a Service Gateway with the name PBT-BAS-SG-01, using the service "All IAD Services in Oracle Services Network"
• Add Route Rules for Service Gateway