Oracle Cloud Infrastructure 2025 Security Professional Practice Exam 2025: Latest Questions
Test your readiness for the Oracle Cloud Infrastructure 2025 Security Professional certification with our 2025 practice exam. Featuring 25 questions based on the latest exam objectives, this practice exam simulates the real exam experience.
Why Take This 2025 Exam?
Prepare with questions aligned to the latest exam objectives
2025 Updated: Questions based on the latest exam objectives and content
25 Questions: A focused practice exam to test your readiness
Mixed Difficulty: Questions range from easy to advanced levels
Exam Simulation: Experience questions similar to the real exam
Practice Questions
25 practice questions for Oracle Cloud Infrastructure 2025 Security Professional
You need to quickly restrict who can create and manage buckets in a single compartment without affecting access in other compartments. What is the most appropriate OCI control to use?
A security engineer wants to reduce the blast radius of an accidental policy change by ensuring administrators cannot both create and approve highly privileged IAM changes. Which approach best supports this goal in OCI?
You need to allow only outbound connections from a private subnet to the public internet for OS patching while keeping all instances in the subnet unreachable from inbound internet traffic. Which OCI network component best meets this requirement?
A web application in a public subnet must accept HTTPS traffic from the internet. You want to enforce that only HTTPS (443) is reachable and only from specific source CIDR ranges. Which configuration is the best practice in OCI?
A database team must meet a requirement that encryption keys are rotated and tightly controlled. They want OCI to manage HSM-backed keys but need full control over which services can use the key. Which OCI feature best matches this need?
An application writes sensitive files to block volumes attached to compute instances. You are asked to ensure data is unreadable if a volume backup is copied outside the organization. What is the most appropriate control in OCI?
A security analyst wants to detect publicly exposed Object Storage buckets and misconfigured network rules across multiple compartments, and then automatically open incidents for high-severity findings. Which OCI service combination best supports this requirement?
You suspect an administrator made unauthorized changes to IAM policies. You need an authoritative record of who changed what and when, and you need to query it for specific API actions. Which OCI capability should you use?
A company uses dynamic groups so instances can call OCI APIs. An instance in compartment A must read secrets from OCI Vault in compartment B. The call fails with authorization errors even though the instance is in the correct dynamic group. Which is the most likely issue?
You operate workloads in multiple VCNs across compartments. Security requires that only a specific set of compute instances can reach a database on TCP 1521, regardless of which subnet those instances are moved to later. What is the most robust OCI approach?
A security engineer must quickly reduce the blast radius of overly permissive IAM policies across multiple teams. They want a preventive control that blocks risky permissions from being created, without manually reviewing every policy. Which OCI feature best meets this requirement?
You need to allow a third-party auditor read-only access to a single compartment for 30 days. After 30 days, access must automatically expire without requiring manual changes. Which is the best approach in OCI IAM?
A team reports they cannot reach a private OCI Object Storage endpoint from an instance in a private subnet. The instance uses a route table that already contains a route to a Service Gateway. What is the MOST likely missing configuration?
Your organization requires that all outbound internet access from workloads be inspected by a next-generation firewall appliance in OCI before reaching the public internet. Which architecture best enforces this requirement?
A database team must ensure that data stored in OCI Block Volumes cannot be decrypted by OCI operators and that the organization controls key rotation. Which solution best meets these requirements?
An application uses OCI Vault secrets for database credentials. The security team wants to ensure applications can retrieve secrets without embedding user credentials or API keys on instances. Which is the recommended approach?
A security analyst needs near real-time visibility into changes to security lists and network security groups, including who made the change and the before/after values. Which OCI capability should they use?
Your organization uses multiple compartments and wants to detect when any compute instance becomes publicly reachable due to an accidental security list or NSG rule change. They also want an automated remediation to remove the risky ingress rule. Which combination is MOST appropriate?
A compliance team requires evidence that all Object Storage buckets containing regulated data are encrypted with customer-managed keys and that public access is disabled. They need continuous assessment across compartments. Which OCI approach best meets this requirement?
A company must enforce strict network segmentation: only specific OCI services should be reachable from a private subnet, and all other destinations (including internet and other Oracle services) must be blocked. Which design best satisfies this requirement with least operational overhead?
A security administrator wants to ensure that developers can manage only the resources they create in a shared compartment, without granting broader permissions over other teams’ resources. Which OCI IAM feature best meets this requirement?
An auditor asks for proof that all Object Storage buckets in a tenancy are encrypted at rest with customer-managed keys (CMKs) rather than Oracle-managed keys. What is the MOST direct way to verify this across buckets?
A production web tier is in a private subnet and must be reachable only through an OCI Load Balancer in a public subnet. A pen test finds the instances are still reachable directly from the internet on TCP/443. What is the MOST likely misconfiguration causing this exposure?
A security team needs to detect and alert when any IAM policy in the tenancy is changed, including creation, update, or deletion. They also want to store evidence for later investigation. Which approach best satisfies this requirement?
A company must enforce that resources in a sensitive compartment cannot have public IP addresses and that Object Storage buckets cannot be public. They want preventive controls (deny noncompliant creation) rather than only detection after the fact. What is the BEST OCI-native solution?
Oracle Cloud Infrastructure 2025 Security Professional 2025 Practice Exam FAQs
Oracle Cloud Infrastructure 2025 Security Professional is a professional certification from Oracle that validates expertise in Oracle Cloud Infrastructure 2025 Security Professional technologies and concepts. The official exam code is 1Z0-1104-25.
The Oracle Cloud Infrastructure 2025 Security Professional Practice Exam 2025 includes updated questions reflecting the current exam format, new topics added in 2025, and the latest question styles used by Oracle.
Yes, all questions in our 2025 Oracle Cloud Infrastructure 2025 Security Professional practice exam are updated to match the current exam blueprint. We continuously update our question bank based on exam changes.
The 2025 Oracle Cloud Infrastructure 2025 Security Professional exam may include updated topics, revised domain weights, and new question formats. Our 2025 practice exam is designed to prepare you for all these changes.