50 Oracle Cloud Infrastructure 2025 Security Professional Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Oracle Cloud Infrastructure 2025 Security Professional certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Oracle Cloud Infrastructure 2025 Security Professional
A security administrator wants to ensure a specific group of compute instances can read secrets from OCI Vault, without allowing any user access from the console. Which approach best meets this requirement?
Your organization requires that all new Object Storage buckets are private by default and that developers cannot accidentally create public buckets. What is the best OCI-native control to enforce this requirement across compartments?
An application in a private subnet must call OCI Object Storage without traversing the public internet. Which network configuration is the most appropriate?
A database team needs to encrypt data at rest for an OCI Block Volume using customer-controlled keys. Which solution meets this requirement with the least operational overhead?
Your company uses OCI IAM policies heavily and wants to reduce the risk of overly permissive access. A new policy grants 'manage all-resources in tenancy' to a developer group. What is the best immediate remediation aligned with least privilege?
A security engineer wants to restrict inbound traffic to a web server subnet to only HTTPS from the internet, while allowing the instances to initiate outbound connections for patching. Which combination is most appropriate?
A team rotates secrets stored in OCI Vault. After rotation, an application running on compute instances starts failing with 'AccessDenied' when calling the Secrets service. The secret OCID did not change. What is the most likely cause?
Your organization must prove that all Object Storage buckets containing regulated data are encrypted with customer-managed keys and not Oracle-managed keys. Which OCI capability best helps you continuously assess and report this posture?
A regulated workload requires that encryption keys used for database and storage encryption are protected by hardware and that key material never leaves the hardware boundary. Which design best satisfies this requirement in OCI?
A security team needs to ensure that only traffic from specific on-premises CIDR ranges can reach a private application in OCI over an IPSec VPN. They also must prevent any other VCN subnets from accessing the app, even within the same VCN. What is the best architecture control?
A security administrator wants to ensure that user sign-ins to OCI are restricted based on network location. The requirement is to allow console access only from the corporate public IP ranges, while API access from automation in OCI should continue to work. What is the BEST approach?
A team must allow two compute instances in different VCNs (same region) to communicate privately. They also must ensure that only a specific TCP port is permitted and that traffic does not traverse the internet. Which solution BEST meets the requirement with least complexity?
A compliance requirement states that database backups must be encrypted with a customer-managed key and that key usage must be auditable. Which OCI feature set BEST satisfies this requirement?
A security engineer needs to detect outbound connections from compute instances to known malicious IP addresses and alert the SOC. Which OCI capability is the MOST appropriate primary data source for this detection?
A company uses Object Storage buckets that contain regulated data. They want to ensure objects cannot be made public accidentally, even by users with bucket management permissions. What is the BEST preventive control in OCI?
A workload requires that application servers in a private subnet access Object Storage without traversing the public internet. The security team also wants to keep the instances without public IP addresses. Which configuration meets these requirements?
A team is implementing OS hardening controls and needs to continuously identify insecure configurations (for example, weak SSH settings) across their OCI compute fleet. They want findings mapped to industry benchmarks and visible in a centralized security dashboard. Which OCI service BEST fits this use case?
An application uses OCI Vault secrets for database credentials. The security team requires automatic credential rotation without changing application code each time a secret version changes. What is the BEST design approach?
A security incident response team needs to prove whether any IAM policy changes occurred in a specific compartment during the last 24 hours and identify the principal that made each change. Where should they look first?
A company must ensure that only compliant compute instances (for example, with a specific CIS-aligned configuration) can access a highly sensitive database. They want enforcement at the network boundary and want to minimize reliance on IP-based allowlists. Which solution BEST meets the requirement?
A security engineer needs to ensure that OCI administrators cannot access a set of highly sensitive secrets (API keys) unless they are explicitly approved and actions are fully auditable. Which approach best meets this requirement?
You must restrict inbound traffic to an OCI instance to only TCP/443 from a single on-premises IP range. Which security control is the most direct and recommended first layer for this requirement?
An auditor asks how you can prove who changed a security list rule in a compartment and when the change occurred. Which OCI service provides this evidence by default?
A company is implementing a hub-and-spoke network in OCI. Spoke VCNs must not communicate with each other, but they must all reach shared services hosted in the hub VCN. Which design best enforces this segmentation?
A team uses instance principals for an application on Compute to call OCI APIs. Calls intermittently fail with "NotAuthorizedOrNotFound" after moving the instance to a different compartment. What is the most likely cause?
You need to enforce that all new Object Storage buckets are created with encryption using customer-managed keys (CMKs) from OCI Vault, and you want noncompliant resources to be flagged automatically. Which approach best meets this requirement?
An organization wants to reduce the risk of accidental data exposure in Object Storage. They require that buckets be private by default and that access be granted only through time-bound, least-privilege mechanisms for external parties. Which option best satisfies this?
A security team receives an alert that an instance is communicating with a known malicious IP. They want to automatically quarantine the instance by restricting all egress except to a patch repository subnet, without changing the instance OS configuration. Which action is most appropriate?
A regulated workload uses OCI Vault with customer-managed keys (CMKs) for Block Volume encryption. The auditor requires proof that key usage is controlled and that keys can be disabled quickly if compromise is suspected. Which capability best addresses this requirement?
A security engineer built a Cloud Guard responder to remediate public Object Storage buckets by making them private. The responder ran, but the bucket remained public. Audit logs show the responder attempted the change and received an authorization error. What is the most likely issue?
A security administrator needs to ensure that any newly created Object Storage bucket in a specific compartment is NOT publicly accessible. Which OCI capability best enforces this requirement proactively?
An engineer wants to allow administrators to log in to OCI using their corporate identity provider and require MFA based on corporate policies. What is the recommended OCI approach?
A team stores sensitive files in Object Storage and wants to protect against accidental deletion or overwrites while keeping data accessible to applications. Which configuration best meets this requirement with minimal application changes?
You must restrict outbound internet access for compute instances in a private subnet, but still allow them to initiate connections to OCI public services such as Object Storage without traversing the public internet. What should you implement?
A security team wants to ensure that database administrators cannot retrieve TDE master encryption keys in plaintext and that all key usage is auditable. Which approach best satisfies this?
A company uses a hub-and-spoke network topology. They want to centrally inspect east-west traffic between spoke VCNs and apply consistent security controls. Which design best meets this requirement in OCI?
Your organization must prove that all API calls that change security configurations (IAM policies, network rules, vault operations) are recorded and retrievable for audits. Which OCI service provides this capability by default?
A DevOps team uses Terraform and wants to allow a CI/CD pipeline running on OCI compute to manage resources in a compartment without storing long-lived user API keys. What is the best-practice authentication method?
A regulated workload requires that encryption keys are generated and stored in dedicated hardware, and that administrators cannot export private key material. Which OCI capability best satisfies this requirement?
A SOC receives an alert that an object in a sensitive bucket was made public briefly. They need to quickly determine WHO changed the bucket settings, FROM WHERE, and WHICH API operation was used. Which combination of OCI capabilities provides the most direct evidence?
You must enforce MFA for all OCI Console users, but you do NOT want MFA challenges for API key–based automation (OCI CLI/SDK) running in a CI/CD system. Which approach best meets this requirement?
A subnet’s security list allows inbound TCP 443 from 0.0.0.0/0 to a web server, but users still cannot reach the service. The VCN uses a Network Security Group (NSG) attached to the instance VNIC. What is the most likely cause?
You need a simple way to ensure that only encrypted connections are used when clients access an Object Storage bucket. Which bucket-level control best accomplishes this?
A security team needs to onboard 200 developers. They should manage access using least privilege and avoid writing per-user policies. Developers require read-only access to Networking resources and the ability to manage only their own compute instances in a specific compartment. What is the most appropriate IAM design?
You operate a private application in a VCN. You want to allow instances in a private subnet to call OCI APIs (for example, to write logs to Object Storage) without using the public internet or public IPs. Which architecture is recommended?
A compliance requirement states that encryption keys used for object encryption must be customer-controlled, and key usage must be auditable. Objects are stored in Object Storage. Which solution best meets the requirement?
Your security operations team wants to detect risky configuration changes across OCI resources (for example, a bucket becoming public or a security list opening to 0.0.0.0/0) and trigger an automated response. Which combination is the most appropriate?
A company uses OCI Logging and wants to centrally retain logs for security investigations. They need to ensure logs are immutable for a retention period and can be queried. Which approach best aligns with OCI best practices?
You must allow an external auditor to review configuration and activity across your tenancy for two weeks. The auditor must be able to view (but not modify) IAM, networking, and storage settings, and must also be able to view Audit events. What is the most secure approach?
A highly regulated workload requires that database backups remain encrypted with customer-controlled keys, and key administrators must not be able to decrypt data themselves. You are using OCI Vault. Which design best satisfies separation of duties?
Oracle Cloud Infrastructure 2025 Security Professional 50 Practice Questions FAQs
Oracle Cloud Infrastructure 2025 Security Professional is a professional certification from Oracle that validates expertise in Oracle Cloud Infrastructure 2025 Security Professional technologies and concepts. The official exam code is 1Z0-1104-25.
Our 50 Oracle Cloud Infrastructure 2025 Security Professional practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for Oracle Cloud Infrastructure 2025 Security Professional preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Oracle Cloud Infrastructure 2025 Security Professional questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.