Oracle Cloud Infrastructure 2025 Security Professional Advanced Practice Exam: Hard Questions 2025
You've made it to the final challenge! Our advanced practice exam features the most difficult questions covering complex scenarios, edge cases, architectural decisions, and expert-level concepts. If you can score well here, you're ready to ace the real Oracle Cloud Infrastructure 2025 Security Professional exam.
Why Advanced Questions Matter
Prove your expertise with our most challenging content
Expert-Level Difficulty
The most challenging questions to truly test your mastery
Complex Scenarios
Multi-step problems requiring deep understanding and analysis
Edge Cases & Traps
Questions that cover rare situations and common exam pitfalls
Exam Readiness
If you pass this, you're ready for the real exam
Expert-Level Practice Questions
10 advanced-level questions for Oracle Cloud Infrastructure 2025 Security Professional
A global enterprise uses OCI IAM Identity Domains federated with an external IdP for workforce SSO. They must enforce step-up MFA only when users attempt privileged actions (for example, managing dynamic groups, creating policies, or modifying network security lists) while keeping standard console read-only access frictionless. The security team also wants the enforcement to apply even if users already authenticated at the external IdP without MFA. Which approach best meets the requirement with the strongest security posture and least operational overhead?
A security engineer is troubleshooting why an OCI Function can no longer read secrets from OCI Vault. The function runs in a private subnet and uses a dynamic group. Recent changes included: moving the function to a new compartment, rotating the secret, and tightening IAM policies. The function logs show authorization failures (not network timeouts). Which troubleshooting step is MOST likely to identify the root cause quickly?
A company operates multiple OCI tenancies. They want a centralized security tooling tenancy to scan Object Storage buckets in application tenancies for misconfigurations and malware. Requirements: no long-lived keys, least privilege, and the ability to revoke access centrally. What is the best design pattern?
You are designing a hub-and-spoke architecture with an OCI Network Firewall in the hub VCN. Spoke VCNs connect via DRG attachments. Requirement: all east-west traffic between spokes must be inspected by the firewall, but traffic from spokes to OCI public services (like Object Storage via Service Gateway) should NOT hairpin through the firewall to avoid latency. Which routing strategy best satisfies these requirements?
A private web application in OCI must be accessible from on-premises over FastConnect. The security team requires TLS inspection and L7 allow/deny controls, but the application team insists on end-to-end TLS with their own certificates. You must design a solution that balances both, with minimal changes to application code. What is the best approach?
After implementing NSGs and security lists, a team reports intermittent connectivity from a bastion host to instances in a private subnet over SSH. Packet captures show SYNs arriving at the target, but SYN-ACKs are sometimes not returned. The target instances are in an NSG that allows ingress TCP/22 from the bastion NSG. Egress rules on the target NSG are restrictive. What is the MOST likely cause in OCI and the correct fix?
A regulated workload requires customer-managed keys (CMK) for Object Storage encryption. The security team wants assurance that disabling or deleting the key will immediately prevent any future reads of existing objects, even if an administrator has Object Storage read permissions. Which statement best describes the correct behavior and design implication in OCI?
A team must encrypt boot volumes and block volumes with customer-managed keys and also ensure that backups and volume clones remain encrypted under the same key control. They also need to rotate keys without re-encrypting entire volumes and must support rapid incident response by key disablement. Which approach best satisfies these requirements?
Your organization uses OCI Cloud Guard with a centralized security compartment. A detector rule flags multiple compute instances for "Public IP attached" in a compartment where public IPs are allowed for a specific autoscaling service. You need to reduce noise without weakening detection for other compartments and still ensure that unexpected public IPs are caught. What is the best solution?
A SOC team ingests OCI Audit logs into a SIEM. They suspect a compromised API key is being used to enumerate IAM policies and then modify network route tables. They need a high-confidence detection that minimizes false positives and helps scope blast radius quickly. Which detection logic is BEST?
Ready for the Real Exam?
If you're scoring 85%+ on advanced questions, you're prepared for the actual Oracle Cloud Infrastructure 2025 Security Professional exam!
Oracle Cloud Infrastructure 2025 Security Professional Advanced Practice Exam FAQs
Oracle Cloud Infrastructure 2025 Security Professional is a professional certification from Oracle that validates expertise in Oracle Cloud Infrastructure 2025 Security Professional technologies and concepts. The official exam code is 1Z0-1104-25.
The Oracle Cloud Infrastructure 2025 Security Professional advanced practice exam features the most challenging questions covering complex scenarios, edge cases, and in-depth technical knowledge required to excel on the 1Z0-1104-25 exam.
While not required, we recommend mastering the Oracle Cloud Infrastructure 2025 Security Professional beginner and intermediate practice exams first. The advanced exam assumes strong foundational knowledge and tests expert-level understanding.
If you can consistently score 68% on the Oracle Cloud Infrastructure 2025 Security Professional advanced practice exam, you're likely ready for the real exam. These questions are designed to be at or above actual exam difficulty.