Oracle Cloud Infrastructure (OCI) is distinguished in the cloud market by its offering of Bare Metal servers. This core compute component provides customers with dedicated, single-tenant physical servers, ensuring maximum performance, security, and control. Unlike virtualized environments, bare metal instances eliminate the "noisy neighbor" effect and provide direct hardware access. This capability is crucial for high-performance computing (HPC), I/O-intensive databases, and other enterprise workloads that require consistent performance and strong isolation, making it a key differentiator for OCI's computing platform.

A. Virtual Desktop Interfaces (VDIs) are a higher-level service offered by many cloud providers, not a core, differentiating compute component of OCI's fundamental infrastructure.

B. This statement is factually incorrect. OCI is architected for massive scalability to meet the demands of large enterprise workloads, which is a key feature, not a limitation.

C. While OCI provides single-tenant options, Bare Metal compute is the specific core component that differentiates its capabilities, not a generalized concept of "single-tenant storage."

1. Oracle Cloud Infrastructure Documentation

"Overview of Compute": "Oracle Cloud Infrastructure's Compute service offers both bare metal and virtual machine instances. A bare metal instance gives you dedicated physical server access for highest performance and strong isolation." This document establishes Bare Metal as a primary and distinct compute offering.

2. Oracle White Paper

"Oracle Cloud Infrastructure—A Technical Overview" (Doc ID: 11182020-WP): Section "Compute Services

" Page 8

discusses the range of compute shapes

stating

"OCI offers bare-metal compute instances

which are single-tenant servers with no hypervisor

giving customers full control of the server." This highlights the single-tenancy and control that differentiates the service.

3. Oracle Cloud Infrastructure Blog

"Bare metal

virtual machines

or containers? Which compute service is right for you?": This article explicitly positions Bare Metal instances for "workloads that are performance-intensive" and require "access to specific hardware

" confirming its role as a specialized and differentiating component for high-demand use cases.

Under the Oracle Cloud Infrastructure (OCI) Shared Security Responsibility Model, security is a shared effort between Oracle and the customer. Oracle is responsible for the security of the cloud, which includes the physical data centers and the core infrastructure. The customer is responsible for security in the cloud. This includes protecting their own data, managing user access, and configuring the security of their cloud resources. Configuring network security features like firewalls, security lists, and network security groups within their Virtual Cloud Network (VCN) is a fundamental customer responsibility to control traffic to and from their applications and workloads.

A. Ensuring the integrity of the underlying cloud infrastructure is Oracle's responsibility. The customer builds on top of this infrastructure, but does not manage its core integrity.

B. Physical security of data centers, including access controls and environmental protections, is exclusively managed by Oracle as the cloud provider.

C. Management of hardware firmware and patching the underlying hypervisors are Oracle's responsibilities to maintain the security and stability of the cloud infrastructure.

1. Oracle Cloud Infrastructure Documentation

"Security Overview": This document explicitly outlines the shared model. Under the "Customer Responsibilities" section for "Network security

" it states the customer is responsible for the "Configuration of virtual network

subnets

routing tables

and gateways. Configuration of security lists

network security groups

and network firewalls." Conversely

under "Oracle Responsibilities

" it lists "Hardware

software

networking

and facilities that run Oracle Cloud services." This directly supports option D and refutes A

B

and C.

Source: Oracle Cloud Infrastructure Documentation

"Security Overview"

Section: "Shared Security Responsibility Model".

2. Oracle Cloud Infrastructure Security Guide: This guide details the customer's role in securing their tenancy. It emphasizes that customers must configure network controls to secure their workloads.

Source: Oracle Cloud Infrastructure Security Guide

Section: "Securing the Network"

Paragraph 1. "You are responsible for securing your cloud network and its perimeters."

3. Oracle Cloud Infrastructure Documentation

"Overview of Networking": This document describes the components of a VCN that customers must configure

including Security Lists and Network Security Groups

reinforcing that this configuration is a customer task.

Source: Oracle Cloud Infrastructure Documentation

"Overview of Networking"

Section: "Comparing Security Lists and Network Security Groups".

Oracle Cloud Guard is a cloud-native service specifically designed for Cloud Security Posture Management (CSPM). It continuously monitors your Oracle Cloud Infrastructure (OCI) tenancy for security weaknesses related to configuration, identifies potential security risks, and provides recommendations for remediation. It operates by using detector recipes to identify misconfigured resources and insecure activities, and responder recipes to automatically correct problems, thereby helping to maintain a strong security posture across the cloud environment.

A. OCI Audit: This service records API calls made to OCI resources. It provides a log of events for auditing and compliance purposes but does not proactively manage or recommend fixes for security posture.

B. OCI Virtual Cloud Network (VCN): This is a foundational networking service for creating a private network in OCI. While it includes security features like Security Lists, it is not a posture management service.

D. OCI Identity and Access Management (IAM): This service controls user access and permissions to OCI resources. It is a critical security component but its primary function is authentication and authorization, not continuous posture monitoring.

---

1. Oracle Cloud Infrastructure Documentation - Overview of Cloud Guard: "Oracle Cloud Guard is a cloud-native service that helps customers monitor

identify

achieve

and maintain a strong security posture on Oracle Cloud. Use the service to examine your Oracle Cloud Infrastructure resources for security weakness related to configuration

and your Oracle Cloud Infrastructure operators and users for risky activities." (Oracle Cloud Infrastructure Documentation

"Overview of Cloud Guard

" Section: How Cloud Guard Works).

2. Oracle Cloud Infrastructure Documentation - Overview of the Audit Service: "The Oracle Cloud Infrastructure Audit service automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events. Currently

all services support logging by the Audit service." (Oracle Cloud Infrastructure Documentation

"Overview of the Audit Service

" First paragraph).

3. Oracle Cloud Infrastructure Documentation - Overview of IAM: "Oracle Cloud Infrastructure Identity and Access Management (IAM) service lets you control who can access your cloud resources. You can control what type of access a group of users has and to which specific resources." (Oracle Cloud Infrastructure Documentation

"Overview of IAM

" Section: How IAM Works).

4. Oracle Cloud Infrastructure Documentation - Overview of Networking: "A VCN is a customizable

software-defined network that you set up in an Oracle Cloud Infrastructure region. Like a traditional data center network

a VCN gives you complete control over your network environment." (Oracle Cloud Infrastructure Documentation

"Overview of Networking

" Section: Virtual Cloud Networks).

A Route Table in Oracle Cloud Infrastructure (OCI) contains a set of route rules that the Virtual Cloud Network (VCN) virtual router uses to determine where to send network traffic. Each rule specifies a destination CIDR block and the target (the next hop) for that traffic. The primary function is to direct traffic originating from subnets to destinations outside of the VCN, such as the internet (via an Internet Gateway), an on-premises network (via a Dynamic Routing Gateway), or another VCN (via a Local Peering Gateway).

A. A Dynamic Routing Gateway (DRG) provides the private connection to an on-premises network, not the route table itself. The route table only directs traffic to the DRG.

B. An Internet Gateway is the component that connects a VCN to the public internet. The route table contains a rule to forward internet-bound traffic to this gateway.

D. Security Lists and Network Security Groups (NSGs) define firewall rules to control (allow or deny) traffic flow between subnets and to/from other network endpoints.

1. Oracle Cloud Infrastructure Documentation

"VCN Route Tables": "For a given subnet

you use its route table to control how traffic flows from the subnet to destinations outside the VCN. The VCN's virtual router uses the rules in the table to route the traffic." (This directly supports the correct answer C).

2. Oracle Cloud Infrastructure Documentation

"Overview of Networking": "Route tables: Virtual route tables for your VCN. They have rules to route traffic from subnets to destinations outside the VCN (for example

to the internet

to your on-premises network

or to a peered VCN)." (This further reinforces answer C).

3. Oracle Cloud Infrastructure Documentation

"Security Lists": "Security lists act as virtual firewalls for your compute instances... A security list consists of a set of ingress and egress security rules that specify the types of traffic (protocol and port) allowed in and out." (This clarifies the function described in incorrect option D).

4. Oracle Cloud Infrastructure Documentation

"Internet Gateway" and "Dynamic Routing Gateway (DRG)": These documents define Internet Gateways and DRGs as the specific virtual router components that provide connectivity to the internet and on-premises networks

respectively

distinguishing their roles from that of a route table. (This supports why options A and B are incorrect).

Oracle Cloud Infrastructure (OCI) compartments are a fundamental component for organizing and isolating cloud resources. Their primary purpose is to act as logical containers to which Identity and Access Management (IAM) policies can be applied, thereby controlling access. The service specifically designed for storing and managing encryption keys and secrets is the OCI Vault service. While a vault and its keys reside within a compartment, the compartment itself does not provide the storage or management functionality; it is merely the container for the Vault resource.

A. Compartments are indeed global resources. When a compartment is created, it is available across all regions within the tenancy, allowing for a consistent organizational structure.

B. This describes the core function of compartments. IAM policies are attached to compartments (or the tenancy) to grant specific permissions to groups of users for the resources within that compartment.

D. OCI supports a hierarchical structure by allowing compartments to be nested up to six levels deep. This enables a granular organization of resources that can mirror a company's internal structure.

1. Oracle Cloud Infrastructure Documentation

"Managing Compartments": This document states

"Compartments are tenancy-wide

across all regions." It also details the process of creating nested compartments

confirming

"You can create subcompartments in compartments to create a hierarchy up to six levels deep."

Source: Oracle Cloud Infrastructure Documentation

Service: Identity and Access Management

Section: Managing Compartments.

2. Oracle Cloud Infrastructure Documentation

"Overview of Vault": This source clarifies the function of the Vault service

distinguishing it from compartments. It states

"Oracle Cloud Infrastructure Vault is a managed service that lets you centrally manage the encryption keys that protect your data and the secret credentials that you use to access resources."

Source: Oracle Cloud Infrastructure Documentation

Service: Security > Vault

Section: Overview of Vault.

3. Oracle Cloud Infrastructure Documentation

"How Policies Work": This document explains the relationship between IAM policies and compartments. It specifies

"You can attach a policy to a compartment or the tenancy. Where you attach it controls who can then modify it or delete it." This confirms that policies are applied to compartments to control access.

Source: Oracle Cloud Infrastructure Documentation

Service: Identity and Access Management

Section: How Policies Work.

Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) is the primary service for controlling access to OCI resources. Policies are the core mechanism used to enforce this control. An administrator writes a policy statement that grants a specific group of users a set of permissions (e.g., manage, read, use) on certain resource types (e.g., all-resources, instance-family) within a designated compartment. This method provides precise, fine-grained control, directly fulfilling the requirement to limit a group's management capabilities to a specific compartment.

B. OCI Cloud Guard is a security posture management service that detects and responds to misconfigurations and threats. It does not grant or define user access permissions.

C. A Network Security Group (NSG) is a virtual firewall that controls network traffic to and from resources like compute instances. It operates at the network layer, not the user identity and access layer.

D. Dynamic Groups are used for grouping OCI resources (e.g., compute instances), not users. They allow resources to make API calls to other services, which is different from user access control.

1. Oracle Cloud Infrastructure Documentation

"Overview of IAM". This document states

"You control access by creating policies. A policy is a document that specifies who can access which Oracle Cloud Infrastructure resources

and how." It further explains that policies are attached to compartments.

2. Oracle Cloud Infrastructure Documentation

"How Policies Work". This section details the policy syntax: Allow group to in compartment . This syntax directly demonstrates how to grant a group permissions within a specific compartment

which is the core of the question.

3. Oracle Cloud Infrastructure Documentation

"Overview of Cloud Guard". This document describes Cloud Guard's function: "Cloud Guard is an Oracle Cloud Infrastructure native service that helps customers monitor

identify

achieve

and maintain a strong security posture... It is not an access control mechanism for users."

4. Oracle Cloud Infrastructure Documentation

"Network Security Groups". This source clarifies

"Network security groups (NSGs) act as a virtual firewall for your compute instances and other kinds of resources... An NSG consists of a set of ingress and egress security rules that apply only to a set of VNICs of your choice in a single VCN." This confirms its role in network traffic control

not user permissions.

5. Oracle Cloud Infrastructure Documentation

"Managing Dynamic Groups". The documentation specifies

"A dynamic group is a group of OCI instances that match rules you define... You can then create policies to permit instances in the dynamic group to make API calls against Oracle Cloud Infrastructure services." This confirms dynamic groups are for resources

not users.

Security Lists and Subnets are fundamental components of an Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN). Security Lists act as virtual firewalls for subnets, defining stateful ingress and egress rules that control traffic at the packet level, thereby establishing the core security posture. Subnets are required subdivisions of a VCN's IP address space that enable the logical segmentation of the network. They dictate the connectivity model (public or private) for the resources within them, forming the essential connectivity framework of the VCN.

B. Object Storage: This is a storage service for unstructured data and is not a foundational component for defining the VCN's network connectivity or security rules.

D. Instance Pools: This is a feature of the OCI Compute service used for managing the lifecycle of multiple instances, not for VCN networking or security.

E. Block Volume Service: This provides persistent block-level storage for compute instances and does not play a direct role in the VCN's security or connectivity architecture.

1. Oracle Cloud Infrastructure Documentation

"Overview of VCNs and Subnets": This document states

"A VCN is a customizable

software-defined network that you set up in an Oracle Cloud Infrastructure region... When you create a VCN

you assign a contiguous IPv4 CIDR block of your choice. You can subdivide the VCN's address range into one or more smaller address ranges called subnets." This establishes subnets as a core part of the connectivity framework.

2. Oracle Cloud Infrastructure Documentation

"Security Lists": This source defines the service's role: "A security list acts as a virtual firewall for a subnet

with a set of ingress and egress security rules that apply to all the VNICs in that subnet... Security lists are a key part of the VCN security posture." This confirms the role of Security Lists in VCN security.

3. Oracle Cloud Infrastructure Documentation

"Networking": In the core networking overview

VCNs are described with their key components: "The virtual cloud network (VCN) is the centerpiece of your network in Oracle Cloud Infrastructure. It is a virtual

private network that you set up in Oracle data centers... Key components of a VCN include subnets

route tables

security lists

gateways

and DNS." This explicitly lists Subnets and Security Lists as key components.

Under the Oracle Cloud Infrastructure (OCI) Shared Security Responsibility Model, security is a partnership between Oracle and the customer. Oracle is responsible for the security of the cloud, which includes the physical data centers, host infrastructure, and the underlying network. The customer is responsible for security in the cloud.

This includes configuring network-level security controls like Security Groups and Network Access Control Lists (ACLs) to control traffic flow to their resources. Additionally, the customer is responsible for protecting their data, which involves implementing and managing data encryption for data in transit and at rest, ensuring their applications and connections use secure protocols like TLS.

B. OCI Platform Compliance Audits: Oracle is responsible for the compliance and audits of its own cloud platform and infrastructure, providing customers with attestation reports.

C. Patch Management of the OCI Hypervisor: The hypervisor is part of the core virtualization infrastructure, and its security and patching are solely Oracle's responsibility.

D. Physical Security of Cloud Infrastructure: Securing the physical data centers, including access control and environmental protections, is a fundamental responsibility of Oracle as the cloud provider.

1. Oracle Cloud Infrastructure Documentation

Security

"Overview of Security": This document outlines the shared model. It states

"You are responsible for securely configuring network elements such as virtual networks

subnets

gateways

and firewalls." This directly supports option A. It also states

"You are responsible for data classification

data encryption

and backups

" which supports option E.

Reference: Oracle Cloud Infrastructure Documentation > Security > Overview of Security > Shared Security Responsibility Model section.

2. Oracle Cloud Infrastructure Security Guide: This guide details the security approach. In the "Security Responsibilities" section

it clearly delineates tasks. Customer responsibilities include "Network Controls" (like Security Lists and Network Security Groups) and "Data Classification and Compliance

" which encompasses managing data encryption. Oracle's responsibilities are listed as "Physical Security

" "Host Infrastructure Security" (including the hypervisor)

and "Network Infrastructure Security."

Reference: Oracle Cloud Infrastructure Security Guide PDF

"Security Responsibilities" chapter

pages 6-8.

OCI Identity and Access Management (IAM) policies can include a where clause to specify conditions. This feature allows administrators to enforce more granular security by restricting access based on variables within the request context. For example, a policy can be written to only permit access from a specific range of IP addresses or require that the user has authenticated using multi-factor authentication (MFA). This directly implements an additional layer of security by ensuring that permissions are only granted when specific, verifiable conditions are met.

B. Users: Users are IAM principals (identities) that are granted permissions through policies; they are not the feature that defines conditional access rules.

C. Federation: Federation manages user identities from an external provider (e.g., Azure AD) but does not itself define the conditional logic for resource access within OCI policies.

D. Groups: Groups are collections of users for simplifying permission management. Policies are applied to groups, but the groups themselves do not contain conditional logic.

1. Oracle Cloud Infrastructure Documentation

"Policy Syntax": This document details the components of an IAM policy statement

including the where clause for conditions. It states

"You can add conditions to your policies to narrow the scope of the policy statement... A condition consists of one or more variables."

Reference: Oracle Cloud Infrastructure Documentation > Identity and Access Management > Policies > Policy Syntax

Section: "Conditions".

2. Oracle Cloud Infrastructure Documentation

"How Policies Work": This guide explains the core concepts of IAM policies. It describes how policies grant permissions and mentions the use of conditions for more specific control.

Reference: Oracle Cloud Infrastructure Documentation > Identity and Access Management > Policies > How Policies Work

Section: "Policy Attachment".

3. Oracle Cloud Infrastructure Documentation

"Overview of Identity and Access Management": This overview defines the core components of IAM

clearly distinguishing between principals (Users

Groups)

policies

and other features like Federation.

Reference: Oracle Cloud Infrastructure Documentation > Identity and Access Management > Overview of IAM

Sections: "Principals"

"Policies"

"Federation".

The Oracle Cloud Infrastructure (OCI) Virtual Cloud Network (VCN) is the fundamental networking service for OCI. It is a software-defined, private network that you set up in OCI data centers. A VCN provides complete control over your network environment, including assigning your own private IP address space, creating subnets, configuring route tables, and setting up various gateways (like Internet Gateway, NAT Gateway, and Dynamic Routing Gateway) to connect to other networks. This directly matches all the capabilities described in the question. Options B and E are identical and therefore both are correct.

A. OCI Object Storage: This is a high-performance storage platform for unstructured data. It does not create or manage virtual networks.

C. OCI Identity and Access Management (IAM): This service controls who has access to your cloud resources and what actions they can perform; it is not a networking service.

D. OCI Load Balancer: This service distributes network traffic to multiple backend servers. It operates within a VCN but is not the service used to create the VCN itself.

1. Oracle Cloud Infrastructure Documentation

"Overview of Networking": "A VCN is a virtual

private network that you set up in Oracle data centers. It is a software-defined network that closely resembles a traditional network

with firewall rules and specific types of communication gateways that you can choose to use."

2. Oracle Cloud Infrastructure Documentation

"VCNs and Subnets": "A VCN covers a single

contiguous IPv4 CIDR block of your choice... You can subdivide the VCN into one or more subnets... For each subnet

you create a route table with rules that determine how traffic is directed out of the subnet."

3. Oracle Cloud Infrastructure Documentation

"Gateways": This section details the various gateways (Internet Gateway

NAT Gateway

Dynamic Routing Gateway

Service Gateway

Local Peering Gateway) that are components of a VCN

enabling connectivity to the internet

on-premises networks

and other services.