Question
You are the security architect for a medium-sized e-commerce company that runs all of its applications in Oracle Cloud Infrastructure (OCI). Currently there are 14 unique applications, each deployed and secured in its own compartment. The Operations team has procured a new monitoring tool that will be deployed throughout the OCI ecosystem. Their requirement is to deploy one management node into each compartment.
Currently, the Operations team Identity and Access Management (IAM) group has the following policy: allow group OpsTeam to READ all-resources in tenancy.
Once the new monitoring nodes are deployed, the Operations team may need to stop, start, or reboot them occasionally.
What is the most efficient solution to allow the Operations team to fully manage the monitoring nodes, without allowing them to alter other resources across the tenancy?
A. In each of the 14 compartments, create a new policy with the following statement: allow group OpsTeam to manage instance-family in compartment XXX where XXX is the name of the compartment where you are creating the policy.
B. Create a new policy in the root compartment with the following policy statement: allow group OpsTeam to manage instance-family in tenancy where ANY (request.operation = 'UpdateInstance', request.operation = 'InstanceAction')
C. Tag all the monitoring nodes with the defined tag AllPolicy:AllowAccess:OpsTeam and write the following IAM policy: allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllPolicy.AllowAccess = 'OpsTeam'
D. Tag all the monitoring nodes with the free-form tag AllowAccess:OpsTeam and write the following IAM policy: allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllowAccess = 'OpsTeam'
Answer
A. In each of the 14 compartments, create a new policy with the following statement: allow group OpsTeam to manage instance-family in compartment XXX where XXX is the name of the compartment where you are creating the policy.
Explanation
The answer is option A:
In each of the 14 compartments, create a new policy with the following statement: allow group OpsTeam to manage instance-family in compartment XXX where XXX is the name of the compartment where you are creating the policy.
Each statement is scoped to a single compartment, so the grant cannot reach beyond it. Be precise about what it does and does not restrict, though: manage instance-family in compartment XXX covers every Compute instance in that compartment, including the application's own instances, not only the monitoring node. The scoping is by compartment, not by resource. What it does guarantee is that nothing outside the compartment is affected, and the existing READ grant on the tenancy is unchanged.
The other options:
B widens the grant to every instance in the tenancy. The where clause narrows which operations OpsTeam may call (UpdateInstance and InstanceAction cover stop, start and reboot), but it does nothing to narrow which instances those operations can target.
C is a valid use of tag-based access control. A condition on target.resource.tag.<namespace>.<key> matches defined tags, so only instances carrying AllPolicy.AllowAccess = 'OpsTeam' would be manageable; untagged instances do not match the condition and the policy simply does not apply to them. The cost is that access now follows the tag: a monitoring node deployed without it is unmanageable until someone tags it, and anyone permitted to apply that tag to another instance has effectively granted OpsTeam management of that instance, so the AllPolicy tag namespace itself has to be restricted.
D does not work at all. Free-form tags cannot be referenced in policy conditions; only defined tags (namespace plus key) are supported, so target.resource.tag.AllowAccess has no namespace to resolve. The Policy Reference and Tags and Tag Namespace Concepts pages listed under Reference document both points.
Option A is the answer here because it needs no tagging discipline: the grant is fixed at the compartment boundary and does not change when tags are added, removed or mistyped.
Here are some additional details regarding option A:
- It follows the principle of least privilege as far as compartment scoping allows. OpsTeam gets manage on instance-family in one compartment at a time and nothing else; the residual exposure is the other instances in that same compartment.
- It is targeted and granular. Because a policy is created within each compartment, OpsTeam's permissions apply only to that compartment, with no blanket permission across the tenancy.
- It grows with the compartment model. When a new application is deployed in a new compartment, the same one-line policy is created there to cover its monitoring node, and it goes away with the compartment when the application is retired.
- It keeps permissions static. The policies do not rely on tags to decide access, so OpsTeam's permissions remain the same even if tags change or are omitted on a new node.
- It is simple to implement and maintain. The statement is identical in every compartment apart from the compartment name, so it can be templated, and each policy is self-contained within its scope.
- It limits blast radius. A mistake by OpsTeam cannot affect instances in a compartment they have no policy for, and the tenancy-wide READ grant stays read-only.
So in summary, option A gives OpsTeam management of instances one compartment at a time without broader access across the tenancy. The compartment-level policies apply the principle of least privilege at the compartment boundary.
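To make the differences between the four statements concrete, here is an added example (not part of the original page and not Oracle's policy engine): a small Python evaluator that models only the slice of OCI policy syntax the options use and reports which instances in a constructed two-compartment inventory each statement would let OpsTeam manage. Compartment names, instance names and tag values are assumptions made up for the example; the target.resource.tag.<namespace>.<key> and request.operation variables are OCI's, but the evaluation logic is a simplification (one group, the instance-family and all-resources types, exact-match conditions only).

```python
import re
from dataclasses import dataclass, field

VERBS = ("inspect", "read", "use", "manage")  # each verb includes the ones before it


@dataclass
class Instance:
    name: str
    compartment: str
    defined_tags: dict = field(default_factory=dict)   # "Namespace.Key" -> value
    freeform_tags: dict = field(default_factory=dict)  # "Key" -> value; policies never see these


# Constructed sample inventory (assumed names): two of the 14 compartments, each
# holding an application instance plus the new monitoring node, tagged both ways.
INVENTORY = [
    Instance("checkout-web-1", "app-checkout"),
    Instance("mon-checkout", "app-checkout", {"AllPolicy.AllowAccess": "OpsTeam"}, {"AllowAccess": "OpsTeam"}),
    Instance("catalog-db-1", "app-catalog"),
    Instance("mon-catalog", "app-catalog", {"AllPolicy.AllowAccess": "OpsTeam"}, {"AllowAccess": "OpsTeam"}),
]

# Only the slice of OCI policy syntax the four options use.
STATEMENT_RE = re.compile(
    r"^allow\s+group\s+(?P<group>\S+)\s+to\s+(?P<verb>inspect|read|use|manage)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?P<scope>tenancy|compartment\s+\S+)"
    r"(?:\s+where\s+(?P<cond>.+))?\s*$", re.IGNORECASE)
COND_RE = re.compile(r"^(?P<var>[\w.]+)\s*=\s*'(?P<val>[^']*)'$")


def parse_conditions(text):
    """(mode, [(variable, value), ...]); mode is 'all' or 'any'. Accepts one bare
    condition, or any/all wrapped in {} (documented form) or () (as printed in option B)."""
    m = re.match(r"^(any|all)\s*[{(](.*)[})]\s*$", text.strip(), re.IGNORECASE | re.DOTALL)
    mode, body = (m.group(1).lower(), m.group(2)) if m else ("all", text)
    conds = []
    for part in body.split(","):
        cm = COND_RE.match(part.strip())
        if not cm:
            raise ValueError(f"unparseable condition: {part.strip()!r}")
        var = cm.group("var")
        # Tag-based access control needs a defined tag, addressed as
        # target.resource.tag.<namespace>.<key>; a free-form tag has no namespace.
        if var.lower().startswith("target.resource.tag.") and len(var.split(".")) != 5:
            raise ValueError(f"{var!r}: free-form tags cannot be used in policy conditions")
        conds.append((var, cm.group("val")))
    return mode, conds


def parse_statement(stmt):
    m = STATEMENT_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unparseable statement: {stmt!r}")
    scope = m.group("scope")
    mode, conds = parse_conditions(m.group("cond")) if m.group("cond") else ("all", [])
    return {"group": m.group("group"), "verb": m.group("verb").lower(),
            "resource": m.group("resource").lower(), "mode": mode, "conditions": conds,
            "compartment": None if scope.lower() == "tenancy" else scope.split(None, 1)[1]}


def condition_holds(var, value, instance, operation):
    if var.lower() == "request.operation":
        return operation == value
    if var.lower().startswith("target.resource.tag."):
        namespace, key = var.split(".")[3:5]
        return instance.defined_tags.get(f"{namespace}.{key}") == value
    raise ValueError(f"unsupported variable {var!r}")


def allows(stmt, instance, needed="manage", operation="InstanceAction", group="OpsTeam"):
    """True if `stmt` grants `group` verb `needed` on `instance` for API call `operation`."""
    p = parse_statement(stmt)
    if p["group"] != group or p["resource"] not in ("instance-family", "all-resources"):
        return False
    if VERBS.index(p["verb"]) < VERBS.index(needed):
        return False
    if p["compartment"] is not None and p["compartment"] != instance.compartment:
        return False
    if not p["conditions"]:
        return True
    results = [condition_holds(v, val, instance, operation) for v, val in p["conditions"]]
    return all(results) if p["mode"] == "all" else any(results)


def manageable(statements, operation="InstanceAction"):
    """Sorted names of inventory instances that some statement lets OpsTeam manage."""
    return sorted(i.name for i in INVENTORY if any(allows(s, i, operation=operation) for s in statements))


def statement_error(stmt):
    """The parse error for a statement, or None if it is accepted."""
    try:
        parse_statement(stmt)
        return None
    except ValueError as exc:
        return str(exc)


EXISTING = "allow group OpsTeam to READ all-resources in tenancy"
OPTION_A = [f"allow group OpsTeam to manage instance-family in compartment {c}" for c in ("app-checkout", "app-catalog")]
OPTION_B = ["allow group OpsTeam to manage instance-family in tenancy where "
            "ANY (request.operation = 'UpdateInstance', request.operation = 'InstanceAction')"]
OPTION_C = ["allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllPolicy.AllowAccess = 'OpsTeam'"]
OPTION_D = ["allow group OpsTeam to manage instance-family in tenancy where target.resource.tag.AllowAccess = 'OpsTeam'"]

if __name__ == "__main__":
    for label, opt in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        print(label, manageable(opt))
    print("B, TerminateInstance", manageable(OPTION_B, "TerminateInstance"))
    print("D", statement_error(OPTION_D[0]))
```

Running it shows A and B granting every instance in scope (A within each compartment, B across the whole tenancy but only for the two listed operations), C granting only the two tagged monitoring nodes, and D rejected at parse time because the tag variable has no namespace. The existing READ statement still evaluates as read-only, so the new grants add to it rather than replace it.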
Reference
- Overview of Identity and Access Management (oracle.com)
- Common Policies (oracle.com)
- Oracle Cloud Infrastructure Federation with OCI IAM Identity Domains (oracle.com)
- Getting Started with Policies (oracle.com)
- Create an IAM Policy (oracle.com)
- Tags and Tag Namespace Concepts (oracle.com)
- Policy Reference (without Identity Domains) (oracle.com)
- Overview of IAM (oracle.com)
- Creating an Instance (oracle.com)
- Cloud Compute (oracle.com)
Practice question with answer, explanation and references for the Oracle Cloud Infrastructure 2022 Architect Professional (1z0-997-22) certification exam.