ORACLE CERTIFICATION
1Z0-1104 Oracle Cloud Infrastructure Security 2022 Professional Practice Exam
Exam Number: 4823 | Last updated April 19, 2026 | 700+ questions across 4 vendor-aligned objectives
The 1Z0-1104 Oracle Cloud Infrastructure Security 2022 Professional exam is written for security engineers, cloud architects, and compliance specialists who protect workloads on OCI. Candidates validate command of identity, network security, data protection, and the detection and response services that keep production tenancies compliant with enterprise and regulatory requirements.
The heaviest content is Identity and Access Management (roughly 30%), covering users, groups, dynamic groups, compartments, policies, federation, and network perimeter controls such as security zones. Network Security contributes another 25% with security lists, Network Security Groups, Web Application Firewall, Bastion, and private connectivity patterns.
Data Protection and Key Management sits near 20% and drills into OCI Vault, customer-managed keys, Transparent Data Encryption, and Data Safe. Threat Detection and Compliance rounds out the remaining weight with Cloud Guard, Security Zones, Logging Analytics, Threat Intelligence, and the OCI compliance framework.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Oracle documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations.
557 practice exam users · 91.0% satisfied users · 89.4% passed the exam · 4.2/5 quality rating
Test your 1Z0-1104 OCI Security Pro knowledge
10 of 700+ questions
Question #1 - Identity and Access Management
A security architect at a multinational retailer is designing IAM policies. The DevOps group should manage all compute in the Non-Prod compartment but only read compute in Prod. Developers should have no access to Prod at all.
Which policy pattern enforces this split with least-privilege?
A) Two policies: DevOps manage instance-family in compartment Non-Prod, and DevOps read instances in compartment Prod; no policy grants Developers anything in Prod.
B) No policies; rely on the honor system.
C) A single policy granting DevOps full tenancy admin.
D) A tenancy-wide read policy for all groups.
Correct answer: A. Explanation:
Compartment-scoped policies with distinct verbs (manage vs read) give DevOps the right access per compartment, and the absence of any policy granting Developers access to Prod enforces denial by default, which is the correct least-privilege design. Option C over-grants. Option D exposes too much. Option B has no control.
Question #2 - Identity and Access Management
A compliance lead wants only specific high-trust groups to log in from the corporate IP ranges and deny sensitive operations from elsewhere. Operations from unknown networks should never be allowed regardless of user group membership.
Which IAM feature enforces network-conditional access?
A) Hoping IT blocks traffic at the firewall.
B) Policies with network source conditions (request.origin.ip, network source) on sensitive permissions.
C) Disabling all users outside business hours.
D) A UI banner asking users to self-certify.
Correct answer: B. Explanation:
IAM policy conditions can reference a defined network source so that sensitive verbs apply only when the request originates from approved networks. Option A is a guess. Option D is not enforcement. Option C is brittle and time-based, not network-based.
Question #3 - Network Security
A web architect is deploying a public-facing application and wants an edge service that filters OWASP Top 10 attacks like SQL injection and XSS before requests reach the backend.
Which OCI service fits edge-layer OWASP Top 10 filtering for a public web app?
A) VCN security lists only.
B) Object Storage ACLs.
C) Web Application Firewall (WAF) with managed rulesets for OWASP Top 10.
D) A plain load balancer with no WAF.
Correct answer: C. Explanation:
OCI WAF includes managed rulesets for OWASP Top 10 threats and inspects requests at the edge before the backend sees them. Option D has no L7 inspection. Option A is L3/L4 filtering. Option B is for buckets.
Question #4 - Network Security
A security engineer needs ad-hoc SSH access to a private compute instance without attaching a public IP to the instance or standing up a jump host.
Which OCI service fits ad-hoc SSH to a private instance without a jump host?
A) A VPN from every engineer’s laptop.
B) Assigning a public IP to every private instance.
C) A manually configured jump host on a public subnet.
D) OCI Bastion with an SSH session to the private instance.
Correct answer: D. Explanation:
OCI Bastion provides short-lived SSH sessions to private instances without exposing them to the public internet, which is the designed answer. Option B is insecure. Option C requires ongoing maintenance. Option A is heavier than needed.
Question #5 - Data Protection and Key Management
A DBA wants Transparent Data Encryption on an Autonomous Database, with the master key controlled by the customer and rotated on a fixed schedule.
Which OCI service manages customer-controlled TDE keys with rotation?
A) OCI Vault with customer-managed master keys referenced by TDE and scheduled key rotation.
B) A text file with the key stored in Object Storage.
C) Disabling TDE entirely.
D) The default Oracle-managed keys with no customer control.
Correct answer: A. Explanation:
OCI Vault holds master encryption keys under customer control with scheduled rotation, and TDE for Autonomous Database references those keys; this is the supported pattern. Option B is insecure. Option D does not meet the requirement. Option C violates policy.
Question #6 - Threat Detection and Compliance
A SOC analyst needs automated detection when someone creates a public Object Storage bucket or attaches a public IP to a resource that should be private, with optional automated remediation.
Which OCI service fits detection and optional auto-remediation of risky configurations?
A) Manual quarterly audits.
B) Cloud Guard with configuration detectors and responders.
C) A BI Publisher report emailed weekly.
D) A third-party SIEM only.
Correct answer: B. Explanation:
Cloud Guard detects risky configurations and can auto-remediate via responders, exactly matching the requirement. Option A is lagging. Option D may exist but is not the native OCI answer. Option C is reporting only.
Question #7 - Threat Detection and Compliance
A security architect wants a compartment where policy-violating resources simply cannot be created — for example, no public subnets and no unencrypted storage.
Which OCI feature enforces preventive policies at the compartment level?
A) Manual reviews by the cloud team.
B) A BI Publisher weekly audit.
C) Security Zones with a security recipe bound to the compartment.
D) Cloud Guard detectors alone.
Correct answer: C. Explanation:
Security Zones enforce preventive security policies at the compartment level, blocking creation of non-compliant resources; this is distinct from Cloud Guard’s detection model. Option D detects but does not prevent. Options A and B are manual and lagging.
Question #8 - Identity and Access Management
A federation architect wants employees to log in to OCI using their corporate identity from Azure Active Directory / Microsoft Entra ID via SAML, with SSO and group mapping.
Which OCI IAM feature supports SAML federation with external IdPs?
A) A custom Python script synchronizing users hourly.
B) A shared service account for all employees.
C) Disabling OCI IAM and relying only on network controls.
D) IAM Identity Providers with SAML 2.0 federation and group mappings.
Correct answer: D. Explanation:
OCI IAM supports SAML 2.0 federation to external IdPs with mappings from IdP groups to IAM groups, which is the SSO mechanism. Option A reinvents the wheel. Option B is a security violation. Option C leaves IAM off.
Question #9 - Data Protection and Key Management
A DBA wants to identify sensitive columns (credit card numbers, SSNs) across an Autonomous Database, monitor user activity on those columns, and mask them for non-production clones.
Which Oracle service fits this sensitive-data lifecycle?
A) Oracle Data Safe with data discovery, activity auditing, and data masking.
B) A periodic DBA review meeting.
C) A spreadsheet listing suspected sensitive columns.
D) Encryption at rest only with no auditing.
Correct answer: A. Explanation:
Oracle Data Safe covers sensitive data discovery, activity auditing, and data masking in one service, exactly the described lifecycle. Option C is outside the system. Option D does not address activity monitoring or masking. Option B is not automated.
Question #10 - Network Security
A security lead wants to capture packet-header metadata for all traffic in a VCN to troubleshoot a suspected data exfiltration incident later.
Which OCI capability captures packet-level metadata on a VCN?
A) A BI Publisher monthly report.
B) A manual tcpdump on every compute instance.
C) VCN Flow Logs enabled on subnets and exported to Logging.
D) No capture; rely on firewall logs on a laptop.
Correct answer: C. Explanation:
VCN Flow Logs capture packet-header metadata for subnet traffic and integrate with OCI Logging for retention and analysis. Option B is laborious and incomplete. Option D has nothing to search. Option A is lagging.
Get 700+ more questions with source-linked explanations
Every answer traces to the exact Oracle documentation page, so you learn from the source instead of just memorizing answers.
Exam mode & learn mode · Score by objective · Updated April 19, 2026
What the 1Z0-1104 OCI Security Pro exam measures
- Identity and access management (30%) — design IAM policies with groups, dynamic groups, compartments, federation, and tag-based conditions for least-privilege access.
- Network security (25%) — configure security lists, Network Security Groups, Web Application Firewall, Bastion, and private connectivity for defense in depth.
- Data protection and key management (20%) — apply OCI Vault, customer-managed keys, Transparent Data Encryption, and Data Safe across database and object storage.
- Threat detection and compliance (25%) — operate Cloud Guard, Security Zones, Logging Analytics, and Threat Intelligence to meet enterprise and regulatory requirements.
How to prepare for this exam
- Review the official 1Z0-1104 exam page and confirm the current objectives.
- Complete the Oracle University OCI Security Professional learning path on MyLearn.
- In an OCI tenancy, enable Cloud Guard, create a Security Zone with a hardened compartment, and rotate keys stored in OCI Vault while watching the audit log stream into Logging Analytics.
- Apply the skills at work: harden a staging tenancy against the CIS benchmark, add bastion-only access to a database subnet, or register a production DB with Data Safe.
- Master one objective at a time, starting with identity and access management since it carries the most weight.
- Run PowerKram learn mode to see feedback after every question with sourced links back to Oracle documentation.
- Finish with PowerKram exam mode across all objectives until you pass three back-to-back full-length attempts.
Career paths and salary outlook
OCI Security skills command premium rates across cloud security roles:
- Cloud Security Engineer (OCI) — $125,000–$175,000 (Glassdoor).
- Security Architect — $140,000–$195,000 (PayScale).
- Information Security Analyst — $95,000–$135,000 (U.S. Bureau of Labor Statistics).
Official resources
Follow the OCI Security Professional Learning Path on Oracle MyLearn. Reinforce with the OCI Security documentation and the Cloud Guard documentation.
