Exam 1z0-932
Question 128

You have created a virtual cloud network (VCN) with three private subnets. Two of the subnets contain application servers and the third subnet contains a DB System. The application requires a shared file system so you have provisioned one using the file storage service (FSS). You also created the corresponding mount target in one of the application subnets. The VCN security lists are properly configured so that both application servers and the DB System can access the file system. The security team determines that the DB System should have read-only access to the file system.

What change would you make to satisfy this requirement?

    Correct Answer: A

    To ensure the DB System only has read-only access to the file system, you should create an NFS export option that allows READ_ONLY access where the source is the CIDR range of the DB System subnet. This approach directly addresses the requirement for access control at the file system level based on network location (CIDR), fitting the scenario's constraints and making it a suitable solution.
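As an added illustration (not part of the original question or answer), the sketch below builds export options matching answer A and checks which access each client IP would receive. The subnet CIDRs and helper names are constructed for the example, and it assumes that the first export option whose source matches the client IP is the one applied, so a broad entry placed first would override the read-only entry.

```python
import ipaddress
import json

# Constructed subnet CIDRs (not from the question): two app subnets, one DB subnet.
APP_SUBNETS = ["10.0.1.0/24", "10.0.2.0/24"]
DB_SUBNET = "10.0.3.0/24"


def client_option(source, access):
    """One export option entry: a source CIDR and READ_WRITE or READ_ONLY."""
    return {"source": source, "access": access}


def build_export_options():
    """DB subnet read-only, application subnets read-write, nothing else listed."""
    opts = [client_option(DB_SUBNET, "READ_ONLY")]
    opts += [client_option(cidr, "READ_WRITE") for cidr in APP_SUBNETS]
    return opts


def effective_access(export_options, client_ip):
    """Access granted to client_ip, or None if no entry covers it.

    Assumption: the first entry whose source contains the client IP applies.
    """
    ip = ipaddress.ip_address(client_ip)
    for opt in export_options:
        if ip in ipaddress.ip_network(opt["source"]):
            return opt["access"]
    return None


def shadowed_entries(export_options):
    """(source, covering_source) pairs hidden behind an earlier, wider entry."""
    shadowed = []
    for i, opt in enumerate(export_options):
        net = ipaddress.ip_network(opt["source"])
        for earlier in export_options[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier["source"])):
                shadowed.append((opt["source"], earlier["source"]))
                break
    return shadowed


if __name__ == "__main__":
    print(json.dumps(build_export_options(), indent=2))
```

Running `shadowed_entries` over an export's current options before and after a change shows whether a leftover 0.0.0.0/0 READ_WRITE entry still precedes the DB subnet's READ_ONLY entry.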

Discussion
umarkhan (Option: A)

A is the answer.

surya274 (Option: A)

A is the Correct answer, NFS_Export

RahulAzureCertified (Option: D)

NFS export (A) is partially correct because creating an NFS export option that allows READ_ONLY access would restrict access to the file system based on the source CIDR range of the DB System subnet. However, it is not the most secure option because it relies on IP-based access control, which can be less secure than access control based on identity and access management (IAM) policies. Therefore, the most secure and appropriate option is to create an instance principal for the DB System and write an IAM policy that allows the instance principal read-only access to the file storage service. This approach provides fine-grained control over access to the file system based on the identity of the DB System, ensuring that only the DB System can access the file system and only for read-only operations.

Mohamed79 (Option: A)

Correct answer is A