Oracle Cloud Infrastructure 2022 Architect Associate — Question 44
You created a virtual cloud network (VCN) with three private subnets. Two of the subnets contain application servers and the third subnet contains a DB System. The application requires a shared file system, so you have provisioned one using the File Storage Service (FSS).
You have also created the corresponding mount target in one of the application subnets. The VCN security lists are properly configured so that the application servers can access FSS. The security team changed the settings for the DB System to have read-only access to the file system. However, when they test it, they are unable to access FSS.
How would you allow access to FSS?
Answer options
- A. Modify the security list associated with the subnet where the mount target resides. Change the ingress rules corresponding to the DB System subnet to be stateless.
- B. Modify the security list associated with the subnet where the mount target resides. Change the ingress rules corresponding to the DB System subnet to be stateful.
- C. Create an NFS export option that allows READ_ONLY access where the source is the CIDR range of the DB System subnet.
- D. Create an instance principal for the DB System. Write an Identity and Access Management (IAM) policy that allows the instance principal read-only access to the file storage service.
Correct answer: D
Explanation
The correct answer is D because creating an instance principal with an IAM policy specifically allows the DB System to access FSS with the necessary permissions. Options A and B focus on modifying security lists, which does not directly address the need for IAM permissions. Option C suggests creating an NFS export, but without the proper IAM policy, access will still be denied.