(AZ-204 topic) Implement Azure Security Flashcards
Test takers will need to understand how to secure their Azure solutions using authentication and authorization tools such as the Microsoft Identity Platform, Azure Active Directory, OAuth 2.0, and Managed Identities. Additionally, they will be expected to understand how to leverage Azure Key Vault to store secrets, keys, and certificates, and how to use those keys securely in their applications and other Azure services. Questions for this domain comprise 25% of the total questions for this exam.
You need to enable managed identity for a VM. Using the PowerShell statement below, complete the last piece of the segment using the options below.
- $vm = Get-AzVM -ResourceGroupName "AzureDale" -Name "ComputeWoodVM"*
- Update-AzVM -ResourceGroupName "AzureDale" -Name $vm*
- AssignIdentity: $SystemAssigned
- AssignIdentity: $UserAssigned
- IdentityId: $UserAssigned
- IdentityId: $SystemAssigned
-IdentityId: $SystemAssigned
Correct, this will enable a managed identity for the VM to use.
What are the three components of an App Configuration resource?
- Config, Key, Label
- Key, Value, Group
- Key, Value, Label
- Config, Key, Value
-Key, Value, Label
You can set a series of key-value pairs for your application to use and create groups of pairs using labels.
Which level of blob storage can you NOT apply a Shared Access Signature (SAS) to?
- At the Container Level (Blob Containers, Queues, Tables, etc.)
- The Snapshot Level — (Blob Snapshots)
- The Service Level — (Blob Service, File Share Service, etc.)
- At the Object Level (individual blobs)
-The Snapshot Level — (Blob Snapshots)
Blob snapshot-level SAS is not supported.
You need to create a new Azure Key Vault (AKV) access policy for your secrets. Which of the following commands will accomplish this?
az keyvault set-policy --name chamberOfSecrets --object-id --certificate-permissions
az keyvault set-policy --name chamberOfSecrets --object-id --secret-permissions
az keyvault create-policy --name chamberOfSecrets --object-id --secret-permissions
az keyvault create-policy --name chamberOfSecrets --object-id --key-permissions
az keyvault set-policy --name chamberOfSecrets --object-id --secret-permissions
Correct, this will create a new policy that is designed to work with your secrets.
You are developing a solution using Azure Key Vault. You have a web application and would like to ensure that only the application can access the secrets in the Key Vault and not the application users. Out of the options below, how can you accomplish this?
- Register your web app with AD, register your app with Key Vault, associate a certificate with your Azure AD web app, and have your web app use the certificate to authenticate to Key Vault.
- Build a Managed Identity and store it inside the Key Vault. Have your application reference the identity whenever it needs to access secrets associated with it.
- Get a shared access signature (SAS) for your secret in the Key Vault, and have your web app use the SAS to get secrets from the Key Vault.
- Register your application in Key Vault, and have your web app pass credentials to the Key Vault.
-Register your web app with AD, register your app with Key Vault, associate a certificate with your Azure AD web app, and have your web app use the certificate to authenticate to Key Vault.
Certificates can be used to authenticate to Key Vault, and you can ensure your web app has access to the certificate and not the users.
Your company is in the process of developing an Azure API. One of the requirements is to implement authentication to ensure all API calls are secured, but those credentials cannot be sent directly to the API. What authentication method will satisfy this requirement?
- Basic
- Utilize a Managed Identity
- Anonymous
- Certificate based Authentication
-Utilize a Managed Identity
A managed identity offloads the need to authenticate against the API itself: the caller must first authenticate with Azure AD to receive an access token, which is then used to authorize access to the API.
When configuring your custom application to use OAuth authentication with Azure Active Directory, which of the following steps needs to be completed first?
- Register your application with Azure Active Directory in Enterprise Applications.
- Containerize and push your application to Azure Container Registry.
- Create a Managed Identity for your application to authenticate with.
- Update your application to utilize its assigned application id & map to your AAD application endpoint.
-Register your application with Azure Active Directory in Enterprise Applications.
Once you’ve registered your application in Enterprise Application, you can collect your application ID and endpoint URI for configuration in your application code.
Your company is developing an application that will have multiple instances running across multiple nodes in different regions. What solution can be used to ensure the configurations for each node are always consistent?
- Use Azure API Management.
- Have the nodes pull their configuration file from a shared Azure File Share.
- Use an Azure Function to copy the configuration file from a source golden image.
- Utilize Azure App Configuration.
-Utilize Azure App Configuration.
Using Azure App Configuration, you can have all your nodes point to a central store that holds all of your configuration key-value pairs. You can restrict access by using access keys that grant only the level of control your application needs.
You are developing an application that stores keys, secrets, and certificates in Azure Key Vault. The application leverages Azure Key Vault APIs to interact with Azure Key Vault. There is a requirement for the application to allow recovery of an accidental deletion of the key vault or key vault objects. Key vault objects must be retained for 90 days after deletion. You need to protect the key vault and key vault objects. Which of the following should you use to ENABLE the retention period and prevent accidental deletion?
- Object Lock
- Access Policy
- Soft Delete
- Purge Protection
-Soft Delete
When you enable soft-delete, resources marked as deleted are retained for a specified duration (defaults to 90 days).
Recently, your company implemented new compliance standards that require new access controls to be set on your company files at rest in your Azure Storage Containers. These standards require all actions in the storage account to be monitored and audited regularly. Which of the following solutions will meet this new requirement?
- Create a Diagnostic Setting for Azure Monitor with Storage Account and enable StorageRead, StorageWrite, and StorageDelete log collection and send the data to Log Analytics
- Enable the Storage Account Audit feature and have it stream data to an Event Hub
- Create a Diagnostic Setting for Azure Monitor with Storage Account and enable StorageRead, StorageWrite, and StorageDelete log collection with no retention
- Enable Change Tracking on your Storage Account
-Create a Diagnostic Setting for Azure Monitor with Storage Account and enable StorageRead, StorageWrite, and StorageDelete log collection and send the data to Log Analytics
This will not only monitor the account but also place the log data in Log Analytics, where you can query the data and build dashboards for consistent and accurate auditing.
Which of the following Azure CLI commands can be used to create a new Azure Key Vault?
az keyvault new --name "vaultname" --resource-group "yourRGname" --location "westus"
az vault new --name "vaultname" --resource-group "yourRGname" --location "westus"
az keyvault create --name "vaultname" --resource-group "yourRGname" --location "westus"
az create keyvault --name "vaultname" --resource-group "yourRGname" --location "westus"
az keyvault create --name "vaultname" --resource-group "yourRGname" --location "westus"
This follows the correct structure for creating a new Azure Key Vault.
You have a billing document management site that needs to ensure scanned forms containing customer data are processed and stored securely. You have a requirement to keep all scanned forms for at least 1 year. You need to ensure that the forms, when accessed from a third-party source, cannot be compromised. With this in mind, what can you do to store the forms and ensure security?
- Place all forms in an Azure Key Vault for safekeeping
- Encrypt all incoming forms using an Azure Key Vault key & store them in a Blob Container
- Store all forms in an Azure Storage Blob and restrict access to only those using a Shared Access Signature
- Scrape the data into a CosmosDb container and delete the forms once the data has been validated
-Encrypt all incoming forms using an Azure Key Vault key & store them in a Blob Container
Keeping the forms in an Azure Storage Blob keeps the data accessible only to authorized processes and individuals, while encrypting the documents ensures that even if they are accessed by an unauthorized party, that party will be unable to steal or manipulate the data inside.
You have an Azure App Service website that houses sensitive company data your users log in to daily. You have a new requirement from your security team that all users who authenticate against your web app must validate their identity using Multi-Factor Authentication (MFA), since your website contains sensitive data. Your application uses Azure AD to authenticate your users. What is the first step you should take to enable MFA?
- Enable Multi-Factor Authentication on your Azure App Service instance.
- Enforce the use of OAuth 2.0 in your web application
- Create a conditional access policy that enforces MFA on all authentication attempts.
- Create a conditional access policy that enforces MFA on all authentication attempts to your website.
-Create a conditional access policy that enforces MFA on all authentication attempts to your website.
Creating a conditional access policy ensures users are prompted only where MFA is required, and not every time they log in.
Recently, your company implemented new compliance standards that require new access controls to be set on your company files at rest in your Azure Storage Containers. These standards require file access to be controlled based on factors such as IP, access protocol, and Azure AD rights. In order to comply with this new standard, which setting should you implement to restrict file access?
- Managed Identities
- Connection Strings
- Role-Based Access Control (RBAC)
- Shared Access Signature (SAS) Token
-Role-Based Access Control (RBAC)
Azure Storage can use authentication and authorization from Azure AD through RBAC. This allows assignments to both individual users and groups based on a role, rather than assignments made per user.
You’re building a function to process data from an Event Hub subscription into a CosmosDB running the MongoDB API. You have a requirement to secure access to both the CosmosDB instance & the Event Hub subscription. How can you accomplish this without storing secrets in your function code?
- Create a User-Assigned Managed Identity for your Function & grant the required access to both services
- Create a secret in Azure Key Vault for both services and add the secret URIs to your function to allow access
- Create a System-Assigned Managed Identity for your Function & grant the required access to both services
- Functions are not required to authenticate against Azure services since they are a trusted service and already have access
-Create a System-Assigned Managed Identity for your Function & grant the required access to both services
Using a system-assigned managed identity will allow you to control access for your function without the need to manage keys or store potentially compromising information in your code.
You are the administrator of the Nutex Corporation. You want to upload a certificate into the certificate portion of an Azure key vault. You want to do that with PowerShell. You must fill the empty spaces in the following PowerShell script (see image) using the code snippets below.
- Import-AzKeyVaultCertificate
- Remove-AzureKeyVaultManagedStorageAccount
- Get-AzKeyVault
- Get-AzureKeyVaultSecret
- Remove-AzKeyVaultCertificate
- Get-AzKeyVaultCertificate
See attached image for solution.
First you would use the Get-AzKeyVaultCertificate cmdlet. This cmdlet is used to search for an existing certificate in the key vault. You verify if a certificate exists. If yes, the text ‘Skipped replacing certificate…’ will be displayed.
You would use the Get-AzKeyVault cmdlet to retrieve and store the key vault in the variable $vault.
You would use the Remove-AzKeyVaultCertificate cmdlet to remove an existing certificate from the key vault.
You would use the Import-AzKeyVaultCertificate cmdlet to upload a new certificate into the key vault.
You would not use the Remove-AzureKeyVaultManagedStorageAccount cmdlet. This cmdlet removes a key vault storage account and any SAS definitions. In this scenario, you want to upload a certificate into the certificate portion of an Azure key vault, not remove the key vault.
You would not use the Get-AzureKeyVaultSecret cmdlet. This cmdlet retrieves secrets in a key vault. In this scenario, you need to retrieve the certificate in the key vault, not the secrets of the key vault.
You work as an Azure architect for your company and are involved in an application review for a corporate system implemented around the globe via regions in Azure. The system is installed on a VM that looks for new vaccines and automatically interacts with a blob storage account by sending and receiving sensitive DNA data. Every branch which contains a VM uploads and downloads data to a different blob storage account. Currently, there are five thousand VMs across multiple Azure regions operating worldwide. Your company does not want to change the infrastructure. Permission for downloaded data depends on the location and is often changed. The audited code is as follows:
public async Task ConnectionStringAsync()
{
    string connectionString = ConnectionString;
    BlobServiceClient service = new BlobServiceClient(connectionString);
    await service.GetPropertiesAsync();
}
Security is the company’s primary goal. What change would you make to better secure the application?
- Use Azure AD OAuth2 Implicit grant flow to authenticate.
- Use a third party solution such as KeyCloak or Ping.ID.
- Use Key Vault to store credentials in the storage account.
- Use a token credential that can use an Azure Active Directory application to authenticate.
- Use Azure AD-managed identities.
- Use SAS tokens.
- Use Active Directory Federation Services to authenticate.
- Use Azure AD-managed identities.
You would use Azure AD-managed identities. Managed identities for Azure resources solve the problem of handling logins and passwords. Azure AD-managed identities provide Azure services with a managed identity in Azure AD. You can use the identity to authenticate to Key Vault or any service that uses Azure AD authentication, without needing to provide credentials in your code. The code that runs on the VM requests a token from two endpoints that are accessible only from the VM. You can reference the managed identity in the permission definitions for the different storage accounts.
You would not use SAS tokens because the permission for downloaded data depends on the location and is often changed. SAS tokens do not resolve problems of often-changed permissions.
You would not use the Azure AD OAuth2 Implicit grant flow. A suitable scenario for the OAuth2 Implicit grant flow is to enable user-agent applications, such as JavaScript applications executing within a browser. The Azure AD OAuth2 Implicit grant flow will not integrate with Azure Active Directory for storage of logins and passwords.
Using Active Directory Federation Services (ADFS) is not a complete solution and needs more changes. You need to implement ADFS as two additional virtual machines and integrate it with Active Directory. The question asks what changes you should implement in the code, not to build a new infrastructure.
Using a third-party solution such as KeyCloak or Ping.ID is not a complete solution. It is not the best answer because you need to implement KeyCloak or PingID on additional virtual machines and integrate it with Azure Active Directory. The question asks what changes you should implement in the code, not to build a new infrastructure.
You would not use a token credential that can use an Azure Active Directory application to authenticate. This solution still needs to store a login and password in the code.
You would not use Key Vault to store credentials in the storage account. While Key Vault can store SAS tokens, it does not resolve the problem of often-changed permissions.
Application Insights is only useful for Web Applications. True or false.
False.
Application Insights can be configured in any application where you can install and/or configure the application insights module, including non-cloud native applications, so it is not just useful for web applications.
What resource is responsible for validating your token after authenticating in the case of OAuth?
- The Authorization Server (The identity provider, such as Azure AD)
- The Resource Server (Such as an Azure WebApp)
- The Resource Owner
- The Resource Server (Such as an Azure WebApp)
Correct! The resource server is responsible for refreshing the authentication token once issued by the identity provider.
With Managed Identities, a standalone resource that can be assigned to a configuration store such as a group, but can persist after that configuration store is removed is an example of what?
- A System-Assigned Identity
- A System Identifier
- A User Group
- A User-Assigned Identity
- A User-Assigned Identity
User-Assigned identities stick around after a configuration store has been removed. Additionally, configuration stores can have many user-assigned identities, and user-assigned identities can be assigned to multiple configuration stores.
Fill in the blank - Shared Access Signatures come in 3 varieties: the Account Level, the ___ Level, and the User Level.
- Container level
- Blob level
- Service level
- System level
- Service level
Correct! When building a SAS, you can build them at the Account Level, the SERVICE Level, or the User Level.
What two types of data is Azure Monitor collecting from your environments?
- Metrics and Events
- Events and Logs
- Metrics and Logs
- Only Event data
- Metrics and Logs
Azure Monitor collects metric and log data.
What service gives you the ability to centralize cloud application settings for standardization and security?
- Azure Service Bus
- Azure App Configuration
- Azure API Management
- Azure Blob Storage
- Azure App Configuration
Azure App Configuration allows you to centralize, standardize, and secure your application configurations.
Microsoft Graph API can be used for a variety of things, including…
- Creating graphs for complex geographic data
- Storing, Retrieving, and Manipulating User Data in Azure AD
- Creating charts and dashboards for use by your leadership team
- Generating geographic data about 2 points on a map
- Storing, Retrieving, and Manipulating User Data in Azure AD
While the Graph API can also be used to correlate data across Microsoft 365 products, its primary use is in conjunction with Azure AD and user data.