AZ-204 Security Flashcards

1
Q

What are the authentication methods for Key Vault?

A

Managed identities for Azure resources: When you deploy an app on a virtual machine in Azure, you can assign an identity to your virtual machine that has access to Key Vault. You can also assign identities to other Azure resources. The benefit of this approach is that the app or service isn’t managing the rotation of the first secret. Azure automatically rotates the service principal client secret associated with the identity. We recommend this approach as a best practice.

Service principal and certificate: You can use a service principal and an associated certificate that has access to Key Vault. We don’t recommend this approach because the application owner or developer must rotate the certificate.

Service principal and secret: Although you can use a service principal and a secret to authenticate to Key Vault, we don’t recommend it. It’s hard to automatically rotate the bootstrap secret that’s used to authenticate to Key Vault.

2
Q

What are the key vault best practices?

A

Use separate key vaults: It is recommended to use one vault per application per environment (Development, Pre-Production and Production). This avoids sharing secrets across environments and limits the impact of a breach.

Control access to your vault: Key Vault data is sensitive and business critical, so you need to secure access to your key vaults by allowing only authorized applications and users.

Backup: Create regular backups of your vault on update/delete/create of objects within a vault.

Logging: Be sure to turn on logging and alerts.

Recovery options: Turn on soft-delete and purge protection if you want to guard against forced deletion of a secret.

3
Q

What are the 2 ways to get a service principal?

A

Enable a system-assigned managed identity for the application. With managed identity, Azure internally manages the application’s service principal and automatically authenticates the application with other Azure services. Managed identity is available for applications deployed to a variety of services.

If you cannot use managed identity, you instead register the application with your Azure AD tenant. Registration also creates a second application object that identifies the app across all tenants.

4
Q

What library can be used to authenticate an app?

A

Azure Identity SDK

5
Q

What is the difference between user assigned and system assigned identities?

A

User-assigned: 1-to-many relationship (1 identity shared by many resources); requires cleanup to make sure it is deleted.

System-assigned: 1-to-1 relationship (1 identity per resource); does not require cleanup, as once the resource is deleted, so is the identity.

6
Q

How do you register an app?

A
  1. If you have access to multiple tenants, use the Directories + subscriptions filter in the top menu to switch to the tenant in which you want to register the application.
  2. Search for and select Azure Active Directory.
  3. Under Manage, select App registrations > New registration.
  4. Enter a display Name for your application. Users of your application might see the display name when they use the app, for example during sign-in. You can change the display name at any time and multiple app registrations can share the same name. The app registration’s automatically generated Application (client) ID, not its display name, uniquely identifies your app within the identity platform.
  5. Specify who can use the application, sometimes called its sign-in audience.
  6. Select Register.
  7. Add a redirect URI (A redirect URI is the location where the Microsoft identity platform redirects a user’s client and sends security tokens after authentication.)
7
Q

What is an Application Object?

A

An application object is used as a template or blueprint to create one or more service principal objects. (It is like an OOP class)

Describes the following:
  • How the service can issue tokens in order to access the application
  • The resources that the application might need to access
  • The actions that the application can take

8
Q

How to assign a system-managed identity to an existing resource?

A

az <resourcetype> identity assign

9
Q

How to assign a system-managed identity to a new resource?

A

Use the --assign-identity parameter along with --scope and --role.

10
Q

How to create a new user-assigned identity?

A

az identity create -g myResourceGroup -n myUserAssignedIdentity

11
Q

How to assign a user-managed identity to a new resource?

A

Use the --assign-identity parameter along with --scope and --role.

12
Q

How to get an access token in C#?

A

- Create a GET request to the specified endpoint and parse the JSON response:

using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Web.Script.Serialization;

// Build request to acquire a managed identities for Azure resources token
// from the Instance Metadata Service (IMDS) endpoint
HttpWebRequest request = (HttpWebRequest)WebRequest.Create("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/");
// The Metadata header is mandatory; IMDS rejects requests without it
request.Headers["Metadata"] = "true";
request.Method = "GET";

try
{
    // Call /token endpoint
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();

    // Pipe response Stream to a StreamReader, and extract access token
    StreamReader streamResponse = new StreamReader(response.GetResponseStream());
    string stringResponse = streamResponse.ReadToEnd();
    JavaScriptSerializer j = new JavaScriptSerializer();
    Dictionary<string, string> list = (Dictionary<string, string>)j.Deserialize(stringResponse, typeof(Dictionary<string, string>));
    string accessToken = list["access_token"];
}
catch (Exception e)
{
    string errorText = String.Format("{0} \n\n{1}", e.Message, e.InnerException != null ? e.InnerException.Message : "Acquire token failed");
}
13
Q

How do you use App Configuration?

A
  • Create a hierarchical key-value structure.
  • Use feature flags (a bool value for a feature), the feature manager (the application package that handles the lifecycle of all feature flags in an app) and filters (which evaluate the state of a feature flag).
  • Secure App Configuration data using customer-managed keys, private endpoints and managed identities.
14
Q

What are the 3 types of service principals?

A

Application: application instance of a global application object in a single tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal object defines what the app can actually do in the specific tenant, who can access the app, and what resources the app can access.

Managed Identity: Managed identities provide an identity for applications to use when connecting to resources that support Azure Active Directory authentication. When a managed identity is enabled, a service principal representing that managed identity is created in your tenant. Service principals representing managed identities can be granted access and permissions, but cannot be updated or modified directly.

Legacy: This type of service principal represents a legacy app, which is an app created before app registrations were introduced or an app created through legacy experiences. A legacy service principal can have credentials, service principal names, reply URLs, and other properties that an authorized user can edit, but does not have an associated app registration. The service principal can only be used in the tenant where it was created.

15
Q

What are the 2 permission types supported by the Microsoft identity platform?

A

Delegated permissions are used by apps that have a signed-in user present. For these apps, either the user or an administrator consents to the permissions that the app requests. The app is delegated with the permission to act as a signed-in user when it makes calls to the target resource.

Application permissions are used by apps that run without a signed-in user present, for example, apps that run as background services or daemons. Only an administrator can consent to application permissions.

16
Q

What are the consent types supported by the MS identity platform?

A

Static user: You must specify all the permissions the app needs in the app’s configuration in the Azure portal.

Incremental and Dynamic User: You can ask for a minimum set of permissions upfront and request more over time as the customer uses additional app features.

To do so, you can specify the scopes your app needs at any time by including the new scopes in the scope parameter when requesting an access token - without the need to pre-define them in the application registration information.

Admin: Admin consent ensures that administrators have some additional controls before authorizing apps or users to access highly privileged data from the organization.

17
Q

What are the two types of apps for MSAL?

A

Public client applications: Are apps that run on devices or desktop computers or in a web browser. They’re not trusted to safely keep application secrets, so they only access web APIs on behalf of the user. (They support only public client flows.) Public clients can’t hold configuration-time secrets, so they don’t have client secrets.

Confidential client applications: Are apps that run on servers (web apps, web API apps, or even service/daemon apps). They’re considered difficult to access, and for that reason capable of keeping an application secret. Confidential clients can hold configuration-time secrets. Each instance of the client has a distinct configuration (including client ID and client secret).

18
Q

How do you instantiate a public client application?

A

IPublicClientApplication app = PublicClientApplicationBuilder.Create(clientId).Build();

19
Q

How do you instantiate a confidential client application?

A

string redirectUri = "https://myapp.azurewebsites.net";
IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
    .WithClientSecret(clientSecret)
    .WithRedirectUri(redirectUri)
    .Build();

20
Q

What are the confidential client app specific modifiers?

A

.WithCertificate(X509Certificate2 certificate) - sets the certificate identifying the application with Azure Active Directory.

.WithClientSecret(string clientSecret) - Sets the client secret (app password) identifying the application with Azure Active Directory.

21
Q

What are the common modifiers for public and confidential client apps?

A

.WithAuthority() - Sets the application default authority to an Azure Active Directory authority, with the possibility of choosing the Azure Cloud, the audience, the tenant (tenant ID or domain name), or providing directly the authority URI.

.WithTenantId(string tenantId) - Overrides the tenant ID, or the tenant description.

.WithClientId(string) - Overrides the client ID.

.WithRedirectUri(string redirectUri) - Overrides the default redirect URI. In the case of public client applications, this will be useful for scenarios requiring a broker.

.WithComponent(string) - Sets the name of the library using MSAL.NET (for telemetry reasons).

.WithDebugLoggingCallback() - If called, the application will call Debug.Write simply enabling debugging traces.

.WithLogging() - If called, the application will call a callback with debugging traces.

.WithTelemetry(TelemetryCallback telemetryCallback) - Sets the delegate used to send telemetry.

22
Q

What is a Shared Access Signature (SAS)?

A

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients to whom you want to grant delegated access to certain storage account resources.

23
Q

What are the 3 types of shared access signatures?

A

User delegation SAS: A user delegation SAS is secured with Azure Active Directory credentials and also by the permissions specified for the SAS. A user delegation SAS applies to Blob storage only.

Service SAS: A service SAS is secured with the storage account key. A service SAS delegates access to a resource in the following Azure Storage services: Blob storage, Queue storage, Table storage, or Azure Files.

Account SAS: An account SAS is secured with the storage account key. An account SAS delegates access to resources in one or more of the storage services. All of the operations available via a service or user delegation SAS are also available via an account SAS.

24
Q

What are SAS best practices?

A
  • To securely distribute a SAS and prevent man-in-the-middle attacks, always use HTTPS.
  • The most secure SAS is a user delegation SAS. Use it wherever possible because it removes the need to store your storage account key in code. You must use Azure Active Directory to manage credentials. This option might not be possible for your solution.
  • Try to set your expiration time to the smallest useful value. If a SAS key becomes compromised, it can be exploited for only a short time.
  • Apply the rule of minimum-required privileges. Only grant the access that’s required. For example, in your app, read-only access is sufficient.
  • There are some situations where a SAS isn’t the correct solution. When there’s an unacceptable risk of using a SAS, create a middle-tier service to manage users and their access to storage.
25
Q

What are the components of a SAS token?

sp=r&st=2020-01-20T11:42:32Z&se=2020-01-20T19:42:32Z&spr=https&sv=2019-02-02&sr=b&sig=SrW1HZ5Nb6MbRzTbXCaPm%2BJiSEn15tC91Y4umMPwVZs%3D

A

sp=r - Controls the access rights. The values can be a for add, c for create, d for delete, l for list, r for read, or w for write.
st=2020-01-20T11:42:32Z - The date and time when access starts.
se=2020-01-20T19:42:32Z - The date and time when access ends. This example grants eight hours of access.
sv=2019-02-02 - The version of the storage API to use.
sr=b - The kind of storage being accessed. In this example, b is for blob.
sig=SrW1HZ5Nb6MbRzTbXCaPm%2BJiSEn15tC91Y4umMPwVZs%3D - The cryptographic signature.

26
Q

When should you use SAS?

A

Use a SAS when you want to provide secure access to resources in your storage account to any client who does not otherwise have permissions to those resources.

  • When you copy a blob to another blob that resides in a different storage account, you must use a SAS to authorize access to the source blob. You can optionally use a SAS to authorize access to the destination blob as well.
  • When you copy a file to another file that resides in a different storage account, you must use a SAS to authorize access to the source file. You can optionally use a SAS to authorize access to the destination file as well.
  • When you copy a blob to a file, or a file to a blob, you must use a SAS to authorize access to the source object, even if the source and destination objects reside within the same storage account.
27
Q

What is a stored access policy?

A

A stored access policy provides an additional level of control over service-level shared access signatures (SAS) on the server side. Establishing a stored access policy groups shared access signatures and provides additional restrictions for signatures that are bound by the policy. You can use a stored access policy to change the start time, expiry time, or permissions for a signature, or to revoke it after it has been issued.

The following storage resources support stored access policies:

  • Blob containers
  • File shares
  • Queues
  • Tables

28
Q

How can you query Microsoft Graph using REST?

A

{HTTP method} https://graph.microsoft.com/{version}/{resource}?{query-parameters}

29
Q

What are the Microsoft Graph best practices?

A
  • Use MSAL to acquire the access token for Microsoft Graph.
  • Consent and authorization:
    - Use least privilege.
    - Use the correct permission type based on the scenario: if you’re building an interactive application where a signed-in user is present, your application should use delegated permissions. If, however, your application runs without a signed-in user, such as a background service or daemon, your application should use application permissions.
    - Consider the end user and admin experience.
    - Consider multi-tenant applications.
  • Handle responses using pagination and evolvable enumerations.
  • Only cache/store data locally if necessary and permitted by policy.
30
Q

What are the steps for binding an SSL certificate to an app service?

A
  1. Map the fully qualified domain name to a variable.
  2. Map the domain name to the web app.
  3. Create variables for the PFX path and password.
  4. Use "az webapp config ssl upload" to upload the certificate.
  5. Bind it to the web app with "az webapp config ssl bind".
31
Q

How do you configure a web app container with an image from Docker Hub?

A

az webapp config container set --docker-custom-image-name $dockerHubContainerPath --name $webApp --resource-group $resourceGroup

32
Q

What are the dependency tiers for app services?

A

Tier 1:

  • App Service plan.
  • Any other related resources, like databases or storage accounts.

Tier 2:

  • Web app: depends on the App Service plan.
  • Azure Application Insights instance that targets the server farm: depends on the App Service plan.

Tier 3:

  • Source control: depends on the web app.
  • MSDeploy site extension: depends on the web app.
  • Azure Application Insights instance that targets the web app: depends on the web app.

Tier 4:

  • App Service certificate: depends on source control or MSDeploy if either is present. Otherwise, it depends on the web app.
  • Configuration settings (connection strings, web.config values, app settings): depends on source control or MSDeploy if either is present. Otherwise, it depends on the web app.

Tier 5:

  • Host name bindings: depends on the certificate if present. Otherwise, it depends on a higher-level resource.
  • Site extensions: depends on configuration settings if present. Otherwise, it depends on a higher-level resource.
33
Q

What are app service app settings?

A

In App Service, app settings are variables passed as environment variables to the application code. For Linux apps and custom containers, App Service passes app settings to the container using the --env flag to set the environment variable in the container.