AZ900 Flashcards
What is the storage option best for unstructured Data?
Blob Storage - Azure Blob Storage is an unstructured object storage service, meaning there are no restrictions on the kind of data it can hold. Blobs are highly scalable, and applications work with them much as they would with files on a disk, reading and writing data. Blob Storage can handle thousands of simultaneous uploads, massive amounts of video data and constantly growing log files, and it can be reached from anywhere with an internet connection.
For more information see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-data-in-azure/3-how-azure-storage-meets-your-business-storage-needs
What is Azure Cosmos DB?
Azure Cosmos DB is a globally distributed NoSQL database service, so it works well with non-relational or semi-structured data. It is part of the back end for services such as Xbox. It exposes several NoSQL APIs (MongoDB, Cassandra, Table and Gremlin, among others) for building highly responsive, always-on applications over constantly changing data.
For more info see:
https://docs.microsoft.com/en-us/azure/cosmos-db/introduction
What are the three types of data Azure is set up to store?
Structured or relational: data that fits neatly in tables (structured), where rows and columns define relationships between the data (relational); e.g. sensor readings or financial records.
Semi-structured, NoSQL or non-relational: data with some organizing structure, such as tags or key/value pairs, but no fixed relational schema; e.g. JSON documents.
Unstructured data: everything else. There are no restrictions on file type; e.g. images, video or PDFs.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-data-in-azure/2-benefits-of-using-azure-to-store-data
What data is best stored in Azure SQL Database, and what are the benefits of using it?
SQL is a clue: Azure SQL Database is a relational database as a service (DaaS, a PaaS offering) that stores relational (structured) data using the Microsoft SQL Server database engine. Its serverless compute tier scales automatically with demand, so scaling is easier than with a self-managed server.
Benefits:
- Cloud-native
- Completely managed by MS
- Easy data migration
For more info see:
https://azure.microsoft.com/en-us/services/sql-database/#features
When you need to store “big data”, what Azure solution comes to mind, and why?
Azure Data Lake Storage - a storage service built specifically for big data. It integrates with Azure Data Lake Analytics, a cloud-native analytics service that dynamically provisions compute resources and supports languages commonly used in data science (such as R and Python) as well as U-SQL, which combines SQL with C#.
Alternatively, Azure SQL Data Warehouse may be the better fit, depending on how structured your data is.
What is the cloud-native file storage solution within Azure?
Azure Files - fully managed file shares in the cloud, accessed over the standard SMB protocol, so they can be mounted as a network drive from on-premises or cloud machines. Used for sharing common file types such as .docx or PDF documents.
For more information see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-data-in-azure/3-how-azure-storage-meets-your-business-storage-needs
If you were building a globally-distributed messaging platform that required high-availability, what storage solution might you use?
Azure Queue Storage - a service for storing large numbers of messages that can be accessed from anywhere in the world. Producers enqueue work and consumers dequeue it, so load can be spread across connected servers and a component can keep accepting work while another is down, which increases availability.
For more information see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-data-in-azure/3-how-azure-storage-meets-your-business-storage-needs
Which cloud storage solution (commonly associated with VMs) most closely mimics local storage?
Azure Disk Storage - the equivalent of a local hard drive for a VM. Disks can be deployed in a range of configurations, managed or unmanaged, and at different performance levels, from solid-state drives (SSD) to traditional hard disk drives (HDD).
For more information see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-data-in-azure/3-how-azure-storage-meets-your-business-storage-needs
What are the three access tiers within Blob Storage?
Hot tier: optimized for data that is accessed frequently.
Cool tier: optimized for data that is accessed infrequently and stored for at least 30 days.
Archive tier: for data that is rarely accessed and stored for at least 180 days, where a retrieval latency of hours is acceptable.
For more information see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-data-in-azure/3-how-azure-storage-meets-your-business-storage-needs
Suppose you work at a startup with limited funding. Why might you prefer Azure data storage over an on-premises solution?
A. To ensure you run on a specific brand of hardware, which will let you form a marketing partnership with that hardware vendor.
B. The Azure pay-as-you-go billing model lets you avoid buying expensive hardware.
C. To get exact control over the location of your data store.
Answer: B
Which of the following situations would yield the most benefits from relocating an on-premises data store to Azure?
A. Unpredictable storage demand that increases and decreases multiple times throughout the year.
B. Long-term, steady growth in storage demand.
C. Consistent, unchanging storage demand.
Answer: A
A newly released mobile app using Azure data storage has just been mentioned by a celebrity on social media, seeing a huge spike in user volume. To meet the unexpected new user demand, what feature of pay-as-you-go storage will be most beneficial?
A. The ability to provision and deploy new infrastructure quickly
B. The ability to predict the service costs in advance
C. The ability to meet compliance requirements for data storage
Answer: A
When considering security using Azure products as a SaaS offering, which of the following security concerns are your responsibility (i.e. not Microsoft’s)? Pick as many options below as necessary:
A. Physical security of data centers B. The data itself C. Authentication (access management) D. The Azure platform E. VMs deployed F. Endpoints G. Accounts H. Applications
Correct answer: B, C, F and G
You own (and are responsible for) your data, your endpoints, your accounts and the authentication of access to the platform, whatever service model you use. B, C, F and G are correct.
The Azure platform itself (D) and the physical security of the data centers (A) are always secured by Microsoft in any cloud service model; only in a hybrid or private deployment do you have physical security concerns, and then only for your own facilities.
The remaining items depend on the service model. With IaaS, securing the VMs (E) and the applications on them (H) is shared between you and Microsoft or rests mostly with you; with SaaS, Microsoft operates both the VMs and the application. For a SaaS offering, A, D, E and H are therefore not your responsibility.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/2-shared-responsibility
What is “Defence in Depth”? If you were to pick a Shrek quote to best describe it, what might that be?
“I’m like an onion; I have layers” - Shrek
Defence in Depth is a security design philosophy that employs redundant layers of security where your data is ‘at the centre of the onion’.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/2-shared-responsibility
Which of the following things is not a function of Azure Security Center?
A. Provide security recommendations
B. Monitor and identify potential vulnerabilities
C. Give a list of authenticated users
D. Provide just-in-time access control for ports
E. Use machine learning to detect and block malware
F. Define a list of allowed applications
Answer = C.
Azure Security Center provides security recommendations, monitors for vulnerabilities, offers just-in-time access control for VM management ports, uses machine learning to detect and block malware, and lets you define allowed applications (adaptive application controls); its recommendations can be mapped to standards such as the CIS (Center for Internet Security) Azure benchmark. It does not manage user authentication; that is the job of Azure Active Directory. Note that the full feature set requires the Standard tier rather than the Free tier.
For more information see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/2a-azure-security-center
What’s the difference between Authorization and Authentication?
Authentication is the process of establishing the identity of a person or service looking to access a resource. It involves the act of challenging a party for legitimate credentials, and provides the basis for creating a security principal for identity and access control use. It establishes if they are who they say they are.
Authorization is the process of establishing what level of access an authenticated person or service has. It specifies what data they’re allowed to access and what they can do with it.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/3-identity-and-access
What are the advantages of SSO? Within Azure, where is this managed?
Single sign-on (SSO) is managed within Azure AD.
Benefits:
- Reduces load on help desk
- Simplifies user account management
- Reduces attack surface
What are the three kinds of factor used in MFA that a user may be asked for in addition to a password?
In multi-factor authentication (MFA) a user must present two or more of the following:
Something you know: a password, a PIN or the answer to a security question
Something you possess: a phone that receives an app notification or one-time code, or a hardware token
Something you are: a biometric property such as a fingerprint or face scan
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/3-identity-and-access
What is RBAC, and how is it implemented in Azure?
Role-based access control grants permissions by assigning roles to security principals (users, groups or service principals) at a scope: a management group, subscription, resource group or individual resource. A role definition lists the allowed actions; the built-in Reader role can only view resources, Contributor can create and manage them but cannot grant access, and Owner can do everything including assigning roles. Assignments are inherited downwards, so a role assigned at a subscription applies to every resource group and resource in it. Grant the narrowest role at the narrowest scope that does the job.
For more information see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/3-identity-and-access
Define Identity, Principal, and Service Principal:
An identity is something that can be authenticated. Obviously, this includes users with a user name and password, but it can also include applications or other servers, which might authenticate with secret keys or certificates.
A principal is an identity acting with certain roles or claims. Usually, it is not useful to consider identity and principal separately, but think of using ‘sudo’ on a Bash prompt in Linux or on Windows using “run as Administrator.” In both those cases, you are still logged in as the same identity as before, but you’ve changed the role under which you are executing. Groups are often also considered principals because they can have rights assigned.
A service principal is an identity that is used by a service or application. And like other identities, it can be assigned roles.
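The RBAC and service-principal cards above describe roles, scopes and identities in the abstract. The Az PowerShell script below is an added illustration and not part of the original flashcards or of any Microsoft sample: it creates a service principal for an application and grants it the Reader role at resource-group scope rather than Contributor at the subscription, then lists what it actually holds. The resource-group name and the principal's display name are placeholders; it assumes the Az module and an account that can create service principals and role assignments.

```powershell
# Added example: least-privilege RBAC for an application identity (Az PowerShell module).
# Placeholders: rg-flashcards-demo and sp-flashcards-reader are made-up names; replace them.
Connect-AzAccount | Out-Null

$subscriptionId = (Get-AzContext).Subscription.Id
$resourceGroup  = 'rg-flashcards-demo'
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# 1. Identity: a service principal is an identity used by an application, not a person.
$sp = New-AzADServicePrincipal -DisplayName 'sp-flashcards-reader'

# Directory replication can lag; a role assignment made immediately after creation
# sometimes fails with "principal does not exist". A short pause avoids the retry.
Start-Sleep -Seconds 15

# 2. Authorization: grant only what the app needs, at the narrowest scope that works.
#    Reader on one resource group, not Contributor or Owner on the whole subscription.
New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' -Scope $scope | Out-Null

# 3. Check: list every assignment this principal holds. Some older versions of
#    New-AzADServicePrincipal also granted Contributor at subscription scope by default;
#    anything you did not intend should be removed.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Remove an over-broad assignment if the listing above shows one (uncomment to run):
# Remove-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Contributor' -Scope "/subscriptions/$subscriptionId"

# 4. What a built-in role actually permits: Reader is nothing but read actions.
(Get-AzRoleDefinition -Name 'Reader').Actions      # */read
```

The check in step 3 is the part worth keeping as a habit: the identity you create and the permissions it ends up with are two separate objects, and an audit of role assignments per principal is how you find the Contributor-at-subscription grants that accumulate in most tenants.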
What is the primary difference between symmetric and asymmetric encryption? Which does TLS use?
Both protect data (in transit or at rest) by transforming it with a key. In symmetric encryption a single shared key both encrypts and decrypts, so it must be delivered secretly to every party that needs it. In asymmetric encryption there is a key pair: data encrypted with the public key can only be decrypted with the matching private key, so the public key can be handed out freely. Transport Layer Security uses both: asymmetric keys (in the server’s certificate) authenticate the server and agree a session key during the handshake, and that session key is then used for fast symmetric encryption of the connection’s data.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/4-encryption
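The .NET cryptography classes available from PowerShell make the distinction concrete. The script below is an added illustration, not part of the flashcards or of Azure documentation; the plaintext is made up, and it assumes PowerShell 7 (cross-platform .NET), where RSA.Create(2048) and OAEP with SHA-256 are available. It shows the same AES key encrypting and decrypting, an RSA public key that can encrypt but not decrypt, and the TLS-style step of wrapping a fresh symmetric session key with the peer's public key.

```powershell
# Added example: symmetric vs asymmetric encryption using .NET classes in PowerShell 7.
# Illustration only; the plaintext below is constructed for the demo.
using namespace System.Security.Cryptography
using namespace System.Text

$plaintext = [Encoding]::UTF8.GetBytes('customer record 42')

# --- Symmetric (AES): the SAME key encrypts and decrypts, so both sides must already share it.
$aes = [Aes]::Create()                      # random key and IV are generated on first use
$enc = $aes.CreateEncryptor()
$aesCipher = $enc.TransformFinalBlock($plaintext, 0, $plaintext.Length)
$dec = $aes.CreateDecryptor()               # same key, same IV
$aesPlain = $dec.TransformFinalBlock($aesCipher, 0, $aesCipher.Length)
"AES round trip: $([Encoding]::UTF8.GetString($aesPlain))"

# --- Asymmetric (RSA): a key PAIR. Anyone with the public key can encrypt; only the private key decrypts.
$privateKey = [RSA]::Create(2048)
$publicKey  = [RSA]::Create()
$publicKey.ImportParameters($privateKey.ExportParameters($false))   # $false = export public part only

$rsaCipher = $publicKey.Encrypt($plaintext, [RSAEncryptionPadding]::OaepSHA256)
$rsaPlain  = $privateKey.Decrypt($rsaCipher, [RSAEncryptionPadding]::OaepSHA256)
"RSA decrypt with private key: $([Encoding]::UTF8.GetString($rsaPlain))"

try {
    $publicKey.Decrypt($rsaCipher, [RSAEncryptionPadding]::OaepSHA256) | Out-Null
    'RSA decrypt with public key only: unexpectedly succeeded'
} catch {
    'RSA decrypt with public key only: fails, as expected (no private parameters)'
}

# --- How TLS combines them: asymmetric keys authenticate the server and protect the agreement
#     of a fresh session key during the handshake; the connection data is then encrypted
#     symmetrically with that session key. Sketch: the client wraps a random AES key with the
#     server's public key and the server unwraps it with its private key.
$sessionKey = [byte[]]::new(32)
$rng = [RandomNumberGenerator]::Create()
$rng.GetBytes($sessionKey)
$wrappedKey = $publicKey.Encrypt($sessionKey, [RSAEncryptionPadding]::OaepSHA256)
$unwrapped  = $privateKey.Decrypt($wrappedKey, [RSAEncryptionPadding]::OaepSHA256)
"Session key agreed: $([BitConverter]::ToString($sessionKey) -eq [BitConverter]::ToString($unwrapped))"
```

Modern TLS uses ephemeral Diffie-Hellman rather than RSA key transport for the session key, but the division of labour is the same: asymmetric cryptography for the handshake, symmetric cryptography for the bulk data.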
What encryption services are employed for each of the following Azure products?
- Azure Files
- Azure SQL Data Warehouse
- VM VHDs
- Blob Storage
- SQL databases
- encryption keys
Azure Files, Blob Storage (and Azure Queue and Table storage) = Azure Storage Service Encryption (SSE): data is encrypted before it is written to storage and transparently decrypted when it is read
VM data = Azure Disk Encryption uses BitLocker (Windows) and dm-crypt (Linux) to encrypt the OS and data virtual hard disks
SQL Data Warehouse and SQL Database = Transparent Data Encryption (TDE) encrypts the database, its backups and its transaction logs at rest
Encryption keys = Azure Key Vault stores the keys (as well as secrets and certificates) used by these services and controls who and what may use them
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/4-encryption
Which of the following are stored within the Azure Key Vault? Select all that apply:
A. API keys B. Certificates (including SSL/TLS) C. HSM-backed secrets D. identity tokens E. Passwords F. Encryption keys G. All of the above
G. All of the above
Note: SSL/TLS = Secure Sockets Layer / Transport Layer Security; HSM = hardware security module.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/4-encryption
What are the benefits of Azure Key Vault?
- Secrets are centralized in a secure location
- Improved monitoring
- Integrates easily with Azure AD
What does DDoS stand for, and how is this threat mitigated in Azure?
DDoS = Distributed Denial of Service, an attempt to overwhelm a system by flooding it with traffic from many sources until legitimate users can no longer reach it.
Azure DDoS Protection sits at the edge of Azure’s global network and absorbs and scrubs attack traffic before it reaches your application, so the application stays available while the attack is identified and blocked. It has two tiers: Basic, enabled automatically for every Azure service at no extra cost, and Standard, which adds mitigation policies tuned to your own virtual network resources, attack telemetry and alerting, and protection against volumetric, protocol and resource (application) layer attacks (the last in combination with a web application firewall).
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/5-network-security
Which of these security options makes up the bulk of “perimeter security” for Azure? Identify it and describe it.
A. Azure DDoS Protection B. Network Security Groups C. Azure Firewall D. Azure security Center E. Azure application gateway
Best Answer: C - Azure Firewall
A firewall filters network traffic according to rules on source and destination IP address, port and protocol. Azure Firewall is a managed, cloud-based network security service that protects your virtual network resources: it provides inbound protection for non-HTTP/S protocols (for example RDP, SSH and FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S through FQDN filtering. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Possible answer: E - Azure Application Gateway
This is a web-traffic (layer 7) load balancer that includes a Web Application Firewall (WAF), which protects web applications against common, known exploits such as SQL injection and cross-site scripting. It is designed to protect inbound HTTP/S traffic, which complements Azure Firewall’s coverage of the other protocols.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/5-network-security
Which of these security options (typically used with subnets) makes up the bulk of “internal security” for Azure ? Identify it and describe it.
A. Azure DDoS Protection B. Network Security Groups C. Azure Firewall D. Azure security Center E. Azure application gateway
Best Answer: B - Network Security Groups (NSG)
If the firewall is the exterior wall of a castle, NSGs are the guards posted outside the stable and the pantry: they filter traffic inside the network. An NSG is a list of allow/deny rules, evaluated in priority order, that match on source and destination IP address (or service tag), port and protocol, and it is applied to subnets or to individual network interfaces. The default rules allow traffic within the virtual network and from the Azure load balancer, allow all outbound traffic, and deny everything else inbound; you add rules to permit only the traffic each tier actually needs.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/5-network-security
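The NSG card above says rules are evaluated by priority and attached to subnets; the Az PowerShell script below is an added example, not from the flashcards or Microsoft documentation, that builds an NSG for a web subnet. It shows the rule commonly left behind by lab setups (management ports open to the Internet) next to the rules you actually want, and lists the effective rule set including the platform defaults. The resource group, virtual network, subnet, region and the admin source range (203.0.113.0/24, a documentation-only prefix) are placeholders; the weak rule is built for comparison and deliberately not attached.

```powershell
# Added example: an NSG for a web subnet with a weak rule shown beside the corrected rules.
# Placeholders: rg-flashcards-demo, vnet-app, snet-web, 10.0.1.0/24 and 203.0.113.0/24 are made up.
$rg       = 'rg-flashcards-demo'
$location = 'canadacentral'

# WEAK (built only for comparison, never added to the NSG): RDP and SSH open to the whole Internet.
$weakRule = New-AzNetworkSecurityRuleConfig -Name 'allow-rdp-ssh-any' `
    -Description 'Anti-pattern: management ports reachable from anywhere' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 22,3389

# CORRECTED: only HTTPS from the Internet ...
$allowHttps = New-AzNetworkSecurityRuleConfig -Name 'allow-https-in' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix Internet -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 443

# ... SSH only from a known admin range (203.0.113.0/24 is TEST-NET-3, a placeholder) ...
$allowAdmin = New-AzNetworkSecurityRuleConfig -Name 'allow-ssh-from-admin' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 110 `
    -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange * `
    -DestinationAddressPrefix VirtualNetwork -DestinationPortRange 22

# ... and an explicit deny. The platform's DenyAllInBound (priority 65500) already does this;
# an explicit rule makes the intent visible in reviews and in flow logs.
$denyAll = New-AzNetworkSecurityRuleConfig -Name 'deny-all-in' `
    -Access Deny -Protocol * -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange *

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location -Name 'nsg-web' `
    -SecurityRules $allowHttps, $allowAdmin, $denyAll

# Attach the NSG to the subnet so every NIC placed in it inherits the filter.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-web' `
    -AddressPrefix '10.0.1.0/24' -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the effective inbound/outbound rule set in evaluation order, platform defaults included.
@($nsg.SecurityRules) + @($nsg.DefaultSecurityRules) |
    Sort-Object Direction, Priority |
    Select-Object Name, Priority, Direction, Access, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

Reading the final table is the check that matters: the first matching rule wins, so an allow at priority 100 is never overridden by a deny at 4000, which is exactly why the weak rule is dangerous even in an NSG that ends with an explicit deny.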
Describe the process of applying Azure Information Protection (AIP)
- An admin configures rules that detect sensitive information
- When a user works with content that triggers a rule, they are prompted to apply a classification label to the file
- Once labelled, access to the file can be restricted and monitored (depending on the rules)
What is Azure ATP?
Azure Advanced Threat Protection (Azure ATP) is a cloud-based security solution that identifies, detects and investigates advanced threats, compromised identities and malicious insider actions directed at your on-premises Active Directory. It works through Azure ATP sensors installed directly on the domain controllers, which send signals to the Azure ATP cloud service; findings are viewed in the Azure ATP portal. It is included in the Enterprise Mobility + Security E5 suite and is also available as a standalone license.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/7-advanced-threat-protection
Cloud security is a shared responsibility between you and your cloud provider. Which category of cloud services requires the greatest security effort on your part?
A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
Answer: A
Which of these options helps you most easily disable an account when an employee leaves your company?
A. Enforce multi-factor authentication (MFA)
B. Monitor sign-on attempts
C. Use single sign-on (SSO)
Answer: C
Which of these approaches is the strongest way to protect sensitive customer data?
A. Encrypt data as it sits in your database
B. Encrypt data as it travels over the network
C. Encrypt data both as it sits in your database and as it travels over the network
Answer: C
There has been an attack on your public-facing website, and the application’s resources have been overwhelmed and exhausted, and are now unavailable to users. What service should you use to prevent this type of attack?
A. DDoS protection
B. Azure Firewall
C. Network Security Group
D. Application Gateway
Answer: A
You want to store certificates in Azure to centrally manage them for your services. Which Azure service should you use?
A. AIP
B. Azure AD
C. Azure Key Vault
D. Azure ATP
Answer: C
What is the difference between RBAC and Azure Policy?
Both restrict what happens in a subscription, but they answer different questions. Azure Policy governs resource properties: it evaluates resources when they are created or updated (and re-evaluates existing ones) against rules such as allowed locations, required tags or permitted SKUs, and can deny or audit non-compliant configurations regardless of who made the request. RBAC governs principals: it decides which users, groups or applications may perform which actions on which resources. Policy is a default-allow, explicit-deny system; RBAC is a default-deny, explicit-allow system.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/2-azure-policy
What is the process for creating policies using Azure Policy? How do JSON and PowerShell fit into this process?
- Create a policy definition (for example a storage SKU limit, approved deployment locations, or permitted resource types) in the Azure portal or by writing the definition’s JSON directly
- Assign the policy (this can be done with PowerShell) and set its scope, such as a subscription or resource group
- Identify non-compliant resources in the Azure portal (or with PowerShell). Take action as necessary.
- Retire the policy when it is no longer needed by removing the assignment, and the definition if nothing else uses it (again possible with PowerShell)
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/2-azure-policy
True or false: in Azure parlance, initiatives have less impact on resource deployment than policies?
FALSE. An initiative is a set of policy definitions grouped together to achieve a single goal (for example, enabling all monitoring recommendations in Security Center). Assigning an initiative assigns every policy it contains at once, so an initiative governs at least as much of your resource deployment as any single policy within it.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/3-initiatives
If you have many different subscriptions within your institution, what organizational tool might you employ to create a hierarchy of control?
Azure management groups. Subscriptions are placed in management groups, which can be nested, and policies and role assignments applied to a management group are inherited by every subscription beneath it. This lets you organize subscriptions by region, geography or business unit and restrict what each can deploy.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/4-management-groups
What is the function of both Resource Manager templates and Azure Blueprints? What is the primary difference between them?
Both a Resource Manager template and an Azure Blueprint can describe resource groups, policies and role assignments (everything needed for consistent deployments across an organization that uphold best practice), and a blueprint can itself include Resource Manager templates. The difference is that a template has no active relationship with the resources once they are deployed, whereas a blueprint preserves the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed), which allows deployments to be tracked and audited. Blueprints can also be integrated with Azure DevOps pipelines. Blueprint objects are stored in Cosmos DB and replicated to multiple regions, so they can be read with low latency wherever you deploy.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/5-azure-blueprints
What is the Microsoft Trust Center?
Trust Center is a website resource containing information and details about how Microsoft implements and supports security, privacy, compliance, and transparency in all Microsoft cloud products and services. You can use it to answer your security concerns when using Microsoft Products.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/6-azure-compliance
What is the Service Trust Portal?
The Service Trust Portal (STP) is Microsoft’s public site for publishing audit reports and other compliance-related information about Microsoft’s cloud services. It is designed to help users meet the requirements of frameworks such as ISO, SOC, NIST, FedRAMP and GDPR.
Importantly it hosts the Compliance Manager service.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/6-azure-compliance
What is the Compliance Manager?
The Compliance Manager is a workflow-based risk assessment dashboard within the Service Trust Portal that enables you to track, assign, and verify your organization’s regulatory compliance activities related to Microsoft professional services and Microsoft cloud services.
It also compiles information from third-party auditors on how Microsoft’s services comply with specific standards such as ISO 27001, ISO 27018, HIPAA, GDPR and NIST.
This is hosted by the Service Trust Portal.
What do the abbreviations GDPR, ISO/IEC, HIPAA and NIST stand for?
General Data Protection Regulation - implemented in the EU regarding how personal data must be handled. It was passed in 2016 and enforceable in 2018.
International Organization for Standardization / International Electrotechnical Commission - typically in reference to ISO/IEC 27001:2013, an information security management standard that requires ongoing, systematic management of risks, vulnerabilities and controls. Certification requires an audit by an accredited third party.
Health Insurance Portability and Accountability Act - a 1996 American federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The closest Canadian counterpart for personal data held by the private sector is the Personal Information Protection and Electronic Documents Act (PIPEDA).
National Institute of Standards and Technology
What’s the difference between Azure Monitor and Azure Service Health? How might you use them in tandem to troubleshoot?
Both report on health and availability, but Azure Monitor collects and analyses telemetry from what you have built in the cloud (your VMs, applications and services), whereas Azure Service Health reports on the state of Azure itself: current incidents, planned maintenance and health advisories for the services and regions you use.
So if your app is down, check Service Health first to see whether Azure has an incident affecting your region or services, and if not, turn to Azure Monitor to see whether the problem is on your end.
For more info see: https://azure.microsoft.com/en-us/blog/what-s-the-difference-between-azure-monitor-and-azure-service-health/
True or false: You can download published audit reports and other compliance-related information related to Microsoft’s cloud service from the Service Trust Portal
Answer: True
Which Azure service allows you to configure fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs?
A. Locks
B. Policy
C. Initiatives
D. Role-based Access Control
Answer: D
Which Azure service allows you to create, assign, and, manage policies to enforce different rules and effects over your resources and stay compliant with your corporate standards and service-level agreements (SLAs)?
A. Azure Policy
B. Azure Blueprints
C. Azure Security Center
D. Role-based Access Control
Answer: A
Which of the following services provides up-to-date status information about the health of Azure services?
A. Compliance Manager
B. Azure Monitor
C. Service Trust Portal
D. Azure Service Health
Answer: D
Where can you obtain details about the personal data Microsoft processes, how Microsoft processes it, and for what purposes?
A. Microsoft Privacy Statement
B. Compliance Manager
C. Azure Service Health
D. Trust Center
Answer: A
Which of the following is false regarding Azure resource groups?
A. Resource groups should be organized logically, containing resources with similar lifecycles, billing, usage constraints or regions/geographies.
B. A single deployed resource can be spread across several resource groups
C. Resource groups can leverage RBAC to avoid non-compliant deployment
D. Azure Portal or PowerShell can be used to create resource groups
B - All resources must be in a resource group, and a resource can only be in a single resource group at a time. Many resources can be moved between resource groups, though some services have specific limitations or requirements for moving. Resource groups cannot be nested.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/2-principles-of-resource-groups
If you were tasked with tracking spending for your company’s Azure usage but the entire company’s use was in a single resource group (oh no!), what feature could you use to better classify and track spending within a resource group?
Tags. Individual resources within a single resource group (or similar resources spread over multiple resource groups) can be tagged with name/value pairs such as a cost center or environment, and the billing data carries those tags, so you can break costs down by team, project or storage type. This enables reporting regardless of how your resource groups are organized.
For more info see:
https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/3-use-tagging-to-organize-resources
How could you ensure that proper tagging happens within your organization regardless of who deploys the resource?
Create an Azure Policy definition with a deny effect that blocks deployment unless the required tags are present, and assign it at the subscription or management-group scope so that every deployment passes through it. (Policy can alternatively append a default tag, or copy tags from the resource group, rather than deny the deployment.)
For more info see:
https://docs.microsoft.com/en-us/learn/modules/control-and-organize-with-azure-resource-manager/4-use-policies-to-enforce-standards
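The governance cards describe the Azure Policy lifecycle (define, assign, check, retire) and the tag-enforcement card just above asks for a concrete policy. The Az PowerShell script below is an added example, not from the flashcards or from Microsoft's samples, that walks the full lifecycle with a policy denying any taggable resource that lacks a costCenter tag. The policy and assignment names and the tag name are made up; it assumes the Az.Resources and Az.PolicyInsights modules and rights to create policy at subscription scope.

```powershell
# Added example: Azure Policy lifecycle with a 'require costCenter tag' deny policy.
# Placeholders: the policy name, assignment name and tag name are constructed for this demo.
$scope = "/subscriptions/$((Get-AzContext).Subscription.Id)"

# 1. Define. The rule is JSON: if the tag is missing, deny the create/update request.
#    Mode Indexed evaluates only resource types that support tags and location;
#    resource groups are skipped (use -Mode All with a type condition to cover them).
$rule = @'
{
  "if": {
    "field": "tags['costCenter']",
    "exists": "false"
  },
  "then": {
    "effect": "deny"
  }
}
'@
$definition = New-AzPolicyDefinition -Name 'require-costcenter-tag' `
    -DisplayName 'Require a costCenter tag on resources' `
    -Description 'Deny deployment of taggable resources without a costCenter tag' `
    -Mode Indexed -Policy $rule

# 2. Assign at a scope. Here the whole subscription; a resource group or management group also works.
$assignment = New-AzPolicyAssignment -Name 'require-costcenter-tag' `
    -DisplayName 'Require costCenter tag' `
    -PolicyDefinition $definition -Scope $scope

# Once the assignment is active, a deployment like the following is rejected by Resource Manager
# with a RequestDisallowedByPolicy error, whoever submits it (uncomment to see the denial):
# New-AzStorageAccount -ResourceGroupName 'rg-flashcards-demo' -Name 'stuntagged001' `
#     -Location 'canadacentral' -SkuName 'Standard_LRS'

# 3. Identify non-compliance. Existing resources are evaluated, not deleted; list the offenders.
#    The scan runs in the background and can take a while; -AsJob returns immediately if preferred.
Start-AzPolicyComplianceScan | Out-Null
Get-AzPolicyState -Filter "ComplianceState eq 'NonCompliant' and PolicyAssignmentName eq 'require-costcenter-tag'" |
    Select-Object ResourceId, ResourceType |
    Format-Table -AutoSize

# Remediate one resource by hand (Merge keeps its existing tags):
# Update-AzTag -ResourceId '<resource id from the listing>' -Tag @{ costCenter = 'CC-1234' } -Operation Merge

# 4. Retire. Remove the assignment first (enforcement stops), then the definition if nothing else uses it.
Remove-AzPolicyAssignment -Name 'require-costcenter-tag' -Scope $scope
Remove-AzPolicyDefinition -Name 'require-costcenter-tag' -Force
```

Two points from the lifecycle are easy to miss in the portal: a deny policy only stops new and updated resources, so step 3 is the only way to find what was already deployed before the rule existed; and the same definition can be assigned at several scopes, which is why retirement removes the assignment before the definition.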
What are the two types of resource locks?
CanNotDelete (Delete) and ReadOnly.
CanNotDelete permits every action on the resource except deleting it.
ReadOnly blocks all modification of a resource, which can have unexpected side effects because some read-like operations are implemented as POST requests; for example, a ReadOnly lock on a storage account prevents listing its access keys.
True or False: Tags can be applied to any type of resource on Azure
Answer: False (but they can be applied to a lot!)
True or False: Tags applied at a resource group level are propagated to resources within the resource group.
Answer: False - tags are not inherited by the resources in a group; each resource carries its own tags. (If you want that behaviour, an Azure Policy with a modify or append effect can copy a resource group’s tags onto the resources in it.)
Which of the following approaches might be a good usage of tags?
A. Using tags to associate a cost center with resources for internal chargeback
B. Using tags in conjunction with Azure Automation to schedule maintenance windows
C. Using tags to store environment and department association
D. All of the above are good ways to use tags
Answer: D
Which of the following approaches would be the most efficient way to ensure a naming convention was followed across your subscription?
A. Send out an email with the details of your naming conventions and hope it is followed
B. Create a policy with your naming requirements and assign it to the scope of your subscription
C. Give all other users except for yourself read-only access to the subscription. Have all requests to create resources sent to you so you can review the names being assigned to resources, and then create them.
Answer: B.