deck_16773708 Flashcards
Fabrikam Inc. has adopted Azure as its cloud platform. Fabrikam currently has a hybrid identity model supported by Azure AD Connect. Within the Azure environment there is one subscription labeled “Fab-Prod”, which has a resource group labeled “Back-Office”. The “Back-Office” resource group has the following resources:
- “ADConnect” VM, running on a standard A2M-spec VM
- “VPN-Gateway”, the VPN gateway, configured for Site-to-Site VPN (Azure to on-premises)
There are 250 Azure Active Directory user accounts, each with an Office 365 E5 license assigned individually. The Azure tenant is configured for Privileged Identity Management (PIM) and has three global administrator accounts (Admin01, Admin02 and Admin03) enrolled, which are used to manage the environment; each administrator account has an EMS E5 license. Admin01 is the subscription owner for the “Fab-Prod” subscription, and permissions are handled via PIM.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
You need to enroll “Admin02” in PIM so that the administrator is eligible to manage resources in the “Fab-Prod” subscription for a maximum of 8 hours at a time. Admin02 requires full access to all resources within the subscription; however, he should not be able to add role assignments to the subscription. Which role should you assign to Admin02?
A. Owner role
B. Reader role
C. Contributor role
D. Security administrator role
C. Contributor role
Explanation:
Contributor is correct: it lets you manage all resources in the “Fab-Prod” subscription but not grant access to them, because its NotActions exclude Microsoft.Authorization/*/Write and Microsoft.Authorization/*/Delete, so role assignments cannot be created or removed. Owner is incorrect, as it allows full control of the subscription, including role assignments. Reader is incorrect, as it only allows you to view resources, not make any changes. Security Admin is incorrect, as that role is scoped to Azure Security Center and does not cover all resources within the subscription. Note that the role itself does not enforce the 8-hour limit; the maximum activation duration is set in the PIM role settings for the eligible assignment. https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
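To make the "manage everything but not role assignments" property concrete, here is an added example (not from the flashcard deck) that evaluates control-plane actions against trimmed copies of the built-in Owner, Contributor and Reader role definitions using Azure RBAC's own rule: an action is effectively allowed when it matches an entry in Actions and no entry in NotActions, with `*` matching any run of characters. The role definitions are shortened to the fields needed here and DataActions are omitted; the sample actions are chosen for illustration.

```python
"""Added example (not from the flashcard deck): decide whether an Azure RBAC
role definition permits a control-plane action. Azure's rule is that an action
is effectively allowed when it matches some entry in Actions and no entry in
NotActions; '*' in an entry matches any run of characters, including '/'.
The role definitions below are trimmed copies of the built-in Owner,
Contributor and Reader roles (Actions/NotActions only; DataActions omitted).
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Trimmed built-in role definitions. Contributor's NotActions are what stop it
# from writing or deleting role assignments and role definitions.
ROLES: Dict[str, Dict[str, List[str]]] = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Reader": {"Actions": ["*/read"], "NotActions": []},
}

ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"


def _matches(pattern: str, action: str) -> bool:
    # Action strings are case-insensitive; fnmatchcase gives '*' the "match anything" meaning.
    return fnmatchcase(action.lower(), pattern.lower())


def is_allowed(role: str, action: str) -> bool:
    """True if `role`'s effective permissions include the control-plane `action`."""
    definition = ROLES[role]
    if not any(_matches(p, action) for p in definition["Actions"]):
        return False
    return not any(_matches(p, action) for p in definition["NotActions"])


def manages_resources_without_granting_access(role: str) -> bool:
    """The property the question asks for: can change resources, cannot add role assignments."""
    return (
        is_allowed(role, "Microsoft.Compute/virtualMachines/write")
        and not is_allowed(role, ROLE_ASSIGNMENT_WRITE)
    )


if __name__ == "__main__":
    for role in ROLES:
        print(f"{role:12} can assign roles: {is_allowed(role, ROLE_ASSIGNMENT_WRITE)!s:5} "
              f"manage-but-not-grant: {manages_resources_without_granting_access(role)}")
```

The check is per role definition: a custom role, or a second assignment on the same principal, can still grant Microsoft.Authorization writes, so an audit should evaluate every assignment the principal holds at the scope, not just the one being added.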
Which of the following elements are not associated with an Azure Region?
A. Azure Virtual Machine
B. Azure Resource Group
C. Azure Managed Disk
D. Storage Account
E. None of the answer are correct
F. All of the answers are correct
E. None of the answer are correct
Explanation:
All the listed Azure resources are associated with an Azure region; even a resource group has a location, which is where its metadata is stored. The region chosen for deployment of resources that hold data affects data sovereignty and residency.
What Azure feature ensures that data residency, sovereignty, compliance and resiliency requirements are honored?
A. Azure Geography
B. Azure Region
C. Azure Resource Group
D. Azure Tenant
E. Azure Trust Center
A. Azure Geography
Explanation:
An Azure geography ensures that data residency, sovereignty, compliance and resiliency requirements are honored within geographical boundaries. Each geography contains one or more regions.
You create an Azure Information Protection classification policy that defines a number of classification levels. You configure labels for General, Sensitive and Confidential. You configure the visual marking for the Confidential label as a watermark. A few weeks later you change the policy by creating sub-labels for the Confidential class, Confidential \ All Employees and Confidential \ Recipients Only, and configure the visual marking for each of these as a footer. When the Confidential \ All Employees classification is applied to a document, which of the following visual marking(s) is/are applied?
A. None
B. Footer and Watermark
C. Watermark
D. Footer
D. Footer
Explanation:
When you use sub-labels, don’t configure visual markings, protection, and conditions at the primary label; configure these settings on the sub-label only. If you configure these settings on both the primary label and its sub-label, the settings at the sub-label take precedence, so here only the footer configured on Confidential \ All Employees is applied and the parent’s watermark is not inherited. https://docs.microsoft.com/en-us/azure/information-protection/faqs-infoprotect#can-a-file-have-more-than-one-classification
When Azure Information Protection classifies a document, how can the classification label be applied to the document? Choose 3.
A. Header and/or footer
B. Watermark
C. Encrypted metadata
D. Clear text metadata
E. Document fingerprint
A. Header and/or footer
B. Watermark
D. Clear text metadata
Explanation:
AIP can use a header, footer, watermark and clear-text metadata to label a document as carrying a certain classification. The data can further be protected by encryption, and the allowed actions (copy, print, etc.) can be restricted. The metadata label added to the document properties must be clear text so that DLP solutions can identify documents belonging to a certain classification even when the document content (along with any visible labels) is encrypted and invisible to non-integrated DLP scanners. Document fingerprinting is used in Office 365 DLP but is not part of AIP labeling. Digital text steganography is an advanced technique for invisibly watermarking documents, but it is not used by AIP.
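The clear-text metadata point is easiest to see by reading it back. The following is an added example, not code from the flashcard deck or from Microsoft: it builds a minimal .docx-style zip in memory whose docProps/custom.xml carries AIP label properties, then extracts the label the way a DLP scanner would, without touching the (possibly encrypted) document body. The MSIP_Label_<GUID>_<Field> property naming is what the AIP client writes; the GUID, label name, dates and the extra "Company" property are made up for the example.

```python
"""Added example (not from the flashcard deck): pull the clear-text AIP label
metadata out of an Office file's docProps/custom.xml, which is what a DLP
scanner keys on without opening or decrypting the document body. The .docx
built here is constructed inline so the script runs offline; the
MSIP_Label_<GUID>_<Field> property naming is the AIP client's, while the GUID,
label name and dates are made up.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, Optional

CUSTOM_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(.+)$")
SAMPLE_GUID = "4f2bd6b2-7a1e-4c0d-9f6b-3a2d1e0c9b8a"  # made-up label ID


def build_sample_docx(labeled: bool = True) -> bytes:
    """Construct a minimal .docx-style zip; with labeled=True it carries AIP label properties."""
    props = {
        f"MSIP_Label_{SAMPLE_GUID}_Enabled": "true",
        f"MSIP_Label_{SAMPLE_GUID}_Name": "Confidential \\ All Employees",
        f"MSIP_Label_{SAMPLE_GUID}_Method": "Standard",
        f"MSIP_Label_{SAMPLE_GUID}_SetDate": "2019-06-01T10:15:00Z",
        "Company": "Fabrikam",  # an ordinary custom property, to show it is ignored
    }
    body = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" name="{k}">'
        f"<vt:lpwstr>{v}</vt:lpwstr></property>"
        for i, (k, v) in enumerate(props.items(), start=2)
    )
    custom_xml = f'<Properties xmlns="{CUSTOM_NS}" xmlns:vt="{VT_NS}">{body}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<document/>")  # body content is irrelevant here
        if labeled:
            zf.writestr("docProps/custom.xml", custom_xml)
    return buf.getvalue()


def read_aip_labels(docx_bytes: bytes) -> Dict[str, Dict[str, str]]:
    """Return {label_guid: {field: value}} from docProps/custom.xml, or {} if the part is absent."""
    labels: Dict[str, Dict[str, str]] = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return labels
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall(f"{{{CUSTOM_NS}}}property"):
        m = LABEL_RE.match(prop.get("name", ""))
        if not m:
            continue  # not an AIP label property
        guid, field = m.group(1).lower(), m.group(2)
        value_el = prop.find(f"{{{VT_NS}}}lpwstr")
        labels.setdefault(guid, {})[field] = (value_el.text or "") if value_el is not None else ""
    return labels


def classification_of(docx_bytes: bytes) -> Optional[str]:
    """Name of the first enabled AIP label, or None if the file carries no enabled label."""
    for fields in read_aip_labels(docx_bytes).values():
        if fields.get("Enabled", "").lower() == "true":
            return fields.get("Name")
    return None


if __name__ == "__main__":
    print(classification_of(build_sample_docx()))
    print(classification_of(build_sample_docx(labeled=False)))
```

Because the metadata is plain text inside the zip, it is also trivially removable or forgeable by anyone who can edit the file, so a DLP rule keyed on it is a classification hint, not an integrity control; the protection comes from the encryption and usage rights applied alongside the label.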
Which of the following should be chosen as the trigger when creating an Azure Security Center Playbook?
A. Triggers when a Windows Defender ATP alert occurs
B. When an event is created
C. When a data driven alert is triggered
D. When a response to an Azure Security alert is triggered
E. When an incident is created
D. When a response to an Azure Security alert is triggered
Explanation:
All of the options are valid triggers for Azure Logic Apps, the underlying technology used for ASC playbooks. When creating a playbook to be used with ASC, you must select “When a response to an Azure Security Center alert is triggered” as the trigger; otherwise the playbook will not appear on the alert when View playbooks is selected.
What Azure resource is created when an Azure Security Center playbook is created?
A. Azure Logic App
B. Azure Function
C. Microsoft Flow
D. Azure Log Analytics Workspace
E. Azure Playbook
F. Azure Runbook
A. Azure Logic App
Explanation:
The underlying technology used when ASC playbooks are created is an Azure Logic App. It does not require a Log Analytics workspace. Microsoft Flow uses the same underlying workflow engine, but you cannot create ASC alert triggers in Flow.
You are the security administrator for your Azure subscription and are reviewing the security alerts as listed in Azure Security Center. You select one of the high severity alerts and select the resource identified by the alert as being attacked. What response options are available to you?
A. Click remediate from the alert details pane
B. Click isolate from the alert details pane
C. Select one or more of the recommended remediations steps and click Remediate
D. Manually execute the remediation steps recommended
E. Click investigate on the alert details pane
F. Click run playbooks on the alert details pane
D. Manually execute the remediation steps recommended
E. Click investigate on the alert details pane
F. Click run playbooks on the alert details pane
Explanation:
Generally speaking, you would manually act on the remediation steps listed on the alert details pane. The Investigate button launches the investigation interface of ASC. You can also run predefined playbooks to automatically execute action steps for common alerts.
Which of the following is true for an Azure Security Center incident?
A. A single alert detected by more than one ASC detection mechanism
B. An aggregation of alerts that align with kill chain patterns
C. A single alert with a high probability of being a true positive
D. Any high severity alert (not low severity or medium severity alerts)
E. An alert detected by Azure Advanced Threat Protection
B. An aggregation of alerts that align with kill chain patterns
Explanation:
An aggregation of alerts that align with kill chain patterns is listed in ASC as a security incident. Incidents are listed with the other ASC alerts. They are almost always listed with a high severity and are very likely to be true positives. Alerts are sometimes detected by multiple detection mechanisms, including ATP, but the defining factor for an incident is multiple alerts that together align with a known kill chain pattern. See: https://docs.microsoft.com/en-us/azure/security-center/security-center-incident-response
You are reviewing the security policies assigned to your subscription in Azure Security Center. In addition to the ASC Default policy that is already assigned, you need to assign the built-in policy initiative named Enable Data Protection Suite that contains a policy named Deploy Threat Detection on SQL servers. Choose the correct list of steps to accomplish your goals.
A. Azure Security Center, Security Policy, Assign Initiative, Select Enable Data Protection, Click Assign
B. Azure Policy, Assignments, Assign Initiative, Select Enable Data Protection, Click Assign
C. SQL Databases, Advanced Data Security, Assign Policy/Initiative, Select Enable Data Protection, Click Assign
D. Resource Group, Policies, Assign Initiative, Select Enable Data Protection, Click Assign
B. Azure Policy, Assignments, Assign Initiative, Select Enable Data Protection, Click Assign
Explanation:
Adding policies to Azure Security Center is performed through Azure Policy. There is no Assign Initiative option on the ASC Security Policy blade. From the resource group, clicking the Policies item redirects to Azure Policy; this option would work, but the assignment is made at the resource group level, whereas the question refers to the subscription level. You can configure Advanced Data Security on each SQL server, but this would have to be repeated for every server; the policy applies the security measure to all SQL servers in the subscription. See: https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy
You plan to secure remote access from your on-premises network to your AKS cluster which is deployed to an existing Azure VNet. The solution should have the lowest possible latency and very high network speeds.
Solution: You implement a Site-to-Site VPN solution.
Does this solution meet the goal?
A. TRUE
B. FALSE
B. FALSE
Explanation:
You should use ExpressRoute. ExpressRoute is a private connection through a connectivity provider that does not traverse the public internet, so it gives higher bandwidth and lower, more predictable latency than a Site-to-Site VPN tunneled over the internet.
You are in the process of creating an Azure container registry via CLI in the “MyRG” resource group. Complete the following command to create the container registry labeled “MyContainer001”.
az (1) create --resource-group MyRG --(2) MyContainer001 --(3) Basic
A. 1=acr, 2=name, 3= sku
B. 1=akr, 2= id, 3= tier
C. 1=docker, 2=name, 3=tier
D. 1=acr, 2=id, 3=sku
A. 1=acr, 2=name, 3= sku
Explanation:
Option A is correct; the complete Azure CLI command is: az acr create --resource-group MyRG --name MyContainer001 --sku Basic
You need to configure temporary access to an Azure VM on port 22, the solution should manage the inbound rules automatically in the back end and remove the rules when the time period expires. Which of the following technologies should you configure?
A. Network Security Group (NSG)
B. Application Security Groups (ASG)
C. Azure Firewall
D. Just In Time VM Access
D. Just In Time VM Access
Explanation:
Just-in-time VM access is correct: it lets you connect to an Azure VM on specific ports for a specific time period, and it does this automatically in the back end by creating temporary NSG rules and removing them when the time expires. NSG is incorrect, as that is a manual process and the rules are not removed after a time period. ASG is incorrect, as that feature lets you group VMs to simplify inbound and outbound rule management, but it cannot automatically create and remove NSG rules based on a time period. Azure Firewall is incorrect, as it is a stateful firewall without the capability to automatically create time-limited rules for remote users to access VMs. https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time
You need to limit outbound HTTPS traffic to specific fully qualified domain names (FQDN). Which of the following technologies support this?
A. Network Security Groups (NSG)
B. Application Security Groups (ASG)
C. Azure Firewall
D. Just-in-time VM access (JIT VM Access)
C. Azure Firewall
Explanation:
Azure Firewall is correct: its application rules can limit outbound HTTPS traffic to a specified list of FQDNs, including wildcards, by matching the server name in the TLS SNI extension, so no SSL/TLS termination is required. NSG is incorrect, as it cannot filter outbound traffic by FQDN, only by IP addresses or service tags such as Internet. ASG is incorrect, as that feature lets you group VMs to simplify inbound and outbound rule management. JIT VM Access is incorrect, as it controls inbound management access to Azure VMs.
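As an added example (not from the flashcard deck), the following evaluates outbound HTTPS connections against a small Azure Firewall style application rule collection, matching on the SNI server name rather than on anything inside the encrypted stream. The rules, subnets and sample connections are constructed for this example. The wildcard handling treats `*.fabrikam.com` as covering subdomains but not the apex `fabrikam.com`, which is how I read Azure Firewall's wildcard FQDN documentation; verify against your firewall's behaviour before relying on it.

```python
"""Added example (not from the flashcard deck): match outbound HTTPS
connections against a small Azure Firewall style application rule set. For
HTTPS, Azure Firewall reads the server name from the TLS ClientHello SNI
extension and matches it against target FQDNs; nothing is decrypted. The rule
set and the sample connections are constructed for this example. Wildcard
handling assumes '*.fabrikam.com' covers subdomains of fabrikam.com but not
fabrikam.com itself.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AppRule:
    name: str
    source_addresses: List[str]   # IPs or CIDRs
    target_fqdns: List[str]       # exact names or '*.' wildcards
    protocols: List[str] = field(default_factory=lambda: ["https:443"])


# Constructed rule collection: the back-office subnet may only reach Fabrikam's
# own services and Azure AD sign-in.
RULES = [
    AppRule("allow-fabrikam-apps", ["10.10.0.0/24"], ["*.fabrikam.com"]),
    AppRule("allow-aad-login", ["10.10.0.0/24"], ["login.microsoftonline.com"]),
]


def fqdn_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*.' wildcard match at any subdomain depth (never the apex)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".fabrikam.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(addresses: List[str], ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in addresses)


def evaluate(rules: List[AppRule], src_ip: str, sni: Optional[str], port: int = 443) -> Optional[str]:
    """Name of the first allowing rule, or None for the implicit deny.

    A ClientHello without SNI (or a connection to a bare IP) has no FQDN to
    match, so it falls through to deny.
    """
    if not sni:
        return None
    for rule in rules:
        if f"https:{port}" not in rule.protocols:
            continue
        if not source_matches(rule.source_addresses, src_ip):
            continue
        if any(fqdn_matches(p, sni) for p in rule.target_fqdns):
            return rule.name
    return None


if __name__ == "__main__":
    samples = [
        ("10.10.0.5", "intranet.fabrikam.com"), ("10.10.0.5", "fabrikam.com"),
        ("10.10.0.5", "login.microsoftonline.com"), ("10.20.0.5", "intranet.fabrikam.com"),
        ("10.10.0.5", "paste.example.net"), ("10.10.0.5", None),
    ]
    for src, sni in samples:
        print(f"{src:>10} -> {str(sni):28} {evaluate(RULES, src, sni) or 'DENY'}")
```

Two points the table of outcomes makes visible: a name that merely ends in the allowed string (`evilfabrikam.com`) is not a subdomain and must not match, and a client that omits SNI gets no FQDN match at all, so an allowlist that also wants to block SNI-less traffic relies on the default deny rather than on a rule.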
You have inherited an Azure environment which has plenty of resource groups. You have been tasked to manage access, policies and compliance for the subscriptions in an efficient manner.
Solution: You decide to make use of RBAC.
Does this solution meet the goal?
A. TRUE
B. FALSE
B. FALSE
Explanation:
False is correct: RBAC governs who can perform which actions at a scope, but it does not manage policies or compliance. You should instead use Azure management groups, which let you organize subscriptions into a hierarchy and apply Azure Policy and RBAC assignments once at the management group level so they are inherited by every subscription beneath it.
You need to harden your Docker containers.
Solution: You enable AppArmor.
Does this solution meet the goal?
A. TRUE
B. FALSE
A. TRUE
Explanation:
True is correct: you can use AppArmor, SELinux, grsecurity or another appropriate hardening system to confine what a container's processes can do on the host.