Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

AZ500 > Kindle Practice Test 2 > Flashcards

Kindle Practice Test 2 Flashcards

1
Q

How does Azure SQL Database provide protection for data at rest?

A. BitLocker
B. SSL/TLS 1.2
C. Azure Storage Service Encryption
D. Transparent Data Encryption
E. AES Encryption
F. Azure Key Vault

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 31). Kindle Edition.

A

D. Transparent Data Encryption

Explanation:
Azure SQL Database has a built-in data at rest encryption capability called Transparent Data Encryption. The encryption key is managed by Microsoft, but it is possible to bring your own key through the TDE integration with Azure Key Vault - Key Vault is not the best answer here though. SSL/TLS is used for securing data in transit. Bitlocker is used for endpoint encryption, not for SQL Database encryption. By default TDE uses the AES encryption algorithm, but this is also not the best answer for the question. TDE is used for database encryption and is very similar to the Azure Storage counterpart called Storage Service Encryption. https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 31). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Which of the following Azure tools can help mature the security baseline specific to detecting malicious activity? Select all that apply.

A. Azure Key Vault
B. Azure portal
C. Azure AD
D. Azure Security Center
E. Azure Monitor
F. Azure policy

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 31-32). Kindle Edition.

A

D. Azure Security Center
E. Azure Monitor

Explanation:
Azure Security Center is correct as this tool allows you to mature the policies and processes in your Azure environment. Azure monitor is correct as this tool can also be used in maturing polices and processes regarding security baselines in Azure. The Azure portal, Key vault, Azure AD and Azure policy cannot be used as a tool regarding a security baseline when detecting malicious activity in your Azure environment. https://docs.microsoft.com/bs-latn-ba/azure/architecture/cloud-adoption/governance/security-baseline/toolchain

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 32). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

You are the administrator of all resources in Azure. You need to enforce all new resources created to a specific region. Solution: You create an Azure policy Does this meet the requirements?

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 32). Kindle Edition.

A

A. TRUE

Explanation:
True is correct, you can create an Azure Policy to enforce a specific region when new resources are created. https://docs.microsoft.com/en-us/azure/governance/policy/samples/allowed-locations

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 32). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

When securing Azure Key Vault one has to secure the management plane and the data plane. Which of these options is relevant when securing the management plane?

A. Create, read, update, delete key vaults
B. Set key vault tags
C. Set key vault access policies
D. Set key vault secrets
E. Create RBAC roles
F. Create key vault keys

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 33). Kindle Edition.

A

A. Create, read, update, delete key vaults
B. Set key vault tags
C. Set key vault access policies

Explanation:
Key vault management plane security operations covers administering the key vault itself; whereas the data plane covers the data (keys and secrets) inside the key vault. One would use built-in RBAC roles as part of assigning access control to the vault. One can create a custom RBAC role as part of this, but that would be performed in AAD and is not considered part of vault security operations. See: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#resource-endpoints

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 33). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which single Azure SQL Database feature provides data security for data at rest, data in transit and data in use?

A. SSL/TLS 1.2
B. Always Encrypted
C. Azure Storage Service Encryption
D. Transparent Data Encryption
E. Azure Key Vault

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 33-34). Kindle Edition.

A

B. Always Encrypted

Explanation:
Always Encrypted is a data encryption technology in Azure SQL Database and SQL Server that helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use, ensuring that sensitive data never appears as plain text inside the database system. The encryption is performed on the endpoint application before writing the data to the database. The encryption keys are not revealed to the database management system. The encrypted data is also not readable by other privileged users like database administrators. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted-azure-key-vault

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 34). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What PowerShell cmdlet is used to initiate Azure Disk Encryption for a Windows-based VM on Azure?

A. Set-AzVMDiskEncryptionExtension
B. Disable-AzVMDiskEncryption
C. Set-AzVMDiskEncryption
D. Set-AzVMDiskEncryptionWindows
E. Set-AzVMDiskEncryptionLinux
F. Get-AzVmDiskEncryptionStatus

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 34). Kindle Edition.

A

A. Set-AzVMDiskEncryptionExtension

Explanation
Set-AzVMDiskEncryptionExtension is the correct answer. The same cmdlet is used for both Windows and Linux VMs See https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-windows

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 34-35). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

True of false: Just-in-time VM access will automatically create the NSG rules, however you will need to manually remove the NSG rules afterwards.

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 35). Kindle Edition.

A

B. FALSE

Explanation:
False is correct, JIT VM Access will automatically create the NSG rules to the user to connect securely to the VM and will also automatically remove the NSG rule it created after the configured time expired. https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 35). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which of the following are valid access control options for Azure Data Lake? Choose 3

A. Shared Access Key
B. Service Key
C. Shared Access Signature
D. Role Based Access Control
E. Access Key

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 35). Kindle Edition.

A

C. Shared Access Signature
D. Role Based Access Control
E. Access Key

Explanation:
Access keys, Azure AD RBAC and Shared Access Signatures are all valid access control methods for storage accounts - the underlying technology for Data Lake. Service key and shared access key are not valid names for storage account access controls. https://docs.microsoft.com/en-za/azure/storage/blobs/data-lake-storage-access-control

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 35-36). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

You are the administrator for the ACME banking group. You are responsible for managing the key vault in Azure called ACMEvault. You have decommissioned a production server which has its password stored in the key vault labelled “FinanceAdmin”. You need to remove the password from the vault by using an API call. Which API call is correct?

A. RECOVER https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
B. DELETE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
C. PURGE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
D. 1. REMOVE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 36). Kindle Edition.

A

B. DELETE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0

Explanation:
DELETE is the correct operation name as it references the correct vault and secret name. REMOVE not a valid operation name. PURGE is used to remove the password irreversibly, almost the same as emptying the recycle bin on your desktop. RECOVER will not suffice as this is used to recover a deleted secret on soft-delete enabled vaults. https://docs.microsoft.com/en-us/rest/api/keyvault/deletesecret/deletesecret

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 36). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Azure backup can be configured to backup on-premises VMs. What is used to ensure data is encrypted at rest?

A. Passphrase
B. Azure Recovery Vault
C. Azure Storage Service Encryption
D. Azure Recovery Services
E. Transparent Data Encryption

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 36-37). Kindle Edition.

A

A. Passphrase

Explanation:
When using Azure backup to backup on-premises VMs a passphrase is used along with AES256 to encrypt the backup. See: https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq#encryption

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 37). Kindle Edition.

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 37). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Azure backup can be configured to Azure VMs. What is used to ensure data is encrypted at rest?

A. Passphrase
B. Azure Storage Service Encryption
C. Transparent Data Encryption
D. Azure Recovery Services
E. Azure Recovery Vault

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 37). Kindle Edition.

A

B. Azure Storage Service Encryption

Explanation:
When using Azure backup to backup Azure VMs, Azure Storage Service encryption is used to encrypt the backup. See: https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq#encryption

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 37). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Which of the following is not a technology that can be used to visualise Azure Monitor data?

A. Azure Dashboards
B. All of the answers are correct
C. None of the answers are correct
D. Power BI
E. Azure Monitor Workbooks
F. Azure Monitor Views

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 37-38). Kindle Edition.

A

C. None of the answers are correct

Explanation:
All of the answers provided are valid ways to visualise Azure Monitor data. The question, however, asked which of the options can not be used to visualise Azure Monitor data. None of the answer option are therefore correct. It is doubtful that the official exam will use such double-negative tactics, but it is used here as a reminder to be aware of negative answers to negative questions. See: https://docs.microsoft.com/en-us/azure/azure-monitor/visualizations

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 38). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which of the following is not a configuration step required to create an Azure Monitor Alert?

A. Define alert details
B. Define alert condition
C. Define action group
D. Define notification action

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 38). Kindle Edition.

A

D. Define notification action

Explanation:
Creating an Azure Monitor Alert required defining alert conditions, alert details and the action group. Although specifying the alert action is part of defining the action group, there is no define notification action step. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 38). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

You are configuring security for data in transit for an Azure App Service. Which of the following security tasks should be performed? Choose all that apply, do not choose any that does not apply.

A. Minimum TLS version enforced
B. Test HTTPS
C. Upload SSL Certificate
D. Bind SSL Certificate
E. HTTPS enforced

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 39). Kindle Edition.

A

A. Minimum TLS version enforced
B. Test HTTPS
C. Upload SSL Certificate
D. Bind SSL Certificate
E. HTTPS enforced

Explanation:
All the answer options should be configured for Azure App Service. See: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 39). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Select all the answers that specify the technology and Azure resource prerequisites for Azure Disk Encryption.

A. DM-Crypt
B. SSL/TLS 1.2
C. BitLocker
D. Azure Storage Service Encryption
E. Azure Key Vault
F. Transparent Data Encryption

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 39-40). Kindle Edition.

A

A. DM-Crypt
C. BitLocker
E. Azure Key Vault

Explanation:
Azure Disk Encryption uses BitLocker for Windows-based VMs and DM-Crypt for supported Linux-based VMs in Azure. It also requires Azure Key Vault to provide secure access to the encryption/decryption keys. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 40). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Your organization is planning on synchronizing their on premises identities to Azure via the AD Connect tool. You need to ensure that all domain user identities are properly formatted before they are synchronized as to not cause synchronization errors. What should you do?

A. Re-run the AD Connect application
B. Run the IdFix tool
C. Run synchronization rules editor
D. Run synchronization service manager

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 40). Kindle Edition.

A

B. Run the IdFix tool

Explanation:
IdFix tool is correct as this free tool is used to isolate and remediate common errors reported by the AD Connect tool like formatting issues with domain user names. Re-running the AD Connect application will not resolve any sync issues. Running the synchronization service manager is incorrect as this tool is used to configure more advanced aspects of AD Connect like connectors and synchronization schedule. Running the synchronization rules editor is incorrect as this can only be run post-deployment of directory synchronization, this tool is used to customize user and group attributes synched between on-prem and Azure. https://docs.microsoft.com/en-us/office365/enterprise/install-and-run-idfix

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 40-41). Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

True or false: you can configure multiple AD Connect connectors for the same Active Directory domain.

A. FALSE
B. TRUE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 41). Kindle Edition.

A

A. FALSE

Explanation:
False is correct, multiple connectors for the same AD domain are not supported. You can however configure a secondary connector in staging mode for DR purposes. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-faq

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 41). Kindle Edition.

18
Q

You have configured VNet peering between 2 VNets in your “Production” resource group. You implement an Azure firewall and create a user defined route (UDR) that forces all traffic through the firewall. Will traffic destined to route over the VNet peering link be forced to route through the firewall?

A. NO
B. YES

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 41). Kindle Edition.

A

A. NO

Explanation:
No is correct, even if there is a UDR defined for all traffic to route through the Azure firewall, traffic going over the VNet peering link will not go through the UDR (Azure firewall) and instead go directly over the peered link. https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 41). Kindle Edition.

19
Q

Which of the following Azure features provide the capability to define and enforce security settings when new Azure resources are created?

A. Azure Policy
B. Role-Based Access Control
C. Azure Resource Manager
D. Azure Security Center
E. Azure Advanced Threat Protection

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 42). Kindle Edition.

A

A. Azure Policy

Explanation:
Azure Policy can be used to enforce security settings when new Azure resources are created. Security policies is visible in Azure Security Center, but the capability is provided by Azure Policy. Azure Resource Manager is the service used to provision resources in Azure - it will respect assigned policies, but doesn’t provide the ability to define security policies. RBAC can be used to prevent certain users from creating resources, but doesn’t enforce what security settings that must be applied when RBAC allows the creation of resources. ATP detects and can be configured to respond to breaches in security, but doesn’t allow the definition and enforcement of security settings to be applied when new resources are created. See: https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 42). Kindle Edition.

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 41). Kindle Edition.

20
Q

Azure Policy allows the assignment of a policy to a management group. What level of scope is provided by management groups?

A. Resource group
B. All of the options
C. Tenant
D. Resource
E. Subscription

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 42-43). Kindle Edition.

A

E. Subscription

Explanation:
An Azure management group provides a level of scope at the subscription level. One can assign a policy to a management group which is made up of a defined set of subscriptions. All subscriptions in the management group inherits the policy. A root management group is created that contains all other management groups. See: https://docs.microsoft.com/en-za/azure/governance/management-groups/index and https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy#management-groups

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 43). Kindle Edition.

21
Q

Select the most accurate description of the Always Encrypted feature of Azure SQL Database.

A. Column-level encryption
B. Row-level encryption
C. Table-level encryption
D. Database-level encryption
E. User-level encryption
F. Network-level encryption

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 43). Kindle Edition.

A

A. Column-level encryption

Explanation:
Always Encrypted is applied on the data in the database at a column level. Unlike Transparent Data Encryption used by Azure SQL Database where the encryption/decryption key is known to the database management engine, Always Encrypted performs encryption/decryption on the endpoint application, out of band of the database engine. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 43-44). Kindle Edition.

22
Q

You have synchronized your IT departments on-premises identities with Azure AD via the AD Connect tool. You need to onboard the rest of the on-premises users with the least amount of effort. What should you do?

A. Uninstall and re-install the ADConnect tool
B. Stop the synchronization service
C. Restart the ADConnect VM
D. Re-run the ADConnect tool

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 44). Kindle Edition.

A

D. Re-run the ADConnect tool

Explanation:
Re-run ADConnect tool is correct, this will allow you to customize the synchronization properties to add additional Object Unit filtering. Uninstall and re-install ADConnect is incorrect as this will take more effort than to re-run the ADConnect tool. Stopping the synchronization service is incorrect as this will stop all configured identities from synching. Restarting the ADConnect VM is incorrect as this will not enable you to onboard the additional users. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-installation-wizard

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 44). Kindle Edition.

23
Q

You are the administrator for the ACME banking group. You are responsible for managing the key vault in Azure. You need to create a new certificate in the ACMEvault with a key size of 2018 and that cannot be reused via an API call which should be called ACMEcertificate. Which statement below is correct?

A. POST http://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0
B. POST https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0
C. SET https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0
D. GET https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 44-45). Kindle Edition.

A

B. POST https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0

Explanation:
POST {https://ACMEvault.vault.azure.net}/certificates/{ACMEcertificate}/create?api-version=7.0 is correct as this follows the correct way to create a new certificate. Here is the way the statement is used in general: POST {vaultBaseUrl}/certificates/{certificate-name}/create?api-version=7.0. It uses HTTPS by default, GET and SET are incorrect when creating a new certificate. https://docs.microsoft.com/en-us/rest/api/keyvault/createcertificate/createcertificate

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 45). Kindle Edition.

24
Q

Which of the following Azure tools can help mature the security baseline specific to securing virtual networks? Select all that apply.

A. Azure Security Center
B. Azure policy
C. Azure AD
D. Azure Key Vault
E. Azure portal
F. Azure Monitor

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 45). Kindle Edition.

A

B. Azure policy
E. Azure portal

Explanation:
Azure portal is correct as you can use the portal to mature network policies and processes. Azure policy is also correct as you can enforce policies that supports security baselines. Key Vault, Azure AD, Azure Security Center and Azure Monitor does not contribute to the security baseline for securing virtual networks. https://docs.microsoft.com/bs-latn-ba/azure/architecture/cloud-adoption/governance/security-baseline/toolchain

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 45-46). Kindle Edition.

25
Q

You notice a recommendation in the Azure Security Center to add a vulnerability assessment solution to your Azure virtual machines. Which of the following options are Azure Security Center-integrated solutions to the recommendation. Select two.

A. Microsoft Advanced Threat Analytics
B. Azure Log Analytics
C. Rapid7
D. Azure Monitor
E. Nessus
F. Qualys

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 46). Kindle Edition.

A

C. Rapid7
F. Qualys

Explanation:
Azure Security Center supports Qualys and Rapid7 as integrated vulnerability assessment solutions. Nessus is not currently integrated with Azure Security Center. Azure Log Analytics, Azure Monitor and Microsoft ATA are not vulnerability assessment solutions related to this ASC recommendation. See: https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 46). Kindle Edition.

26
Q

Which of the following roles can make use of Azure Identity Protection in the portal?

A. Global administrator
B. Security Administrator
C. Security reader
D. Owner role
E. Contributor role

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 46-47). Kindle Edition.

A

A. Global administrator
B. Security Administrator
C. Security reader

Explanation:
The following roles can make use of Identity Protection: Security reader, security admin and global admin. Contributor and owner roles are both incorrect as these are related to https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/faqs

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 47). Kindle Edition.

27
Q

What are the three authentication mechanisms that an application can use when using Azure Key Vault for storing secrets, certificates and/or keys?

A. Container instance registry
B. Service principal with secret
C. Service principal with encrypted credential
D. Azure app registry
E. Service principal with certificate
F. Managed identities for Azure resources

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 47). Kindle Edition.

A

B. Service principal with secret
E. Service principal with certificate
F. Managed identities for Azure resources

Explanation:
The preferred method for applications to authenticate with an integrated Azure Key Vault is via Managed identities for Azure resources. Alternatively, applications can use service principal with secret or service principal with certificate. None of the other options exist - they are made-up. See: https://docs.microsoft.com/en-za/azure/key-vault/key-vault-whatis

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 48). Kindle Edition.

28
Q

What PowerShell cmdlet is used to initiate Azure Disk Encryption for a Linux-based VM on Azure?

A. Set-AzVMDiskEncryptionLinux
B. Set-AzVMDiskEncryption
C. Set-AzVMDiskEncryptionWindows
D. Set-AzVMDiskEncryptionExtension
E. Get-AzVmDiskEncryptionStatus
F. Disable-AzVMDiskEncryption

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 48). Kindle Edition.

A

D. Set-AzVMDiskEncryptionExtension

Explanation:
Set-AzVMDiskEncryptionExtension is the correct answer. The same cmdlet is used for both Windows and Linux VMs See https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-linux

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 48). Kindle Edition.

29
Q

Which of the following statements is true for Azure Policy initiatives?

A. A policy initiative is a policy assignment scope
B. A policy initiative is a policy definition
C. A policy initiative is a policy parameter
D. A policy initiative is a collection of policies
E. A policy initiative is a policy assignment

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 48-49). Kindle Edition.

A

D. A policy initiative is a collection of policies

Explanation:
One can assign a built-in policy within a specific scope. Similarly, one can also define a custom policy for assignment. Policies can be parameterised to make them more generic. Lastly, one can define Policy Initiatives that are collections of policies that can be parameterised and assigned at the same time. See: https://docs.microsoft.com/en-us/azure/governance/policy/overview#initiative-definition

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 49). Kindle Edition.

30
Q

True or false: you can configure multiple domains to sync with ADConnect.

A. FALSE
B. TRUE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 49). Kindle Edition.

A

B. TRUE

Explanation:
True is correct, you can configure multiple domains to sync with Azure AD via AD Connect. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-multiple-domains

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 49). Kindle Edition.

31
Q

When securing Azure Key Vault one has to secure the management plane and the data plane. Which of these options is relevant when securing the data plane?

A. Set key vault secrets
B. Create key vault keys
C. Set key vault access policies
D. Create key vault
E. Set key vault tags
F. Create RBAC roles

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 49-50). Kindle Edition.

A

A. Set key vault secrets
B. Create key vault keys

Explanation:
Key vault management plane security operations covers administering the key vault itself; whereas the data plane covers the data (keys and secrets) inside the key vault. One would use built-in RBAC roles as part of assigning access control to the vault. One can create a custom RBAC role as part of this, but that would be performed in AAD and is not considered part of vault security operations. See: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#resource-endpoints

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 50). Kindle Edition.

32
Q

You need to configure additional Network Security Group rules to allow the following types of traffic: * Remote Desktop Protocol * SSH * Secure web traffic Which three ports should you configure as part of the NSG rules?

A. Port 22
B. Port 23
C. Port 389
D. Port 80
E. Port 3389
F. Port 443

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 50). Kindle Edition.

A

A. Port 22
E. Port 3389
F. Port 443

Explanation:
Port 22 is correct as this is used for SSH, Port 443 is correct as this is used for secure web traffic (HTTPS), Port 3389 is correct as this is used for RDP. Port 23 is incorrect as this is used for Telnet. Port 80 is incorrect as this is used for insecure web traffic. Port 389 is incorrect as this is used with Lightweight Directory Access Protocol (LDAP). https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 51). Kindle Edition.

33
Q

You are the administrator for the Contoso financial group. You are responsible for all storage accounts in Azure. You have been tasked to share limited access to the Blob files in storage account “Company_function” with another company for a limited time. The other company should only be able to list and read the data in the blob storage. The other company’s administrator is familiar with Azure Storage Explorer and want you to share secure access with him by using this tool. Which information should you configure and give the administrator?

A. Provide the administrator with the storage name and key
B. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer (Correct)
C. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and write permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer.
D. Create Shared Access Signature for “Company_function” and configure the following: read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 51). Kindle Edition.

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 51). Kindle Edition.

A

B. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer (Correct)

Explanation:
You need to create a Shared Access Signature for “Company_function” and configure start and expiry time as this is part of the time limitation request, list and read permissions are the least intrusive and blob storage is correct. The administrator should be able to use the SAS URI to configure access in Storage Explorer in their side. Option 1 is incorrect as there is write permissions assigned. Option 3 is incorrect as there is no time limitation set. Option 4 is incorrect as sending a storage name and key will not provide limited access as required. https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 51-52). Kindle Edition.

34
Q

True of false: Azure firewall supports inbound and outbound filtering.

A. TRUE
B. FALSE

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 52). Kindle Edition.

A

A. TRUE

Explanation:
True is correct as the Azure firewall supports inbound and outbound filtering, however inbound filtering is for non HTTP/S protocols i.e. RDP, SSH and FTP protocols are supported. https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 52). Kindle Edition.

35
Q

You are the administrator for the Contoso financial group. You are responsible for managing the key vault in Azure. You need to update a certificate that has become stale in the CONTOSOvault which is called “WebsiteCertificate” via an API call to the Key Vault. Which statement below is correct?

A. PATCH http://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
B. PATCH https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0 (Correct)
C. POST https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
D. POST http://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 52-53). Kindle Edition.

A

B. PATCH https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0 (Correct)

Explanation:
PATCH is correct https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0 is correct as this follows the correct way to update a specific certificate in the Azure Key Vault via API call. Here is the way the statement is used in general: PATCH {vaultBaseUrl}/certificates/{certificate-name}/{certificate-version}?api-version=7.0. using HTTP will not suffice as the Key Vaults use HTTPS by default and POST is not the correct action. https://docs.microsoft.com/en-us/rest/api/keyvault/updatecertificate/updatecertificate

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 53). Kindle Edition.

36
Q

What is the default retention period for Azure Monitor logs?

A. 30 days
B. 90 days
C. 3 years
D. 1 year
E. Indefinite
F. 60 days

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 53). Kindle Edition.

A

B. 90 days

Explanation:
Azure monitor retains logs for 90 days before starting to purge the oldest logs. You can set up log archival to a storage account if a longer retention is required. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-archive-data

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 53). Kindle Edition.

37
Q

You have been requested to configure VM security in the form of encrypting IaaS VM disks. You are planning to make use of PowerShell to encrypt the disks. Complete the following PowerShell command: Set-1 -ResourceGroupName “MySecureRG” -VMName “MySecureVM” -2 “VaultID” -3 “VaultURL”

A. 1 = AzVmDiskEncryptionExtension, 2 = DiskEncryptionKeyVaultId, 3 = DiskEncryptionKeyVaultUrl
B. 1 = DiskEncryptionKeyVaultUrl, 2 = DiskEncryptionKeyVaultId, 3 = AzVmDiskEncryptionExtension
C. 1 = AzVmDiskEncryptionExtension, 2 = DiskEncryptionKeyVaultUrl, 3 = DiskEncryptionKeyVaultId

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 53-54). Kindle Edition.

A

A. 1 = AzVmDiskEncryptionExtension, 2 = DiskEncryptionKeyVaultId, 3 = DiskEncryptionKeyVaultUrl

Explanation:
The correct command is as follows: Set-AzVmDiskEncryptionExtension -ResourceGroupName “MySecureRG” -VMName “MySecureVM” -DiskEncryptionKeyVaultId “VaultID” -DiskEncryptionKeyVaultUrl “VaultUrl”. You need to use the AzVmDiskEncryption command first followed by the DiskEncryptionKeyVaultID and lastly the DiskEncryptionKeyVaultUrl command. https://docs.microsoft.com/en-us/azure/security/quick-encrypt-vm-powershell#bkmk_PrereqScript

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 54). Kindle Edition.

38
Q

You are the administrator for the Contoso financial group. You are responsible for managing the key vault in Azure. You need to recover a certificate that has been deleted in the CONTOSOvault which is called “FinanceAdmin” via an API call to the Key Vault. Which statement below is correct?

A. POST http://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0
B. GET https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0
C. POST https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0
D. GET http://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 54-55). Kindle Edition.

A

C. POST https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0

Explanation:
POST https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0 is correct as this follows the correct way to recover a deleted certificate in the Azure Key Vault via API call. Here is the way the statement is used in general: POST {vaultBaseUrl}/deletedsecrets/{secret-name}/recover?api-version=7.0. It uses HTTPS by default, GET is incorrect when recovering a deleted certificate. https://docs.microsoft.com/en-us/rest/api/keyvault/restorecertificate/restorecertificate

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 55). Kindle Edition.

39
Q

You need to configure secure access to one of your production VMs. You are planning to enable secure remote access via Just-In-Time VM access. Which of the following settings can you configure? Select all that apply.

A. Port numbers
B. IP address
C. Virtual network
D. IP range
E. Time range
F. Protocol type

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 55). Kindle Edition.

A

A. Port numbers
B. IP address
D. IP range
E. Time range
F. Protocol type

Explanation:
Port number is correct as you can configure which ports are allowed to be requested to the VM. IP address and IP ranges are correct as you can either specify a specific IP or a range of IP’s allowed to connect to the resource via JIT VM access. Time range is correct as you can specify how long a user can access the VM without having to request a new session via JIT VM access. Protocol type is correct as you need to specify TCP or UDP regarding the port ranges. Virtual network is incorrect as this option is not configurable via JIT VM access. https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (pp. 55-56). Kindle Edition.

40
Q

What is the minimum Azure Active Directory built-in RBAC role required to manage Azure Key Vault?

A. Security Admin
B. Key Vault Administrator
C. Key Vault Reader
D. Key Vault Contributor
E. Reader
F. Owner

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 56). Kindle Edition.

A

D. Key Vault Contributor

Explanation:
Key Vault Contributor is the built-in RBAC role required to manage Azure Key Vault. See: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

Utrecht, Jee. Azure AZ-500 Security Technologies Practice Tests: Pratice questions with answers and explanations (p. 56). Kindle Edition.

AZ500 (19 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions