Microsoft Azure AZ-500 Security Technologies (Practice Exam #2) - Udemy Flashcards

1
Q

True or false: a guest user in Azure AD can make use of the paid Azure AD features without having a member account in Azure AD.

A. True
B. False

A

A. True

Explanation:
As you can invite external guest users to use your paid Azure AD services, for each paid Azure AD license, you can invite up to five guest users

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Describe the steps required to ensure that writing Azure SQL Database audit logs to a storage destination are uninterrupted by a storage access key refresh

A. Switch the storage destination to an alternative storage account, refresh the primary and secondary storage keys in the storage configuration of the original storage account; optionally switch the storage destination back to the original account
B. Stop the Azure SQL Server associated with the Azure SQL Database; refresh the primary and secondary storage keys in the storage configuration; start the Azure SQL Server associated with the Azure SQL database
C. No action is required - storage keys are automatically updated for SQL Data audit logs when Storage access keys are refreshed
D. Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration

A

D. Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration

Explanation:
Switching the storage configuration to secondary, refreshing the primary key, then switching the storage configuration back to primary before finally refreshing the secondary key is the recommended method to ensure uninterrupted audit logging in Azure SQL Database. You can not stop a SQL server (unless you delete the server along with all the databases on it).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

You configure Azure SQL Database auditing. You select Storage as the audit log destination and do not change the retention period. What is the effect on audit log retention?

A. A retention period must be specified
B. Audit logs are kept indefinitely
C. Audit logs are kept for the default 90 days
D. Audit logs are kept for the default of 120 days

A

B. Audit logs are kept indefinitely

Explanation:
The default retention period setting for Azure SQL Database audit logs is 0. This equals to keeping audit logs indefinitely. A retention period of 3285 days can be specified

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are the destinations available for Azure SQL server audit logs?

A. SQL Data Warehouse
B. Storage
C. Event Hubs
D. SQL Database
E. Log Analytics
F. Service Bus

A

B. Storage
C. Event Hubs
E. Log Analytics

Explanation:
Storage (account), event hubs and log analytics are supported destinations for SQL Database (and/or SQL Server) audit

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

To configure Azure Monitor log collection and analysis on an Azure VM several configuration steps are required as listed in the answer options. Identify the step that is not required.

A. Create a Log Analytics Workspace
B. Enable a Log Analytics VM Extension
C . Select logs and metrics to collect
D. Provide the VM local administrator username and password

A

D. Provide the VM local administrator username and password

Explanation:
All of the options are required to enable Azure Monitor log collection and analytics on an Azure VM except for providing a local administrator username and password. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What is the minimum required RBAC role required to view Azure Monitor logs?

A. Security Admin
B. Monitoring Contributor
C. Monitoring Administrator
D. Monitoring Reader
E. Security Reader

A

D. Monitoring Reader

Explanation:
All the roles listed are valid built in Azure roles, except for Monitoring Administrator. The minimum role required to view Azure Monitor Logs is Monitoring Reader

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Which of the following describe logging of control-plane actions on your Azure subscription?

A. Metrics
B. Diagnostic Log
C. Activity Log
D. Subscription Log
E. Tenant Log
F. Audit Log

A

C. Activity Log

Explanation:
Monitoring data from Azure comes in three basic forms: Activity log - Azure subscription control-plane log; Metrics - near real-time monitoring information emitted by resources; Diagnostic log - traditional log information emitted by resources. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which of the following are valid Azure Monitor data sources?

A. Application Insights
B. Log Analytics Agent
C. Azure Resource Diagnostic Log
D. Azure Subscription
E. Azure Tenant Audit Log
F. On-Premises Operating System

A

Overall explanation
All of the options are valid sources for Azure Monitor. Custom sources (via Data Collector API), Guest Operating Systems and Application Insights are supported for on-premises or other clouds deployments. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following are not characteristics of Azure Monitor Metrics?
A. Text or numeric data
B. Collected at regular intervals
C. Lightweight
D. Sourced from Application Insights
E. Sourced from Azure resources

A

A. Text or numeric data

Explanation:
All the options are true for Azure Monitor Metrics except for Text or numeric data. Metrics are only numeric data. Azure Monitor Logs can also contain Text data. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform#compare-azure-monitor-metrics-and-logs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What are two types of data store used by Azure Monitor?
Your selection is correct

A. Logs
B. Metrics
C. Event Hubs
D. Blobs
E. Queues

A

A. Logs
B. Metrics

Explanation:
Azure monitor stores data in Logs and Metrics data stores. The other answers are examples of Azure storage products. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

True or False: you can create custom service tags when making use of Network Security Groups?
Your answer is incorrect

TRUE
FALSE

A

FALSE

Explanation:
False is correct, you cannot create your own service tag or specify which IP’s are included within a tag.https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

True or false: when there are 2 NSG’s associated to the same subnet, when one NSG denies traffic on port 80 inbound and another allows traffic on port 80 inbound to the same VM, the traffic will automatically be blocked due to the one NSG rule that denies the traffic.

TRUE
FALSE

A

TRUE

Explanation:
True is correct, whenever a VM/subnet is associated to 2 or more NSG’s and there are conflicting rules on each NSG (i.e. one NSG has allow and one NSG deny) the NSG which has the deny rule will take preference and traffic will not pass through. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which of the following can be associated to a Network Security Group (NSG) ? Select all that apply.
Your selection is correct

A. Subnet
B. Resource Group
C. Network Interface Card (NIC)
D. Virtual Network (VNet)

A

A. Subnet
C. Network Interface Card (NIC)

Explanation:
Subnet and Network Interface cards (NIC’s) are correct, you cannot associate a VNet or resource group to a Network Security Group (NSG). https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

You need to provide RBAC access to a third party to manage a “LOB-VM”. The third party should be able to restart the VM, however not be able to shut down the VM. When using Azure CLI, how should this be defined? Select all that apply.
Your selection is correct

A. Action: Microsoft.compute/virtualmachines/restart/action
B. Action: Microsoft.compute/virtualmachines/start/action
C. NotActions:Microsoft.compute/virtualmachines/start/action
D. NotAction:Microsoft.compute/virtualmachines/shutdown/action

A

A. Action: Microsoft.compute/virtualmachines/restart/action
D. NotAction:Microsoft.compute/virtualmachines/shutdown/action

Explanation:
Option 1 is correct as you need to define the allowed action as restart. Option 4 is correct as you need to define the action which is not allowed, in this case it is shutdown. Option 2 is incorrect as you do not want the third party to start the VM as this is not a requirement. Option 3 is incorrect as you should make use of the shutdown parameter instead of start as you want to prohibit the shutdown of the VM, not the starting of the VM. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Which of the following is supported to create custom RBAC roles? Select all that apply.
Your selection is correct

A. Azure PowerShell
B. Azure CLI
C. Rest API
D. CMD

A

A. Azure PowerShell
B. Azure CLI
C. Rest API

Explanation:
Azure PowerShell, CLI and Rest API is correct and can be used to create custom RBAC roles in Azure. CMD is incorrect as this is not supported. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

When making use of resource locks, which of the following locking modes are valid? Select all that apply.
Your selection is correct

A. Read only
B. Do not delete
C. Write only

A

A. Read only
B. Do not delete

Explanation:

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

You plan on deploying anti-malware solution to your LOB application VM via security extension. Is it possible to add the anti-malware security extension on top of the built-in Windows Defender anti-malware solution running locally on the VM?
Your answer is correct

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct as it is possible to add the Azure VM Antimalware extension. It is to be noted that Windows Server 2016 OS has Windows Defender built-in by default which protects against malware. However, if you run the Azure VM Antimalware extension on top of Windows Defender, the extension will apply any optional configuration policies to be used by Windows Defender and that the extension will not deploy any additional antimalware services. https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware

18
Q

You are planning on rolling out Privilege Identity Management (PIM) to the IT and Dev department. Which of the following licenses should be assigned to your directory to enable this functionality? Select all that apply.

A. Azure AD P1
B. Azure AD P2
C. EMS E3
D. EMS E5
E. Microsoft 365 M5

A

B. Azure AD P2
D. EMS E5
E. Microsoft 365 M5

Explanation:
When you want to make use of PIM, you need one of the following trail or paid licenses assigned to your tenant: Azure AD P2, EMS E5 and Microsoft 365 M5. Azure AD P1 and EMS E3 does not support PIM functionality. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/subscription-requirements

19
Q

Which of the following statements are true when transferring the subscription ownership to another user? Select all that apply.
Your selection is correct

A. When transferring a subscription to a new Azure AD tenant, all RBAC assignments are permanently deleted from the source tenant and not migrated to the target tenant
Correct selection
B. Self-serve subscription transfer is only available for selected offers
C. When transferring a subscription to another administrator will cause downtime
D. The offer type can be changed during the transferring a subscription

A

A. When transferring a subscription to a new Azure AD tenant, all RBAC assignments are permanently deleted from the source tenant and not migrated to the target tenant
Correct selection
B. Self-serve subscription transfer is only available for selected offers

Explanation:
Option 1 is correct, when transferring a subscription to a new Azure AD tenant, all existing RBAC roles linked to the subscription will be permanently deleted and not migrated to the new tenant. Option 2 is correct as the self-serve option is only available for selected offers. Option 3 is incorrect as there will be no downtime when transferring ownership to another user/administrator. Option 4 is incorrect as you cannot change the offer type while transferring the subscription, the offer must remain the same. https://docs.microsoft.com/en-us/azure/billing/billing-subscription-transfer

20
Q

Which of the following roles are required to manage assignments for other administrators in Privilege Identity Management (PIM) for Azure AD roles?
Your selection is incorrect

A. Global administrators
B. Security administrators
C. Security readers
D. Privilege role administrator

A

D. Privilege role administrator

Explanation:
Privilege role administrator is correct as this is the only role that can manage other administrators in PIM for Azure AD roles. Global administrator, Security administrator and security readers can only view assignments to Azure AD roles in PIM. https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure

21
Q

Which of the following roles are required to manage assignments for other administrators in PIM for Azure Resource roles?

A. Subscription administrator
B. Resource owner
C. Resource User Access Administrator
D. Security administrator
E. Security reader

A

A. Subscription administrator
B. Resource owner
C. Resource User Access Administrator

Explanation:
Only these roles can manage assignments for other administrators in PIM for Azure resource roles; subscription admin, resource owner and resource user access admin. Security admin and security reader do not by default have access to view assignments to Azure resource roles in PIM

22
Q

One of the developers needs API access to the “Dev” resource group. Which of the following roles do you need to assign to the developer?

A. Owner role
B. Contributor role
C. API management contributor role
D. Reader role

A

C. API management contributor role

Explanation:
API management contributor role is correct, this also needs to be assigned on the resource group level. The developer should now be able to sign in via PowerShell

23
Q

True or false: The API management gateway IP address is constant and can be used in firewall rules as a static IP.

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct, in all tiers of API management the public IP address of the API management tenant is static of the lifetime of the tenant, however there are some exceptions like if the service is deleted and re-created. https://docs.microsoft.com/en-us/azure/api-management/api-management-faq

24
Q

True or false: You can move an API Management service from one subscription to another.

TRUE
FALSE

A

TRUE

Explanation:
True is correct, you can move the API management service from one subscription to another. https://docs.microsoft.com/en-us/azure/api-management/api-management-faq

25
Q

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

“US Subscription” which has 2 resource groups

  • East US resource group which contains
    • Virtual network 1

*West US resource group which contains

  • Virtual network 4

“Japan Subscription” which has 1 resource group

  • Japan resource group which contains
    • Virtual network 5
      Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than once correct solution, while others might not have a correct solution.
      You need to connect resources from VNet1 to Site 2 and Site 3. The connectivity solution must be encrypted and cost effective. Which of the following should you configure?

A. Site to Site VPN
B. Express Route
C. Vnet Peering
D. VNet to VNet connection

A

A. Site to Site VPN

Explanation:
Site-to-Site VPN is correct as this provides a connectivity solution between the required networks and uses IPsec encryption, this solution is also the most cost effective. Express route is incorrect as technically it can suffice as it is secure and can connect the required networks with each other, however the cost is considerably more than a VPN connection. VNet peering is incorrect as it can only be used to connect Azure virtual networks with each other and not on-premises to Azure networks. VNet-to-VNet connection is incorrect as this supports virtual networks in Azure and not on-premises workloads. https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

26
Q

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

“US Subscription” which has 2 resource groups

  • East US resource group which contains
    • Virtual network 1

*West US resource group which contains

  • Virtual network 4

“Japan Subscription” which has 1 resource group

  • Japan resource group which contains
    • Virtual network 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than once correct solution, while others might not have a correct solution.

You need to connect resources from VNet1 to VNet 5. The connectivity solution must be encrypted and cost effective with the least amount of effort to configure and maintain. Which of the following should you configure?

A. Site-to-Site VPN connection
B. Express route
C. VNet peering
D. VNet-to-VNet connection

A

D. VNet-to-VNet connection

Explanation:
VNet-to-VNet connection is correct as this provides a secure connectivity solution between the required networks, this connection also supports connectivity across different subscriptions and regions. Express route is incorrect as this is used to connect on-premises networks to Azure with low latency. VNet peering is incorrect as the traffic is not encrypted when traveling from one VNet to another VNet. Site-to-Site VPN is incorrect as this is method is used to connect on-premises networks to Azure networks, however both Site-to-Site and VNet-to-VNet connections makes use of a VPN gateway on each VNet. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-faq

27
Q

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

“US Subscription” which has 2 resource groups

  • East US resource group which contains
    • Virtual network 1

*West US resource group which contains

  • Virtual network 4

“Japan Subscription” which has 1 resource group

  • Japan resource group which contains
    • Virtual network 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than once correct solution, while others might not have a correct solution.

You need to connect resources from VNet1 to VNet 4. The connectivity solution must not route traffic over the public internet and the solution should be cost effective with the least amount of effort to configure and maintain. Which of the following should you configure?

A. Site to Site VPN
B. Express Route
C. VNet Peering
D. VNet to VNet connection

A

C. VNet Peering

Explanation:
VNet peering is correct as this is does not route traffic over the public internet, it routes traffic over the Microsoft backbone, however the data routed is not encrypted. Site-to-Site VPN is incorrect as this is method is used to connect on-premises networks to Azure networks and routes encrypted traffic over the public internet. Express route is incorrect as this is used to connect on-premises networks to Azure with low latency at a higher cost. VNet-to-VNet connection is incorrect as this routes encrypted traffic over the public internet and also is more expensive than VNet peering. https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview

28
Q

Contoso Airways has adopted Azure as their cloud platform. Contoso has 2 offices: a head office in America and a secondary office in Japan. In Azure they have the following:

“US Subscription” which has 2 resource groups

  • East US resource group which contains
    • Virtual network 1
    • “LOB VM” which is hosted on a Windows Server 2016 OS

*West US resource group which contains

  • Virtual network 4

“Japan Subscription” which has 1 resource group

  • Japan resource group which contains
    • Virtual network 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than once correct solution, while others might not have a correct solution.

You need to block the “LOB VM” from accessing the internet by using NSG rules, what is the easiest way to achieve this?

A. Create inbound NSG rule with an Internet service tag and set the action to Deny
B. Create outbound NSG rule with an Internet service tag and set the action to Deny
C. Create inbound NSG rule with an ANY Destination and set the action to Deny
D. Create outbound NSG rule with an ANY destination and set the action to Deny

A

B. Create outbound NSG rule with an Internet service tag and set the action to Deny

Explanation:
Option 2 is correct. You need to create an OUTBOUND NSG rule with an “Internet” service tag as this will automatically block the VM from accessing the internet with the built-in service tag, the deny action is correct. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview

29
Q

You need to manage inbound and outbound traffic rules at scale to specific VMs with minimum effort. You plan on creating separate inbound and outbound NSG rules with CIDR notation. Is this the easiest method to manage multiple VMs?

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
False, you need to make use of Application Security Groups (ASG’s). ASG’s allows you to group VM’s to make management easier, for example you can group several VMs with an ASG and only make changes once to the ASG instead of manually adding/removing/editing NSG rules with CIDR notation. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#application-security-groups

30
Q

You have a storage account named “BlobStore” and you have noticed that anyone can access this storage account over the internet. You need to secure this storage account so that only users from the Head Office with IP 197.145.42.202/32 can access this storage account, however you still require anonymous access over the internet to the storage metrics for this account. Which 2 options should you configure?

Your selection is incorrect
Configure Allow access from selected networks and specify 197.145.42.202/32

A. Configure Allow access from selected networks and specify 197.145.42.202/32
B. Configure Allow access from all networks
C. Configure IP ranges under the firewall section and specify 197.145.42.202/32
D. Allow trusted Microsoft services to access this storage account
E. Allow read access to storage metrics from any network

A

C. Configure IP ranges under the firewall section and specify 197.145.42.202/32
E. Allow read access to storage metrics from any network

Explanation:
Option 3 is correct as you need to specify the public IP address range you want to allow under the firewall section for the storage account. Option 5 is also correct as you need to allow only read access to storage metrics from any network. Option 1 is incorrect as you cannot specify the public IP address under the “selected networks” section as this is used to allow access from Virtual Networks in Azure to the storage account. Option 2 is incorrect as you should not configure “allow access from all networks” as you need to limit the access to specific public IPs as described in the scenario. Option 4 is incorrect as this will only allow Microsoft services access to the storage account and not the users from the Head Office. https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

31
Q

Which of the following core features are available when you deploy Microsoft anti-malware for Azure applications. Select all that apply.

A. Real-time protection
B. Malware remediation
C. Exclusions
D. Anti-malware engine and platform updates

A

A. Real-time protection
B. Malware remediation
C. Exclusions
D. Anti-malware engine and platform updates

Explanation:
All of the above are correct. When deploying Microsoft antimalware for Azure applications, some of the features are: real-time protection, malware remediation, exclusion of files, processes and drives, and automatic updates to the antimalware engine and platform. https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware

32
Q

What are the three headline capabilities of advanced data security in Azure SQL Database?

A. SQL Server Firewall
B. Data discovery and classification
C. Vulnerability assessment
D. Azure security center
E. Advanced threat protection
F. Dynamic data masking

A

B. Data discovery and classification
C. Vulnerability assessment
E. Advanced threat protection

Explanation:

33
Q

Which of the following authentication mechanisms is used by Azure HDInsight?

A. Kerberos
B. OAuth
C. SAML
D. Azure Active Directory
E. OpenID

A

A. Kerberos

Explanation:
Azure HDInsight uses Kerberos authentication provided through integration with Azure Active Directory Domain Services. The other authentication standards are not supported. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-architecture

34
Q

Multiple layers of security is recommended for Azure HDInsight. Which of the following is not considered a protection layer?

Your answer is incorrect
Perimeter security

A. Authorisation security
B. Authentication security
C. Data security
D. Cluster security

A

D. Cluster security

Explanation:
Perimeter, authentication, authorisation and data layer security is recommended. Cluster security is not considered part of deploying Azure HDInsight security. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction

35
Q

Which component is used to manage role-based access control in Azure HDInsight?

A. Azure Active Directory
B. Azure Active Directory Domain Services
C. Apache Ranger
D. Apache Hive Server
E. Apache Spark

A

C. Apache Ranger

Explanation:
Apache Ranger is used to create RBAC policies in Azure HDInsight. HDInsight is integrated with Azure AD DS for Kerberos authentication services, but RBAC is handled in the HDInsight cluster itself using Apache Ranger. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction#authorization

36
Q

How does HDInsight provide protection for data at rest?

A. Apache Hive Server Encryption
B. Azure Storage Service Encryption
C. Apache HBase Encryption
D. Apache Ranger Encryption
E. AES 256-bit Encryption

A

B. Azure Storage Service Encryption

Explanation:
HDInsight integrates with Azure Blob storage and Azure Data Lake Storage as the underlying storage infrastructure which is automatically encrypted by Azure Storage Service Encryption. SSE uses AES 256-bit, but this is not the best answer for the question. The Apache components is not responsible for encryption. https://docs.microsoft.com/en-us/azure/hdinsight/domain-joined/apache-domain-joined-introduction#encryption

37
Q

It is considered best practice to add an additional layer of access control security to Azure Cosmos DB. Which Azure features provides this capability?

A. Network Security Group
B. Azure Firewall
C. Cosmos DB Firewall
D. Network Security Appliance
E. Azure Active Directory Conditional Access
F. Azure Information Protection

A

C. Cosmos DB Firewall

Explanation:
Azure Cosmos DB has a built-in firewall service. Similar to any other database firewall, a firewall rule is required for all sites and over-the-internet connections to the database. This is the best answer to the question. Network security groups, Azure Firewall and a 3rd party firewall appliance commonly referred to as a network security appliance can all also be configured as an additional layer of security - but this is not the best answer to the question. AAD conditional access and AIP is not directly involved in Cosmos DB access control. https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#configure-ip-policy

38
Q

Azure Cosmos DB uses two types of keys to authenticate users and provide access to its data and resources. Select them from the answer options.

A. Access Key
B. Shared Access Key
C. Role Based Access Control
D. Resource Token
E. Shared Access Signature
F. Master Key

A

D. Resource Token
F. Master Key

Explanation:
Cosmos DB uses a Master Key for administrative resources: database accounts, databases, users, and permissions. It also uses a Resource Token for application resources: containers, documents, attachments, stored procedures, triggers, etc. https://docs.microsoft.com/en-us/azure/cosmos-db/database-security#how-does-azure-cosmos-db-secure-my-database

39
Q

How does Cosmos DB provide protection for data at rest?

A. Hash-based Message Authentication Code (HMAC)
B. Azure Storage Service Encryption
C. Azure Key Vault
D. SSL/TLS 1.2
E. AES 256-bit Encryption

A

B. Azure Storage Service Encryption

Explanation:
Azure storage encryption is used to encrypt data at rest for Cosmos DB. HMAC is used in Cosmos DB authorisation, but not for data encryption. Applications can make use of Cosmos DB by storing the access tokens in Azure Key Vault instead of with the application. SSL/TLS is used by the system to ensure data protection (encryption) in transit. https://docs.microsoft.com/en-us/azure/cosmos-db/database-encryption-at-rest

40
Q

How does Azure Data Lake provide protection for data at rest?

A. BitLocker
B. Azure Storage Service Encryption
C. Azure Key Vault
D. SSL/TLS 1.2
E. AES 256-bit Encryption

A

B. Azure Storage Service Encryption

Explanation:
Azure Data Lake is built on Azure Storage, just like Blobs, Tables and Queues. It uses the same underlying encryption for data at rest - Storage Service Encryption. SSE uses AES 256-bit as the underlying encryption algorithm, but this is not the best answer for the question. SSL/TLS is encryption for data in transit, not data at rest. Azure Key Vault can be used for SSE in a Bring Your Own Key scenario, but does not perform encryption itself. Bitlocker is Microsoft’s encryption technology used on the endpoint, not relevant for SSE. https://docs.microsoft.com/en-za/azure/storage/common/storage-service-encryption?toc=%2fazure%2fstorage%2fblobs%2ftoc.json#view-encryption-settings-in-the-azure-portal