Microsoft Azure AZ-500 Security Technologies (Practice Exam #2) - Udemy Flashcards
True or false: a guest user in Azure AD can make use of the paid Azure AD features without having a member account in Azure AD.
A. True
B. False
A. True
Explanation:
External guest users can be invited to use your paid Azure AD features without holding a member account: for each paid Azure AD license in the tenant, you can invite up to five guest users.
Describe the steps required to ensure that writing Azure SQL Database audit logs to a storage destination are uninterrupted by a storage access key refresh
A. Switch the storage destination to an alternative storage account, refresh the primary and secondary storage keys in the storage configuration of the original storage account; optionally switch the storage destination back to the original account
B. Stop the Azure SQL Server associated with the Azure SQL Database; refresh the primary and secondary storage keys in the storage configuration; start the Azure SQL Server associated with the Azure SQL database
C. No action is required - storage keys are automatically updated for SQL Data audit logs when Storage access keys are refreshed
D. Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration
D. Switch the storage access key in the audit configuration to secondary; refresh the primary storage key in the storage configuration; switch the storage access key in the audit configuration to primary; refresh the secondary storage access key in the storage configuration
Explanation:
Switching the audit configuration to the secondary key, regenerating the primary key, switching the audit configuration back to the primary key and only then regenerating the secondary key is the recommended method for uninterrupted audit logging in Azure SQL Database: at no point is the key the audit configuration is using regenerated. Option B is wrong because an Azure SQL logical server cannot be stopped (it can only be deleted, together with all the databases on it). Option C is wrong because the audit configuration stores the key value that was current when it was set and does not pick up a regenerated key automatically.
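The ordering argument above, as an added example (not part of the practice exam): a small model of the storage account's key pair and of the audit configuration, which stores the key value current when a key type was selected, used to check after every step whether audit writes still work. Key values and step sequences are constructed for illustration.

```python
# Added example (not from the practice exam): model the storage account key
# pair and the SQL audit configuration, then check which rotation orderings
# keep audit writes working. Key values are constructed placeholders.


class StorageAccount:
    def __init__(self):
        self.keys = {"primary": "primary-v1", "secondary": "secondary-v1"}
        self._version = 1

    def regenerate(self, which):
        """Regenerate one access key; the old value stops working immediately."""
        self._version += 1
        self.keys[which] = f"{which}-v{self._version}"

    def accepts(self, key_value):
        return key_value in self.keys.values()


class AuditConfig:
    """Auditing keeps the key value that was current when the key type was selected."""

    def __init__(self, storage, key_type="primary"):
        self.storage = storage
        self.use_key(key_type)

    def use_key(self, key_type):
        """Switch the audit configuration to primary/secondary, reading the current value."""
        self.key_type = key_type
        self.stored_key = self.storage.keys[key_type]

    def can_write(self):
        return self.storage.accepts(self.stored_key)


def run_rotation(steps):
    """Apply steps to a fresh account/config; return can_write() after each step."""
    storage = StorageAccount()
    audit = AuditConfig(storage)
    results = []
    for step in steps:
        step(storage, audit)
        results.append(audit.can_write())
    return results


# Option D: the key in use is never the one being regenerated.
RECOMMENDED = [
    lambda s, a: a.use_key("secondary"),
    lambda s, a: s.regenerate("primary"),
    lambda s, a: a.use_key("primary"),
    lambda s, a: s.regenerate("secondary"),
]

# Regenerating both keys without touching the audit configuration (what option C
# assumes is safe): the first regeneration breaks audit writes and nothing repairs them.
NAIVE = [
    lambda s, a: s.regenerate("primary"),
    lambda s, a: s.regenerate("secondary"),
]

if __name__ == "__main__":
    print(run_rotation(RECOMMENDED))  # [True, True, True, True]
    print(run_rotation(NAIVE))        # [False, False]
```

The same invariant applies to any other consumer of a storage access key (diagnostic settings, application connection strings): move consumers to the key you are not about to regenerate first.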
You configure Azure SQL Database auditing. You select Storage as the audit log destination and do not change the retention period. What is the effect on audit log retention?
A. A retention period must be specified
B. Audit logs are kept indefinitely
C. Audit logs are kept for the default 90 days
D. Audit logs are kept for the default of 120 days
B. Audit logs are kept indefinitely
Explanation:
The default retention period for Azure SQL Database audit logs is 0, which means the logs are kept indefinitely. A retention period of up to 3285 days can be specified.
What are the destinations available for Azure SQL server audit logs?
A. SQL Data Warehouse
B. Storage
C. Event Hubs
D. SQL Database
E. Log Analytics
F. Service Bus
B. Storage
C. Event Hubs
E. Log Analytics
Explanation:
Storage (a storage account), Event Hubs and Log Analytics are the supported destinations for SQL Database and SQL Server auditing.
To configure Azure Monitor log collection and analysis on an Azure VM several configuration steps are required as listed in the answer options. Identify the step that is not required.
A. Create a Log Analytics Workspace
B. Enable a Log Analytics VM Extension
C. Select logs and metrics to collect
D. Provide the VM local administrator username and password
D. Provide the VM local administrator username and password
Explanation:
All of the options are required to enable Azure Monitor log collection and analytics on an Azure VM except for providing a local administrator username and password. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/quick-collect-azurevm
What is the minimum required RBAC role required to view Azure Monitor logs?
A. Security Admin
B. Monitoring Contributor
C. Monitoring Administrator
D. Monitoring Reader
E. Security Reader
D. Monitoring Reader
Explanation:
All the roles listed are valid built-in Azure roles except Monitoring Administrator, which does not exist. The minimum role required to view Azure Monitor logs is Monitoring Reader.
Which of the following describe logging of control-plane actions on your Azure subscription?
A. Metrics
B. Diagnostic Log
C. Activity Log
D. Subscription Log
E. Tenant Log
F. Audit Log
C. Activity Log
Explanation:
Monitoring data from Azure comes in three basic forms: Activity log - Azure subscription control-plane log; Metrics - near real-time monitoring information emitted by resources; Diagnostic log - traditional log information emitted by resources. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources
Which of the following are valid Azure Monitor data sources?
A. Application Insights
B. Log Analytics Agent
C. Azure Resource Diagnostic Log
D. Azure Subscription
E. Azure Tenant Audit Log
F. On-Premises Operating System
A. Application Insights
B. Log Analytics Agent
C. Azure Resource Diagnostic Log
D. Azure Subscription
E. Azure Tenant Audit Log
F. On-Premises Operating System
Explanation:
All of the options are valid sources for Azure Monitor. Custom sources (via the Data Collector API), guest operating systems and Application Insights are also supported for on-premises or other-cloud deployments. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources
Which of the following are not characteristics of Azure Monitor Metrics?
A. Text or numeric data
B. Collected at regular intervals
C. Lightweight
D. Sourced from Application Insights
E. Sourced from Azure resources
A. Text or numeric data
Explanation:
All the options are true for Azure Monitor Metrics except for Text or numeric data. Metrics are only numeric data. Azure Monitor Logs can also contain Text data. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform#compare-azure-monitor-metrics-and-logs
What are two types of data store used by Azure Monitor?
A. Logs
B. Metrics
C. Event Hubs
D. Blobs
E. Queues
A. Logs
B. Metrics
Explanation:
Azure monitor stores data in Logs and Metrics data stores. The other answers are examples of Azure storage products. See: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-platform
True or False: you can create custom service tags when making use of Network Security Groups?
TRUE
FALSE
FALSE
Explanation:
False is correct: you cannot create your own service tags or specify which IP addresses are included in a tag. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#service-tags
True or false: when two NSGs apply to the same VM (one associated with the subnet and one with the VM's NIC), and one NSG denies inbound traffic on port 80 while the other allows inbound traffic on port 80, the traffic is blocked because of the NSG rule that denies it.
TRUE
FALSE
TRUE
Explanation:
True is correct. A subnet and a NIC can each have only one NSG, but a VM can be subject to both. Inbound traffic is evaluated by the subnet NSG first and then by the NIC NSG (outbound traffic in the reverse order), and it must be allowed by both; a deny in either NSG blocks the traffic. Within one NSG, rules are evaluated in priority order (lowest number first) and the first match decides. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
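The evaluation described above, as an added example (not part of the practice exam): a model of inbound NSG evaluation that applies the subnet NSG and then the NIC NSG, each with priority ordering and Azure's default inbound rules appended. The rules and traffic used below are constructed for illustration; only inbound traffic, TCP ports and service-tag sources are modelled.

```python
# Added example (not from the practice exam): inbound NSG evaluation across a
# subnet NSG and a NIC NSG. Rules and traffic below are constructed samples.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    priority: int   # 100-4096 for custom rules; lower numbers are evaluated first
    access: str     # "Allow" or "Deny"
    port: str       # "*", "80", or a range such as "1024-65535"
    source: str     # "*" or a service tag such as "Internet" or "VirtualNetwork"


# Azure's default inbound rules (priorities 65000 and above); custom rules always
# sort ahead of them, so a custom Deny or Allow wins over these.
DEFAULT_INBOUND = [
    Rule(65000, "Allow", "*", "VirtualNetwork"),
    Rule(65001, "Allow", "*", "AzureLoadBalancer"),
    Rule(65500, "Deny", "*", "*"),
]


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def evaluate_nsg(rules, port, source):
    """Within one NSG the first matching rule in priority order decides."""
    for rule in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _port_matches(rule.port, port) and rule.source in ("*", source):
            return rule.access == "Allow"
    return False  # not reachable: DenyAllInBound matches everything


def inbound_allowed(subnet_rules, nic_rules, port, source):
    """Inbound: subnet NSG first, then NIC NSG; both must allow the traffic."""
    return evaluate_nsg(subnet_rules, port, source) and evaluate_nsg(nic_rules, port, source)


# Constructed sample NSGs for the flashcard scenario.
SUBNET_NSG = [Rule(100, "Allow", "80", "Internet")]
NIC_NSG_DENY = [Rule(100, "Deny", "80", "*")]
NIC_NSG_ALLOW = [Rule(100, "Allow", "80", "Internet")]
# A lower-priority Deny is shadowed by a higher-priority Allow within the same NSG.
NIC_NSG_SHADOWED = [Rule(100, "Allow", "80", "Internet"), Rule(200, "Deny", "80", "*")]

if __name__ == "__main__":
    print(inbound_allowed(SUBNET_NSG, NIC_NSG_DENY, 80, "Internet"))      # False
    print(inbound_allowed(SUBNET_NSG, NIC_NSG_ALLOW, 80, "Internet"))     # True
    print(inbound_allowed(SUBNET_NSG, [], 80, "Internet"))                # False
    print(inbound_allowed(SUBNET_NSG, NIC_NSG_SHADOWED, 80, "Internet"))  # True
```

Note the third case: a NIC NSG with no custom rules still blocks Internet traffic, because the only default rule matching an Internet source is DenyAllInBound. Attaching an empty NSG is not a no-op.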
Which of the following can be associated to a Network Security Group (NSG) ? Select all that apply.
A. Subnet
B. Resource Group
C. Network Interface Card (NIC)
D. Virtual Network (VNet)
A. Subnet
C. Network Interface Card (NIC)
Explanation:
Subnet and Network Interface Card (NIC) are correct; an NSG cannot be associated with a VNet or a resource group. https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
You need to provide RBAC access to a third party to manage a “LOB-VM”. The third party should be able to restart the VM, however not be able to shut down the VM. When using Azure CLI, how should this be defined? Select all that apply.
A. Action: Microsoft.compute/virtualmachines/restart/action
B. Action: Microsoft.compute/virtualmachines/start/action
C. NotActions:Microsoft.compute/virtualmachines/start/action
D. NotAction:Microsoft.compute/virtualmachines/shutdown/action
A. Action: Microsoft.compute/virtualmachines/restart/action
D. NotAction:Microsoft.compute/virtualmachines/shutdown/action
Explanation:
Option A is correct because the allowed action must be defined as restart. Option D is correct per the exam key because the action that is not allowed, shutdown, is listed under NotActions. Option B is incorrect because starting the VM is not a requirement. Option C is incorrect because it excludes start rather than shutdown. Two practitioner caveats: NotActions only subtracts from what the same role's Actions grants (it is not a deny), so a role whose Actions list contains only restart/action cannot stop a VM with or without a NotActions entry; NotActions matters when Actions uses a wildcard such as Microsoft.Compute/virtualMachines/*. And in the published resource provider operations the stop operations are Microsoft.Compute/virtualMachines/powerOff/action and Microsoft.Compute/virtualMachines/deallocate/action; shutdown/action is not a defined operation. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-cli https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
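Two custom role definitions for this scenario, as an added example (not part of the practice exam or of Microsoft's documentation): one that grants only restart, and one that grants a wildcard and subtracts the stop operations with NotActions, together with a checker that applies the Actions-minus-NotActions semantics with Azure's case-insensitive `*` matching. The role names, descriptions and subscription id are placeholders.

```python
# Added example (not from the practice exam): custom role definitions in the JSON
# shape `az role definition create --role-definition @role.json` accepts, plus a
# checker applying Azure RBAC's Actions/NotActions semantics. The subscription id
# and role names are placeholders.
import json
import re

SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Restart only: no NotActions entry is needed, since Actions never grants a stop.
LOB_VM_RESTARTER = {
    "Name": "LOB-VM Restarter (example)",
    "IsCustom": True,
    "Description": "Can read and restart LOB-VM; cannot stop, deallocate or start it",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
    ],
    "NotActions": [],
    "AssignableScopes": [SUBSCRIPTION],
}

# Wildcard grant with subtraction: here NotActions does the work. The published
# stop operations are powerOff/action and deallocate/action (no shutdown/action).
LOB_VM_OPERATOR = {
    "Name": "LOB-VM Operator (example)",
    "IsCustom": True,
    "Description": "Everything on virtual machines except stopping them",
    "Actions": ["Microsoft.Compute/virtualMachines/*"],
    "NotActions": [
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Compute/virtualMachines/deallocate/action",
    ],
    "AssignableScopes": [SUBSCRIPTION],
}


def _pattern(spec):
    """Operation patterns are case-insensitive; '*' matches any run of characters, '/' included."""
    return re.compile("^" + ".*".join(re.escape(part) for part in spec.split("*")) + "$", re.IGNORECASE)


def is_permitted(role, operation):
    """Permitted iff an Actions pattern matches and no NotActions pattern does.
    NotActions subtracts from this role's Actions only; it is not a deny and does
    not affect permissions granted by any other role assignment."""
    granted = any(_pattern(p).match(operation) for p in role["Actions"])
    subtracted = any(_pattern(p).match(operation) for p in role.get("NotActions", []))
    return granted and not subtracted


def role_definition_json(role):
    """Serialize for `az role definition create --role-definition @role.json`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    for op in ("restart/action", "powerOff/action", "deallocate/action", "start/action"):
        full = "Microsoft.Compute/virtualMachines/" + op
        print(op, is_permitted(LOB_VM_RESTARTER, full), is_permitted(LOB_VM_OPERATOR, full))
    print(role_definition_json(LOB_VM_RESTARTER))
```

To deploy, write the JSON to a file and run `az role definition create --role-definition @role.json`, then assign it at the narrowest scope that works, for example `az role assignment create --assignee <principal-id> --role "LOB-VM Restarter (example)" --scope <resource id of LOB-VM>` (placeholders in angle brackets). Because NotActions is not a deny, a third party who also holds Contributor elsewhere on the VM's scope can still stop it; the checker here evaluates a single role, not the union of all assignments.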
Which of the following is supported to create custom RBAC roles? Select all that apply.
A. Azure PowerShell
B. Azure CLI
C. Rest API
D. CMD
A. Azure PowerShell
B. Azure CLI
C. Rest API
Explanation:
Azure PowerShell, Azure CLI and the REST API are correct and can all be used to create custom RBAC roles in Azure. CMD is incorrect as this is not supported. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
When making use of resource locks, which of the following locking modes are valid? Select all that apply.
A. Read only
B. Do not delete
C. Write only
A. Read only
B. Do not delete
Explanation: