Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

AZ500 > Microsoft Azure AZ-500 Security Technologies (Practice Exam #3) - Udemy > Flashcards

Microsoft Azure AZ-500 Security Technologies (Practice Exam #3) - Udemy Flashcards

1
Q

Which of the following are valid access control options for Azure Data Lake? Choose 3

A. Role Based Access Control
B. Shared Access Key
C. Shared Access Signature
D. Service Key
E. Access Key

A

A. Role Based Access Control
C. Shared Access Signature
E. Access Key

Explanation:
Access keys, Azure AD RBAC and Shared Access Signatures are all valid access control methods for storage accounts - the underlying technology for Data Lake. Service key and shared access key are not valid names for storage account access controls. https://docs.microsoft.com/en-za/azure/storage/blobs/data-lake-storage-access-control

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Your organization is planning on synchronizing their on premises identities to Azure via the AD Connect tool. You need to ensure that all domain user identities are properly formatted before they are synchronized as to not cause synchronization errors. What should you do?

A. Run the IdFix tool
B. Re-run the AD Connect application
C. Run synchronization service manager
D. Run synchronization rules editor

A

A. Run the IdFix tool

Explanation:
IdFix tool is correct as this free tool is used to isolate and remediate common errors reported by the AD Connect tool like formatting issues with domain user names. Re-running the AD Connect application will not resolve any sync issues. Running the synchronization service manager is incorrect as this tool is used to configure more advanced aspects of AD Connect like connectors and synchronization schedule. Running the synchronization rules editor is incorrect as this can only be run post-deployment of directory synchronization, this tool is used to customize user and group attributes synched between on-prem and Azure. https://docs.microsoft.com/en-us/office365/enterprise/install-and-run-idfix

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Which of the following Azure tools can help mature the security baseline specific to securing virtual networks? Select all that apply.

A. Azure Monitor
B. Azure Security Center
C. Azure policy
D. Azure portal
E. Azure AD
F. Azure Key Vault

A

C. Azure policy
D. Azure portal

Explanation:
Azure portal is correct as you can use the portal to mature network policies and processes.
Azure policy is also correct as you can enforce policies that support security baselines.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Which of the following is not a technology that can be used to visualise Azure Monitor data?

A. Azure Monitor Workbooks
B. None of the answers are correct
C. Azure Monitor Views
D. All of the answers are correct
E. Azure Dashboards
F. Power BI

A

B. None of the answers are correct

Explanation:
All of the answers provided are valid ways to visualise Azure Monitor data. The question, however, asked which of the options can not be used to visualise Azure Monitor data. None of the answer option are therefore correct. It is doubtful that the official exam will use such double-negative tactics, but it is used here as a reminder to be aware of negative answers to negative questions. See: https://docs.microsoft.com/en-us/azure/azure-monitor/visualizations

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

True or false: you can configure multiple domains to sync with ADConnect.

TRUE
FALSE

A

TRUE

Explanation:
You can configure multiple domains to sync with Azure AD via AD connect

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which of the following is not a configuration step required to create an Azure Monitor Alert?

A. Define notification action
B. Define alert condition
C. Define alert details
D. Define action group

A

A. Define notification action

Explanation:
Creating an Azure Monitor Alert required defining alert conditions, alert details and the action group. Although specifying the alert action is part of defining the action group, there is no define notification action step. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-response

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

You are configuring security for data in transit for an Azure App Service. Which of the following security tasks should be performed? Choose all that apply, do not choose any that does not apply.

A. HTTPS enforced
B. Test HTTPS
C. Bind SSL Certificate
D. Minimum TLS version enforced
E. Upload SSL Certificate

A

A. HTTPS enforced
B. Test HTTPS
C. Bind SSL Certificate
D. Minimum TLS version enforced
E. Upload SSL Certificate

Explanation:
All the answer options should be configured for Azure App Service. See: https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-custom-ssl

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Select all the answers that specify the technology and Azure resource prerequisites for Azure Disk Encryption.

A. DM-Crypt
B. BitLocker
C. Azure Key Vault
D. Azure Storage Service Encryption
E. Transparent Data Encryption
F. SSL/TLS 1.2

A

A. DM-Crypt
B. BitLocker
C. Azure Key Vault

Explanation:
Azure Disk Encryption uses BitLocker for Windows-based VMs and DM-Crypt for supported Linux-based VMs in Azure. It also requires Azure Key Vault to provide secure access to the encryption/decryption keys. https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-overview

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following roles can make use of Azure Identity Protection in the portal?
Your selection is incorrect
A. Owner role
B. Global administrator
C. Security reader
D. Contributor role
E. Security Administrator

A

B. Global administrator
C. Security reader
E. Security Administrator

Explanation:
The following roles can make use of Identity Protection: Security reader, security admin and global admin. Contributor and owner roles are both incorrect as these are related to https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/faqs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is the minimum Azure Active Directory built-in RBAC role required to manage Azure Key Vault?
A. Reader
B. Key Vault Reader
C. Security Admin
D. Key Vault Contributor
E. Key Vault Administrator
F. Owner

A

D. Key Vault Contributor

Explanation:
Key Vault Contributor is the built-in RBAC role required to manage Azure Key Vault. See: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

You are the administrator for the ACME banking group. You are responsible for managing the key vault in Azure called ACMEvault. You have decommissioned a production server which has its password stored in the key vault labelled “FinanceAdmin”. You need to remove the password from the vault by using an API call. Which API call is correct?
A. RECOVER https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
B. PURGE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
C. 1. REMOVE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0
D. DELETE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0

A

D. DELETE https://ACMEvault.vault.azure.net/secrets/FinanceAdmin?api-version=7.0

Explanation:
DELETE is the correct operation name as it references the correct vault and secret name. REMOVE not a valid operation name. PURGE is used to remove the password irreversibly, almost the same as emptying the recycle bin on your desktop. RECOVER will not suffice as this is used to recover a deleted secret on soft-delete enabled vaults. https://docs.microsoft.com/en-us/rest/api/keyvault/deletesecret/deletesecret

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

ou are the administrator for the Contoso financial group. You are responsible for all storage accounts in Azure. You have been tasked to share limited access to the Blob files in storage account “Company_function” with another company for a limited time. The other company should only be able to list and read the data in the blob storage. The other company’s administrator is familiar with Azure Storage Explorer and want you to share secure access with him by using this tool. Which information should you configure and give the administrator?

A. Provide the administrator with the storage name and key
B. Create Shared Access Signature for “Company_function” and configure the following: read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer
C. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and write permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer.
D. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer

A

D. Create Shared Access Signature for “Company_function” and configure the following: start and expiry time, read and list permissions, service access to Blobs. Send the administrator the SAS URI to be used in Storage Explorer

Explanation:
You need to create a Shared Access Signature for “Company_function” and configure start and expiry time as this is part of the time limitation request, list and read permissions are the least intrusive and blob storage is correct. The administrator should be able to use the SAS URI to configure access in Storage Explorer in their side. Option 1 is incorrect as there is write permissions assigned. Option 3 is incorrect as there is no time limitation set. Option 4 is incorrect as sending a storage name and key will not provide limited access as required. https://docs.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

You are the administrator for the Contoso financial group. You are responsible for managing the key vault in Azure. You need to update a certificate that has become stale in the CONTOSOvault which is called “WebsiteCertificate” via an API call to the Key Vault. Which statement below is correct?

A. PATCH http://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
B. POST http://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
C. PATCH https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0
D. POST https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0

A

C. PATCH https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0

Explanation:
PATCH is correct https://CONTOSOvault.vault.azure.net/certificates/WebsiteCertificate/3d31d7b36c942ad83ef36fc?api-version=7.0 is correct as this follows the correct way to update a specific certificate in the Azure Key Vault via API call. Here is the way the statement is used in general: PATCH {vaultBaseUrl}/certificates/{certificate-name}/{certificate-version}?api-version=7.0. using HTTP will not suffice as the Key Vaults use HTTPS by default and POST is not the correct action. https://docs.microsoft.com/en-us/rest/api/keyvault/updatecertificate/updatecertificate

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the following statements is true for Azure Policy initiatives?

A. A policy initiative is a policy parameter
B. A policy initiative is a collection of policies
C. A policy initiative is a policy assignment scope
D. A policy initiative is a policy assignment
E. A policy initiative is a policy definition

A

B. A policy initiative is a collection of policies

Explanation:
One can assign a built-in policy within a specific scope. Similarly, one can also define a custom policy for assignment. Policies can be parameterised to make them more generic. Lastly, one can define Policy Initiatives that are collections of policies that can be parameterised and assigned at the same time. See: https://docs.microsoft.com/en-us/azure/governance/policy/overview#initiative-definition

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Azure backup can be configured to Azure VMs. What is used to ensure data is encrypted at rest?

A. Transparent Data Encryption
B. Azure Storage Service Encryption
C. Azure Recovery Vault
D. Azure Recovery Services
E. Passphrase

A

B. Azure Storage Service Encryption

Explanation:
When using Azure backup to backup Azure VMs, Azure Storage Service encryption is used to encrypt the backup. See: https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq#encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the default retention period for Azure Monitor logs?

A. 60 days
B. 3 years
C. 90 days
D. 30 days
E. 1 year
F. Indefinite

A

C. 90 days

Explanation:
Azure monitor retains logs for 90 days before starting to purge the oldest logs. You can set up log archival to a storage account if a longer retention is required. See: https://docs.microsoft.com/en-us/azure/azure-monitor/learn/tutorial-archive-data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

You are the administrator for the ACME banking group. You are responsible for managing the key vault in Azure. You need to create a new certificate in the ACMEvault with a key size of 2018 and that cannot be reused via an API call which should be called ACMEcertificate. Which statement below is correct?
A. GET https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0
B. SET https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0
C. POST https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0
D. POST http://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0

A

C. POST https://ACMEvault.vault.azure.net/certificates/ACMEcertificate/create?api-version=7.0

Explanation:
POST {https://ACMEvault.vault.azure.net}/certificates/{ACMEcertificate}/create?api-version=7.0 is correct as this follows the correct way to create a new certificate. Here is the way the statement is used in general: POST {vaultBaseUrl}/certificates/{certificate-name}/create?api-version=7.0. It uses HTTPS by default, GET and SET are incorrect when creating a new certificate. https://docs.microsoft.com/en-us/rest/api/keyvault/createcertificate/createcertificate

18
Q

True or false: you can configure multiple AD Connect connectors for the same Active Directory domain.

TRUE
FALSE

A

FALSE

Explanation:
False is correct, multiple connectors for the same AD domain are not supported. You can however configure a secondary connector in staging mode for DR purposes. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-faq

19
Q

You need to configure additional Network Security Group rules to allow the following types of traffic: * Remote Desktop Protocol * SSH * Secure web traffic Which three ports should you configure as part of the NSG rules?

Port 22
Port 443
Port 23
Port 389
Port 80
Port 3389

A

Port 22
Port 443
Port 3389

Explanation:
Port 22 is correct as this is used for SSH, Port 443 is correct as this is used for secure web traffic (HTTPS), Port 3389 is correct as this is used for RDP. Port 23 is incorrect as this is used for Telnet. Port 80 is incorrect as this is used for insecure web traffic. Port 389 is incorrect as this is used with Lightweight Directory Access Protocol (LDAP). https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

20
Q

You have configured VNet peering between 2 VNets in your “Production” resource group. You implement an Azure firewall and create a user defined route (UDR) that forces all traffic through the firewall. Will traffic destined to route over the VNet peering link be forced to route through the firewall?

NO
YES

A

NO

Explanation:
No is correct, even if there is a UDR defined for all traffic to route through the Azure firewall, traffic going over the VNet peering link will not go through the UDR (Azure firewall) and instead go directly over the peered link. https://docs.microsoft.com/en-us/azure/firewall/tutorial-hybrid-ps

21
Q

Azure backup can be configured to backup on-premises VMs. What is used to ensure data is encrypted at rest?

A. Passphrase
B. Azure Recovery Servies
C. Transparent Data Encryption
D. Azure Storage Service Encryption
E. Azure Recovery Vault

A

A. Passphrase

Explanation:
When using Azure backup to backup on-premises VMs a passphrase is used along with AES256 to encrypt the backup. See: https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq#encryption

22
Q

Select the most accurate description of the Always Encrypted feature of Azure SQL Database.

A. User-level encryption
B. Network-level encryption
C. Database-level encryption
D. Column-level encryption
E. Row-level encryption
F. Table-level encryption

A

D. Column-level encryption

Explanation:
Always Encrypted is applied on the data in the database at a column level. Unlike Transparent Data Encryption used by Azure SQL Database where the encryption/decryption key is known to the database management engine, Always Encrypted performs encryption/decryption on the endpoint application, out of band of the database engine. https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-2017

23
Q

You have been requested to configure VM security in the form of encrypting IaaS VM disks. You are planning to make use of PowerShell to encrypt the disks. Complete the following PowerShell command: Set-1 -ResourceGroupName “MySecureRG” -VMName “MySecureVM” -2 “VaultID” -3 “VaultURL”

A. 1 = DiskEncryptionKeyVaultUrl, 2 = DiskEncryptionKeyVaultId, 3 = AzVmDiskEncryptionExtension
B. 1 = AzVmDiskEncryptionExtension, 2 = DiskEncryptionKeyVaultId, 3 = DiskEncryptionKeyVaultUrl
C. 1 = AzVmDiskEncryptionExtension, 2 = DiskEncryptionKeyVaultUrl, 3 = DiskEncryptionKeyVaultId

A

B. 1 = AzVmDiskEncryptionExtension, 2 = DiskEncryptionKeyVaultId, 3 = DiskEncryptionKeyVaultUrl

Explanation:
The correct command is as follows: Set-AzVmDiskEncryptionExtension -ResourceGroupName “MySecureRG” -VMName “MySecureVM” -DiskEncryptionKeyVaultId “VaultID” -DiskEncryptionKeyVaultUrl “VaultUrl”. You need to use the AzVmDiskEncryption command first followed by the DiskEncryptionKeyVaultID and lastly the DiskEncryptionKeyVaultUrl command. https://docs.microsoft.com/en-us/azure/security/quick-encrypt-vm-powershell#bkmk_PrereqScript

24
Q

Azure Policy allows the assignment of a policy to a management group. What level of scope is provided by management groups?

A. Tenant
B. Resource
C. All of the options
D. Resource group
E. Subscription

A

E. Subscription

Explanation:
An Azure management group provides a level of scope at the subscription level. One can assign a policy to a management group which is made up of a defined set of subscriptions. All subscriptions in the management group inherits the policy. A root management group is created that contains all other management groups. See: https://docs.microsoft.com/en-za/azure/governance/management-groups/index and https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy#management-groups

25
Q

You have synchronized your IT departments on-premises identities with Azure AD via the AD Connect tool. You need to onboard the rest of the on-premises users with the least amount of effort. What should you do?

A. Stop the synchronization service
B. Restart the ADConnect VM
C. Re-run the ADConnect tool
D. Uninstall and re-install the ADConnect tool

A

C. Re-run the ADConnect tool

Explanation:
Re-run ADConnect tool is correct, this will allow you to customize the synchronization properties to add additional Object Unit filtering. Uninstall and re-install ADConnect is incorrect as this will take more effort than to re-run the ADConnect tool. Stopping the synchronization service is incorrect as this will stop all configured identities from synching. Restarting the ADConnect VM is incorrect as this will not enable you to onboard the additional users. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-installation-wizard

26
Q

Which of the following Azure features provide the capability to define and enforce security settings when new Azure resources are created?

A. Role-Based Access Control
B. Azure Resource Manager
C. Azure Security Center
D. Azure Policy
E. Azure Advanced Threat Protection

A

D. Azure Policy

Explanation:
Azure Policy can be used to enforce security settings when new Azure resources are created. Security policies is visible in Azure Security Center, but the capability is provided by Azure Policy. Azure Resource Manager is the service used to provision resources in Azure - it will respect assigned policies, but doesn’t provide the ability to define security policies. RBAC can be used to prevent certain users from creating resources, but doesn’t enforce what security settings that must be applied when RBAC allows the creation of resources. ATP detects and can be configured to respond to breaches in security, but doesn’t allow the definition and enforcement of security settings to be applied when new resources are created. See: https://docs.microsoft.com/en-us/azure/security-center/tutorial-security-policy

27
Q

Which of the following Azure tools can help mature the security baseline specific to detecting malicious activity? Select all that apply.

A. Azure policy
B. Azure Security Center
C. Azure Monitor
D. Azure Key Vault
E. Azure AD
F. Azure portal

A

C. Azure Monitor

Explanation:
Azure Security Center is correct as this tool allows you to mature the policies and processes in your Azure environment. Azure monitor is correct as this tool can also be used in maturing polices and processes regarding security baselines in Azure. The Azure portal, Key vault, Azure AD and Azure policy cannot be used as a tool regarding a security baseline when detecting malicious activity in your Azure environment. https://docs.microsoft.com/bs-latn-ba/azure/architecture/cloud-adoption/governance/security-baseline/toolchain

28
Q

What PowerShell cmdlet is used to initiate Azure Disk Encryption for a Linux-based VM on Azure?

A. Disable-AzVMDiskEncryption
B. Set-AzVMDiskEncryption
C. Get-AzVmDiskEncryptionStatus
D. Set-AzVMDiskEncryptionLinux
E. Set-AzVMDiskEncryptionExtension
F. Set-AzVMDiskEncryptionWindows

A

E. Set-AzVMDiskEncryptionExtension

Explanation:
Set-AzVMDiskEncryptionExtension is the correct answer. The same cmdlet is used for both Windows and Linux VMs See https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-linux

29
Q

What are the three authentication mechanisms that an application can use when using Azure Key Vault for storing secrets, certificates and/or keys?

A. Container instance registry
B. Azure app registry
C. Service principal with secret
D. Service principal with certificate
E. Service principal with encrypted credential
F. Managed identities for Azure resources

A

C. Service principal with secret
D. Service principal with certificate
F. Managed identities for Azure resource

Explanation:
The preferred method for applications to authenticate with an integrated Azure Key Vault is via Managed identities for Azure resources. Alternatively, applications can use service principal with secret or service principal with certificate. None of the other options exist - they are made-up. See: https://docs.microsoft.com/en-za/azure/key-vault/key-vault-whatis

30
Q

You are the administrator for the Contoso financial group. You are responsible for managing the key vault in Azure. You need to recover a certificate that has been deleted in the CONTOSOvault which is called “FinanceAdmin” via an API call to the Key Vault. Which statement below is correct?
A. GET http://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0
B. GET https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0
C. POST http://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0
D. POST https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0

A

D. POST https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0

Explanation:
POST https://CONTOSOvault.vault.azure.net/deletedsecrets/FinanceAdmin/recover?api-version=7.0 is correct as this follows the correct way to recover a deleted certificate in the Azure Key Vault via API call. Here is the way the statement is used in general: POST {vaultBaseUrl}/deletedsecrets/{secret-name}/recover?api-version=7.0. It uses HTTPS by default, GET is incorrect when recovering a deleted certificate. https://docs.microsoft.com/en-us/rest/api/keyvault/restorecertificate/restorecertificate

31
Q

What PowerShell cmdlet is used to initiate Azure Disk Encryption for a Windows-based VM on Azure?

A. Get-AzVmDiskEncryptionStatus
B. Disable-AzVMDiskEncryption
C. Set-AzVMDiskEncryptionExtension
D. Set-AzVMDiskEncryptionLinux
E. Set-AzVMDiskEncryptionWindows
F. Set-AzVMDiskEncryption

A

C. Set-AzVMDiskEncryptionExtension

Explanation:
Set-AzVMDiskEncryptionExtension is the correct answer. The same cmdlet is used for both Windows and Linux VMs See https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-windows

32
Q

You notice a recommendation in the Azure Security Center to add a vulnerability assessment solution to your Azure virtual machines. Which of the following options are Azure Security Center-integrated solutions to the recommendation. Select two.

A. Microsoft Advanced Threat Analytics
B. Qualys
C. Nessus
D. Azure Log Analytics
E. Rapid7
F. Azure Monitor

A

B. Qualys
E. Rapid7

Explanation:
Azure Security Center supports Qualys and Rapid7 as integrated vulnerability assessment solutions. Nessus is not currently integrated with Azure Security Center. Azure Log Analytics, Azure Monitor and Microsoft ATA are not vulnerability assessment solutions related to this ASC recommendation. See: https://docs.microsoft.com/en-us/azure/security-center/security-center-vulnerability-assessment-recommendations

33
Q

True of false: Azure firewall supports inbound and outbound filtering.

A. TRUE
B. FALSE

A

A. TRUE

Explanation:
True is correct as the Azure firewall supports inbound and outbound filtering, however inbound filtering is for non HTTP/S protocols i.e. RDP, SSH and FTP protocols are supported. https://docs.microsoft.com/en-us/azure/firewall/firewall-faq

34
Q

True of false: Just-in-time VM access will automatically create the NSG rules, however you will need to manually remove the NSG rules afterwards.

A. TRUE
B. FALSE

A

B. FALSE

Explanation:
False is correct, JIT VM Access will automatically create the NSG rules to the user to connect securely to the VM and will also automatically remove the NSG rule it created after the configured time expired. https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

35
Q

You need to configure secure access to one of your production VMs. You are planning to enable secure remote access via Just-In-Time VM access. Which of the following settings can you configure? Select all that apply.

A. Time range
B. Virtual network
C. IP range
D. Port numbers
E. Protocol type
F. IP address

A

A. Time range
C. IP range
D. Port numbers
E. Protocol type
F. IP address

Explanation:
Port number is correct as you can configure which ports are allowed to be requested to the VM. IP address and IP ranges are correct as you can either specify a specific IP or a range of IP’s allowed to connect to the resource via JIT VM access. Time range is correct as you can specify how long a user can access the VM without having to request a new session via JIT VM access. Protocol type is correct as you need to specify TCP or UDP regarding the port ranges. Virtual network is incorrect as this option is not configurable via JIT VM access. https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

36
Q

You are the administrator of all resources in Azure. You need to enforce all new resources created to a specific region. Solution: You create an Azure policy Does this meet the requirements?

A. FALSE
B. TRUE

A

B. TRUE

Explanation:
True is correct, you can create an Azure Policy to enforce a specific region when new resources are created. https://docs.microsoft.com/en-us/azure/governance/policy/samples/allowed-locations

37
Q

When securing Azure Key Vault one has to secure the management plane and the data plane. Which of these options is relevant when securing the management plane?

A. Set key vault tags
B. Create RBAC roles
C. Create key vault keys
D. Create, read, update, delete key vaults
E. Set key vault secrets
F. Set key vault access policies

A

A. Set key vault tags
D. Create, read, update, delete key vaults
F. Set key vault access policies

Explanation:
Key vault management plane security operations covers administering the key vault itself; whereas the data plane covers the data (keys and secrets) inside the key vault. One would use built-in RBAC roles as part of assigning access control to the vault. One can create a custom RBAC role as part of this, but that would be performed in AAD and is not considered part of vault security operations. See: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#resource-endpoints

38
Q

Which single Azure SQL Database feature provides data security for data at rest, data in transit and data in use?

A. AES Encryption
B. Transparent Data Encryption
C. SSL/TLS 1.2
D. Azure Key Vault
E. Azure Storage Service Encryption
F. Always Encrypted

A

F. Always Encrypted

Explanation:
Always Encrypted is a data encryption technology in Azure SQL Database and SQL Server that helps protect sensitive data at rest on the server, during movement between client and server, and while the data is in use, ensuring that sensitive data never appears as plain text inside the database system. The encryption is performed on the endpoint application before writing the data to the database. The encryption keys are not revealed to the database management system. The encrypted data is also not readable by other privileged users like database administrators. https://docs.microsoft.com/en-us/azure/sql-database/sql-database-always-encrypted-azure-key-vault

39
Q

When securing Azure Key Vault one has to secure the management plane and the data plane. Which of these options is relevant when securing the data plane?

A. Set key vault access policies
B. Set key vault secrets
C. Create key vault
D. Create RBAC roles
E. Create key vault keys
F. Set key vault tags

A

B. Set key vault secrets
E. Create key vault keys

Explanation:
Key vault management plane security operations covers administering the key vault itself; whereas the data plane covers the data (keys and secrets) inside the key vault. One would use built-in RBAC roles as part of assigning access control to the vault. One can create a custom RBAC role as part of this, but that would be performed in AAD and is not considered part of vault security operations. See: https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#resource-endpoints

40
Q

How does Azure SQL Database provide protection for data at rest?

A. Transparent Data Encryption
B. AES Encryption
C. Azure Key Vault
D. SSL/TLS 1.2
E. Azure Storage Service Encryption

A

A. Transparent Data Encryption

Explanation:
Azure SQL Database has a built-in data at rest encryption capability called Transparent Data Encryption. The encryption key is managed by Microsoft, but it is possible to bring your own key through the TDE integration with Azure Key Vault - Key Vault is not the best answer here though. SSL/TLS is used for securing data in transit. Bitlocker is used for endpoint encryption, not for SQL Database encryption. By default TDE uses the AES encryption algorithm, but this is also not the best answer for the question. TDE is used for database encryption and is very similar to the Azure Storage counterpart called Storage Service Encryption. https://docs.microsoft.com/en-us/azure/sql-database/transparent-data-encryption-azure-sql

AZ500 (19 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions