Microsoft Azure Security Solutions Flashcards
Which of the following statements regarding auditing an Azure SQL database is correct?
A. Auditing policies apply to only individual databases on the Azure SQL Database server, not to all databases on the entire server.
B. Auditing policies apply to all databases on the entire Azure SQL Database server, not to individual databases on the server.
C. Reviewing audit reports allows you to identify unusual activity and suspicious events.
D. Microsoft recommends simultaneously using server blob auditing and database blob auditing.
C. Reviewing audit reports allows you to identify unusual activity and suspicious events.
Explanation:
Auditing your SQL databases helps organizations not only to maintain regulatory compliance, but also to understand what's going on within the database.
It also helps track down information on anomalies that may or may not be related to suspected security violations or business concerns.
By analyzing audit reports on a regular basis, it becomes easier to identify unusual activity and suspicious events.
Which Azure AD tool do we use for credential synchronization and sign in?
A. Active Directory Federation Services (AD FS)
B. DirSync
C. Azure AD Sync
D. Azure AD Connect
D. Azure AD Connect
Explanation:
DirSync and Azure AD Sync are deprecated in favor of the newer Azure AD Connect tool.
AD FS is irrelevant.
The Shared Responsibility Model defines the responsibilities of the cloud service provider (CSP) and customer. Which of these responsibilities is owned by the customer across all service types (IaaS, PaaS, SaaS)?
A. Client and endpoint protection
B. Data classification and accountability
C. Application level controls
D. Identity and access management
B. Data classification and accountability
Explanation:
Ensuring that the data is classified correctly and that the solution will be compliant with regulatory obligations is the responsibility of the customer.
Physical security is the one responsibility that is wholly owned by cloud service providers when using cloud computing.
The remaining responsibilities are shared between customers and cloud service providers.
You want to provide a third party temporary access to a single file, and only this file, stored in Azure Storage’s Azure Files. Which type of shared access signature (SAS) should you provide?
A. A user delegation SAS
B. A service SAS
C. An account SAS
D. Any kind of SAS will work.
B. A service SAS
Explanation:
A user delegation SAS, which applies to Blob storage only, is secured with Azure AD credentials and by the permissions specified for the SAS.
A service SAS is secured with the storage account key and is used to delegate access to a resource in either Blob storage, Queue storage, Table storage or Azure Files.
It delegates access to a resource in just one of the services.
An account SAS is also secured with the storage account key.
However, unlike a service SAS, it delegates access to resources in one or more of the storage services.
Which of the following features is used to encrypt data at rest within an Azure SQL Database?
A. Transparent Data Encryption (TDE)
B. The Always Encrypted setting
C. SQL Database Auditing
D. Azure SQL Firewall rules
A. Transparent Data Encryption (TDE)
Explanation:
Transparent data encryption, or TDE, is used to protect Azure SQL Databases, Azure SQL Managed Instances and even Azure Synapse from malicious offline activities.
It provides this protection by encrypting the data at rest.
TDE performs real-time encryption and decryption of the database, associated backups and the transaction log files at rest, and it does so without the need for any changes to the application.
Which of the following statements regarding Microsoft Defender for Cloud is correct?
A. Defender for Cloud is designed to specifically monitor Azure-native resources, not on-premises servers connected to Azure.
B. Defender for Cloud is designed to specifically monitor on-premises servers connected to Azure, not Azure-native resources.
C. Defender for Cloud identifies security risks in your environment and automatically fixes them.
D. Defender for Cloud is designed to help secure quickly changing workloads.
D. Defender for Cloud is designed to help secure quickly changing workloads.
Explanation:
Defender for Cloud can improve the security of not only Azure resources but also of your data centers.
Defender for Cloud provides advanced threat protection for workloads in the cloud and for on-premises workloads by providing you with tools that you can use to harden your network and secure your services.
Organizations will typically use Defender for Cloud to address common security challenges, including things like workloads that are constantly changing and sophisticated security threats.
Which of the following is NOT a feature of Azure B2C and B2B Applications?
A. Single Sign-On to all apps no matter the location
B. Minimal account management
C. Partners can use their own credentials
D. Automatic code-sharing repositories
D. Automatic code-sharing repositories
Explanation:
Automatic code-sharing repositories are a nonexistent feature in Azure.
All other features are valid for Azure B2B and B2C applications.
Azure Active Directory enables which of the following features?
A. Provides SSO to SaaS apps
B. Integrates with On-Premises
C. Security monitoring and alerting
D. All choices are correct
D. All choices are correct
Explanation:
All of these options are features of Azure AD.
Accessing an Azure Key Vault requires proper authentication and authorization. How does Azure Key Vault authenticate the identity of the user or app?
A. Role-Based Access Control
B. Key Vault Access Policy
C. Azure Active Directory
D. SSL Certificate
C. Azure Active Directory
Explanation:
The authentication, which establishes the identity of the user or app, is performed by Azure AD.
Authorization, which determines the operations that the user or app is allowed to perform, is typically handled via role-based access control or via a Key Vault access