Exam SC-300 topic 3 question 2 discussion

D is the correct answer, individual secrets have their own IAM. If you assigned secret administrator at the vault level then you would be granting access to all secrets in the vault.

Correct answer is A. Correct me if I'm wrong though. To achieve the requirements of allowing Automation1 to read the contents of Secret1 while preventing it from accessing other secrets in Vault1 and following the principle of least privilege, this is how you can achieve this as well: Navigate to the Azure portal. Go to the Azure Key Vault (Vault1). Select "Access control (IAM)". Add a role assignment for the Automation1's managed identity with the necessary permissions (e.g., "Get" for secrets). By configuring the access control (IAM) settings at the vault level, you can specifically grant the required permissions to the managed identity of Automation1 for the Secret1, while avoiding unnecessary access to other secrets. So, the correct answer is: A. From Vault1, configure the Access control (IAM) settings.

Answer D: When asking copilot to consider "the new modernization for Azure Key vault is to use the new RBAC permission model" and to elaborate on why not answer "A", I got the below. Certainly! Here’s why Answer A (configuring the Access control (IAM) settings from Vault1) is not the best choice: Granularity of Permissions: Configuring IAM settings at the vault level (Vault1) would grant permissions to the entire vault, potentially allowing Automation1 to access all secrets within Vault1. This does not adhere to the principle of least privilege, which aims to restrict access to only the necessary resources. Principle of Least Privilege: By configuring IAM settings directly on Secret1 (Answer D), you can ensure that Automation1 has access only to that specific secret and not to any other secrets stored in Vault1. This approach minimizes the risk of unauthorized access and follows best practices for security.

Answer D) From Secret1, configure the Access control (IAM) settings. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-portal#secret-scope-role-assignment

Tested in my tenant. First, choose Azure RBAC in Access configuration and then you see the IAM in the secret.

i think that in this case it must be A because the access policy is configured at kv infra & scoped at secret level, & they'r not talking about rbac access ebabled for the kv

Answer is D Tested

The correct answer is D. From Secret1, configure the Access control (IAM) settings. Explanation: Configuring the Access control (IAM) settings at the level of Secret1 ensures that the permissions are granted only for that specific secret and not for any other secrets stored in Vault1. This approach follows the principle of least privilege by granting the minimum required permissions.

Co Pilot and ChatGPT are sure it's A.

D is the corrects, in depend on Permission model if you have. " Vault access policy" we cannot find the IAM role in secret1 you need to change to "Azure role-based access control (recommended)" https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Answer is D

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

The best course of action to achieve secure access to Secret1 while adhering to the principle of least privilege is: A. From Vault1, configure the Access control (IAM) settings. Here's why the other options are not ideal: B. From Automation1, configure the Identity settings: While enabling managed identity is a good first step, it doesn't grant specific permissions to access Vault1 resources. C. From Automation1, configure the Run as accounts settings (deprecated): Microsoft is phasing out Run As accounts, and they are considered less secure than managed identities. D. From Secret1, configure the Access control (IAM) settings: Secrets themselves cannot configure access control.

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli Note: >Assigning roles on individual keys, secrets and certificates should be avoided. Exceptions to general guidance: >Scenarios where individual secrets must be shared between multiple applications, for example, one application needs to access data from the other application I guess the exam wants us to answer D in this case though. I would select D.

Answer is D: Secret scope role assignment: > Open a previously created secret. >Click the Access control(IAM) tab > Select Add > Add role assignment to open the Add role assignment page... https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli.