Exam SC-300 topic 3 question 45 discussion

I think its B, in my lab, I have created an Azure Cosmos DB for NoSQL, then, in its "Access control (IAM)" blade, I can assign the role "Cosmos DB Account Reader Role" to a Managed Identity.

Azure Cosmos DB Account Reader Role: This role provides read access to the account metadata and settings. You can find it in the Azure portal under the Access control (IAM) section of your Azure Cosmos DB account.

Ik ga voor C. Bis niet goed want deze rol geeft toegang tot account metadata (niet tot de daadwerkelijke documenten/data). Niet geschikt om de inhoud van de database te lezen.

Answer B (considering this exam is based in security): After multiple back and forths with copilot, I got the following: Yes, there could be cases where AKS1 only needs the Azure Cosmos DB Account Reader Role. This role provides read access to the account metadata and settings, which might be sufficient for certain administrative or monitoring tasks. Here are a few scenarios where this role might be appropriate: Monitoring and Reporting: If AKS1 needs to monitor the status and configuration of DB1 without accessing the actual data, the Account Reader Role would be sufficient. Configuration Management: For tasks that involve reviewing account settings or configurations without interacting with the data, this role is appropriate. Security Audits: If AKS1 is used for security audits that require access to account details but not the data itself, the Account Reader Role would meet the requirements. However, if AKS1 needs to interact with the data within DB1, the Azure Cosmos DB Data Reader Role would be necessary to provide the required permissions.

Both Azure Cosmos DB Account Reader and Azure Cosmos DB Data Reader roles exist. The Account Reader role is for management plane settings (viewing configurations without data access), while the Data Reader role is for data plane access (reading stored data). Typically, security, IT, and compliance teams use the Account Reader role, while microservices, APIs, and developers use the Data Reader role. Since Azure Kubernetes Service (AKS) needs database access but not configuration settings, the least privilege approach applies, granting access only to DB1, not the entire RG1—making option 'B' correct.

The Azure Cosmos DB Account Reader Role allows read access to the account's metadata and configuration, not the data itself. Cannot Access Data: AKS1 would be able to read properties like account keys and settings but not the actual database content.

The built-in role "Cosmos DB data reader" does exist https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/reference-data-plane-roles

The built-in role Cosmos DB reader does exist https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/security/reference-data-plane-roles

Built-in roles supported by Azure Cosmos DB DocumentDB Account Contributor - Can manage Azure Cosmos DB accounts Cosmos DB Account Reader Role - Can read Azure Cosmos DB account data CosmosBackupOperator - Can submit a restore request in the Azure portal for a periodic backup enabled database or a container. Can modify the backup interval and retention in the Azure portal. Cannot access any data or use Data Explorer CosmosRestoreOperator - Can perform a restore action for an Azure Cosmos DB account with continuous backup mode. Cosmos DB Operator - Can provision Azure Cosmos DB accounts, databases, and containers. Cannot access any data or use Data Explorer https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control

It's got to be B. Answers A and D give too much privileges (A is for subscription scope and D is for Resource group scope). As for answer C, such role does not exist.

Be careful! remember that RBAC in Azure Cosmos DB applies to either a data plane operations (database) or a management plane operations (outside of the database / account level only). The Data Reader Role is for those who need to work with the data stored in Cosmos DB (data plane), while the Account Reader Role is for those who need to manage the account itself without accessing the data within it. AKS1 needs to access DB1 data plane to read the data, else whats the point? I think the answer is Azure Cosmos DB Data Reader Role role = C

https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control

In IAM of DB1: Assign the Managed Identity of AKS1 as CDB Account Reader Role

In IAM of DB1: Assign the Managed Identity of AKS1 as CDB Account Reader Role

If a Azure Cosmos DB Data Reader Role exists I can't find it. I think B has to be correct.

Correct Answer is B