Exam AZ-300 topic 4 question 24 discussion

1. Key Vault 2. MSI 3. Key Vault

I think Key vault is for box 3 as well because They want to protect the connection string which can be stored securely in a key vault. Managed identity can not secure connection string.

I'll go with - KeyVault, MSI and KeyVault. Fight me.

All are Key vault. The question is asking to store and protect the keys, certificates, and connection strings, which are all protected by Key Vault. Btw, key vault itself is protected by AD.

Bit of a tricky question, but #2 should be MSI just for the access token. No sure how that would be done in KV. So: KV MSI MSI

The B part is a bit tricky , you need to read the lines carefully . If you see certs then first thing would com to mind that its key vault but then it talks about access so it is MSI

Box 2 should be MSI. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#obtain-tokens-for-azure-resources An app can use its managed identity to get tokens to access other resources protected by Azure AD.

Database: The requirement asks for asymmetric real-time encryption and decryption of Azure SQL database and log files. This calls for "Transparent data encryption (TDE)" which performs real-time I/O encryption and decryption of the data at the page level. The process involves a so called TDE protector, which is either a service-managed certificate or an asymmetric key stored in Azure Key Vault. https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview?tabs=azure-portal Development & Security Azure Key Vault supports to store "connection strings" and "certificates" https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates Conclusion: ==> 3x Azure Key Vault

Notice the use of the key words: 1. store = keyvault. reason - keyvault can be used to store keys 2. access token = msi. reason - Your code can use a managed identity to request access tokens for services that support Azure AD authentication. This includes key vault. 3. protect/allow access = keyvault. reason - 'protect' by storing the key in the keyvault, 'allow access' by configuring an access policy in keyvault. we are not concerned about MSI here because of the keywords.

Database: Azure Key Vault is an ideal location for key storage Development: for application you can call the MSI endpoint to get an access token to authenticate the the Azure resource. Security: pay attention on "only allow access to the connection strings during the application runtime", again this is an application authentication to AZ resource, why not MSI.

Boxes might have got switched around in the answer. Box 2, Development mentions X.509 cert and access token so MSI might fit with that?

Under the Azure Key Vaults Secret Documentation, it clearly states that: "Key Vault provides secure storage of secrets, such as passwords and database connection strings." Ref: https://docs.microsoft.com/en-us/azure/key-vault/secrets/about-secrets

Box 3 MSI is right. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi

I think its because of this. https://docs.microsoft.com/en-us/azure/app-service/app-service-web-tutorial-connect-msi Tutorial: Secure Azure SQL Database connection from App Service using a managed identity

Why Box 3 is MSI? not key vault?