You need to recommend a security solution for containers in Azure Blob storage. The solution must ensure that only read permissions are granted to a specific user for a specific container. What should you include in the recommendation?
A.
shared access signatures (SAS)
B.
an RBAC role in Azure Active Directory (Azure AD)
Suggested Answer: A

You can delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS.

Note: A shared access signature (SAS) provides secure delegated access to resources in your storage account without compromising the security of your data. With a SAS, you have granular control over how a client can access your data. You can control what resources the client may access, what permissions they have on those resources, and how long the SAS is valid, among other parameters.

Incorrect Answers: C: You can enable anonymous, public read access to a container and its blobs in Azure Blob storage. By doing so, you can grant read-only access to these resources without sharing your account key, and without requiring a shared access signature (SAS). Public read access is best for scenarios where you want certain blobs to always be available for anonymous read access.

Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
Reading this carefully: "granted to a specific user for a specific container." It should be RBAC. SAS is not for a specific user. It is designed to be created and given to ANY authenticated user. On the other hand, RBAC is to authorize the users on the container level.
It is pretty simple: send the SAS to just this user. But we cannot prove if someone else accessed it. In AD, if the user is added to a role and then given the role access, then we know the role accessed it, but not if other users are in that role!
Explanation
While both SAS and RBAC can achieve this, user delegation SAS is backed by Azure AD, hence RBAC is the preferred way.
Azure Active Directory (Azure AD) authorizes access rights to secured resources through Azure role-based access control (Azure RBAC). Azure Storage defines a set of Azure built-in roles that encompass common sets of permissions used to access blob or queue data.
When an Azure role is assigned to an Azure AD security principal, Azure grants access to those resources for that security principal. Access can be scoped to the level of the subscription, the resource group, the storage account, or an individual container or queue.
https://docs.microsoft.com/en-us/azure/storage/common/storage-auth-aad-rbac-portal
RBAC: Storage Blob Data Owner: Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader
An RBAC on the container itself would be the easiest way. But option B states 'an RBAC role in Azure Active Directory (Azure AD)'. You don't create the role itself in AD. I therefore think SAS is the only valid option here.
RBAC provides coarse-grained access, i.e. at account level. RBAC cannot provide access to specific containers. You will need to do ACL for that. Since ACL is not an option here, the next best choice becomes SAS. Though SAS is usually used for temporary, time-bound access.
I think RBAC is correct - because you need to provide access to a specific user for a specific container (using SAS anyone with the URL can access the container)
Both SAS and RBAC are okay for container level.
For folder level it should be SAS.
https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control
When your application design requires shared access signatures for access to Blob storage, use Azure AD credentials to create a user delegation SAS when possible for superior security.
So SAS is a good choice.
Create a user delegation SAS for a container or blob with the Azure CLI https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli
"To get the user delegation key and create the SAS, an Azure AD security principal must be assigned a role-based access control (RBAC)"
-> I would say RBAC directly then?
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
I think you are right; besides, the question starts with 'recommend a security solution for containers'. Maybe SAS works too, but RBAC is more secure: 'Authorizing requests against Azure Storage with Azure AD provides superior security ... Microsoft recommends using Azure AD authorization with your blob applications when possible to assure access with minimum required privileges.' https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory
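The two options the comments above compare, as an added example that is not part of the original thread: a Storage Blob Data Reader assignment scoped to one container (option B) and a read-only user delegation SAS created with the Azure CLI (option A). The subscription, resource group, account, container and user UPN are placeholders supplied by the caller, and the Azure CLI is assumed to be installed and logged in.

```shell
#!/bin/sh
# Added example (not from the page): least-privilege read access to one container.
# Assumptions: Azure CLI is installed and `az login` has been run by someone who can
# assign roles; subscription id, resource group, account, container and the user's
# UPN are placeholders passed in by the caller.

# Build the ARM resource id that scopes a role assignment to a single container.
# Scoping at the storage-account level instead would let the user read every
# container in the account.
container_scope() {
  sub="$1"; rg="$2"; account="$3"; container="$4"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s' \
    "$sub" "$rg" "$account" "$container"
}

# Option B: assign the built-in, read-only data-plane role Storage Blob Data Reader
# to one Azure AD user, scoped to one container. Access is tied to that identity
# rather than to a token that can be forwarded.
grant_container_reader() {
  user_upn="$1"; scope="$2"
  az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee "$user_upn" \
    --scope "$scope"
}

# Option A, done the way the quoted Microsoft guidance recommends: a user delegation
# SAS signed with Azure AD credentials (--as-user --auth-mode login) rather than the
# account key, read-only (--permissions r) and short-lived (--expiry). Note that the
# SAS is still a bearer token: whoever holds the URL can read the container.
make_read_only_user_delegation_sas() {
  account="$1"; container="$2"; expiry="$3"   # expiry in UTC, e.g. 2030-01-01T00:00Z
  az storage container generate-sas \
    --account-name "$account" \
    --name "$container" \
    --permissions r \
    --expiry "$expiry" \
    --auth-mode login \
    --as-user \
    --output tsv
}

# Only talk to Azure when the caller supplies all five placeholders.
if [ "$#" -eq 5 ]; then
  grant_container_reader "$5" "$(container_scope "$1" "$2" "$3" "$4")"
fi
```

Run as `sh script.sh <subscription-id> <resource-group> <account> <container> <user-upn>` to apply the role assignment; call make_read_only_user_delegation_sas separately when a SAS is genuinely needed.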
DP-201 Exam Questions