
Exam AZ-303 topic 2 question 33 discussion

Actual exam question from Microsoft's AZ-303
Question #: 33
Topic #: 2

You have an Azure subscription that contains an Azure key vault named KeyVault1 and the virtual machines shown in the following table.

KeyVault1 has an access policy that provides several users with Create Key permissions.
You need to ensure that the users can only register secrets in KeyVault1 from VM1.
What should you do?

  • A. Create a network security group (NSG) that is linked to Subnet1.
  • B. Configure the Firewall and virtual networks settings for KeyVault1.
  • C. Modify the access policy for KeyVault1.
  • D. Configure KeyVault1 to use a hardware security module (HSM).
Suggested Answer: B
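The disagreement in the comments below comes down to what each control decides: the Key Vault firewall (the networkAcls block of the vault) decides where a request may come from, and the access policy decides which principal may perform which data-plane operation. The following model is an added example for this discussion, not Microsoft SDK or CLI code. It evaluates a request the way the two gates are applied, using the JSON shapes that `az keyvault show` returns for `properties.networkAcls` and `properties.accessPolicies`; the subscription ID, subnet IDs, IP addresses and object IDs are constructed for the example (the question's VM table is not on this page, so Subnet1 for VM1 and Subnet2 for VM2 are assumed from the thread).

```python
"""Model of the two Key Vault controls debated for this question.

Added example, not Microsoft's SDK. The dictionary shapes mirror what
`az keyvault show` returns for properties.networkAcls and
properties.accessPolicies; all identifiers below are constructed.
"""
import ipaddress

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/RG1"
VNET = SUB + "/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/"
SUBNET1_ID = VNET + "Subnet1"   # assumed: VM1 lives here
SUBNET2_ID = VNET + "Subnet2"   # assumed: VM2 lives here, same VNet

# Constructed KeyVault1 after option B (firewall: default Deny, allow only
# Subnet1) and with the pre-existing policy that grants users Create Key.
# "set" on secrets is what "register secrets" requires on the data plane.
VAULT = {
    "networkAcls": {
        "defaultAction": "Deny",          # "Allow" means the firewall is off
        "bypass": "None",                 # or "AzureServices" for trusted services
        "ipRules": [{"value": "203.0.113.0/24"}],   # constructed office range
        "virtualNetworkRules": [{"id": SUBNET1_ID}],
    },
    "accessPolicies": [
        {"objectId": "user-1",
         "permissions": {"keys": ["create"], "secrets": ["set"], "certificates": []}},
        {"objectId": "user-2",
         "permissions": {"keys": ["create"], "secrets": [], "certificates": []}},
    ],
}


def network_allows(acls, *, source_ip=None, subnet_id=None, trusted_service=False):
    """Does the vault firewall admit a request from this source?

    Subnet rules only match a subnet that has the Microsoft.KeyVault service
    endpoint enabled; the model assumes that is the case for any subnet_id
    passed in.  IP rules are IPv4 CIDRs, matched with ipaddress.
    """
    if acls.get("defaultAction", "Allow") == "Allow":
        return True
    if trusted_service and acls.get("bypass") == "AzureServices":
        return True
    if subnet_id and any(r["id"].lower() == subnet_id.lower()
                         for r in acls.get("virtualNetworkRules", [])):
        return True
    if source_ip:
        addr = ipaddress.ip_address(source_ip)
        if any(addr in ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", [])):
            return True
    return False


def policy_allows(policies, object_id, kind, operation):
    """Does an access policy entry grant `operation` on `kind` to this principal?"""
    for entry in policies:
        if entry["objectId"] == object_id:
            perms = [p.lower() for p in entry["permissions"].get(kind, [])]
            return "all" in perms or operation.lower() in perms
    return False


def can_perform(vault, object_id, kind, operation, **source):
    """Apply both gates in the order Key Vault does: network first, then policy."""
    if not network_allows(vault["networkAcls"], **source):
        return "denied: firewall"
    if not policy_allows(vault["accessPolicies"], object_id, kind, operation):
        return "denied: access policy"
    return "allowed"


if __name__ == "__main__":
    cases = [
        ("user-1", "secrets", "set", {"subnet_id": SUBNET1_ID}),   # VM1
        ("user-1", "secrets", "set", {"subnet_id": SUBNET2_ID}),   # VM2, same VNet
        ("user-1", "secrets", "set", {"source_ip": "198.51.100.7"}),  # internet
        ("user-1", "keys", "create", {"subnet_id": SUBNET1_ID}),   # firewall can't stop this
        ("user-2", "secrets", "set", {"subnet_id": SUBNET1_ID}),   # right place, no right
    ]
    for who, kind, op, src in cases:
        print(f"{who:7} {kind}/{op:6} from {src}: {can_perform(VAULT, who, kind, op, **src)}")
```

Read the last two cases together: a subnet rule (option B) lets the firewall say "only from VM1's subnet", but it cannot tell a user who holds Create Key apart from one who may only set secrets; that distinction lives in the access policy (option C). A subnet rule admits every workload on that subnet, which is the objection raised for VM2 when it shares the subnet. The corresponding real commands for option B are `az keyvault network-rule add --name KeyVault1 --vnet-name VNet1 --subnet Subnet1` followed by `az keyvault update --name KeyVault1 --default-action Deny`.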

Comments

Deepbond
Highly Voted 4 years, 4 months ago
B should be correct. https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault#firewalls-and-virtual-networks
upvoted 44 times
gssd4scoder
4 years ago
Correct, I've done a lot of work with Key Vault.
upvoted 4 times
BrettusMaximus
3 years, 11 months ago
Wrong. Although you can configure access based on the VNet, both VM1 and VM2 are in the same VNet.
upvoted 3 times
Gulam
3 years, 10 months ago
Though it is the same VNet, they are on different subnets, and you can restrict access to subnets. Answer is B.
upvoted 1 times
minihere
3 years, 3 months ago
Wouldn't that also block reads? I think the question is about blocking writes only.
upvoted 3 times
OmerBeyond
4 years, 4 months ago
I don't think you are correct. You can create a managed identity for the VM and create an access policy to allow it. The FW & VNets setting will allow the whole subnet/network to access, so it is not 100% right.
upvoted 16 times
Granwizzard
4 years, 3 months ago
Access policies don't work with managed identities, only service principals.
upvoted 1 times
jank
4 years, 2 months ago
Answer is C, here is why:
- Granwizzard, you are incorrect. I just tested it myself: I successfully assigned a system-assigned managed identity of a VM as the "service principal" (using the Object ID of the managed identity) in a Key Vault access policy. Furthermore, you can restrict access to secrets and deny access to keys and certificates.
- The question says "users can only register secrets from VM1", which means they must not be able to configure keys or certificates. You cannot achieve that with any type of network control (firewall, NSG, etc.), but you can with an access policy.
- Furthermore, you need to ensure that only access from VM1 is provided, which is achieved using the managed identity of VM1.
- Docu link: https://docs.microsoft.com/de-de/azure/key-vault/general/assign-access-policy-portal
upvoted 35 times
jank
4 years, 2 months ago
I am sorry, my previous arguments are correct, but the answer is still B, here is why:
- While answer C technically will work, I think B is what they are after because an access policy allowing access to only the defined users is ALREADY in place, hence they expect us to use that. I did not consider that info in my previous answer.
- In the firewall settings in Key Vault you can indeed restrict access to a certain VNet or certain IP. So if we configure the IP of VM1 there, then all requirements of the question are also met.
- Docu: https://docs.microsoft.com/de-de/azure/key-vault/general/network-security#key-vault-firewall-enabled-ipv4-addresses-and-ranges---static-ips
upvoted 20 times
kubinho
3 years, 11 months ago
The question does not mention whether VM1 has access or not. In this question the users have Create Key permission, but you need to allow them to do secrets. They do not ask about the VM; they are asking about permissions. So logically the answer is C.
upvoted 1 times
Aghora
Highly Voted 4 years, 3 months ago
Users already have permissions. The vault firewall will help us limit access to an IP (VM) or subnet. By default the vault can be accessed from all networks as long as the users have permissions; the objective here is to add restrictions so that users can only access the vault from VM1, which can be done using the firewall and networks. The question is not asking for a managed identity for the VM but rather about data plane access only. Answer should be B in my humble opinion.
upvoted 13 times
QiangQiang
4 years ago
Totally agree with you. it's B
upvoted 2 times
kvsaheed
Most Recent 3 years, 1 month ago
Only a Key Vault policy provides granular key and certificate permissions. So here we have to assume that there is an existing separate policy for VM1 which needs to be modified, for C to be correct.
upvoted 1 times
[Removed]
3 years, 2 months ago
Selected Answer: B
B is correct option
upvoted 1 times
ritears41
3 years, 2 months ago
Selected Answer: C
C should be correct
upvoted 1 times
AberdeenAngus
3 years, 3 months ago
I'm going with B (Key Vault firewall). The answer can't be MSI because that would allow any user on VM1 to create secrets, but the question reads as though it's only "several users". The question also only mentions that these users have Create Key permission, so we're not concerned with any other permissions they might have, and we don't need to provide access from anywhere except VM1.
upvoted 1 times
JayBee65
3 years, 3 months ago
This link https://docs.microsoft.com/en-us/azure/key-vault/general/security-features#privileged-access VERY clearly states that the create permission is controlled using a Key Vault access policy or Azure RBAC, NOT by a firewall rule.
upvoted 1 times
azurelearner666
3 years, 3 months ago
The response is correct: C, modify the access policy. With network controls you cannot assign permissions, only restrict (or allow) access. You need an access policy to do this. Thus, C is correct.
upvoted 2 times
valgaw
3 years, 4 months ago
Selected Answer: B
B should be correct one
upvoted 1 times
thebarber87
3 years, 4 months ago
These long topic discussions suggesting the wrong answer are really not helpful for study.
upvoted 1 times
JayBee65
3 years, 3 months ago
Here's an idea, why not research it yourself and learn? :)
upvoted 1 times
Fartfart
3 years, 4 months ago
Selected Answer: B
From vm1
upvoted 1 times
Dawn7
3 years, 4 months ago
Selected Answer: B
I will go with B
upvoted 1 times
gcpbrig01
3 years, 5 months ago
Selected Answer: B
Users are already assigned permissions on the data plane using the access policy. The ask here is to restrict the ability of those users to do the task only from VM1. This can be done only by adding the subnet associated with the VM under the Networking blade. Once this is done, whenever users try to access the vault for data operations from outside that subnet they will receive the error "Firewall is turned on and your client ip address is not authorized to access this key vault".
upvoted 2 times
Dpejic
3 years, 5 months ago
On exam today 22/11/21. Score 839.
upvoted 2 times
edmacoar123
3 years, 6 months ago
On exam today 19/11/21. Correct answer. Score 860.
upvoted 2 times
HiAws
3 years, 7 months ago
Modify the access policy for KeyVault1.
upvoted 2 times
Thisismynickname001
3 years, 8 months ago
You can restrict access to a specific subnet in a VNet with the firewall, but you cannot restrict what kind of actions a user can perform. "Users can only register secrets in KV from VM1" cannot be set with the firewall. Yes, you can restrict access to only the subnet where the VM is, but it won't give you the ability to define what kind of actions a user can take.
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%)