
Exam DP-200 topic 1 question 60 discussion

Actual exam question from Microsoft's DP-200
Question #: 60
Topic #: 1

DRAG DROP -
You need to create an Azure Cosmos DB account that will use encryption keys managed by your organization.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:

Suggested Answer:
Step 1: Create an Azure key vault and enable purge protection
Using customer-managed keys with Azure Cosmos DB requires you to set two properties on the Azure Key Vault instance that you plan to use to host your encryption keys: Soft Delete and Purge Protection.
Step 2: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI
Data stored in your Azure Cosmos account is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys). Optionally, you can choose to add a second layer of encryption with keys you manage (customer-managed keys).
Step 3: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal
Add an access policy to your Azure Key Vault instance
Step 4: Generate a new key in the Azure key vault
Generate a key in Azure Key Vault
Reference:
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
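
A check of the Key Vault side of this setup, as an added example (not part of the exam material or of Microsoft's documentation): it reads JSON in the shape `az keyvault show` returns and reports anything that does not match the requirements above. The vault data, object ID and key URI are constructed; the required key permissions (Get, Wrap Key, Unwrap Key) come from Microsoft's how-to rather than this page, and the vault is assumed to use access policies rather than Azure RBAC.

```python
from urllib.parse import urlparse

# Key permissions the Cosmos DB principal needs (from Microsoft's CMK how-to, not this page).
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

def check_vault_for_cmk(vault, principal_object_id, key_uri):
    """Return a list of problems; an empty list means the vault is ready for CMK."""
    problems = []
    props = vault.get("properties", {})
    # The two vault properties named in the suggested answer.
    if not props.get("enableSoftDelete"):
        problems.append("soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        problems.append("purge protection is not enabled")
    # Collect the key permissions granted to the Cosmos DB principal.
    granted = set()
    for policy in props.get("accessPolicies") or []:
        if str(policy.get("objectId", "")).lower() == principal_object_id.lower():
            keys = (policy.get("permissions") or {}).get("keys") or []
            granted |= {p.lower() for p in keys}
    missing = REQUIRED_KEY_PERMS - granted
    if missing:
        problems.append("principal lacks key permissions: " + ", ".join(sorted(missing)))
    # The key URI must be https://<this vault>/keys/<name>[/<version>].
    vault_host = urlparse(props.get("vaultUri", "")).netloc.lower()
    uri = urlparse(key_uri)
    parts = [p for p in uri.path.split("/") if p]
    if uri.scheme != "https" or not vault_host or uri.netloc.lower() != vault_host:
        problems.append("key URI does not point at this vault")
    elif len(parts) not in (2, 3) or parts[0] != "keys":
        problems.append("key URI is not of the form /keys/<name>[/<version>]")
    return problems

# Constructed sample: purge protection missing, policy grants only "get".
PRINCIPAL = "00000000-0000-0000-0000-000000000001"  # placeholder object ID
SAMPLE_VAULT = {"properties": {
    "vaultUri": "https://contoso-cmk.vault.azure.net/",
    "enableSoftDelete": True,
    "enablePurgeProtection": None,
    "accessPolicies": [{"objectId": PRINCIPAL, "permissions": {"keys": ["get"]}}],
}}
SAMPLE_KEY_URI = "https://contoso-cmk.vault.azure.net/keys/cosmos-cmk"

if __name__ == "__main__":
    for problem in check_vault_for_cmk(SAMPLE_VAULT, PRINCIPAL, SAMPLE_KEY_URI):
        print("FAIL:", problem)
```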

Comments

Wendy_DK
Highly Voted 4 years, 1 month ago
Step 1 Create an Azure Key vault and enable purge protection
Step 2 Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
Step 3 Generate a new key in Azure Key Vault
Step 4 Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI
upvoted 37 times
vrmei
4 years ago
Perfect. Microsoft.DocumentDB Resource Provider to be registered and then all the steps mentioned here.
upvoted 1 times
vaio
4 years, 1 month ago
This solution is correct. Check documentation here: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
upvoted 2 times
vaseva1
Highly Voted 4 years, 2 months ago
Step 1: Create an Azure key vault and enable purge protection
Step 2: Generate a new key in the Azure key vault
Step 3: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI
Step 4: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal
upvoted 22 times
cadio30
4 years, 1 month ago
This makes sense. Checked the documentation in the URL below: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
upvoted 2 times
cadio30
4 years, 1 month ago
Retracting my feedback here; instead, go for the solution below:
Step 1 Create an Azure Key vault and enable purge protection
Step 2 Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
Step 3 Generate a new key in Azure Key Vault
Step 4 Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI
upvoted 4 times
nit687
Most Recent 3 years, 11 months ago
Right sequence looks like this:
Step 1 Create an Azure Key vault and enable purge protection
Step 2 Generate a new key in Azure Key Vault
Step 3 Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI
Step 4 Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
In discussions there is confusion going on whether step 4 should come above step 3 etc., but unless we don't create a Cosmos DB resource, how can we create key vault access policy and grant permission to Cosmos DB principal? So step 4 should be last.
upvoted 2 times
hoangton
4 years ago
Step 1: Create an Azure key vault and enable purge protection
Step 2: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal
Step 3: Generate a new key in the Azure key vault
Step 4: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI
upvoted 1 times
MMM777
4 years, 1 month ago
Step 1: Create an Azure key vault and enable purge protection
Step 2: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal (doesn't have to actually exist yet)
Step 3: Generate a new key in the Azure key vault
Step 4: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
upvoted 2 times
dangal95
4 years, 1 month ago
These are the correct steps:
Step 1 Create an Azure Key vault and enable purge protection
Step 2 Generate a new key in Azure Key Vault
Step 3 Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI
Step 4 Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
You cannot add the key URI before you've even created the key, so creating the Cosmos DB account AND inserting the key URI before the key even exists does not make sense. Also, you cannot add an access policy for a resource that does not exist yet, so adding the access policy to the key vault before you even created the Cosmos DB account does not make sense.
upvoted 1 times
alf99
4 years, 2 months ago
The Cosmos DB account must be created as the last step using the previously created key. MS docs state that: "When you create a new Azure Cosmos DB account from the Azure portal, choose Customer-managed key in the Encryption step. In the Key URI field, paste the URI/key identifier of the Azure Key Vault key that you copied from the previous step" https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk
upvoted 10 times