Exam AZ-304 topic 3 question 19 discussion

Since it says "All of the Data", the answer is C. https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-faq#how-is-azure-disk-encryption-different-from-storage-server-side-encryption-with-customer-managed-key-and-when-should-i-use-each-solution

Since it says "All of the Data" Azure Disk Encryption provides end-to-end encryption for the OS disk, data disks, and the temporary disk with a customer-managed key. If your requirements include encrypting all of the above and end-to-end encryption, use Azure Disk Encryption. if your requirements include encrypting only data at rest with customer-managed key, then use Server-side encryption with customer-managed keys. You can't encrypt a disk with both Azure Disk Encryption and Storage server-side encryption with customer managed keys.

Here: https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#restrictions-1 Supports ephemeral OS disks but only with platform-managed keys. However I find it creazy that so many answers are unclear ... Maybe the documentation of Azure is not clear enough

please refer below links and explanation, it has answers for all given requirements. https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#full-control-of-your-keys - You can audit the encryption key usage with Azure Key Vault monitoring to ensure that only managed disks or other trusted Azure services are accessing your keys https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#customer-managed-keys - You can choose to manage encryption at the level of each managed disk, with your own custom keys https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption - Most Azure managed disks are encrypted with Azure Storage encryption, which uses server-side encryption (SSE) to protect your data and to help you meet your organizational security and compliance commitments

the key here is not whether SSE or ADE can encrypt or do it using CMK, it is about "The use of encryption keys is audited", with SSE+CMK audit is "Unhealthy, not applicable if exempt" and with ADE it is "Healthy" ...

Answer is C.

Azure storage Server-Side Encryption can be answer but the options say 'Azure Storage Services Encryption' and that is different. Azure Storage Service Encryption Data at rest in Azure Blob storage and Azure file shares can be encrypted in both server-side and client-side scenarios. Azure Storage Service Encryption (SSE) can automatically encrypt data before it is stored, and it automatically decrypts the data when you retrieve it. The process is completely transparent to users. Storage Service Encryption uses 256-bit Advanced Encryption Standard (AES) encryption, which is one of the strongest block ciphers available. AES handles encryption, decryption, and key management transparently. Please see the link below https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview

The link is self-explanatory

https://docs.microsoft.com/en-us/azure/storage/common/storage-service-encryption?toc=/azure/storage/blobs/toc.json

if you follow the link and look "Encryption at Rest" section you will see the following : "Any customer using Azure Infrastructure as a Service (IaaS) features can achieve encryption at rest for their IaaS VMs and disks through Azure Disk Encryption" https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest#azure-disk-encryption

I'd go for C https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview#comparison

read the link it is self explanatory

C. Azure Disk Encryption --- https://docs.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-faq#how-is-azure-disk-encryption-different-from-storage-server-side-encryption-with-customer-managed-key-and-when-should-i-use-each-solution-

I will go for B, because question says "encryption at rest" Note: ASSE is majorly for encryption at rest.

https://docs.microsoft.com/en-us/azure/virtual-machines/disk-encryption#full-control-of-your-keys C is correct

I think B Storage server-side encryption encrypts Azure managed disks in Azure Storage. Managed disks are encrypted by default with Server-side encryption with a platform-managed key (as of June 10, 2017). You can manage encryption of managed disks with your own keys by specifying a customer-managed key.

Answer is correct Both Azure Disk Encrypt and Azure Server Side Encryption(Customer Managed Key) can meet all 3 requirements. For given answers, C is correct