Exam SC-100 topic 2 question 14 discussion

C is the correct answer. You should read Microburst toolkit - it is an open-source tool. Find Get-AZStorageKeysREST.ps1 it tries to enumerate all storage accounts then the respective storage keys. There is nothing to do with anonymous access here. Even if a storage account allows public acces you can't get the key without being authenticated and authorized. The preventive control here is to manage Shared Key Authorization.

I would select "Storage accounts should prevent shared key access"

MicroBurst exploitation toolkit used to extract keys to your storage accounts (ARM_MicroBurst.AZStorageKeysREST) Description: A PowerShell script was run in your subscription and performed a suspicious pattern of extracting keys to Storage Account(s). Threat actors use automated scripts, like MicroBurst, to list keys and use them to access sensitive data in your Storage Account(s). This was detected by analyzing Azure Resource Manager operations in your subscription. This operation might indicate that an identity in your organization was breached, and that the threat actor is trying to compromise your environment for malicious intentions. IF IT NEEDS TO BE BREACHED, THEN MAYBE SHARED KEY ACCESS WILL BE THE ANSWER

Option C - When you disallow Shared Key authorization for a storage account, Azure Storage rejects all subsequent requests to that account that are authorized with the account access keys. Only secured requests that are authorized with Microsoft Entra ID will succeed.

The Correct Answer is A. According to Microsoft Public storage accounts have a URL of a public endpoint (more information in the Background section), which means that it's possible to guess storage accounts names by performing DNS queries on the URL and examining the response. The way to prevent this is to remove Public access. https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/protect-your-storage-resources-against-blob-hunting/ba-p/3735238

Not sure why preventing shared key access would be better than blocking public access. After all there are far more hackers in the outer world that would rather push an open door than test shared keys. Just my own two pennies

Not sure how 80% voted for the wrong answer. The correct answer is A. https://hacknowledge.com/blog-post/azure-blob-storage-detect-and-prevent-public-accesses/

After remediating the threat, to prevent it from reoccurring, you should assign the following policy definition: C. Storage accounts should prevent shared key access This policy ensures that shared keys are not used for access to storage accounts, which aligns with security best practices and helps prevent similar threats in the future .

MicroBurst leverages the Get-AZStorageKeysREST.ps1 script to brute-force enumerate storage accounts and subsequently attempt to retrieve their keys using REST API calls. Public access isn't directly targeted by this script. While disallowing public access (option A) is a generally good security practice, it wouldn't specifically prevent the MicroBurst exploitation technique that relies on shared key access. Even with public access blocked, the script could still enumerate accounts and try brute-forcing shared keys. Preventing shared key access (option C) directly addresses the vulnerability exploited by the script. By disabling this access method, storage accounts become protected from unauthorized key retrieval attempts using Get-AZStorageKeysREST.ps1 or similar tools.

is the right answer

Selected Answer: A From the picture above you can see access from IP 0.0.0.0 that means from internet (public access). SAS token allow limited access to storage.

C is the answer. https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal Every secure request to an Azure Storage account must be authorized. By default, requests can be authorized with either Azure Active Directory (Azure AD) credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. To require clients to use Azure AD to authorize requests, you can disallow requests to the storage account that are authorized with Shared Key.

The correct is C, see the docs: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference

My answer would be C. Note that the question is asking "After remediating the threat, which policy definition should you assign to prevent the threat from reoccurring". Answer A mitigate the attack by limiting exploit only thru private network links. However, to entirely prevent threat from re-occuring, simply stop using preShare key authorization.

I vote for C. Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft. here the link: https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal

I am torn between A and C, in my opinion it should be both that would make sense. I really don't know what to choose for the exam now - A or C.

"... By default, requests can be authorized with either Azure Active Directory credentials, or by using the account access key for Shared Key authorization. Of these two types of authorization, Azure AD provides superior security and ease of use over Shared Key, and is recommended by Microsoft." https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountAllowSharedKeyAccess_Audit.json