Exam SC-100 topic 3 question 16 discussion

https://docs.microsoft.com/en-us/azure/cosmos-db/audit-control-plane-logs

Enforcing all authentication thru AAD and using RBAC will make auditing more simpler and secure rather than having two sources of authentication the database. So I would go for a and D.

this answer is wrong, i think CE is the correct AAD wont give you details on the COSMOS data access

C. Send the Azure Cosmos DB logs to a Log Analytics workspace: By sending Azure Cosmos DB logs to a Log Analytics workspace, you can centrally collect and analyze the logs related to user access and interactions with the Cosmos DB accounts. This allows for the auditing and monitoring of all actions performed on the Cosmos DB data, which is essential for meeting the auditing requirement. You can then use Azure Monitor and Log Analytics to query, analyze, and create alerts based on specific events in the Cosmos DB logs. E. Enable Microsoft Defender for Cosmos DB: Enabling Microsoft Defender for Cosmos DB provides advanced threat protection, including auditing and identifying suspicious activities. Defender for Cosmos DB offers security alerts and recommendations, helping to detect potential security issues related to data access, thus enhancing auditing capabilities and overall security posture.

A - authentication log C - data access log

https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data?tabs=using-primary-key https://learn.microsoft.com/en-us/azure/cosmos-db/security-controls-policy

A, D is correct

i go with A&D

got this in exam 6oct23. passed with 896 marks. I answered AD

A&D for sure.

Definitely AC

AC is the answer. https://learn.microsoft.com/en-us/azure/cosmos-db/monitor-resource-logs?tabs=azure-portal Diagnostic settings in Azure are used to collect resource logs. Resources emit Azure resource Logs and provide rich, frequent data about the operation of that resource. These logs are captured per request and they're also referred to as "data plane logs". Some examples of the data plane operations include delete, insert, and readFeed. The content of these logs varies by resource type.

People with AD overthink

From what I can research on, as long as I have implemented the option A, I do not need to disable the local authentication on cosmos DB. The local authentication logins are also being forwarded to the log analytic workspace. if the local authentication credentials were shared, then that seems to create another issue, but that is not stated here to be the case. So option D seems unnecessary as the requirement is not to force Azure AD authentication either. Option C can be a more suitable answer here.

https://learn.microsoft.com/en-us/azure/cosmos-db/monitor-resource-logs?tabs=azure-portal - Question is about aditing

ChatGTP: To audit all users accessing data in Azure Cosmos DB Core (SQL) API accounts, the following two configurations should be included in the recommendation: A. Send the Azure Active Directory (Azure AD) sign-in logs to a Log Analytics workspace: This will enable logging of all sign-in activities, including successful and failed attempts, by all users accessing the Cosmos DB account. This will provide insight into who is accessing the data and when. C. Send the Azure Cosmos DB logs to a Log Analytics workspace: This will enable logging of all activities within the Cosmos DB account, including queries, modifications, and deletions. This will provide insight into what data is being accessed and how it is being used.

Purpose is Audit - So sending logs to Log analytics is the action. Question does not say to restrict access to only AD users, it just say audit. So why do you need to disable to local authentication? you just need the logs to see who accessed and what acctions perfomed in the DB, So I would choose A and C