Exam SC-100 topic 4 question 9 discussion

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview. A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example: 1. What resources the client may access. 2. What permissions they have to those resources. 3. How long the SAS is valid.

Time limited -> SAS

Answer is D. Its all in the link provided https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview

To provide vendors with secure access to specific blobs without exposing the blobs publicly and ensuring that the access is time-limited, you should include the following recommendation: D. Create shared access signatures (SAS) Shared access signatures (SAS) are the ideal solution for granting limited, secure access to specific blobs in Azure Storage. With a SAS, you can specify the exact permissions (read, write, delete, etc.) the vendor should have, the start and expiration times for access, and even the specific blob or container they can access. This provides fine-grained control over access and ensures that it's time-limited and limited to specific resources.

D is the answer. https://learn.microsoft.com/en-us/azure/storage/common/storage-sas-overview A shared access signature (SAS) provides secure delegated access to resources in your storage account. With a SAS, you have granular control over how a client can access your data. For example: - What resources the client may access. - What permissions they have to those resources. - How long the SAS is valid.

Should be Private Endpoint You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network (VNet) to securely access data over a Private Link. The private endpoint uses a separate IP address from the VNet address space for each storage account service. Network traffic between the clients on the VNet and the storage account traverses over the VNet and a private link on the Microsoft backbone network, eliminating exposure from the public internet.

Answer is A , please check the word exposing the blobs publicly

q is: secure access to specific blobs without exposing the blobs publicly so: sec recomendation is Use private endpoints https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations recomendation is: Create a virtual network and bastion host. Create a virtual machine. Create a storage account with a private endpoint. Test connectivity to the storage account private endpoint.

Create shared access signatures