ExamTopics Logo
Mail Us[email protected]
Menu
Microsoft Discussions
exam questions

Exam SC-100 All Questions

View all questions & answers for the SC-100 exam
Go to Exam

Exam SC-100 topic 3 question 17 discussion

Actual exam question from Microsoft's SC-100
Question #: 17
Topic #: 3
[All SC-100 Questions]

You have an Azure subscription that contains several storage accounts. The storage accounts are accessed by legacy applications that are authenticated by using access keys.
You need to recommend a solution to prevent new applications from obtaining the access keys of the storage accounts. The solution must minimize the impact on the legacy applications.
What should you include in the recommendation?

  • A. Set the AllowSharedKeyAccess property to false.
  • B. Apply read-only locks on the storage accounts.
  • C. Set the AllowBlobPublicAccess property to false.
  • D. Configure automated key rotation.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️
by K1SMM at Sept. 5, 2022, 12:40 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
zts
Highly Voted 2 years, 11 months ago
Selected Answer: B
A read-only lock on a storage account prevents users from listing the account keys ----> https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json
upvoted 11 times
...
besoaus
Highly Voted 1 year, 1 month ago
It should be A This will force the modern Applications to get authorized by AD, and old legacy apps will keep their access because the have the keys already https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.management.storage.models.storageaccount.allowsharedkeyaccess?view=azure-dotnet-legacy
upvoted 8 times
Onimole
11 months, 2 weeks ago
a solution to prevent NEW applications
upvoted 2 times
...
...
Mithu94
Most Recent 1 year, 3 months ago
Selected Answer: B
Correct Answer B: If a client is in possession of the account access keys at the time that the lock is applied to the storage account, then that client can continue to use the keys to access data. However, clients who do not have access to the keys will need to use Microsoft Entra credentials to access blob or queue data in the storage account.
upvoted 2 times
...
titiledozo
1 year, 4 months ago
B because the important point is "obtaining" , if it was "using" A would be correct
upvoted 1 times
...
Camsecu9
1 year, 5 months ago
A: is the correct answer. here's why: If you set the AllowSharedKeyAccess property to false for the storage accounts, it means that access to the storage accounts via shared access signatures (SAS) and access keys will be disabled. This effectively prevents any new applications or users from obtaining and using access keys to access the storage resources. However, existing applications that are already using access keys will continue to function normally unless you update their authentication mechanism to use alternatives such as Azure AD authentication or managed identities. This approach enhances security by limiting the use of access keys, which are considered sensitive credentials, and encourages the adoption of more secure authentication methods.
upvoted 5 times
Luweho
1 month ago
Says who? ChatGPT?
upvoted 1 times
...
...
masby661
1 year, 6 months ago
Selected Answer: C
Defender for Containers scans the container images in Azure Container Registry (ACR)
upvoted 1 times
...
Mblott77
2 years ago
Selected Answer: A
Set-AzStorageAccount -ResourceGroupName <resource-group> ` -AccountName <storage-account> ` -AllowSharedKeyAccess $false
upvoted 4 times
...
Mblott77
2 years ago
Set-AzStorageAccount -ResourceGroupName <resource-group> ` -AccountName <storage-account> ` -AllowSharedKeyAccess $false
upvoted 1 times
...
zellck
2 years, 3 months ago
Selected Answer: B
B is the answer. https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources?tabs=json#considerations-before-applying-your-locks A read-only lock on a storage account prevents users from listing the account keys. A POST request handles the Azure Storage List Keys operation to protect access to the account keys. The account keys provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys need to use Azure AD credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).
upvoted 3 times
...
smudo1965
2 years, 5 months ago
Selected Answer: B
When a read-only lock is configured for a storage account, users who don't have the account keys need to use Azure AD credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).
upvoted 3 times
...
Ajdlfasudfo0
2 years, 5 months ago
Selected Answer: B
reading keys is actually a POST request, therefor a read only lock would work. (the data is NOT readonly, only the control plane)
upvoted 3 times
...
awssecuritynewbie
2 years, 5 months ago
Selected Answer: B
a read-only lock
upvoted 2 times
...
Mo22
2 years, 6 months ago
Selected Answer: D
In order to prevent new applications from obtaining the access keys, while minimizing the impact on the legacy applications, it is recommended to use a solution that allows you to regularly rotate the access keys, such as automated key rotation (Option D).
upvoted 1 times
Fal991l
2 years, 5 months ago
ChatGTP agreed with you. The best solution to prevent new applications from obtaining the access keys of the storage accounts while minimizing the impact on the legacy applications is to configure automated key rotation. This solution will rotate the access keys on a regular basis, making it more difficult for unauthorized applications to gain access to the storage accounts. The legacy applications can continue to use the access keys without interruption, as long as they are updated with the new keys after each rotation.
upvoted 1 times
Mithu94
1 year, 3 months ago
B Correct. If a client is in possession of the account access keys at the time that the lock is applied to the storage account, then that client can continue to use the keys to access data. However, clients who do not have access to the keys will need to use Microsoft Entra credentials to access blob or queue data in the storage account.
upvoted 1 times
...
Fal991l
2 years, 5 months ago
Option A (Set the AllowSharedKeyAccess property to false) is not a valid solution because this property is used to enable or disable shared key authentication for a storage account. Disabling shared key authentication would impact the legacy applications that are currently using the access keys for authentication. Option B (Apply read-only locks on the storage accounts) is not a valid solution because it would prevent any application from modifying the storage accounts, including the legacy applications that require write access. Option C (Set the AllowBlobPublicAccess property to false) is not a valid solution because this property is used to enable or disable public access to blobs in a storage account. Disabling public access would not prevent new applications from obtaining the access keys. Therefore, the correct answer is D (Configure automated key rotation).
upvoted 1 times
Funkydave
2 years, 1 month ago
don't rely on chatgpt ask it the same question or reply with "why" and it will almost certainly reply apologising for getting the answer wrong.
upvoted 4 times
...
...
...
...
TJ001
2 years, 7 months ago
legacy application still need to work, then Ready Only Lock (assume only on the management plane) is an option
upvoted 2 times
...
CertShooter
2 years, 8 months ago
Selected Answer: A
The AllowSharedKeyAccess property is a feature of Azure Storage that controls whether the shared key (also known as the access key) of a storage account can be accessed. When this property is set to false, only the storage account owner can access the shared key. This can help prevent unauthorized access to the storage account by new applications, while still allowing the legacy applications to continue using the shared key for authentication. Other options, such as applying read-only locks on the storage accounts, setting the AllowBlobPublicAccess property to false, or configuring automated key rotation, may not be as effective at preventing new applications from obtaining the access keys of the storage accounts, or may have a greater impact on the legacy applications.
upvoted 3 times
KrisDeb
2 years, 6 months ago
Any source? Because according to this below, apps will stop working correctly after setting this property to false. https://learn.microsoft.com/en-us/azure/storage/common/shared-key-authorization-prevent?tabs=portal#disable-shared-key-authorization
upvoted 2 times
...
...
panoz
2 years, 8 months ago
To avoid confusion we should mention that a read only lock applies to the management plane and not the data plane so this lock doesn't affect data access and has no impact to the legacy applications.
upvoted 3 times
Luweho
1 month ago
We are to prevent new application from OBTAINING the keys which IS a management plane operation.
upvoted 1 times
...
...
emiliocb4
2 years, 10 months ago
Selected Answer: B
B is the correct one... preventing the user list the keys
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel