Exam AZ-400 topic 4 question 7 discussion

Actual exam question from Microsoft's AZ-400
Question #: 7
Topic #: 4

Your company has a project in Azure DevOps for a new web application.
The company identifies security as one of the highest priorities.
You need to recommend a solution to minimize the likelihood that infrastructure credentials will be leaked.
What should you recommend?

  • A. Add a Run Inline Azure PowerShell task to the pipeline.
  • B. Add a PowerShell task to the pipeline and run Set-AzureKeyVaultSecret.
  • C. Add an Azure Key Vault task to the pipeline.
  • D. Add Azure Key Vault references to Azure Resource Manager templates.
Suggested Answer: C

Comments

silverdeath
Highly Voted 5 years, 1 month ago
D is correct and needed, so the correct answer should be D
upvoted 54 times
jay158
3 years, 1 month ago
What if the web app is deployed using Terraform? It is not specified that the deployment is using ARM templates.
upvoted 6 times
hotspot02103
5 months, 1 week ago
Terraform (or any other tool of choice) is irrelevant. Even if you decide on Terraform, configuring Key Vault alone doesn't necessarily mean that you are clever enough not to use the key vault in a wrong way -> keys flying around in/out of the key vault, not following security best practices. The step of referencing a key from the key vault implies already having the key vault (the task to add the key vault is completed too); referencing keys just emphasizes properly handling the keys, e.g. the topic of the question -> correct answer D.
upvoted 1 times
...
NandoRU777
2 years, 3 months ago
In Terraform you can reference Azure Key Vault secrets too and inject them into the entire Terraform infrastructure deployment code
upvoted 1 times
...
Tyler2023
1 year, 9 months ago
This is a Microsoft-related certification; there is a small number of questions that require third-party tools, so always assume that we are using Microsoft Azure tools like ARM and Bicep
upvoted 7 times
...
...
...
artisticcheese
Highly Voted 5 years, 6 months ago
Correct answer is C. This is the task to retrieve Key Vault secrets to use in following tasks
upvoted 30 times
NKnab
4 years, 10 months ago
https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-key-vault?view=azure-devops
upvoted 2 times
...
Yanzhi
5 years, 5 months ago
D is more "correct" than C, because the protection object is infra's credential; it may or may not be used in the pipeline.
upvoted 73 times
Fred64
5 years ago
The problem with C is that we will inject secrets into parameters. They can later be read in the deployment blade in the portal
upvoted 6 times
ppp_ppp1
1 month ago
And generally you create a random string and push it to KV as a secret, so only users with the KV secret officer or higher role can see it after
upvoted 1 times
...
icedog
1 year, 11 months ago
Not if the parameter type is securestring; if it's anything else then yes, it can be read
upvoted 1 times
...
...
hart232
5 years ago
.....Assuming ARM is used for deploying infrastructure.
upvoted 5 times
...
TosO
5 years, 2 months ago
Correct
upvoted 10 times
silverdeath
5 years, 1 month ago
yes, correct
upvoted 3 times
...
...
...
Tyler2023
1 year, 9 months ago
The Set-AzKeyVaultSecret cmdlet creates or updates a secret in a key vault in Azure Key Vault. If the secret does not exist, this cmdlet creates it. If the secret already exists, this cmdlet creates a new version of that secret. You need to use the Get-AzKeyVaultSecret cmdlet to get secrets in a key vault. This cmdlet gets a specific secret or all the secrets in a key vault. ANSWER is D: https://learn.microsoft.com/en-us/powershell/module/az.keyvault/set-azkeyvaultsecret?view=azps-10.2.0
upvoted 2 times
ozbonny
1 year, 3 months ago
but it stores credentials within scripts so it poses a security risk.
upvoted 1 times
...
...
...
Rabi3
Most Recent 1 week, 5 days ago
Selected Answer: D
Adding a Key Vault step in the pipeline doesn't necessarily eliminate the risk of credentials leaking, while adding references for Key Vault in the deployment template would do
upvoted 1 times
...
abhmala1
4 months, 2 weeks ago
Selected Answer: C
the question talks about ADO and there is pipeline word in 3/4 options so it has to be C rather than D
upvoted 1 times
...
Dankho
6 months, 1 week ago
Selected Answer: C
can be C and D to be frank, they both are good solutions to "minimize the likelihood that infrastructure credentials will be leaked". Going with C because it's more general and it seems that the initial building of the infrastructure has been done.
upvoted 2 times
...
DaveVentura
6 months, 1 week ago
Selected Answer: D
I would say D
upvoted 1 times
...
maqsoodshah
7 months, 3 weeks ago
Option C is better when secrets are needed inside the pipeline execution (e.g., during deployment). Option D is better for ARM templates or app configurations that need to reference secrets without pipeline interaction.
upvoted 1 times
...
Mattt
8 months ago
Selected Answer: C
The given answer is correct
upvoted 1 times
...
hajurbau
11 months, 4 weeks ago
Selected Answer: C
Going with C assuming adding kv task in ado pipeline
upvoted 1 times
...
hajurbau
12 months ago
Selected Answer: C
I am going with C assuming I am adding keyvault task in the ado pipeline.
upvoted 1 times
...
isaurabhgoyal
1 year, 1 month ago
Selected Answer: C
Option D, adding Azure Key Vault references to Azure Resource Manager templates, is a valid approach for securely accessing credentials and other sensitive information in your infrastructure deployment. However, it is more focused on managing secrets within your infrastructure code rather than in your CI/CD pipeline. For the specific scenario of minimizing the likelihood of infrastructure credentials being leaked in an Azure DevOps pipeline, using an Azure Key Vault task directly in the pipeline (Option C) is a more direct and secure approach. This allows you to retrieve secrets from Azure Key Vault at runtime without exposing them in your pipeline configuration. So the ANS is C
upvoted 4 times
...
4bd3116
1 year, 1 month ago
Selected Answer: C
By using an Azure Key Vault task in your pipeline, you can retrieve secrets during runtime without exposing them in your code or configuration files.
upvoted 1 times
...
chloaus
1 year, 1 month ago
The question is referring to infrastructure credentials. Instead of putting a secure value (like a password) directly in your template or parameter file, you can retrieve the value from an Azure Key Vault during a deployment. You retrieve the value by referencing the key vault and secret in your parameter file. The value is never exposed because you only reference its key vault ID. https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
upvoted 2 times
...
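An added example, not part of any comment in this thread and not Microsoft's code: a small Python lint check for the pattern discussed above (Key Vault references in ARM parameter files, and the securestring remark). It flags credential-like parameters that are not declared `securestring` or that carry a literal value instead of a Key Vault reference; the name heuristic, the sample templates and the placeholder vault ID are constructed assumptions.

```python
import re

# Heuristic for credential-like parameter names (an assumption of this example).
SECRET_NAME = re.compile(r"(password|secret|key|token|connectionstring)", re.I)

def lint_arm(template: dict, parameters: dict) -> list[str]:
    """Return findings about secret handling in an ARM template + parameter file."""
    findings = []
    supplied = parameters.get("parameters", {})
    for name, spec in template.get("parameters", {}).items():
        ptype = spec.get("type", "").lower()
        secure = ptype in ("securestring", "secureobject")
        entry = supplied.get(name, {})
        ref = entry.get("reference")
        # Sensitive if declared secure, fed from Key Vault, or named like a credential.
        if not (secure or ref is not None or SECRET_NAME.search(name)):
            continue
        if not secure:
            findings.append(f"{name}: declared as '{ptype}', not securestring")
        if "defaultValue" in spec:
            findings.append(f"{name}: hard-coded defaultValue in template")
        if "value" in entry:
            findings.append(f"{name}: literal value in parameter file")
        if ref is not None and not (ref.get("keyVault", {}).get("id") and ref.get("secretName")):
            findings.append(f"{name}: reference needs keyVault.id and secretName")
    return findings

# Constructed sample input; the vault ID is a placeholder, not a real resource.
VAULT_ID = ("/subscriptions/<subscription-id>/resourceGroups/<rg-name>"
            "/providers/Microsoft.KeyVault/vaults/<vault-name>")
WEAK_TEMPLATE = {"parameters": {"adminLogin": {"type": "string"},
                                "adminPassword": {"type": "string"}}}
WEAK_PARAMS = {"parameters": {"adminLogin": {"value": "azureuser"},
                              "adminPassword": {"value": "constructed-example"}}}
FIXED_TEMPLATE = {"parameters": {"adminLogin": {"type": "string"},
                                 "adminPassword": {"type": "securestring"}}}
FIXED_PARAMS = {"parameters": {
    "adminLogin": {"value": "azureuser"},
    "adminPassword": {"reference": {"keyVault": {"id": VAULT_ID},
                                    "secretName": "ExamplePassword"}}}}

if __name__ == "__main__":
    for finding in lint_arm(WEAK_TEMPLATE, WEAK_PARAMS):
        print("WEAK :", finding)
    print("FIXED:", lint_arm(FIXED_TEMPLATE, FIXED_PARAMS) or "no findings")
```

A check like this can run as a pipeline step before deployment so that a parameter file with an inline credential fails the build.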
ozbonny
1 year, 3 months ago
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/key-vault-parameter?tabs=azure-cli
upvoted 1 times
...
ozbonny
1 year, 3 months ago
C. Add an Azure Key Vault task to the pipeline.
upvoted 1 times
...
saket051985
1 year, 4 months ago
C. Add an Azure Key Vault task to the pipeline. By using Azure Key Vault tasks, you can securely store and retrieve secrets in Azure Key Vault during your build or release process, reducing the exposure of sensitive information like credentials in your pipelines. Option D (Add Azure Key Vault references to Azure Resource Manager templates) is also a good practice, but it may not directly address the concern of credentials leaking during the pipeline execution. It's more about securely referencing secrets during infrastructure deployment. Therefore, the correct answer is C
upvoted 1 times
...
vsvaid
1 year, 5 months ago
Selected Answer: C
I think C, as this task is only for retrieving passwords securely. Can be done with D as well, but C is the better choice
upvoted 1 times
...