DP-300 Implement a secure environment • Complete Question Bank
Complete DP-300 Implement a secure environment question bank — all 0 questions with answers and detailed explanations.
You are the database administrator for a healthcare company that uses Azure SQL Database to store patient records. The database is named PatientDB. The security team mandates that all database access must be audited, and any suspicious activity must be alerted in real time. Additionally, compliance requires that all data at rest be encrypted using a customer-managed key stored in Azure Key Vault. You have configured the following:
- TDE with customer-managed key in AKV (key vault name: KV-Health, key name: PatientKey)
- Azure SQL Auditing enabled, writing logs to a storage account (StorageAcctLogs)
- Advanced Threat Protection (ATP) enabled with alerts sent to the security team's email
- Firewall rules allowing only the application server's public IP (203.0.113.50)
A week later, the security team reports that they received an ATP alert about a potential SQL injection attack from IP 198.51.100.25. However, when they check the audit logs, they find no entries from that IP. They also notice that the database remains accessible. The security team wants to know why the audit logs do not contain the suspicious IP even though ATP detected it. What is the most likely reason?
Refer to the exhibit.
```json
{
"properties": {
"startIPAddress": "10.0.0.0",
"endIPAddress": "10.0.0.255"
}
}
```
Refer to the exhibit.
```sql
ALTER DATABASE SCOPED CREDENTIAL MyCred WITH IDENTITY = 'Managed Identity';
```
You are the database administrator for a company that uses Azure SQL Database. The company has a strict security policy requiring that all database connections be encrypted using TLS 1.2 or higher and that the server certificate be validated to prevent man-in-the-middle attacks. Additionally, the company wants to ensure that only applications running on Azure virtual machines (VMs) in a specific virtual network (VNet) can access the database. The VMs use a subnet named 'AppSubnet'. You have configured the following:
1. The server 'Allow Azure Services' setting is OFF.
2. A virtual network rule is added for 'AppSubnet' with the service endpoint for Microsoft.Sql enabled.
3. The server firewall has no other rules.
4. The 'Minimum TLS version' is set to 1.2.
5. All client applications are configured to use 'Encrypt=True' and 'TrustServerCertificate=False' in their connection strings.
After deployment, you discover that connections from the VMs are failing with the error: 'The certificate chain was issued by an authority that is not trusted'. What is the most likely cause of this issue?
Refer to the exhibit.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"Microsoft.Sql/servers/databases/read"
],
"Principal": {
"AzureAD": "devops@contoso.com"
},
"Scope": "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/rg1/providers/Microsoft.Sql/servers/sqlsrv1/databases/db1"
}
]
}
```
Refer to the exhibit.
```json
{
"role": "Azure SQL Database Contributor",
"scope": "/subscriptions/12345/resourceGroups/ProdRG/providers/Microsoft.Sql/servers/prodserver/databases/proddb",
"assignee": "user@contoso.com",
"condition": "((!(ActionMatches{'Microsoft.Sql/servers/databases/read'})) OR (@Request[Microsoft.Sql/servers/databases/read:DataAction] NotExists))",
"conditionVersion": "2.0"
}
```
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag a concept onto its matching description — or click a concept then click the description.
Single node, suitable for development and small workloads
Balanced compute and memory for most production workloads
High memory-to-core ratio for memory-intensive workloads
Low-cost option with ability to burst CPU performance
Drag a concept onto its matching description — or click a concept then click the description.
Managed service for online and offline migrations
Tool for migrating from other database platforms to SQL Server
Assesses compatibility and recommends improvements
Cross-platform tool for managing and migrating databases
Refer to the exhibit.
```json
{
"type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies",
"apiVersion": "2023-05-01-preview",
"name": "Default",
"properties": {
"retentionDays": 7,
"diffBackupIntervalInHours": 12
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"state": "Enabled",
"storageEndpoint": "https://storagesample.blob.core.windows.net",
"storageAccountAccessKey": null,
"retentionDays": 90,
"auditActionsAndGroups": [
"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
"FAILED_DATABASE_AUTHENTICATION_GROUP"
],
"storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
"isStorageSecondaryKeyInUse": false,
"queueDelayTime": 0
}
}
```
Refer to the exhibit.
```sql
CREATE USER [user@contoso.com] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [user@contoso.com];
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Sql/servers/databases/auditingSettings",
"apiVersion": "2022-05-01-preview",
"properties": {
"state": "Enabled",
"auditActionsAndGroups": [
"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
"FAILED_DATABASE_AUTHENTICATION_GROUP"
],
"isAzureMonitorTargetEnabled": true,
"storageEndpoint": "https://mystorageaccount.blob.core.windows.net",
"storageAccountAccessKey": "...",
"retentionDays": 90
}
}
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Sql/servers/databases/backupShortTermRetentionPolicies",
"apiVersion": "2022-05-01-preview",
"properties": {
"retentionDays": 35,
"diffBackupIntervalInHours": 12
}
}
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
"apiVersion": "2022-05-01-preview",
"properties": {
"state": "Enabled",
"emailAddresses": ["admin@contoso.com", "dba@contoso.com"],
"emailAccountAdmins": true,
"disabledAlerts": ["SqlInjection", "AccessAnomaly"],
"retentionDays": 0
}
}
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
"apiVersion": "2022-05-01-preview",
"properties": {
"status": "Enabled"
}
}
```
Refer to the exhibit. You are reviewing an Azure Policy assignment for an Azure SQL Database server. The policy definition is as follows:
```json
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Sql/servers"
},
{
"field": "Microsoft.Sql/servers/publicNetworkAccess",
"equals": "Enabled"
}
]
},
"then": {
"effect": "deny"
}
}
```
Refer to the exhibit. You execute the following PowerShell command to set the auditing policy for an Azure SQL Database:
```powershell
Set-AzSqlDatabaseAudit -ResourceGroupName "RG1" -ServerName "srv1" -DatabaseName "db1" `
    -AuditActionGroup "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP", "FAILED_DATABASE_AUTHENTICATION_GROUP" `
    -StorageAccountResourceId $storage.Id -RetentionInDays 90
```
Refer to the exhibit. You have an Azure SQL Database and you run the following KQL query in Azure Monitor:
```kusto
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where Category == "SQLSecurityAuditEvents"
| where action_id_s == "LGIF"
| project TimeGenerated, client_ip_s, application_name_s, succeeded_s
```
Refer to the exhibit.
```json
{
"properties": {
"publicNetworkAccess": "Disabled",
"minimalTlsVersion": "1.2",
"azureAdOnlyAuthentication": true,
"administratorLogin": "admin123",
"administratorLoginPassword": "P@ssw0rd!"
}
}
```
Refer to the exhibit.
```json
{
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/123/resourceGroups/rg1/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-sql-access": {}
}
},
"properties": {
"serverKeyType": "AzureKeyVault",
"uri": "https://kv-sql-keys.vault.azure.net/keys/sql-key/abc123",
"serverKeyName": "sql-key"
}
}
```
Refer to the exhibit.
```sql
SET IDENTITY_INSERT dbo.Orders ON;
INSERT INTO dbo.Orders (OrderID, CustomerName) VALUES (1001, 'Contoso');
SET IDENTITY_INSERT dbo.Orders OFF;
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
"apiVersion": "2022-05-01-preview",
"name": "current",
"properties": {
"state": "Enabled"
}
}
```
Refer to the exhibit.
```powershell
$auditRule = @{
    AuditAction                  = @("SELECT", "UPDATE", "DELETE")
    AuditActionGroup             = @("DATABASE_OBJECT_CHANGE_GROUP")
    RetentionDays                = 90
    StorageEndpoint              = "https://auditlogs.blob.core.windows.net"
    StorageAccountAccessKey      = $storageKey
    StorageAccountSubscriptionId = $subscriptionId
}
```
Refer to the exhibit.
```json
{
"properties": {
"serverKeyType": "AzureKeyVault",
"uri": "https://myvault.vault.azure.net/keys/mykey/123456",
"serverKeyName": "mykey",
"kind": "azurekeyvault"
},
"id": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Sql/servers/myserver/encryptionProtector/current",
"name": "current",
"type": "Microsoft.Sql/servers/encryptionProtector"
}
```
Refer to the exhibit.
```json
{
"properties": {
"startIpAddress": "0.0.0.0",
"endIpAddress": "0.0.0.0"
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"state": "Enabled",
"auditActionsAndGroups": [
"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
"FAILED_DATABASE_AUTHENTICATION_GROUP"
],
"storageAccountAccessKey": null,
"storageEndpoint": null,
"isAzureMonitorTargetEnabled": true
}
}
```
You are the database administrator for a large e-commerce company. The company has an Azure SQL Database named SalesDB that stores sensitive customer data including credit card numbers and personal details. The security team has mandated the following requirements:
1. All customer credit card numbers must be encrypted at rest and in transit between the application and the database. The encryption keys must be stored in a hardware security module (HSM) managed by the company.
2. All access to the database must be authenticated using Microsoft Entra ID, and multi-factor authentication (MFA) must be enforced for all administrative users.
3. Any attempts to access the database from unusual geographic locations must be detected and automatically blocked for 24 hours.
4. All schema changes must be audited, and the audit logs must be sent to a central Log Analytics workspace for analysis.
Currently, the database uses SQL authentication, no encryption, and no auditing. You need to implement the required security controls with minimal downtime. What should you do?
Refer to the exhibit.
```json
{
"properties": {
"name": "myAuditPolicy",
"type": "Microsoft.Sql/servers/databases/auditingSettings",
"apiVersion": "2023-02-01-preview",
"properties": {
"state": "Enabled",
"auditActionsAndGroups": [
"SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
"FAILED_DATABASE_AUTHENTICATION_GROUP"
],
"storageEndpoint": "https://mystorage.blob.core.windows.net",
"storageAccountAccessKey": "...",
"retentionDays": 90,
"isAzureMonitorTargetEnabled": true
}
}
}
```
You are a database administrator for a financial services company that uses Azure SQL Database for a critical trading application. The application connects using a service principal (Microsoft Entra application) and executes stored procedures. You need to implement the following security requirements:
1. All connections must use Microsoft Entra authentication with MFA enforced for the service principal.
2. The application should only be able to execute specific stored procedures (usp_Trade, usp_GetQuote) and no other operations.
3. All data at rest must be encrypted using customer-managed keys stored in Azure Key Vault.
4. Auditing must capture all failed login attempts and all changes to the database schema.
5. The database must be protected against SQL injection attacks from the application layer.
You have already configured Microsoft Entra authentication and enabled TDE with customer-managed key in Azure Key Vault. Which additional steps should you take to meet all remaining requirements?
You are the DBA for a company that uses Azure SQL Managed Instance to host multiple databases for different departments. The security team has mandated that:
- All connections to the managed instance must be encrypted using TLS 1.2 or higher.
- SQL Server authentication must be disabled; only Microsoft Entra authentication is allowed.
- A dedicated audit log must be created for each database to track all DDL changes and all failed login attempts.
- The audit logs must be stored in a central Azure Storage account with 180-day retention.
- Database administrators (DBAs) should not be able to view or modify the audit logs.
You have already set the minimal TLS version to 1.2 and disabled SQL Server authentication. What should you do next to meet the remaining requirements?
You are a junior DBA at a startup that uses Azure SQL Database for its SaaS application. The application uses a single database and the development team frequently makes schema changes. You need to implement security measures to:
1. Ensure that all connections from the application use TLS encryption.
2. Prevent unauthorized access from the internet.
3. Allow your office IP range (203.0.113.0/24) to connect for management.
4. Enable auditing of all schema changes.
5. Encrypt the database at rest using Azure-managed keys.
You have already enabled Transparent Data Encryption (TDE) with service-managed keys. What should you do next to meet the remaining requirements?
You are a database administrator for a healthcare company. You have an Azure SQL Database that stores patient records. The database is currently accessible from the public internet via firewall rules. You need to implement a secure environment that meets the following requirements:
- All traffic to the database must be private and not traverse the internet.
- The database must be accessible from an Azure Virtual Machine in a specific VNet.
- The solution must minimize management overhead and cost.
- You need to ensure that the database can be failed over to a secondary region in case of an outage.
What should you do?
Your organization is migrating a legacy on-premises SQL Server database to Azure SQL Managed Instance. The database contains sensitive financial data. You need to implement column-level encryption so that even database administrators cannot view the plaintext data. The encryption keys must be stored in Azure Key Vault, and the application must be able to encrypt and decrypt data transparently. The application currently uses Entity Framework Core and runs on Azure App Service. You have the following requirements:
- Use a solution that provides the strongest security by ensuring the database never has access to the plaintext.
- Minimize changes to the application code.
- The application must be able to perform equality searches on encrypted columns.
What should you implement?
You are setting up a new Azure SQL Database for a development team. The database will contain test data that mimics production but with some sensitive fields obfuscated. You need to ensure that developers can query the database without seeing the actual sensitive data. The developers will use Microsoft Entra ID authentication. You have the following requirements:
- The sensitive data should be automatically masked in query results for all developers except the database administrator.
- The masking should be applied without modifying the application code.
- The solution should be easy to manage and not require changes to the data model.
What should you implement?
Your company has an Azure SQL Database that is accessed by multiple applications. You need to implement a security solution that meets the following requirements:
- Each application must have its own database user with specific permissions.
- All authentication must use Microsoft Entra ID.
- You need to be able to rotate credentials for each application without impacting other applications.
- The solution must support automatic credential rotation for service principals.
What should you do?
Refer to the exhibit.
```json
{
"type": "Microsoft.Sql/servers/auditingSettings",
"apiVersion": "2021-02-01-preview",
"properties": {
"state": "Enabled",
"auditActionsAndGroups": [
"DATABASE_LOGOUT_GROUP",
"DATABASE_ROLE_MEMBER_CHANGE_GROUP",
"BATCH_COMPLETED_GROUP"
],
"isAzureMonitorTargetEnabled": true,
"storageEndpoint": "https://auditlogs.blob.core.windows.net/",
"retentionDays": 365
}
}
```