Your application stores user-generated content in Azure Blob Storage. You need to implement a shared access signature (SAS) that allows users to upload files to a specific container but not read or delete. The SAS must be valid for one hour. Which type of SAS should you use?
Service SAS can be restricted to a container with only write permission.
Why this answer
A Service SAS is the correct choice because it allows you to delegate access to a specific Azure Blob Storage resource (in this case, a container) with granular permissions. You can generate a Service SAS scoped to the container with only the 'Create' and 'Write' permissions (no 'Read' or 'Delete'), and set its expiry to one hour. This meets the requirement of allowing uploads while preventing reads or deletes.
Exam trap
The trap here is that candidates often confuse 'Service SAS' with 'Account SAS' because both can be used for blobs, but the Account SAS applies to the entire storage account and cannot be restricted to a single container, whereas the Service SAS is resource-specific.
How to eliminate wrong answers
Option A is wrong because an Account SAS grants access to multiple services (blob, queue, table, file) and all resources under the storage account, making it too broad and not scoped to a single container. Option C is wrong because a stored access policy is not a type of SAS; it is a server-side policy that can be used to control SAS permissions and expiry, but the question asks for the type of SAS itself. Option D is wrong because a User delegation SAS is secured with Azure AD credentials and is used for operations like listing blobs or reading/writing with specific RBAC roles, but it is typically used for scenarios requiring finer-grained identity-based access, not for a simple time-limited upload-only SAS.
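To see the distinction between the SAS types and the upload-only requirement in a token itself, the following added example (not part of the original page) audits a SAS query string on the defender's side. The function names and sample tokens are constructed for illustration; the query fields (`sr`, `sp`, `se`, `st`, `si`, `ss`, `srt`, `skoid`, `sktid`) are the standard Azure Storage SAS parameters, and the expiry is assumed to be in the full `YYYY-MM-DDTHH:MM:SSZ` form.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

ACCOUNT_KEYS = {"ss", "srt"}               # account SAS: signed services / resource types
USER_DELEGATION_KEYS = {"skoid", "sktid"}  # user delegation SAS: signed key object / tenant
UPLOAD_ONLY = set("cw")                    # create + write only


def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sas_type(params):
    """Classify a SAS by the query parameters that only that type carries."""
    if ACCOUNT_KEYS & params.keys():
        return "account"
    if USER_DELEGATION_KEYS & params.keys():
        return "user-delegation"
    return "service" if "sr" in params else "unknown"


def audit_upload_sas(token, now, max_lifetime=timedelta(hours=1)):
    """Return findings for a SAS query string; an empty list means it fits the policy."""
    params = {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}
    findings = []
    if sas_type(params) != "service":
        findings.append(f"type is {sas_type(params)}, expected service")
    if params.get("sr") != "c":
        findings.append("not scoped to a container")
    if "si" in params:
        findings.append("stored access policy referenced; cannot be verified from the token")
    perms = set(params.get("sp", ""))
    if not perms or perms - UPLOAD_ONLY:
        findings.append("token permissions are not create/write only: " + params.get("sp", "<none>"))
    try:
        start = _utc(params["st"]) if "st" in params else now
        if _utc(params["se"]) - start > max_lifetime:
            findings.append("validity window exceeds the allowed lifetime")
    except (KeyError, ValueError):
        findings.append("missing or unparseable expiry (se) or start (st)")
    return findings


# Constructed sample tokens; signatures are placeholders, not real values.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
GOOD = "sv=2022-11-02&sr=c&sp=cw&se=2024-05-01T13%3A00%3A00Z&spr=https&sig=PLACEHOLDER"
BROAD = "sv=2022-11-02&ss=bfqt&srt=sco&sp=rwdlc&se=2024-05-02T12%3A00%3A00Z&sig=PLACEHOLDER"

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("BROAD", BROAD)):
        print(name, audit_upload_sas(tok, NOW) or "ok")
```

The check only inspects the token's fields; it does not validate the signature, which only the storage service can do.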