A company wants to store application configuration settings and secrets (e.g., database connection strings, API keys) securely with automatic rotation. Access must be controlled and audited. Which Azure service should they use?
Correct. Key Vault provides secure storage for secrets, supports automatic rotation policies, and integrates with Azure services for access control and auditing.
Why this answer
Azure Key Vault is the correct choice because it is designed specifically for securely storing and managing secrets, keys, and certificates. It supports automatic rotation of secrets via integration with Azure managed identities and event grid notifications, and provides fine-grained access control through Azure RBAC and access policies, with full auditing via Azure Monitor and diagnostic logs.
Exam trap
The trap here is that candidates often confuse Azure App Configuration with Key Vault because both deal with configuration, but App Configuration is for non-sensitive settings and feature flags, while Key Vault is the only service that provides secure secret storage with rotation and auditing.
How to eliminate wrong answers
Option B (Azure App Configuration) is wrong because it is optimized for managing application configuration settings and feature flags, not for storing secrets; it lacks native automatic rotation and secret-specific access policies. Option C (Azure Storage Queues) is wrong because it is a message queue service for asynchronous communication, not a secure store for secrets or configuration. Option D (Azure Service Bus) is wrong because it is an enterprise message broker for reliable messaging and pub/sub patterns, not a secrets management service.