CCNA Secure compute, storage, and databases Questions

18 of 243 questions · Page 4/4 · Secure compute, storage, and databases · Answers revealed

226
Multi-Select · medium

You are designing a secure storage strategy for an Azure Storage account that will host sensitive financial data. The solution must protect data at rest, in transit, and during processing. Which three of the following security controls should you implement? (Choose three.)

Select 3 answers
- Enable Azure Storage encryption using customer-managed keys (CMK) stored in Azure Key Vault.
- Enable Azure Defender for Storage to detect anomalous access patterns and potential threats.
- Configure Azure Storage firewalls and virtual network service endpoints to restrict network access.
- Enable Azure Storage analytics logging with retention set to 90 days.
- Configure a shared access signature (SAS) token with full account-level permissions for each user.
- Use Azure Traffic Manager to distribute storage requests across multiple regions.

Why this answer

Customer-managed keys (CMK) in Azure Key Vault provide an additional layer of protection for data at rest by allowing you to control the encryption keys used by Azure Storage. Azure Defender for Storage detects anomalous access patterns and potential threats, protecting data during processing. Configuring firewalls and virtual network service endpoints restricts network access, securing data in transit by ensuring only trusted networks can communicate with the storage account.

Exam trap

The trap here is that candidates often confuse operational features like logging or load balancing with direct security controls that protect data confidentiality, integrity, and availability during all three states (at rest, in transit, and during processing).

227
MCQ · hard

Your company has an Azure SQL Managed Instance that stores sensitive customer data. You need to implement a solution that automatically classifies and protects the sensitive data in the database, with minimal manual intervention. The solution should integrate with Microsoft Purview. What should you use?

A. Microsoft Defender for SQL (Data Discovery & Classification)
B. SQL Server Audit
C. Azure Policy with built-in SQL classification policy
D. Dynamic Data Masking
Answer: A

Defender for SQL provides automated data discovery and classification, with integration to Purview for cataloging.

Why this answer

Option A is correct because Microsoft Defender for SQL includes data discovery and classification, which can be integrated with Purview. Option C is wrong because Azure Policy is for compliance enforcement, not classification. Option D is wrong because Dynamic Data Masking masks data but does not classify it.

Option B is wrong because SQL Server Audit logs access but does not classify data.

228
MCQ · hard

Your company uses Azure Database for PostgreSQL flexible server. You need to enable auditing of all database-level events and ensure audit logs are retained for compliance purposes for 5 years. What should you configure?

A. Configure Azure SQL Database auditing and point it to the PostgreSQL server.
B. Enable the pgAudit extension and write audit logs to a database table.
C. Enable diagnostic settings on the subscription and select the PostgreSQL server.
D. Enable server parameters for pgAudit, set the audit log destination to Azure Monitor, and configure diagnostic settings to stream logs to a Log Analytics workspace with 5-year retention.
Answer: D

This meets auditing and retention requirements.

Why this answer

Option D is correct because Azure Database for PostgreSQL flexible server can log audit events via server parameters (e.g., pgaudit.log) and send the logs to a Log Analytics workspace or storage account for long retention. Option B (audit logs written to a table) is not supported. Option A (Azure SQL Database auditing) does not apply to PostgreSQL.

Option C (diagnostic settings) must be configured on the PostgreSQL server, not on the entire subscription.

229
MCQ · hard

A company uses Azure SQL Database with Transparent Data Encryption (TDE) encrypted using a customer-managed key (CMK) stored in Azure Key Vault. The Key Vault is protected by a firewall that denies all public access. The SQL server must be able to access the key for TDE operations. Which additional configuration is necessary in the Key Vault to allow this?

A. Configure a private endpoint for the Key Vault and assign it to the SQL server's virtual network.
B. Enable soft-delete on the Key Vault.
C. Enable the 'Allow trusted Microsoft services to bypass this firewall' setting.
D. Add a firewall rule to allow traffic from the Azure SQL Database's public IP address.
Answer: C

This setting allows Azure services like Azure SQL Database, which are trusted by Azure, to access the Key Vault even when the firewall is enabled to deny public traffic. It is the required configuration to allow TDE operations.

Why this answer

Option C is correct because when Azure Key Vault is protected by a firewall that denies all public access, the Azure SQL Database service (a trusted Microsoft service) must be explicitly allowed to bypass the firewall to retrieve the customer-managed key for TDE operations. Enabling the 'Allow trusted Microsoft services to bypass this firewall' setting permits the SQL server's managed identity to authenticate and access the key vault without requiring a public IP address or network rule.

Exam trap

The trap here is that candidates often confuse network-level controls (private endpoints, firewall rules) with the Azure platform's built-in trust mechanism, mistakenly thinking that a private endpoint or a static IP rule is required when the simpler 'trusted Microsoft services' bypass is the correct and intended solution for PaaS services like Azure SQL Database.

How to eliminate wrong answers

Option A is wrong because a private endpoint for Key Vault would require the SQL server to be on the same virtual network, but Azure SQL Database is a PaaS service that does not reside in a customer's virtual network by default; the SQL server's managed identity accesses Key Vault over the Azure backbone, not via a private endpoint. Option B is wrong because soft-delete is a data protection feature that prevents permanent deletion of keys, secrets, or certificates, but it does not control network access or firewall bypass for TDE operations. Option D is wrong because Azure SQL Database does not have a static public IP address; its outbound IPs can change and are not assigned to the logical server, making a firewall rule based on a public IP unreliable and unnecessary when the trusted Microsoft services bypass is available.

230
MCQ · hard

Refer to the exhibit. You are reviewing an ARM template for an Azure Storage account. Which of the following is true about the deployment?

A. The storage account will use customer-managed keys from Azure Key Vault.
B. The storage account will use locally redundant storage (LRS).
C. The storage account will have a firewall rule to restrict access to specific IPs.
D. The storage account will enforce HTTPS traffic and replicate data to a paired region.
Answer: D

HTTPS enforced by supportsHttpsTrafficOnly; GRS replicates to paired region.

Why this answer

Option D is correct. The template sets 'supportsHttpsTrafficOnly': true, which enforces HTTPS. The SKU is Standard_GRS, which provides geo-redundant storage (6 copies across 2 regions).

Option A is wrong because keySource is Microsoft.Storage (platform-managed), not Key Vault. Option C is wrong because the template does not include any networking rules. Option B is wrong because Standard_GRS provides geo-redundancy, not just LRS.

231
MCQ · medium

You are reviewing an Azure Resource Manager template for a storage account. The exhibit shows a snippet of the template. Which statement about the template is true?

A. Encryption is disabled for the storage account.
B. The storage account will use customer-managed keys from Azure Key Vault.
C. The storage account will use Microsoft-managed keys for encryption.
D. Encryption is enabled only for blob storage.
Answer: C

keySource is Microsoft.Storage, meaning Microsoft-managed keys.

Why this answer

The template shows encryption enabled for both the blob and file services using Microsoft-managed keys (keySource: Microsoft.Storage). Option C is correct. Option B is wrong because the key source is not Key Vault.

Option D is wrong because encryption covers both blob and file, not blob only. Option A is wrong because encryption is not disabled.

232
MCQ · easy

You need to prevent data exfiltration from Azure Storage accounts by controlling which networks can access them. Which Azure feature should you use?

A. Azure Storage shared access signatures (SAS)
B. Azure Firewall
C. Azure Private Link
D. Azure Storage firewalls and virtual network rules
Answer: D

These rules restrict access to specific networks, preventing exfiltration.

Why this answer

Azure Storage firewalls and virtual network rules allow you to restrict access to specific IP addresses or virtual networks. Option D is correct. Option A is wrong because SAS tokens provide time-limited access but do not restrict networks.

Option C is wrong because Azure Private Link provides private connectivity but does not block exfiltration by itself. Option B is wrong because Azure Firewall is for network traffic filtering, not storage access control.

233
Multi-Select · medium

You are responsible for securing Azure Storage accounts that contain confidential documents. You need to implement a solution that prevents accidental deletion of storage accounts and ensures that deleted blobs can be recovered within 30 days. Which two actions should you take?

Select 2 answers
A. Configure an immutability policy
B. Enable blob soft delete with a retention period of 30 days
C. Enable container soft delete
D. Apply a CanNotDelete resource lock to the storage account
E. Configure network rules to block all public access
Answers: B, D

Allows recovery of deleted blobs within 30 days.

Why this answer

Option D is correct because a CanNotDelete resource lock prevents deletion of the storage account. Option B is correct because soft delete for blobs allows recovery within the specified retention period. Option C (container soft delete) is for versioning for blobs, not deletion prevention.

Option A (immutability policy) is for legal hold, not recovery. Option E (network rules) is for access control.

234
MCQ · hard

You have an Azure SQL Database that stores credit card numbers. You need to encrypt the column containing the credit card numbers so that only authorized applications can decrypt the data. The database administrator should not be able to view the plaintext data. Which feature should you use?

A. Transparent Data Encryption (TDE)
B. Column-level encryption using SQL Server built-in functions
C. Dynamic Data Masking
D. Always Encrypted with secure enclaves
Answer: D

Keys are stored client-side; DBA cannot decrypt.

Why this answer

Option D is correct because Always Encrypted with secure enclaves allows client-side encryption, and the database administrator cannot access the plaintext keys. Option C is wrong because Dynamic Data Masking only masks data at query time; the DBA can still access the underlying data. Option A is wrong because TDE encrypts at rest but the DBA can still query the data.

Option B is wrong because column-level encryption in SQL Server is server-side and the DBA has access to the keys.

235
MCQ · easy

You need to securely store secrets, such as connection strings and API keys, for use by an Azure Functions app. The solution must automatically rotate the secrets and audit access. What should you use?

A. Azure Key Vault
B. Azure Blob Storage with encryption
C. Managed Identity
D. Application settings in the function app configuration
Answer: A

Key Vault securely stores secrets, supports rotation, and provides detailed audit logs.

Why this answer

Option A is correct because Azure Key Vault is designed to store secrets securely, supports automatic rotation, and provides auditing. Option D is wrong because application settings are not encrypted at rest by default and do not support rotation or auditing. Option B is wrong because Azure Blob Storage is not optimized for secrets management.

Option C is wrong because managed identities provide an identity, not secret storage.

236
MCQ · easy

A company stores sensitive data in Azure Blob Storage. They want to ensure that the data is encrypted at rest using a customer-managed key (CMK) stored in Azure Key Vault. Additionally, they need the ability to immediately make the data inaccessible in case of a security breach. Which configuration on the storage account enables this?

A. Enable Azure Storage encryption with a customer-managed key (CMK)
B. Enable infrastructure encryption
C. Enable soft delete for the storage account
D. Enable Azure AD authentication for Blob Storage
Answer: A

CMK gives the customer control over the encryption keys. Revoking the key in Key Vault immediately blocks access to the data, meeting the security requirement.

Why this answer

Option A is correct because enabling Azure Storage encryption with a customer-managed key (CMK) stored in Azure Key Vault allows the customer to control the encryption key used for data at rest. In the event of a security breach, the customer can immediately revoke access to the CMK in Key Vault (e.g., by disabling the key or deleting the key vault), which renders the encrypted Blob Storage data inaccessible because Azure Storage cannot decrypt it without the key. This satisfies both the encryption-at-rest requirement and the ability to make data inaccessible on demand.

Exam trap

The trap here is that candidates often confuse soft delete (which protects against accidental deletion) with the ability to make data inaccessible via key revocation, or they assume infrastructure encryption or Azure AD authentication provide the same control as CMK, but only CMK with key revocation in Key Vault gives the customer direct, immediate control over data accessibility.

How to eliminate wrong answers

Option B is wrong because infrastructure encryption provides an additional layer of encryption at the storage infrastructure level using platform-managed keys, but it does not use customer-managed keys and does not allow the customer to revoke access to make data inaccessible. Option C is wrong because soft delete for the storage account protects against accidental deletion by retaining deleted data for a retention period, but it does not provide encryption with customer-managed keys or the ability to immediately make data inaccessible during a breach. Option D is wrong because Azure AD authentication for Blob Storage controls access to data via identity-based authorization, but it does not encrypt data at rest with customer-managed keys or provide a mechanism to revoke encryption keys to make data inaccessible.

237
MCQ · medium

A company stores confidential data in Azure Blob Storage. They need to ensure that all data at rest is encrypted and they must be able to quickly rotate the encryption key on demand in case of a security breach. They also want to minimize administrative overhead. Which encryption option should they use?

A. Server-side encryption with Microsoft-managed keys
B. Server-side encryption with customer-managed keys (CMK) stored in Azure Key Vault
C. Client-side encryption
D. Azure Disk Encryption
Answer: B

CMK allows you to bring your own key and rotate it as needed. Azure Key Vault integration simplifies key management.

Why this answer

Server-side encryption with customer-managed keys (CMK) stored in Azure Key Vault allows the organization to control and rotate the encryption key on demand, meeting the security breach response requirement. This option encrypts data at rest in Azure Blob Storage while minimizing administrative overhead because Azure manages the encryption process, and the customer only manages the key lifecycle in Key Vault.

Exam trap

The trap here is that candidates confuse Azure Disk Encryption (which encrypts VM disks) with Azure Storage encryption, or assume that Microsoft-managed keys support on-demand rotation, when in fact only customer-managed keys allow the customer to control the key lifecycle.

How to eliminate wrong answers

Option A is wrong because Microsoft-managed keys cannot be rotated on demand by the customer; the rotation schedule is controlled by Microsoft, which fails the requirement for quick key rotation in a breach. Option C is wrong because client-side encryption requires the application to manage encryption and key rotation, increasing administrative overhead and complexity, which contradicts the goal of minimizing overhead. Option D is wrong because Azure Disk Encryption is designed for encrypting virtual machine disks (OS and data disks), not for Azure Blob Storage data at rest.

238
MCQ · medium

You have an Azure SQL Managed Instance that hosts a line-of-business application. The application requires that all connections use Windows Authentication. You need to ensure that the authentication is secure and that the managed instance can integrate with on-premises Active Directory. What should you configure?

A. Enable Always Encrypted with secure enclaves
B. Configure Azure AD Kerberos authentication and set up a trust with on-premises Active Directory
C. Enable Azure AD authentication and configure passwordless sign-in
D. Configure VNet integration with a site-to-site VPN
Answer: B

Enables Windows Authentication.

Why this answer

Option B is correct: Azure SQL Managed Instance supports Windows Authentication via Kerberos, and Azure AD Kerberos authentication allows on-premises AD integration. Option C (Azure AD passwordless sign-in) is for Azure AD, not on-premises AD. Option A (Always Encrypted) is for column encryption.

Option D (VNet integration) is for networking.

239
MCQ · medium

Refer to the exhibit. You are deploying an Azure Disk Encryption Set using this ARM template. The deployment succeeds, but when you try to create a disk using this encryption set, the disk creation fails with an error about key vault permissions. What is the most likely cause?

A. The identity type should be UserAssigned
B. The key vault URI is malformed
C. The disk encryption set's system-assigned identity lacks Get, WrapKey, and UnwrapKey permissions on the key vault
D. The key source should be Microsoft.Storage
Answer: C

The identity must be granted these permissions to access the key. The empty key version means it uses the latest key, but permissions are still required.

Why this answer

Option C is correct because the key version is empty, which means the disk encryption set will use the latest version of the key. However, the system-assigned identity still needs Get, WrapKey, and UnwrapKey permissions on the key vault. The error indicates that the key vault access policy for that identity is missing.

Option A is wrong because the identity is correctly defined. Option B is wrong because the key vault URI is correct. Option D is wrong because the key source is correctly set to Key Vault.

240
MCQ · medium

You have an Azure Cosmos DB account with multiple containers. You need to ensure that data is encrypted at rest using a customer-managed key stored in Azure Key Vault. Which steps should you take?

A. Use Azure Disk Encryption on the VMs hosting Cosmos DB.
B. Configure the Cosmos DB account to use a customer-managed key from Key Vault and assign the appropriate RBAC role.
C. Enable Transparent Data Encryption (TDE) and bring your own key (BYOK) from Key Vault.
D. Enable Always Encrypted on the Cosmos DB account and reference the key from Key Vault.
Answer: B

This enables CMK for Cosmos DB.

Why this answer

Option B is correct because Cosmos DB supports customer-managed keys (CMK) through integration with Azure Key Vault. You must configure the key in the Cosmos DB encryption settings and grant the Cosmos DB managed identity access to the Key Vault. Option D is wrong because Always Encrypted is for SQL Server.

Option A is wrong because Azure Disk Encryption is for VMs. Option C is wrong because TDE is for Azure SQL Database.

241
MCQ · hard

A company plans to enable Azure Disk Encryption (ADE) on a fleet of Windows virtual machines. They want to use a key stored in Azure Key Vault to encrypt the disks. Which additional access configuration must be made in the Key Vault to allow ADE to succeed?

A. Grant the Azure Disk Encryption service principal (Microsoft.Azure.Security) appropriate key permissions in the Key Vault access policy.
B. Assign a managed identity to each VM and grant that identity key permissions in the Key Vault.
C. Enable soft-delete and purge protection on the Key Vault.
D. Assign the 'Key Vault Contributor' RBAC role to the Azure Disk Encryption service principal.
Answer: A

ADE relies on the Azure Disk Encryption service principal to access the encryption key. You must grant this principal the 'get', 'wrapKey', and 'unwrapKey' permissions in the access policy.

Why this answer

Azure Disk Encryption (ADE) uses the Azure platform's built-in service principal (Microsoft.Azure.Security) to access the Key Vault and retrieve the disk encryption key. Without granting this service principal the necessary 'Get', 'WrapKey', and 'UnwrapKey' key permissions in the Key Vault access policy, ADE cannot authenticate and perform the encryption operations. This is a mandatory configuration step for ADE to succeed.

Exam trap

The trap here is that candidates often confuse the need to grant permissions to the VM's managed identity (Option B) with the actual requirement to grant permissions to the Azure Disk Encryption service principal, because ADE does not use the VM's identity to access the Key Vault.

How to eliminate wrong answers

Option B is wrong because assigning a managed identity to each VM and granting that identity key permissions is not the required access configuration for ADE; ADE uses the Azure platform service principal, not the VM's identity, to access the Key Vault. Option C is wrong because enabling soft-delete and purge protection is a recommended security feature for Key Vault but is not an additional access configuration required for ADE to succeed; ADE can work without these settings. Option D is wrong because assigning the 'Key Vault Contributor' RBAC role to the Azure Disk Encryption service principal grants management plane permissions (e.g., to modify the vault itself), not the data plane key permissions (e.g., WrapKey, UnwrapKey) that ADE needs to encrypt disks.

242
MCQ · hard

Your company uses Azure SQL Database. You need to ensure that all queries from a specific application use Always Encrypted to protect sensitive columns. The application is developed in C#. What must you configure in the application and database?

A. Enable Transparent Data Encryption (TDE) on the database and use integrated security.
B. Configure Dynamic Data Masking and use the ODBC driver.
C. Define a column master key and column encryption key in the database, and update the connection string to include 'Column Encryption Setting=enabled'.
D. Use Azure Information Protection labels and configure the application to enforce protection.
Answer: C

This enables Always Encrypted in the client driver.

Why this answer

Option C is correct because Always Encrypted requires column master key and column encryption key definitions in the database plus client-side driver support (e.g., .NET Framework 4.6.1+ with 'Column Encryption Setting=enabled' in the connection string). Option A is wrong because Transparent Data Encryption (TDE) encrypts the entire database at rest, not individual columns at query time. Option B is wrong because Dynamic Data Masking only obfuscates query results; it is not encryption.

Option D is wrong because Azure Information Protection is for classification and labeling, not SQL column encryption.

243
Matching · medium

Match each Azure encryption concept to its description.

Descriptions
- Data is encrypted when stored on disk
- Data is encrypted during network transmission
- Azure encrypts data before writing to storage
- Data encrypted by client before sending to Azure
- Encrypts OS and data disks using BitLocker/DM-Crypt

Why these pairings

Encryption is key to data protection in Azure.
