Back to Azure Security Engineer Associate (AZ-500)

Secure compute, storage, and databases

Implement advanced security for compute resources, storage accounts, and Azure SQL databases.

Covers planning and implementing advanced security for compute including Azure Bastion, JIT VM access, AKS network isolation and authentication, container security monitoring, Azure Container Registry access, disk encryption options, and API Management security. Includes storage security such as access control, storage account keys, Azure Files and Blob access, data protection (soft delete, versioning, immutable storage), BYOK, and infrastructure encryption. Also covers Azure SQL Database and SQL Managed Instance security including Entra authentication, auditing, dynamic data masking, TDE, and Always Encrypted.
5 minutes 5 Questions

Secure compute, storage, and databases are fundamental pillars of Azure security that protect your cloud infrastructure and data assets. **Secure Compute** involves protecting virtual machines, containers, and serverless functions. Key practices include implementing Azure Defender for servers, ena…

Concepts covered: Access methods for Azure Files, Azure SQL Database Always Encrypted, Azure Bastion and just-in-time (JIT) VM access, Network isolation for Azure Kubernetes Service (AKS), AKS security and monitoring, Authentication for AKS, Security monitoring for Azure Container Instances (ACIs), Security monitoring for Azure Container Apps (ACAs), Access management for Azure Container Registry (ACR), Disk encryption (ADE, encryption at host, confidential disk), Security configurations for Azure API Management, Access control for storage accounts, Storage account access keys management, Access methods for Azure Blob Storage, Data protection (soft delete, backups, versioning, immutable storage), Bring your own key (BYOK) for storage, Double encryption at Azure Storage infrastructure level, Microsoft Entra database authentication, Database auditing, Dynamic data masking, Transparent Data Encryption (TDE)

Test mode:
Start practice test
AZ-500 - Secure compute, storage, and databases Example Questions

Test your knowledge of Secure compute, storage, and databases

Question 1

Constellation Media operates a content distribution platform where archived video assets totaling 280 TB are stored across 6 Azure Storage accounts in the Australia East region. Each storage account uses BYOK encryption with customer-managed keys stored in Azure Key Vault Premium tier. The original encryption key 'MediaArchive2023' is an RSA-2048 key that has been operational for 19 months. The Chief Information Security Officer initiates a cryptographic key rotation policy requiring an upgrade to RSA-4096 keys for enhanced security posture. The security architect creates a new key 'MediaArchive2024' with RSA-4096 specification in the same Key Vault and updates all 6 storage accounts to reference the new key URI through the Azure Portal encryption settings blade. The configuration change completes successfully, and the storage accounts now display 'MediaArchive2024' as their active encryption key. The operations team confirms that applications can successfully read existing video files and write new content to the storage accounts. The CFO questions whether the organization needs to allocate budget for re-encrypting 280 TB of existing data to fully benefit from the stronger RSA-4096 key protection. What is the accurate technical outcome regarding the cryptographic protection applied to the pre-existing 280 TB of archived video content after the key rotation operation?

Correct Answer: The existing 280 TB of data remains encrypted with the original RSA-2048 key's wrapped DEKs, while newly written data uses RSA-4096 wrapped DEKs, creating a mixed cryptographic state until data is naturally rewritten through application operations or lifecycle policies trigger rewrites.

When rotating customer-managed keys in Azure Storage accounts, the key rotation only affects NEW data operations, not existing data.

Here's what actually happens during CMK rotation:

Azure Storage uses envelope encryption, where actual data is encrypted with Data Encryption Keys (DEKs), and these DEKs are wrapped (encrypted) with the Customer-Managed Key (CMK) from Key Vault. When you update the storage account to reference a new key:

  1. The storage account metadata is updated to reference the new key URI (MediaArchive2024 with RSA-4096)
  2. All FUTURE write operations will use DEKs that are wrapped with the new RSA-4096 key
  3. Existing data blobs remain encrypted with DEKs that were wrapped using the original RSA-2048 key
  4. Azure Storage maintains the ability to unwrap old DEKs using the previous key version (MediaArchive2023) while simultaneously using the new key for new operations

This creates a mixed cryptographic state where the 280 TB of pre-existing data continues to use RSA-2048 wrapped DEKs, while new data uses RSA-4096 wrapped DEKs. The existing data will only transition to the new key protection when:
- Applications naturally rewrite the data
- Lifecycle management policies trigger data operations that rewrite blobs
- Manual re-encryption procedures are executed (like copying data to new locations)

Therefore, to fully benefit from RSA-4096 protection on the existing 280 TB, the organization would need to implement a strategy to rewrite the data, though this is not automatically performed by Azure.

The second answer is incorrect because Azure Storage does NOT perform automatic background re-encryption of existing data during key rotation. There is no 48-72 hour cryptographic transformation process.

The third answer is partially correct about existing data remaining with the old key, but incorrectly states it remains 'indefinitely' and that Azure maintains a rigid version mapping requiring explicit operations. In reality, the data transitions to new key protection whenever it's naturally rewritten.

The fourth answer is incorrect because Azure Storage does not perform selective re-encryption of metadata while leaving content unchanged, nor does it re-encrypt blobs during read operations. Reads simply decrypt using the appropriate key version; re-encryption only occurs during write operations.

Question 2

What is the cryptographic relationship between the two encryption layers when infrastructure encryption is enabled on an Azure Storage account?

Correct Answer: Each encryption layer operates using independent key sets managed separately by the Azure platform at different architectural boundaries

When infrastructure encryption is enabled on an Azure Storage account, it provides double encryption at rest through two distinct and independent encryption layers:

The Correct Approach:
Each encryption layer operates with completely independent key sets that are managed separately by the Azure platform. The service-level encryption (which is always enabled by default) encrypts data at the storage service layer using 256-bit AES encryption. When infrastructure encryption is enabled, a second layer of encryption is applied at the physical infrastructure layer using a different algorithm (also 256-bit AES) with completely separate keys. These keys are managed at different architectural boundaries within Azure's infrastructure, ensuring true defense-in-depth security. This independence means that even if one encryption layer were compromised, the data would still be protected by the other layer.

Why Other Approaches Are Incorrect:

The concept of sharing a common master key hierarchy with derived subkeys would create a single point of failure. If the master key were compromised, both encryption layers could potentially be defeated, negating the security benefit of double encryption.

The idea of using a subordinate key cryptographically derived from the service-layer key creates a hierarchical dependency that undermines the defense-in-depth principle. True double encryption requires cryptographic independence between layers.

The notion of rotating between shared key material pools synchronized across tiers contradicts the fundamental security architecture of Azure's infrastructure encryption. Sharing key material between layers would reduce the security posture rather than enhance it, as it creates potential attack vectors and correlation points.

The independence of encryption keys across layers is a critical security feature that ensures maximum protection for data at rest in Azure Storage accounts.

Question 3

BlueSky Aviation operates an Azure Container Registry named 'bluesky-acr-fleet' in the Japan East region containing containerized aircraft maintenance scheduling and flight operations planning applications across repositories: 'maintenance-schedulers', 'flight-planners', 'crew-rosters', and 'fuel-optimizers'. The company has a legacy on-premises data center hosting 20 Docker Swarm nodes that execute nightly batch processing jobs for aircraft utilization analytics. These Swarm nodes need to pull images from 'maintenance-schedulers' and 'fuel-optimizers' repositories during their scheduled execution windows between 01:00 and 05:00 UTC. The IT Director has mandated a security upgrade requiring that authentication credentials must be rotated quarterly, access should be restricted to pull operations only on the two designated repositories, and the solution must provide audit trails showing which Swarm node pulled which image version during each batch execution cycle. The infrastructure runs in an air-gapped network segment where Azure AD integration and managed identity assignment are architecturally infeasible due to regulatory restrictions on external authentication dependencies. The operations team requires that credentials can be programmatically retrieved and injected into Docker Swarm service definitions during deployment using configuration management tools, and the authentication mechanism must function reliably using standard Docker login commands across all 20 nodes. The security team needs the capability to revoke access for individual credentials if any Swarm node is suspected of compromise while maintaining uninterrupted operations for the remaining nodes. What authentication approach should the cloud architect implement for these on-premises Docker Swarm nodes?

Correct Answer: Generate repository-scoped tokens with scope maps limiting access to 'maintenance-schedulers' and 'fuel-optimizers' repositories with pull-only actions, create individual tokens for each Swarm node with 90-day expiration, distribute token credentials through secure configuration management, and implement quarterly rotation procedures with audit log monitoring

The correct approach is to generate repository-scoped tokens with scope maps limiting access to the two designated repositories with pull-only actions, create individual tokens for each Swarm node with 90-day expiration, distribute token credentials through secure configuration management, and implement quarterly rotation procedures with audit log monitoring.

This solution is optimal because:

  1. Repository-Scoped Tokens Address the Air-Gapped Constraint: The scenario explicitly states that Azure AD integration and managed identity assignment are architecturally infeasible due to regulatory restrictions on external authentication dependencies. Repository-scoped tokens work independently of Azure AD and don't require external authentication dependencies, making them ideal for air-gapped environments.

  2. Granular Access Control: Scope maps allow precise control by limiting access to only 'maintenance-schedulers' and 'fuel-optimizers' repositories with pull-only actions, meeting the security requirement exactly.

  3. Individual Node Authentication: Creating separate tokens for each of the 20 Swarm nodes enables individual credential management and selective revocation if any node is compromised, without affecting others.

  4. Standard Docker Compatibility: Repository-scoped tokens work with standard Docker login commands across all nodes, fulfilling the operational requirement.

  5. Programmatic Credential Management: Tokens can be easily retrieved and injected into Docker Swarm service definitions through configuration management tools.

  6. Audit Trail Capability: Azure Container Registry provides audit logs that track which credentials were used for image pulls, enabling the security team to determine which Swarm node pulled which image version.

  7. Quarterly Rotation: The 90-day expiration aligns with the quarterly rotation mandate.

Why the other answers are incorrect:

The second answer proposes service principals with federated identity credentials and Azure AD token endpoint integration. This approach fails because it requires Azure AD integration, which the scenario explicitly states is architecturally infeasible due to regulatory restrictions on external authentication dependencies in the air-gapped network segment.

The third answer suggests managed identities through Azure Arc-enabled servers and Azure Instance Metadata Service integration. This solution is incompatible with the air-gapped environment as it requires Azure Arc connectivity and managed identity assignment, both of which the scenario states are architecturally infeasible due to external authentication dependency restrictions.

The fourth answer recommends Azure AD B2B guest accounts with conditional access policies and long-lived refresh tokens. This approach is fundamentally unsuitable because it relies entirely on Azure AD authentication infrastructure, which contradicts the scenario's explicit constraint that Azure AD integration is not possible in the air-gapped network segment with regulatory restrictions on external authentication dependencies.

More Secure compute, storage, and databases questions
778 questions (total)
Start 100 question test