Exam SC-300
Question 166

You have an Azure subscription that contains an Azure Automation account named Automation1 and an Azure key vault named Vault1. Vault1 contains a secret named Secret1.

You enable a system-assigned managed identity for Automation1.

You need to ensure that Automation1 can read the contents of Secret1. The solution must meet the following requirements:

• Prevent Automation1 from accessing other secrets stored in Vault1.

• Follow the principle of least privilege.

What should you do?

    Correct Answer: D

    To ensure that Automation1 can read the contents of Secret1 while preventing access to other secrets stored in Vault1, you should configure the Access control (IAM) settings at the specific secret level. This allows you to apply the principle of least privilege by granting permissions only for the necessary secret. By doing this, Automation1 will have access to Secret1 without affecting any other secrets in Vault1.
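As an added example (not from the question page or from Microsoft's own documentation), the following script shows what the secret-scoped role assignment in answer D looks like with the Azure CLI, next to the vault-wide scope of answer A, and includes a small scope classifier for reviewing existing assignments. Vault1, Secret1 and Automation1 are the page's names; the subscription ID, resource group and principal object ID are placeholders, and nothing in the script calls Azure: the az commands are printed for review.

```shell
# Added example, not from the page: Azure RBAC scoped to Secret1 (answer D) versus all of
# Vault1 (answer A). Vault1/Secret1/Automation1 come from the question; SUBSCRIPTION,
# RESOURCE_GROUP and PRINCIPAL_ID are placeholders. No az command is executed here.
set -eu

SUBSCRIPTION="00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
RESOURCE_GROUP="rg-placeholder"                       # placeholder resource group
PRINCIPAL_ID="11111111-1111-1111-1111-111111111111"   # placeholder: object ID of Automation1's identity

# ARM resource ID of a vault: the scope answer A would use, covering every secret in it.
vault_scope() { # subscription resource_group vault
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' "$1" "$2" "$3"
}

# Secret-level scope: the vault ID plus /secrets/<name>. This is the scope answer D uses.
secret_scope() { # subscription resource_group vault secret
  printf '%s/secrets/%s' "$(vault_scope "$1" "$2" "$3")" "$4"
}

# "Key Vault Secrets User" is the built-in role that only permits reading secret contents.
role_assignment_cmd() { # principal_object_id scope
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "Key Vault Secrets User" --scope "%s"' "$1" "$2"
}

# Classify an assignment's scope for an access review: anything wider than "secret"
# gives the identity more than the question allows.
scope_level() { # scope -> secret | other-object | vault | broader
  case "$1" in
    */providers/Microsoft.KeyVault/vaults/*/secrets/?*) echo secret ;;
    */providers/Microsoft.KeyVault/vaults/*/*) echo other-object ;;   # keys/ or certificates/
    */providers/Microsoft.KeyVault/vaults/?*) echo vault ;;
    *) echo broader ;;                                                 # resource group, subscription, ...
  esac
}

SCOPE=$(secret_scope "$SUBSCRIPTION" "$RESOURCE_GROUP" Vault1 Secret1)

echo "# 1. Secret-level RBAC requires Vault1 to use the Azure RBAC permission model:"
echo "az keyvault update --name Vault1 --resource-group $RESOURCE_GROUP --enable-rbac-authorization true"
echo "# 2. Object ID of Automation1's system-assigned identity:"
echo "az automation account show --name Automation1 --resource-group $RESOURCE_GROUP --query identity.principalId -o tsv"
echo "# 3. Read-only role at the secret scope only:"
role_assignment_cmd "$PRINCIPAL_ID" "$SCOPE"; echo
echo "# 4. Review (constructed sample scopes): anything wider than 'secret' over-grants."
for s in "$SCOPE" "$(vault_scope "$SUBSCRIPTION" "$RESOURCE_GROUP" Vault1)" "/subscriptions/$SUBSCRIPTION/resourceGroups/$RESOURCE_GROUP"; do
  printf '%-12s %s\n' "$(scope_level "$s")" "$s"
done
```

Step 1 is why the discussion below disagrees: under the older vault access policy model the secret has no Access control (IAM) scope to assign to, so the secret-scoped assignment is only possible once the vault uses Azure RBAC.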

Discussion
Manny_ez (Option: A)

Correct answer is A. Correct me if I'm wrong though. To achieve the requirements of allowing Automation1 to read the contents of Secret1 while preventing it from accessing other secrets in Vault1 and following the principle of least privilege, this is how you can achieve this as well: Navigate to the Azure portal. Go to the Azure Key Vault (Vault1). Select "Access control (IAM)". Add a role assignment for Automation1's managed identity with the necessary permissions (e.g., "Get" for secrets). By configuring the access control (IAM) settings at the vault level, you can specifically grant the required permissions to the managed identity of Automation1 for Secret1, while avoiding unnecessary access to other secrets. So, the correct answer is: A. From Vault1, configure the Access control (IAM) settings.

Sozo

To ensure that Automation1 can read the contents of Secret1 in Vault1 while adhering to the principle of least privilege, you should: A. From Vault1, configure the Access policy settings specifically for the managed identity of Automation1. You'll need to grant the managed identity of Automation1 the 'Get' permission on the secret. This can be done through the "Access policies" in the Azure Key Vault, not the general "Access control (IAM)" settings, which manage access at a broader scope. By doing this, you give Automation1 access only to Secret1 and not to any other secrets in the vault, which aligns with the principle of least privilege.

ANiMOSiTY (OP)

A. From Vault1, configure the Access control (IAM) settings. It's worth noting, though, as I explained earlier, that in Azure Key Vault granular permissions at the level of individual secrets are managed through access policies, not IAM settings. In reality, you would use Access Policies.

klayytech

D is correct; it depends on which permission model you have. With "Vault access policy" you cannot find the IAM role on Secret1; you need to change to "Azure role-based access control (recommended)". https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Alcpt

This was the old way. The answer is D. The new Key Vault RBAC permission model is to set up IAM directly at the key level. https://learn.microsoft.com/en-us/answers/questions/816270/provide-access-to-key-vault-keys-certificates-and

blanco00555 (Option: D)

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli Note:

> Assigning roles on individual keys, secrets and certificates should be avoided. Exceptions to general guidance:
> Scenarios where individual secrets must be shared between multiple applications, for example, one application needs to access data from the other application

I guess the exam wants us to answer D in this case though. I would select D.

Siraf (Option: D)

Answer is D. Secret scope role assignment: Open a previously created secret > Click the Access control (IAM) tab > Select Add > Add role assignment to open the Add role assignment page... https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

Sneekygeek (Option: D)

D is the correct answer; individual secrets have their own IAM. If you assigned Secret Administrator at the vault level, you would be granting access to all secrets in the vault.

klayytech (Option: D)

D is correct; it depends on which permission model you have. With "Vault access policy" you cannot find the IAM role on Secret1; you need to change to "Azure role-based access control (recommended)". https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

HartMS (Option: D)

Answer is D

KRISTINMERIEANN (Option: D)

https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

jarattdavis (Option: D)

The correct answer is D. From Secret1, configure the Access control (IAM) settings. Explanation: Configuring the Access control (IAM) settings at the level of Secret1 ensures that the permissions are granted only for that specific secret and not for any other secrets stored in Vault1. This approach follows the principle of least privilege by granting the minimum required permissions.

bpaccount (Option: A)

Copilot and ChatGPT are sure it's A.

Alcpt

The new modernization for Azure Key Vault is to use the new RBAC permission model. So A will become obsolete. D is the way of the future...

NotanAdmin

This is the way

klayytech (Option: A)

The best course of action to achieve secure access to Secret1 while adhering to the principle of least privilege is: A. From Vault1, configure the Access control (IAM) settings. Here's why the other options are not ideal:

B. From Automation1, configure the Identity settings: While enabling managed identity is a good first step, it doesn't grant specific permissions to access Vault1 resources.

C. From Automation1, configure the Run as accounts settings (deprecated): Microsoft is phasing out Run As accounts, and they are considered less secure than managed identities.

D. From Secret1, configure the Access control (IAM) settings: Secrets themselves cannot configure access control.

klayytech

D is correct; it depends on which permission model you have. With "Vault access policy" you cannot find the IAM role on Secret1; you need to change to "Azure role-based access control (recommended)". https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli