Exam AZ-500
Question 316

You have an Azure subscription that contains a managed identity named Identity1 and the Azure key vaults shown in the following table.

KeyVault1 contains an access policy that grants Identity1 the following key permissions:

• Get

• List

• Wrap

• Unwrap

You need to provide Identity1 with the same permissions for KeyVault2. The solution must use the principle of least privilege.

Which role should you assign to Identity1?

    Correct Answer: A

    To give Identity1 the same permissions on KeyVault2, assign the built-in role Key Vault Crypto Service Encryption User. Its data actions are Microsoft.KeyVault/vaults/keys/read, Microsoft.KeyVault/vaults/keys/wrap/action and Microsoft.KeyVault/vaults/keys/unwrap/action. The RBAC model has no separate List action: keys/read covers both the Get and List access-policy permissions (key metadata and, for asymmetric keys, the public material; private and symmetric key material is never returned). Key Vault Crypto User would also cover Get, List, Wrap and Unwrap, but it additionally grants encrypt, decrypt, sign, verify, update and backup, so it is not the least-privilege choice. Note that this role only has effect on vaults that use the 'Azure role-based access control' permission model; on a vault that still uses vault access policies, a role assignment grants nothing and the permissions would have to be added to the access policy instead.
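    As an added worked example (not from the original page, the exam, or Microsoft), the script below does the selection the question asks for in code: it maps access-policy key permissions to RBAC data actions, finds every built-in role whose dataActions cover them (wildcards included), picks the one that grants the fewest key actions, and emits the Azure CLI commands that check the vault's permission model and assign the role. The dataActions for Key Vault Crypto Service Encryption User and Key Vault Crypto User are exactly the ones quoted in the thread; the Key Vault Reader and Key Vault Crypto Officer entries and the "create" mapping are taken from Microsoft's built-in roles reference and are labelled as assumptions to re-check. Subscription, resource group and object IDs are placeholders.

```python
"""
Pick the least-privileged built-in Key Vault role that covers a set of
access-policy key permissions and emit the CLI commands that assign it.
Example code added for this page; not Microsoft's code or the exam's own answer.
"""
from fnmatch import fnmatch

# Access-policy key permission -> RBAC data action on the vault. There is no
# separate "list" data action: keys/read covers both Get and List.
# "create" is an assumption taken from the Microsoft.KeyVault provider operations.
ACCESS_POLICY_TO_DATA_ACTION = {
    "get":       "Microsoft.KeyVault/vaults/keys/read",
    "list":      "Microsoft.KeyVault/vaults/keys/read",
    "wrapKey":   "Microsoft.KeyVault/vaults/keys/wrap/action",
    "unwrapKey": "Microsoft.KeyVault/vaults/keys/unwrap/action",
    "encrypt":   "Microsoft.KeyVault/vaults/keys/encrypt/action",
    "decrypt":   "Microsoft.KeyVault/vaults/keys/decrypt/action",
    "sign":      "Microsoft.KeyVault/vaults/keys/sign/action",
    "verify":    "Microsoft.KeyVault/vaults/keys/verify/action",
    "update":    "Microsoft.KeyVault/vaults/keys/update/action",
    "backup":    "Microsoft.KeyVault/vaults/keys/backup/action",
    "create":    "Microsoft.KeyVault/vaults/keys/create/action",
}

# dataActions of built-in roles. Crypto Service Encryption User and Crypto User
# are as quoted on this page; Reader and Crypto Officer are assumptions from the
# built-in roles reference: verify with `az role definition list --name "<role>"`.
BUILTIN_ROLES = {
    "Key Vault Reader": [
        "Microsoft.KeyVault/vaults/*/read",
        "Microsoft.KeyVault/vaults/secrets/readMetadata/action",
    ],
    "Key Vault Crypto Service Encryption User": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
    ],
    "Key Vault Crypto User": [
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/update/action",
        "Microsoft.KeyVault/vaults/keys/backup/action",
        "Microsoft.KeyVault/vaults/keys/encrypt/action",
        "Microsoft.KeyVault/vaults/keys/decrypt/action",
        "Microsoft.KeyVault/vaults/keys/wrap/action",
        "Microsoft.KeyVault/vaults/keys/unwrap/action",
        "Microsoft.KeyVault/vaults/keys/sign/action",
        "Microsoft.KeyVault/vaults/keys/verify/action",
    ],
    "Key Vault Crypto Officer": ["Microsoft.KeyVault/vaults/keys/*"],
}

KNOWN_KEY_ACTIONS = sorted(set(ACCESS_POLICY_TO_DATA_ACTION.values()))


def required_data_actions(permissions):
    """Translate access-policy permission names into the RBAC data actions they need."""
    unknown = sorted(set(permissions) - set(ACCESS_POLICY_TO_DATA_ACTION))
    if unknown:
        raise ValueError(f"no RBAC mapping for access-policy permissions: {unknown}")
    return {ACCESS_POLICY_TO_DATA_ACTION[p] for p in permissions}


def grants(role_actions, data_action):
    """True if any of the role's (possibly wildcard) dataActions matches the action."""
    return any(fnmatch(data_action, pattern) for pattern in role_actions)


def covering_roles(permissions):
    """Built-in roles that grant every data action the permissions require."""
    needed = required_data_actions(permissions)
    return [name for name, actions in BUILTIN_ROLES.items()
            if all(grants(actions, a) for a in needed)]


def granted_key_action_count(role_actions):
    """Number of distinct key data actions the role grants, with wildcards expanded."""
    return sum(1 for a in KNOWN_KEY_ACTIONS if grants(role_actions, a))


def least_privileged_role(permissions):
    """The covering role that grants the fewest key data actions."""
    candidates = covering_roles(permissions)
    if not candidates:
        raise ValueError(f"no built-in role covers {sorted(permissions)}")
    return min(candidates, key=lambda r: granted_key_action_count(BUILTIN_ROLES[r]))


def assignment_commands(role, subscription_id, resource_group, vault_name, object_id):
    """CLI steps: confirm the vault uses the RBAC permission model, then assign the role."""
    scope = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
             f"/providers/Microsoft.KeyVault/vaults/{vault_name}")
    return [
        f"az keyvault show --name {vault_name} --query properties.enableRbacAuthorization",
        f"az role assignment create --assignee-object-id {object_id} "
        f"--assignee-principal-type ServicePrincipal --role \"{role}\" --scope {scope}",
    ]


if __name__ == "__main__":
    # KeyVault1's access policy from the question; the IDs are placeholders.
    role = least_privileged_role({"get", "list", "wrapKey", "unwrapKey"})
    print(role)
    for cmd in assignment_commands(role, "00000000-0000-0000-0000-000000000000",
                                   "rg-example", "KeyVault2",
                                   "11111111-1111-1111-1111-111111111111"):
        print(cmd)
```

The first emitted command must return `true` before the second is worth running; a managed identity is assigned with `--assignee-principal-type ServicePrincipal` so the assignment does not fail on directory replication lag.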

Discussion
Nickname01 (Option: B)

I think it should be B: Key Vault Crypto User
• "Microsoft.KeyVault/vaults/keys/read"
• "Microsoft.KeyVault/vaults/keys/update/action"
• "Microsoft.KeyVault/vaults/keys/backup/action"
• "Microsoft.KeyVault/vaults/keys/encrypt/action"
• "Microsoft.KeyVault/vaults/keys/decrypt/action"
• "Microsoft.KeyVault/vaults/keys/wrap/action"
• "Microsoft.KeyVault/vaults/keys/unwrap/action"
• "Microsoft.KeyVault/vaults/keys/sign/action"
• "Microsoft.KeyVault/vaults/keys/verify/action"

Nick66 (Option: A)

Why not Key Vault Crypto Service Encryption User? "dataActions":
• "Microsoft.KeyVault/vaults/keys/read": List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed.
• "Microsoft.KeyVault/vaults/keys/wrap/action": Wraps a symmetric key with a Key Vault key. Note that if the Key Vault key is asymmetric, this operation can be performed by principals with read access.
• "Microsoft.KeyVault/vaults/keys/unwrap/action": Unwraps a symmetric key with a Key Vault key.

juandmi

Agree with A) given the principle of least privilege.

AzureJobsTillRetire

Key Vault Crypto Service Encryption User can do: Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model. I have doubts about its capacity to GET. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli

majstor86 (Option: A)

My mistake. Definitely A. Key Vault Crypto Service Encryption User can read a key's metadata and perform wrap/unwrap operations.

zellck (Option: A)

A is the answer. https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-crypto-service-encryption-user - Read metadata of keys and perform wrap/unwrap operations.

PapaLion (Option: A)

The correct answer is A. Look at the detail: https://www.azadvertizer.net/azrolesadvertizer/e147488a-f6f5-4113-8e2d-b22465e65bf6.html The Crypto users have too many permissions.

_punky_ (Option: A)

Key Vault Crypto Service Encryption User:
• "Microsoft.KeyVault/vaults/keys/read"
• "Microsoft.KeyVault/vaults/keys/wrap/action"
• "Microsoft.KeyVault/vaults/keys/unwrap/action"

Catlyn (Option: A)

While following the principle of least privilege, Key Vault Crypto Service Encryption User (A) is the best fit.

Key Vault Crypto Service Encryption User (Option A) capabilities:
• Get: Can retrieve encryption-related information.
• List: Can list encryption-related information.
• Wrap: Can encrypt keys.
• Unwrap: Can decrypt keys.

Whereas Key Vault Crypto User and Key Vault Crypto Officer have extra capabilities beyond the ones mentioned above:

Key Vault Crypto User (Option B), additional capabilities:
• Purge: Can permanently delete keys. This action is irreversible.
• Recover: Can recover deleted keys within the retention period.

Key Vault Crypto Officer (Option D), additional capabilities:
• Create: Can create new keys.
• Purge: Can permanently delete keys. This action is irreversible.
• Recover: Can recover deleted keys within the retention period.

saturation97 (Option: A)

Answer: "A" Name: "Key Vault Crypto Service Encryption User", Id: "e147488a-f6f5-4113-8e2d-b22465e65bf6", IsCustom: false, Description: "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model."

Jimmy500 (Option: D)

Answer is D.
1. Key Vault Crypto Service Encryption User only has permission for wrap and unwrap, read keys (list), but cannot get keys.
2. Key Vault Crypto User can have permission sign, verify, read (list), encrypt, decrypt, backup, update, but cannot get keys.
3. Key Vault Reader can read keys (list).
4. Is the answer and the most excessive permission. I know the question asks least privilege, but the other roles do not have enough permission for list, get, wrap, unwrap operations.

wingcheuk (Option: A)

Both A and B can meet the required permissions, but B's permission is more than that. As the principle of least privilege is needed, A is the best answer here. Detail RBAC here: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

OrangeSG (Option: A)

The Key Vault Crypto Service Encryption User role allows the user to read metadata of keys and perform wrap/unwrap operations. This role is typically used when your application needs to use ASP.NET Core Data Protection with Key Vault keys. On the other hand, the Key Vault Crypto User role allows more access to operations for keys, such as data signing. This role is typically used when more access to operations is needed for keys. In terms of the specific permissions of Get/List/Wrap/Unwrap, both roles should be able to perform these operations. However, the Key Vault Crypto User role might have additional permissions that go beyond these specific ones.

TheProfessor (Option: A)

A. Key Vault Crypto Service Encryption User

yanaginagi (Option: B)

I've checked with ChatGPT: the "Key Vault Crypto User" role in Azure Key Vault has the following permissions:
• Wrap key: This permission allows the user to encrypt (wrap) a symmetric key or RSA key using another key, often referred to as a key encryption key (KEK).
• Unwrap key: This permission allows the user to decrypt (unwrap) a symmetric key or RSA key using the key encryption key (KEK).
• Get key: This permission allows the user to retrieve (get) the value of a key from the Key Vault.
• List keys: This permission allows the user to list the keys in the Key Vault, typically used to retrieve a list of keys within a vault.

AzureAdventure (Option: A)

Answer should be A. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#:~:text=Key%20Vault%20Crypto%20Service%20Encryption%20User

Self_Study (Option: C)

I don't know how the voting messed up, but it is really C. On an exam on 7/8/23

bibkam (Option: A)

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-crypto-service-encryption-user Description: "Read metadata of keys and perform wrap/unwrap operations. Only works for key vaults that use the 'Azure role-based access control' permission model."

billo79152718 (Option: A)

A. Key Vault Crypto Service Encryption User