Exam AZ-204
Question 367

HOTSPOT

You need to configure security and compliance for the corporate website files.

Which Azure Blob storage settings should you use? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area: [image of the answer area not reproduced]

    Correct Answer:

    Box 1: role-based access control (RBAC)

    Azure Storage supports authentication and authorization with Azure AD for the Blob and Queue services via Azure role-based access control (Azure RBAC).

    Scenario: File access must restrict access by IP, protocol, and Azure AD rights.

    Box 2: storage account type

    Scenario: The website uses files stored in Azure Storage

    Auditing of the file updates and transfers must be enabled to comply with General Data Protection Regulation (GDPR).

    Creating a diagnostic setting:

    1. Sign in to the Azure portal.

    2. Navigate to your storage account.

    3. In the Monitoring section, click Diagnostic settings (preview).

    4. Choose file as the type of storage that you want to enable logs for.

    5. Click Add diagnostic setting.

    Reference:

    https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction
    https://docs.microsoft.com/en-us/azure/storage/files/storage-files-monitoring

Discussion
clarionprogrammer

shared access signature (SAS) token
change feed

surprise0011

Received 2023-04-17, went with above, score 926.

mlantonis

Box 1: shared access signature (SAS) token

According to the diagram, blob storage is accessed from Azure CDN. Azure CDN doesn't support authentication with managed identity. If you want to grant limited access to private storage containers, you can use the Shared Access Signature (SAS) feature of your Azure storage account. Also, using a managed identity you can't restrict access by IP as requested.

Box 2: change feed

The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account. The file updates must be read-only, stored in the order in which they occurred, include only create, update, delete, and copy operations, and be retained for compliance reasons.

Reference:
https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal
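The restrictions argued for in the comment above (an IP range, HTTPS only, and an Azure AD identity behind the token via a user delegation SAS), as an added example that is not from this thread or from Microsoft's SDK: an offline audit of the query parameters a Blob SAS token carries. The parameter names (sip, spr, sp, se, skoid, sktid, skt, ske) are the real Azure Storage SAS fields; the two sample tokens, their GUIDs and addresses are constructed, and the sig value is a placeholder rather than a real signature.

```python
from datetime import datetime
from ipaddress import ip_address
from urllib.parse import parse_qs

# Fields present only on a user delegation SAS (signed with a key issued to an Azure AD identity).
USER_DELEGATION_FIELDS = ("skoid", "sktid", "skt", "ske")
READ_ONLY = {"r", "l"}  # read + list: all a CDN origin pull needs

def parse_sas(sas: str) -> dict:
    """Flatten the SAS query string into a dict (a leading '?' is tolerated)."""
    return {k: v[0] for k, v in parse_qs(sas.lstrip("?")).items()}

def client_ip_allowed(sip, client_ip: str) -> bool:
    """Evaluate 'sip': absent means any IP; otherwise a single address or a 'start-end' range."""
    if not sip:
        return True
    low, _, high = sip.partition("-")
    return ip_address(low) <= ip_address(client_ip) <= ip_address(high or low)

def audit_sas(sas: str, now_iso: str) -> dict:
    """Report whether the token restricts IP, protocol and identity, and what it grants."""
    p = parse_sas(sas)
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00")) if "se" in p else None
    report = {
        "ip_restricted": "sip" in p,
        "https_only": p.get("spr", "https,http") == "https",  # Azure defaults to https,http when spr is omitted
        "aad_backed": all(f in p for f in USER_DELEGATION_FIELDS),
        "permissions": set(p.get("sp", "")),
        "hours_to_expiry": (expiry - now).total_seconds() / 3600 if expiry else None,
    }
    extra = report["permissions"] - READ_ONLY
    checks = [
        (not report["ip_restricted"], "no sip: token usable from any IP"),
        (not report["https_only"], "spr allows http"),
        (not report["aad_backed"], "account-key SAS: no Azure AD identity behind the token"),
        (bool(extra), "grants more than read/list: " + "".join(sorted(extra))),
        (report["hours_to_expiry"] is None or report["hours_to_expiry"] > 7 * 24,
         "expiry missing or beyond the 7-day user delegation key maximum"),
    ]
    report["issues"] = [msg for bad, msg in checks if bad]
    return report

# Constructed sample tokens: GUIDs and addresses are made up, sig is a placeholder.
LOCKED_DOWN_SAS = ("sv=2020-08-04&sr=c&sp=rl&st=2023-05-01T00:00:00Z&se=2023-05-02T00:00:00Z"
                   "&sip=203.0.113.10-203.0.113.20&spr=https&skoid=00000000-0000-0000-0000-000000000001"
                   "&sktid=00000000-0000-0000-0000-000000000002&skt=2023-05-01T00:00:00Z"
                   "&ske=2023-05-02T00:00:00Z&sig=PLACEHOLDER")
LOOSE_SAS = "sv=2020-08-04&sr=c&sp=rwdl&se=2024-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
```

Running `audit_sas(LOCKED_DOWN_SAS, "2023-05-01T12:00:00Z")` yields no issues, while the account-key token without sip reports five.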

huhezculynvhzaljgs

Professor is back :)))

edengoforit

File access must restrict access by IP, protocol, and Azure AD rights. Auditing of the file updates and transfers must be enabled to comply with General Data Protection Regulation (GDPR). The file updates must be read-only, stored in the order in which they occurred, include only create, update, delete, and copy operations, and be retained for compliance reasons.

1CY1

Answer: C) SAS, B) change feed. Going to go with SAS. There still does not seem to be access to blob storage even in Premium with managed identity. At least I cannot find it.

cool_tool

RBAC
change feed

ning

Correct, file access is AD user-based rights. IP and protocol can be configured separately.

st0rmtrooperx

Got this on Dec 16th, 2022. Scored 921 and answered SAS token and change feed.

Kuna_Lambo

managed identity
change feed

inputoutput

According to the diagram, blob storage is accessed from Azure CDN. Azure CDN doesn't support authentication with managed identity. I think the correct answer is Shared Access Token. https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support

Kuna_Lambo

Thanks, I think you are right.

rdemontis

Exactly, and using a managed identity you can't restrict access by IP as requested. User delegation SAS is the right choice in this case (you need AAD integration) and change feed is the service designed for file audits.
https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal

kwaazaar

But RBAC is supported on file shares too. It needs Azure AD Domain Services, I think.

jay158

See the arrow: flow is from Storage to CDN. The diagram does not show how Storage is populated. No one will populate storage via CDN.

OPT_001122

SAS
change feed

Eltooth

SAS token
change feed

applepie

An example of "Access storage blobs using an Azure CDN custom domain": it's using SAS.
https://learn.microsoft.com/en-us/azure/cdn/cdn-storage-custom-domain-https

aragones

Got this 2023-05-12. Make sure to prepare the VanArsdel Inc Canada case study.

coffecold

RBAC and change feed. Why RBAC? Triggering keywords for me are "Azure AD" and "restrict File Access". It seems that some kind of authorization is set for groups.

kozchris

Answer: SAS/Change Feed

From problem description: "Security - File access must restrict access by IP, protocol, and Azure AD rights." The keyword here is IP. From https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support: "With a SAS, you can define various parameters of access to a blob, such as start and expiry times, permissions (read/write), and IP ranges." SAS is from AD so you get the AD rights.

For Change Feed see: https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal

leonidn

Agree on RBAC. Change feed: the change feed provides an ordered, guaranteed, durable, immutable, read-only log of these changes.
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal

Vmwarevirtual

Appeared in the exam I took on 27-5-2023. I chose SAS and change feed.
https://docs.microsoft.com/en-us/azure/cdn/cdn-sas-storage-support
https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-change-feed?tabs=azure-portal

AzureDJ

shared access signature (SAS) token
change feed