Exam AZ-500
Question 406

HOTSPOT

You have an Azure subscription that contains the key vaults shown in the following table.

The subscription contains the users shown in the following table.

On June 1, you perform the following actions:

• Delete a key named key1 from KeyVault1.

• Delete a secret named secret1 from KeyVault2.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Correct Answer:

Discussion
AzureJobsTillRetire

I thought that it would be Yes No No.

Box1: Yes. Admin1 is Key Vault Contributor on KeyVault1, which has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 5th, Admin1 can recover Key1.

Box2: No. On Jun 1st, secret1 has already been deleted. Hence it cannot be purged again on Jun 12th.

Box3: No. KeyVault1 has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 17th it cannot be recovered.

skr123

I agree box 3 should be No, based on only 10 days of retention.

Nickname01

Box 2 is No indeed, but it is because the Secrets Officer does not have rights to recover, just to view: Microsoft.KeyVault/deletedVaults/read

AzureJobsTillRetire

You are correct. Thanks for pointing that out.

Spades91

Secrets officer has all permissions except to manage permissions

AzureJobsTillRetire

For some further clarification on Box2. It is still No, but my previous reasoning was wrong. Secret1 can be purged after deletion since it is not purge-protected. But Microsoft states in the doc as below: "To purge a secret in the soft-deleted state, a service principal must be granted an additional 'purge' access policy permission. The purge access policy permission is not granted by default to any service principal including key vault and subscription owners and must be deliberately set. By requiring an elevated access policy permission to purge a soft-deleted secret, it reduces the probability of accidentally deleting a secret." https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview

AzureJobsTillRetire

This is regardless of whether purge protection is enabled or not.

zellck

https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-recovery?tabs=azure-powershell#prerequisites

The user will need the following permissions (at subscription level) to perform operations on soft-deleted vaults:

- Microsoft.KeyVault/locations/deletedVaults/purge/action: Purge a soft deleted key vault

Pamban

1st option should be No. "Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates." https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#key-vault-contributor

Ajdlfasudfo0

Y - within 10 days
N - purge protection enabled, so no; also Secrets Officer does not have enough permission
N - more than 15 days have passed, so already deleted and not possible to recover anymore

Ajdlfasudfo0

Correction to 2): purge protection is not enabled; still not enough permission, though.

Ajdlfasudfo0

Never mind, 2 is Y. Key Vault Secrets Officer is able to purge a secret.

heatfan900

Y, Y, N is correct.

Admin1 can recover KEY1 on June 5 because they are a KEY VAULT CONTRIBUTOR, who is allowed to recover keys, and the date falls within the 10-day retention period for KEY VAULT1.

Admin2 can PURGE Secret1 on June 12 from KEY VAULT2 because the secret will still be in SOFT-DELETE state until June 15. The retention period for it is 15 days. To PURGE is not to DELETE. Delete is deleting the secret from the key vault and putting it in SOFT-DELETE state. Purging is equivalent to emptying a recycle bin in Windows. A KEY VAULT SECRETS OFFICER can delete and purge secrets.

Admin3, although a KEY VAULT ADMIN, cannot recover KEY1 on June 17th because it is past the 10-day retention period for Key Vault1.

hfk2020

Contributors have no access to the data plane. Go and test it in a lab, please.

ITTesters

1. Y: KV Contributor has rights to recover keys, and the key is still in soft delete.
2. Y: KV Secrets Officer has rights to purge keys, and purge protection is disabled.
3. N: Key has been purged after 15 days.

epomatti

You're all wrong.

Box 1: No. Key Vault Contributor does NOT have data plane permissions.
Box 2: Yes. Purge protection is disabled.
Box 3: No. Retention period has passed. Retention period applies to BOTH the vault and the objects.

Strive_for_greatness_kc

By default, soft delete is enabled.

1. No: key1 is still in the recycle bin, but Admin1 is Key Vault Contributor (perform only management operations and can't manage permissions), so he can't recover the key.
2. Yes: secret1 is still in the recycle bin, Admin2 is Key Vault Secrets Officer (can manage all data operations about secrets) and purge protection is disabled, so yes, he can delete the secret. If purge protection was enabled on KeyVault2, he would not be able to purge the secret.
3. key1 is no longer in the recycle bin because the retention period was only 10 days after the deletion and we are at the 17th of June, so nobody can recover this key at this date.

Strive_for_greatness_kc

3. is No (forgot to mention it)

husam421

NO NO NO

The Key Vault Contributor role is for management plane operations only, to manage key vaults. It does not allow access to keys, secrets and certificates.

xxavimr

NO YES NO

1. Key Vault Contributor has permissions only on the management plane, not the data plane.
2. Secrets Officer has total control on secrets. Do not confuse with "to purge we need an elevation of permissions"; it is true, but it is for the access policy model. We are in the RBAC model.
3. It is already deleted, nothing to recover.

Jimmy500

For Azure Key Vault, by default soft delete is enabled. For the first statement, Admin1 has the Key Vault Contributor role, which is for the management plane; that is why this role is not enough to recover a key from the vault, so the answer is No for the first option. Admin2 is an officer; he/she can do whatever they want, and here purge protection is disabled, that is why Admin2 will be able to purge. If it were enabled then this would be No as well; however, now this is Yes for option 2. For the 3rd option we have Admin3, who is Key Vault Administrator and can work with data plane operations; Admin3 can recover keys until the 11th of June, as retention is 10 days and we deleted on June 1, so this will be No as well. All in all, the answer is No, Yes, No.
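
The thread disagrees on whether Key Vault Contributor can recover a key and whether Key Vault Secrets Officer can purge a secret, and several posters say to test it in a lab. The script below is an added example for doing exactly that with Az PowerShell; it is not from the question, the exam, or any poster. The vault, key and secret names come from the question; the retention window, purge-protection setting and the signed-in identity's role are whatever the lab vault actually has, and the helper name Invoke-DataPlaneOp is chosen here, not an Az cmdlet.

```powershell
# Added example (not from the question or any commenter): reproduce one of the
# three statements in a lab and see whether the blocker is the date or the role.
# Prerequisites: Az.KeyVault and Az.Resources modules, Connect-AzAccount done,
# and the signed-in identity holding ONLY the role under test (as azure_2563 notes).
# Defaults model statement 1: Admin1 trying to recover key1 in KeyVault1.
param(
    [string]$VaultName  = 'KeyVault1',
    [string]$ObjectName = 'key1',
    [ValidateSet('key', 'secret')] [string]$ObjectType = 'key'
)

# 1. Vault-level settings that decide the outcome: retention window and purge protection.
$vault = Get-AzKeyVault -VaultName $VaultName
[pscustomobject]@{
    Vault                     = $vault.VaultName
    SoftDeleteRetentionInDays = $vault.SoftDeleteRetentionInDays
    EnablePurgeProtection     = $vault.EnablePurgeProtection
    EnableRbacAuthorization   = $vault.EnableRbacAuthorization
} | Format-List

# 2. Which Azure RBAC role does the caller hold on this vault? This is a
#    management-plane query, so a Key Vault Contributor can run it even though
#    that role cannot touch keys or secrets. -ExpandPrincipalGroups also shows
#    roles inherited through group membership.
$me = (Get-AzContext).Account.Id
Get-AzRoleAssignment -SignInName $me -Scope $vault.ResourceId -ExpandPrincipalGroups |
    Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 3. Is the object still soft-deleted? ScheduledPurgeDate is DeletedDate plus the
#    vault's retention days; after that date the object is gone and nobody,
#    whatever their role, can recover or purge it.
if ($ObjectType -eq 'key') {
    $deleted = Get-AzKeyVaultKey -VaultName $VaultName -Name $ObjectName -InRemovedState
} else {
    $deleted = Get-AzKeyVaultSecret -VaultName $VaultName -Name $ObjectName -InRemovedState
}
if (-not $deleted) {
    Write-Host "$ObjectType '$ObjectName' is not in the soft-deleted state (never deleted, already recovered, or past its purge date)."
    return
}
$deleted | Select-Object Name, DeletedDate, ScheduledPurgeDate | Format-List
if ((Get-Date) -gt $deleted.ScheduledPurgeDate) {
    Write-Host 'Past the scheduled purge date: neither recover nor purge can succeed.'
}

# 4. Try the data-plane operation and classify the failure. A 403 means the role
#    lacks the permission (management-plane-only role, or no purge action); it is
#    not a retention problem. Helper name is this example's own.
function Invoke-DataPlaneOp {
    param([string]$Label, [scriptblock]$Op)
    try {
        & $Op | Out-Null
        Write-Host "$Label : succeeded"
    } catch {
        $msg = $_.Exception.Message
        if ($msg -match 'Forbidden|403|does not have') {
            Write-Host "$Label : FORBIDDEN (role lacks the permission) - $msg"
        } else {
            Write-Host "$Label : failed - $msg"
        }
    }
}

if ($ObjectType -eq 'key') {
    Invoke-DataPlaneOp 'Recover key' { Undo-AzKeyVaultKeyRemoval -VaultName $VaultName -Name $ObjectName }
    # Purge is irreversible; only uncomment against a throwaway lab vault without purge protection.
    # Invoke-DataPlaneOp 'Purge key' { Remove-AzKeyVaultKey -VaultName $VaultName -Name $ObjectName -InRemovedState -Force }
} else {
    Invoke-DataPlaneOp 'Recover secret' { Undo-AzKeyVaultSecretRemoval -VaultName $VaultName -Name $ObjectName }
    # Invoke-DataPlaneOp 'Purge secret' { Remove-AzKeyVaultSecret -VaultName $VaultName -Name $ObjectName -InRemovedState -Force }
}
```

Run it once per statement, switching the signed-in identity and parameters (for statement 2: -VaultName KeyVault2 -ObjectName secret1 -ObjectType secret, with the purge line uncommented). The ScheduledPurgeDate printed in step 3 settles the date part of each statement, and the FORBIDDEN versus succeeded result in step 4 settles the role part, which is where the thread actually disagrees.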

bxlin

Y N N

Helpdesk Administrator: Can reset passwords for non-administrators and Helpdesk Administrators.
Password Administrator: Can reset passwords for non-administrators and Password Administrators.

wardy1983

Explanation:

Box1: Yes. Admin1 is Key Vault Contributor on KeyVault1, which has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 5th, Admin1 can recover Key1.

Box2: No. On Jun 1st, secret1 has already been deleted. Hence it cannot be purged again on Jun 12th.

Box3: No. KeyVault1 has 10 days to retain deleted vaults, and Key1 from KeyVault1 was deleted on Jun 1st. Hence on Jun 17th it cannot be recovered.

hfk2020

Key Vault Contributor: Lets you manage key vaults, but not access to them. 1st option NO.

Key Vault Secrets Officer: Perform any action on the secrets of a key vault, except manage permissions. It's within the timeframe, so Yes (tested in lab: Key Vault Secrets Officer can recover secrets only).

Key Vault Administrator: Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Purge protection keeps the key in recovery state for 90 days (tested in lab), so Yes.

hfk2020

NYN

Key Vault Administrator: Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Purge protection keeps the key in recovery state for 90 days (tested in lab), so No. Editing this.

azure_2563

Tested it, and the result is: NO YES NO. While testing, make sure you assign only the mentioned role, not less, not more.

_punky_

YNN. 2nd box is No because there are not enough permissions to purge.

BigShot0

1. When soft-delete is enabled, resources marked as deleted are retained for a specified period (90 days by default).
2. Purge protection is an optional Key Vault behavior and is not enabled by default. Purge protection can only be enabled once soft-delete is enabled.

Therefore the third option is Yes. The key can be recovered for 90 days. The question says that key1 was deleted, not that it was purged after the purge protection period. https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview

ESAJRR

Y - within 10 days
N - purge protection enabled, so no; also Secrets Officer does not have enough permission
N - more than 15 days have passed, so already deleted and not possible to recover anymore

heatfan900

YES = ADMIN 1 CAN RECOVER AS PURGE PROTECTION IS ON AND THE 10 DAYS HAVE NOT PASSED.
NO = PURGE PROTECTION IS DISABLED.
NO = THE 10 DAYS HAVE PASSED AND THE KEY IS UNRECOVERABLE.