Exam AZ-400
Question 160

DRAG DROP -

You have an Azure Key Vault that contains an encryption key named key1.

You plan to create a Log Analytics workspace that will store logging data.

You need to encrypt the workspace by using key1.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

    Correct Answer:

    Customer-Managed key provisioning steps (assuming there already is an Azure Key Vault):

    Step 1: Enable soft delete for the key vault.

    The Azure Key Vault must be configured as recoverable to protect your key and the access to your data in Azure Monitor. You can verify this configuration under Properties in your Key Vault: both Soft delete and Purge protection should be enabled.

    Step 2: Create a Log Analytics cluster.

    Clusters use a managed identity for data encryption with your Key Vault. Set the identity type property to SystemAssigned when creating your cluster to allow access to your Key Vault for "wrap" and "unwrap" operations.

    Step 3: Grant permissions to the key vault.

    Create an access policy in Key Vault to grant permissions to your cluster. These permissions are used by the underlying cluster storage. Open your Key Vault in the Azure portal and click Access Policies, then + Add Access Policy, to create a policy with these settings:

    Key permissions: select Get, Wrap Key and Unwrap Key.

    Etc.

    1. Creating cluster

    2. Granting permissions to your Key Vault

    3. Updating cluster with key identifier details

    4. Linking workspaces

    Step 4: Link workspace.

    Link the workspace to the cluster.

    This step should be performed only after the cluster provisioning. If you link workspaces and ingest data prior to the provisioning, ingested data will be dropped and won't be recoverable.

    Reference:

    https://docs.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys
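The prerequisites in the steps above can be checked before any workspace is linked; the following is an added example, not part of the original answer or of Microsoft's documentation. It is a Python pre-flight check over JSON descriptions of the vault and the cluster. The field names are assumptions modelled on ARM-style resource JSON, the sample objects are constructed, and the vault is assumed to use access policies as the answer describes.

```python
# Added example: pre-flight check for the customer-managed key steps above.
# Field names are assumptions modelled on ARM-style JSON; samples are constructed.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}  # Get, Wrap Key, Unwrap Key

def cmk_preflight(vault: dict, cluster: dict) -> list:
    """Return unmet prerequisites in step order; an empty list means OK to link."""
    problems = []
    props = vault.get("properties", {})
    # Step 1: vault must be recoverable. A missing flag is treated as disabled.
    if not props.get("enableSoftDelete"):
        problems.append("key vault: soft delete is not enabled")
    if not props.get("enablePurgeProtection"):
        problems.append("key vault: purge protection is not enabled")
    # Step 2: cluster must have a system-assigned managed identity.
    identity = cluster.get("identity") or {}
    if identity.get("type") != "SystemAssigned":
        problems.append("cluster: identity type is not SystemAssigned")
    # Step 3: an access policy must grant that identity the three key permissions.
    principal = identity.get("principalId")
    granted = set()
    for policy in props.get("accessPolicies", []):
        if principal and policy.get("objectId") == principal:
            keys = policy.get("permissions", {}).get("keys", [])
            granted |= {k.lower() for k in keys}
    missing = sorted(REQUIRED_KEY_PERMS - granted)
    if missing:
        problems.append("key vault: cluster identity lacks key permissions: "
                        + ", ".join(missing))
    # Step 4: link workspaces only after provisioning; data ingested earlier is dropped.
    if cluster.get("provisioningState") != "Succeeded":
        problems.append("cluster: provisioning not complete, do not link yet")
    return problems

PRINCIPAL = "00000000-0000-0000-0000-000000000001"  # constructed object ID
GOOD_CLUSTER = {"identity": {"type": "SystemAssigned", "principalId": PRINCIPAL},
                "provisioningState": "Succeeded"}
GOOD_VAULT = {"properties": {
    "enableSoftDelete": True, "enablePurgeProtection": True,
    "accessPolicies": [{"objectId": PRINCIPAL,
                        "permissions": {"keys": ["get", "wrapKey", "unwrapKey"]}}]}}
# Constructed failing case: no purge protection, policy grants only Get,
# and the cluster is still being provisioned.
BAD_CLUSTER = dict(GOOD_CLUSTER, provisioningState="Creating")
BAD_VAULT = {"properties": {
    "enableSoftDelete": True, "enablePurgeProtection": None,
    "accessPolicies": [{"objectId": PRINCIPAL, "permissions": {"keys": ["get"]}}]}}

if __name__ == "__main__":
    for name, v, c in (("good", GOOD_VAULT, GOOD_CLUSTER), ("bad", BAD_VAULT, BAD_CLUSTER)):
        print(name, cmk_preflight(v, c) or "all prerequisites met")
```
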

Discussion
509325_5153

Why do we need soft delete? I was thinking...
1. Register the Azure subscription to allow cluster creation.
2. Create a Log Analytics cluster.
3. Grant permissions to the key vault.
4. Link the workspace.

armvch

We already have Keyvault, why do we need to create an Azure Subs then? Enabling soft delete sounds more logical, I guess

binhdortmund

Yes, we already have Keyvault and while creating Keyvault, the Soft Delete is enabled, we can't change here. So this step "Enabling soft delete" is impossible

armvch

This Keyvault could have been created before the deprecating of soft deletion optional enabling. There is a guide how to enable soft deletion for existing Keyvaults. https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-change Anyway, we already have some subscription because we already have Keyvault.

binhdortmund

From azure portal: "The ability to turn off soft delete via the Azure Portal has been deprecated. You can create a new key vault with soft delete off for a limited time using CLI / PowerShell / REST API. The ability to create a key vault with soft delete disabled will be fully deprecated by the end of the year."

RealRaymond

Not able to find any reference to "Register the Azure subscription to allow cluster creation."

Pamban

Here is the reference: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=cli
Cluster creation triggers resource allocation and provisioning. This operation can take a few hours to complete. Dedicated cluster is billed once provisioned regardless data ingestion and it's recommended to prepare the deployment to expedite the provisioning and workspaces link to cluster. Verify the following:
- A list of initial workspace to be linked to cluster is identified
- You have permissions to subscription intended for the cluster and any workspace to be linked

Pamban

Yes, correct. According to the link below, https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=cli, the explanation is as follows:
Cluster creation triggers resource allocation and provisioning. This operation can take a few hours to complete. Dedicated cluster is billed once provisioned regardless data ingestion and it's recommended to prepare the deployment to expedite the provisioning and workspaces link to cluster. Verify the following:
- A list of initial workspace to be linked to cluster is identified
- You have permissions to subscription intended for the cluster and any workspace to be linked
Nothing to do with soft delete here.

6c01613

Correct https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal

Pamban

This question appeared on today's (20/06/23) exam. Selected below order. Scored 955. Should be correct! Cheers
1. Register the Azure subscription to allow cluster creation.
2. Create a Log Analytics cluster.
3. Grant permissions to the key vault.
4. Link the workspace.

Inderpreet773

@Pamban - Could you share other questions also and any lab related quiz? And how many from examtopics?

zellck

1. Enable soft delete for key vault
2. Create log analytics cluster
3. Grant permissions to key vault
4. Link the workspace
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#customer-managed-key-provisioning-steps
- Creating Azure Key Vault and storing key
- Creating cluster
- Granting permissions to your Key Vault
- Updating cluster with key identifier details
- Linking workspaces
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#storing-encryption-key-kek
The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled.

Ev3rtao

What's the relevance of soft delete here? It doesn't mention the type of key we are using.

Fal991l

GPT: Here are the four steps in sequence:
Grant permissions to the key vault - c
Register the Azure subscription to allow cluster creation - b
Create a Log Analytics cluster - d
Link the workspace to the key vault - a
Explanation: To encrypt the Log Analytics workspace using the key1 encryption key in Azure Key Vault, you need to perform the following four steps:
Grant permissions to the key vault: You need to grant the Log Analytics workspace access to the key1 encryption key in Azure Key Vault to be able to use it for encryption.
Register the Azure subscription to allow cluster creation: You need to register your Azure subscription to allow the creation of a Log Analytics cluster.
Create a Log Analytics cluster: You need to create a Log Analytics cluster in your Azure subscription.
Link the workspace to the key vault: Once the Log Analytics cluster is created, you need to link it to the key1 encryption key in Azure Key Vault to enable encryption of data in the workspace.

Fal991l

GPT: You can switch the order of steps b and c, so the revised sequence of actions would be:
Register the Azure subscription to allow cluster creation - b
Grant permissions to the key vault - c
Create a Log Analytics cluster - d
Link the workspace to the key vault - a
Explanation: You can first register your Azure subscription to allow the creation of a Log Analytics cluster and then grant permissions to the key vault. This order will not impact the outcome of the steps as both are independent of each other. So, you can switch the order of steps b and c based on your preference. After registering the Azure subscription and granting permissions to the key vault, you can create a Log Analytics cluster, and then link the workspace to the key vault to enable encryption of data in the workspace.

Fal991l

Bing: To encrypt a Log Analytics workspace by using an encryption key named key1 stored in an Azure Key Vault, you should perform the following actions in sequence:
Register the Azure subscription to allow cluster creation (b)
Create a Log Analytics cluster (d)
Grant permissions to the key vault (c)
Link the workspace (a)
Note that these actions should be performed in the correct order to achieve the desired result.

nakedsun

Pasting in LLM answers from ChatGPT etc. is really dumb if you are just copy and pasting the exam question as a prompt, because they will have ingested the contents of this website and there is a good chance it is just feeding back comments on here from 6 months ago. Better results would be from using a prompt that isn't a copy and paste of the exam question, so there is a better chance it pulls from MS documentation rather than internet comments.

AlexeyG

got this in 02 March 2023 exams. scored 870 marks.

nikipediaa

Got this Feb 2023

syu31svc

Answer is correct and explanation provided supports it

pdk88

Agreed upon that, answer is correct
- Creating Azure Key Vault and storing key(*)
- Creating cluster
- Granting permissions to your Key Vault
- (Updating cluster with key identifier details --> not given in answer)
- Linking workspaces
(*)"You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled."
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#customer-managed-key-provisioning-steps
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal#storing-encryption-key-kek

husam421

Given answer is correct https://learn.microsoft.com/en-us/azure/key-vault/general/soft-delete-overview

hajurbau

Soft Delete must be enabled as per microsoft link https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-dedicated-clusters?tabs=azure-portal The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled.

hajurbau

Based on the Microsoft link https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys?tabs=portal (Check the Storage encryption key section) The Azure Key Vault must be configured as recoverable, to protect your key and the access to your data in Azure Monitor. You can verify this configuration under properties in your Key Vault, both Soft delete and Purge protection should be enabled.

Asten

Answer is correct. Because Soft Delete is not default. You have to enable it at first.