
DP-200 Exam - Question 58


DRAG DROP -

You need to create an Azure Cosmos DB account that will use encryption keys managed by your organization.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.

Select and Place:

Correct Answer:

Step 1: Create an Azure key vault and enable purge protection

Using customer-managed keys with Azure Cosmos DB requires you to set two properties on the Azure Key Vault instance that you plan to use to host your encryption keys: Soft Delete and Purge Protection.

Step 2: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI

Data stored in your Azure Cosmos account is automatically and seamlessly encrypted with keys managed by Microsoft (service-managed keys). Optionally, you can choose to add a second layer of encryption with keys you manage (customer-managed keys).

Step 3: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal

Add an access policy to your Azure Key Vault instance

Step 4: Generate a new key in the Azure key vault

Generate a key in Azure Key Vault
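The same four actions as an Az PowerShell script, added here as an illustration and not taken from the exam page or the linked documentation. It runs them in the order that several commenters below use (vault, access policy, key, account), because the key URI has to exist before it can be entered into the new account. Resource group, vault, key and account names are placeholders, and the Cosmos DB first-party application ID must be taken from the referenced Microsoft documentation for your cloud.

```powershell
# Added example (not from the exam page): provision an Azure Cosmos DB account
# that uses a customer-managed key (CMK) held in Azure Key Vault.
$rg          = 'rg-cmk-demo'           # assumed: an existing resource group
$location    = 'westeurope'
$vaultName   = 'kv-cmk-demo-001'       # placeholder, must be globally unique
$keyName     = 'cosmos-cmk'
$accountName = 'cosmos-cmk-demo-001'   # placeholder, must be globally unique
# Application ID of the Azure Cosmos DB first-party identity; copy it from the
# how-to-setup-cmk documentation rather than from this example.
$cosmosAppId = '<Azure Cosmos DB first-party application ID>'

# Prerequisite mentioned in the discussion: the resource provider must be registered.
Register-AzResourceProvider -ProviderNamespace Microsoft.DocumentDB | Out-Null

# Step 1: Key Vault with purge protection. Soft delete is on by default for new
# vaults; purge protection is opt-in and stops a key the account depends on from
# being permanently deleted during the retention period.
New-AzKeyVault -ResourceGroupName $rg -Name $vaultName -Location $location `
    -EnablePurgeProtection | Out-Null

# Step 2: access policy for the Cosmos DB principal. Least privilege: the service
# only needs to read the key and wrap/unwrap data-encryption keys with it.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $cosmosAppId `
    -PermissionsToKeys get,wrapKey,unwrapKey

# Step 3: generate a software-protected RSA key and capture its URI.
$key    = Add-AzKeyVaultKey -VaultName $vaultName -Name $keyName -Destination Software
$keyUri = $key.Id   # versioned URI, e.g. https://<vault>.vault.azure.net/keys/cosmos-cmk/<version>
# Per the linked documentation, a versionless URI (trailing version segment removed)
# lets the account pick up new key versions on rotation without reconfiguration.
$keyUri = $keyUri -replace '/[^/]+$', ''

# Step 4: create the account with Data Encryption set to the customer-managed key.
$account = New-AzCosmosDBAccount -ResourceGroupName $rg -Name $accountName `
    -Location $location -KeyVaultKeyUri $keyUri

# Check: the account should report the key URI it was created with.
$account.KeyVaultKeyUri
```

If the access policy is missing or the vault lacks purge protection, account creation fails at step 4, which is the quickest way to confirm that steps 1 to 3 were completed correctly.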

Reference:

https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk

Discussion

Wendy_DK
Apr 19, 2021

Step 1: Create an Azure Key vault and enable purge protection
Step 2: Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
Step 3: Generate a new key in Azure Key Vault
Step 4: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI

vaio
Apr 25, 2021

This solution is correct. Check the documentation here: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk

vrmei
Jun 5, 2021

Perfect. The Microsoft.DocumentDB Resource Provider has to be registered, and then all the steps mentioned here.

vaseva1
Apr 5, 2021

Step 1: Create an Azure key vault and enable purge protection
Step 2: Generate a new key in the Azure key vault
Step 3: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI
Step 4: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal

cadio30
Apr 30, 2021

This makes sense. Checked the documentation at the URL below: https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk

cadio30
May 7, 2021

Retracting my feedback here; instead go for the solution below:
Step 1: Create an Azure Key vault and enable purge protection
Step 2: Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
Step 3: Generate a new key in Azure Key Vault
Step 4: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI


alf99
Apr 5, 2021

The Cosmos DB account must be created as the last step, using the previously created key. The MS docs state: "When you create a new Azure Cosmos DB account from the Azure portal, choose Customer-managed key in the Encryption step. In the Key URI field, paste the URI/key identifier of the Azure Key Vault key that you copied from the previous step" https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk

MMM777
May 5, 2021

Step 1: Create an Azure key vault and enable purge protection
Step 2: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal (doesn't have to actually exist yet)
Step 3: Generate a new key in the Azure key vault
Step 4: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI
https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-cmk

nit687
Jun 25, 2021

The right sequence looks like this:
Step 1: Create an Azure Key vault and enable purge protection
Step 2: Generate a new key in Azure Key Vault
Step 3: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI
Step 4: Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
In the discussion there is confusion about whether step 4 should come above step 3, etc., but unless we create a Cosmos DB resource, how can we create a key vault access policy and grant permission to the Cosmos DB principal? So step 4 should be last.

dangal95
Apr 29, 2021

These are the correct steps:
Step 1: Create an Azure Key vault and enable purge protection
Step 2: Generate a new key in Azure Key Vault
Step 3: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed key (Enter Key URI), and enter the key URI
Step 4: Add an Azure Key Vault access policy to grant permission to the Azure Cosmos DB principal
You cannot add the key URI before you've even created the key, so creating the Cosmos DB account AND inserting the key URI before the key even exists does not make sense. Also, you cannot add an access policy for a resource that does not exist yet, so adding the access policy to the key vault before you even created the Cosmos DB account does not make sense.

hoangton
May 16, 2021

Step 1: Create an Azure key vault and enable purge protection
Step 2: Add an Azure Key Vault access policy to grant permissions to the Azure Cosmos DB principal
Step 3: Generate a new key in the Azure key vault
Step 4: Create a new Azure Cosmos DB account, set Data Encryption to Customer-managed Key (Enter key URI), and enter the key URI