Exam AZ-204
Question 216

You are developing several microservices to deploy to a new Azure Kubernetes Service cluster. The microservices manage data stored in Azure Cosmos DB and Azure Blob storage. The data is secured by using customer-managed keys stored in Azure Key Vault.

You must automate key rotation for all Azure Key Vault keys and allow for manual key rotation. Keys must rotate every three months. Notifications of expiring keys must be sent before key expiry.

You need to configure key rotation and enable key expiry notifications.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Correct Answer: A, D

To configure key rotation and enable key expiry notifications in Azure Key Vault, you should create and configure a new Azure Event Grid instance and create and configure a key rotation policy during key creation. Azure Event Grid can be used to trigger notifications when a key is about to expire, ensuring timely alerts. Additionally, setting up a key rotation policy during key creation allows for automated key rotations at specified intervals, such as every three months, meeting the requirement for both automated and manual key rotation.
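As an added illustration (not part of the exam explanation), the script below builds the rotation-policy document that `az keyvault key rotation-policy update --value @policy.json` accepts, with a Rotate action every three months and a Notify action that makes Key Vault emit a `Microsoft.KeyVault.KeyNearExpiry` event to Event Grid, and it shows how a subscriber would compute the days left from such an event. Vault, key and timestamp values are constructed placeholders; the duration sanity checks use approximate month and year lengths and are this example's own, not Key Vault's validation.

```python
"""Key Vault rotation policy + KeyNearExpiry event handling (added example)."""
import json
import re
from datetime import datetime, timezone

# ISO 8601 duration subset used in rotation policies (PnY, PnM, PnD).
# Day counts are approximations used only for ordering checks in this example.
_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def approx_days(duration: str) -> int:
    m = _DUR.match(duration)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 duration: {duration}")
    y, mo, d = (int(g) if g else 0 for g in m.groups())
    return y * 365 + mo * 30 + d


def build_rotation_policy(rotate_after="P3M", notify_before="P30D", expiry="P1Y") -> dict:
    """Policy body for `az keyvault key rotation-policy update --value @policy.json`.
    Rotate: automatic rotation (manual `az keyvault key rotate` still works).
    Notify: Key Vault publishes Microsoft.KeyVault.KeyNearExpiry to Event Grid."""
    if approx_days(notify_before) >= approx_days(rotate_after):
        raise ValueError("notify window must be shorter than the rotation interval")
    if approx_days(rotate_after) >= approx_days(expiry):
        raise ValueError("rotation interval must be shorter than the key expiry")
    return {
        "lifetimeActions": [
            {"trigger": {"timeAfterCreate": rotate_after}, "action": {"type": "Rotate"}},
            {"trigger": {"timeBeforeExpiry": notify_before}, "action": {"type": "Notify"}},
        ],
        "attributes": {"expiryTime": expiry},
    }


def days_until_expiry(event: dict, now: datetime) -> int:
    """Days left for the key named in a KeyNearExpiry event (EXP is Unix seconds)."""
    if event.get("eventType") != "Microsoft.KeyVault.KeyNearExpiry":
        raise ValueError("not a KeyNearExpiry event")
    exp = datetime.fromtimestamp(event["data"]["EXP"], tz=timezone.utc)
    return (exp - now).days


# Constructed sample event in the shape Event Grid delivers for Key Vault (made-up values).
SAMPLE_EVENT = {
    "eventType": "Microsoft.KeyVault.KeyNearExpiry",
    "subject": "cosmos-cmk",
    "data": {"VaultName": "kv-example", "ObjectType": "Key", "ObjectName": "cosmos-cmk",
             "Version": "0000000000000000", "NBF": 1700000000, "EXP": 1702592000},
}


def sample_days_left() -> int:
    """Evaluate the sample event as if received at its NBF timestamp (30 days before EXP)."""
    return days_until_expiry(SAMPLE_EVENT, datetime.fromtimestamp(1700000000, tz=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(build_rotation_policy(), indent=2))
    print(sample_days_left())
```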

Discussion
abcdx (Options: AD)

A&D for sure! https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation

halfway (Options: AD)

Key rotation policy and Event Grid notification

paunski7 (Options: BD)

B & D. To configure key rotation and enable key expiry notifications for Azure Key Vault, you should perform the following two actions:

B. Configure Azure Key Vault alerts: Configure alerts for when a key is expiring, so that you can receive notifications before the key expiry. You can configure these alerts in Azure Key Vault using Azure Monitor, which sends an email or a webhook notification to a recipient or service when the key is about to expire. You can specify the notification threshold in terms of days, so you can receive alerts, for example, seven days before the key expiry.

C. Create and assign an Azure Key Vault access policy: Create and assign an access policy for your Azure Key Vault that allows your microservices to perform key rotations manually, and automated key rotations using a key rotation script. You can create and assign access policies for Azure Key Vault through the Azure portal or the Azure CLI.

These actions enable you to configure key rotation and notifications for key expiry.

paunski7

Options A and D are not relevant to the solution. Azure Event Grid is a service that allows you to react to events in Azure services by routing them to different endpoints, but it is not required for key rotation or notifications for Azure Key Vault. Key rotation policies are not created during key creation, but rather they are created and applied to existing keys.

smariussorin

https://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-tutorial. Check the documentation: "When one of the secrets in the key vault is about to expire (defined as 30 days before expiration date), Event Grid is notified of the status change and makes an HTTP POST to the endpoint." It is A & D.

ProtossOR89144

That's the example for a key to access Event Grid... The web app accesses Cosmos DB and Blob storage. I think paunski7 is right.

dy0917

Key Vault alerts are used to monitor health issues. After you start to use Azure Key Vault to store your production secrets, it's important to monitor the health of your key vault to make sure that your service operates as intended.

Ciupaz (Options: BD)

For me, B and D for sure.

macobuzi (Options: AD)

We can use the Key Rotation Policy in Azure Key Vault combined with Event Grid to trigger sending a notification when a secret in the key vault is about to expire. https://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-tutorial

130nk3r5 (Options: BD)

B. Configure Azure Key Vault alerts. To receive notifications of expiring keys, you need to configure Azure Key Vault alerts. You can set up alerts for key expiration events, which will notify you before the key expires. D. Create and configure a key rotation policy during key creation. To automate key rotation, you need to create and configure a key rotation policy when creating the keys in Azure Key Vault. You can set the rotation interval to three months, as required, and also allow for manual key rotation.

nekkilodeon (Options: BC)

B & C are correct: alerts for notifications and access policies for storage access to existing keys.

CarlosTheBoldest

I thought as you did and I was wrong :) "As you start to scale your service, the number of requests sent to your key vault will rise. This rise has a potential to increase the latency of your requests. In extreme cases, it can cause your requests to be throttled and affect the performance of your service. You also need to know if your key vault is sending an unusual number of error codes, so you can quickly handle any problems with an access policy or firewall configuration." So the KV alert is used to raise alerts when it begins to send too many errors or receives too many requests. https://learn.microsoft.com/en-us/azure/key-vault/general/alert