AZ-500 Question #244: Real Exam Question with Answer & Explanation
The correct answer is D: Use an Automation account and a runbook to rotate keys. To automatically rotate Azure Service Bus keys stored in Azure Key Vault, create an Azure Automation account with a runbook that programmatically regenerates the key in Service Bus and updates the Key Vault secret.
Question
You are working for an organization as an Azure administrator. The keys for Azure Service Bus are stored in Azure Key Vault and accessed from it by several applications the organization uses. The keys are regenerated manually and stored in the key vault, and this process is time-consuming. What would be your course of action if you want to configure Azure to rotate the keys automatically?
Options
- A. Set the keys to auto rotate with an expiration date of 6 months.
- B. Use a scheduled task and PowerShell to expire the keys and generate new ones.
- C. Grant each application permission to rotate the keys.
- D. Use an Automation account and a runbook to rotate keys.
Explanation
To automatically rotate Azure Service Bus keys stored in Azure Key Vault, create an Azure Automation account with a runbook that programmatically regenerates the key in Service Bus and then writes the new value to the Key Vault secret, so applications that read the secret from Key Vault pick up the new key without manual intervention.
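The runbook described above, written out as an added PowerShell example (not code from the exam page or from Microsoft's tutorial). It assumes the Automation account signs in with its managed identity, that the Az.ServiceBus 3.x parameter names (`-KeyType`) apply, and that every resource name is a placeholder; it alternates between the primary and secondary key so clients still holding the other key keep working until they read the new secret version.

```powershell
# Added example runbook (not part of the original page). Assumes the Automation
# account's managed identity has rights to regenerate keys on the namespace and
# to set secrets in the vault, and that Az.Accounts, Az.ServiceBus (3.x parameter
# names) and Az.KeyVault are imported into the account. All names are placeholders.
param(
    [string]$ResourceGroupName = "rg-messaging",
    [string]$NamespaceName     = "sb-contoso-prod",
    [string]$AuthRuleName      = "app-send-listen",
    [string]$VaultName         = "kv-contoso-prod",
    [string]$SecretName        = "servicebus-app-key",
    [int]$ValidityDays         = 90
)

# Sign in as the Automation account's managed identity; no stored credentials in the runbook.
Connect-AzAccount -Identity | Out-Null

# Read the current secret to see which key was rotated last (recorded in a tag),
# then regenerate the other one so the key still in use is not invalidated mid-flight.
$current  = Get-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -ErrorAction SilentlyContinue
$lastType = if ($current -and $current.Tags) { $current.Tags['KeyType'] } else { $null }
$keyType  = if ($lastType -eq 'PrimaryKey') { 'SecondaryKey' } else { 'PrimaryKey' }

# Regenerate the chosen key on the Service Bus authorization rule; the old value stops working.
$keys = New-AzServiceBusKey -ResourceGroupName $ResourceGroupName -NamespaceName $NamespaceName `
            -Name $AuthRuleName -KeyType $keyType
$newValue = if ($keyType -eq 'PrimaryKey') { $keys.PrimaryConnectionString } else { $keys.SecondaryConnectionString }

# Store the new value as a new secret version. The expiry date does not rotate anything
# by itself (option A's mistake); it only lets monitoring catch a rotation that failed to run.
$secure = ConvertTo-SecureString -String $newValue -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $VaultName -Name $SecretName -SecretValue $secure `
    -Expires (Get-Date).AddDays($ValidityDays) `
    -Tag @{ KeyType = $keyType; RotatedBy = 'AutomationRunbook' } | Out-Null

# Log what happened without echoing the key material into the job output.
Write-Output "Rotated $keyType of rule '$AuthRuleName' and stored a new version of secret '$SecretName'."
```

Link the runbook to an Automation schedule (for example every 60 days, well inside the 90-day expiry) so the rotation runs without an operator.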
Common mistakes.
- A. Setting an expiration date on a Key Vault secret only marks it as expired; it does not automatically trigger the regeneration of the Service Bus key or update the secret with a new value.
- B. A scheduled task is an on-premises concept; in Azure, an Automation account with a scheduled runbook provides the cloud-native equivalent for automating tasks.
- C. Granting applications permission to rotate keys would delegate this sensitive task to potentially multiple applications, which is not a secure or centralized approach for managing key rotation.
Concept tested. Automated key rotation using Azure Automation and Key Vault
Reference. https://learn.microsoft.com/en-us/azure/key-vault/secrets/tutorial-rotation