AZ-500 Question #356: Real Exam Question with Answer & Explanation
This question tests knowledge of Azure SQL Database encryption options, specifically distinguishing between Transparent Data Encryption (TDE) with customer-managed keys and Always Encrypted with column-level encryption to restrict decryption to specific application identities.
Question
Hotspot Question

You have an Azure subscription that contains the following resources:

- An Azure key vault
- An Azure SQL database named Database1
- Two Azure App Service web apps named AppSrv1 and AppSrv2 that are configured to use system-assigned managed identities and access Database1

You need to implement an encryption solution for Database1 that meets the following requirements:

- The data in a column named Discount in Database1 must be encrypted so that only AppSrv1 can decrypt the data.
- AppSrv1 and AppSrv2 must be authorized by using managed identities to obtain cryptographic keys.

How should you configure the encryption settings for Database1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:
Explanation
Approach. For the Discount column, which only AppSrv1 may decrypt, use Always Encrypted with a Column Encryption Key (CEK) whose Column Master Key (CMK) is stored in Azure Key Vault. Always Encrypted encrypts and decrypts on the client side, so only an application that can use the CMK in Key Vault (here, AppSrv1) can decrypt the column; the database engine itself never sees the plaintext. To authorize AppSrv1 and AppSrv2 to obtain cryptographic keys through their managed identities, configure Azure Key Vault access policies (or Key Vault RBAC) that grant each app's system-assigned managed identity the required key permissions (Get/WrapKey/UnwrapKey). The Transparent Data Encryption (TDE) protector should use a customer-managed key in Azure Key Vault to satisfy enterprise key management, but TDE encrypts the entire database at rest and cannot restrict column-level access between applications. Always Encrypted is therefore the correct choice for the column-level restriction that lets only AppSrv1 decrypt Discount.
Concept tested. Azure SQL Database encryption strategies: Always Encrypted (column-level, client-side encryption using CMK/CEK stored in Azure Key Vault with managed identity access) versus Transparent Data Encryption (database-level at-rest encryption). The key distinction is that Always Encrypted restricts decryption to specific clients holding the Column Master Key, while TDE encrypts the entire database transparently without application-level access control.
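A provisioning script for the design described above, added here as an illustration; it is not part of the exam page or of Microsoft's material. It uses the Az and SqlServer PowerShell modules. The resource group, logical server, key vault, key and table names are assumed, the vault is assumed to use the RBAC permission model so that role assignments can be scoped to a single key, and the script is assumed to run as an Azure AD administrator of Database1. The Key Vault Crypto User role covers the Get/WrapKey/UnwrapKey set named in the explanation plus sign/verify, which the Always Encrypted cmdlets use to sign the column master key metadata.

```powershell
# Added example, not from the exam page: provisions Always Encrypted for the
# Discount column, managed-identity authorization in Key Vault, and a
# customer-managed TDE protector. Assumed names (not in the question):
# resource group rg1, server sqlsrv1, vault kv-database1 (RBAC mode),
# keys cmk-discount / cmk-shared / tde-protector, table dbo.Orders.
Import-Module Az.Accounts, Az.Resources, Az.KeyVault, Az.Websites, Az.Sql, SqlServer
Connect-AzAccount | Out-Null

$rg = 'rg1'; $server = 'sqlsrv1'; $vaultName = 'kv-database1'

$vault = Get-AzKeyVault -ResourceGroupName $rg -VaultName $vaultName
$app1  = Get-AzWebApp -ResourceGroupName $rg -Name 'AppSrv1'
$app2  = Get-AzWebApp -ResourceGroupName $rg -Name 'AppSrv2'

# ARM scope of one key inside the vault (used for key-scoped role assignments).
function Get-KeyScope([string]$name) { "$($vault.ResourceId)/keys/$name" }

# --- Keys in Key Vault -------------------------------------------------------
# One RSA key per purpose so that authorization can be granted per key.
$cmkDiscount = Add-AzKeyVaultKey -VaultName $vaultName -Name 'cmk-discount'  -Destination Software
$cmkShared   = Add-AzKeyVaultKey -VaultName $vaultName -Name 'cmk-shared'    -Destination Software
$tdeKey      = Add-AzKeyVaultKey -VaultName $vaultName -Name 'tde-protector' -Destination Software

# --- Authorization by managed identity (Key Vault RBAC) ----------------------
# Scoping AppSrv1's assignment to the single key cmk-discount is what makes
# AppSrv1 the only app able to unwrap the CEK and decrypt Discount. AppSrv2 is
# still authorized through its own identity, but only for the shared key.
New-AzRoleAssignment -ObjectId $app1.Identity.PrincipalId -RoleDefinitionName 'Key Vault Crypto User' -Scope (Get-KeyScope 'cmk-discount')
New-AzRoleAssignment -ObjectId $app1.Identity.PrincipalId -RoleDefinitionName 'Key Vault Crypto User' -Scope (Get-KeyScope 'cmk-shared')
New-AzRoleAssignment -ObjectId $app2.Identity.PrincipalId -RoleDefinitionName 'Key Vault Crypto User' -Scope (Get-KeyScope 'cmk-shared')

# --- TDE protector = customer-managed key ------------------------------------
# The logical server's own identity (not the apps) needs get/wrapKey/unwrapKey
# on the protector key; the service-encryption role grants exactly that.
$sqlServer = Set-AzSqlServer -ResourceGroupName $rg -ServerName $server -AssignIdentity
New-AzRoleAssignment -ObjectId $sqlServer.Identity.PrincipalId -RoleDefinitionName 'Key Vault Crypto Service Encryption User' -Scope (Get-KeyScope 'tde-protector')
Add-AzSqlServerKeyVaultKey -ResourceGroupName $rg -ServerName $server -KeyId $tdeKey.Id
Set-AzSqlServerTransparentDataEncryptionProtector -ResourceGroupName $rg -ServerName $server -Type AzureKeyVault -KeyId $tdeKey.Id -Force

# --- Always Encrypted metadata and column encryption -------------------------
Add-SqlAzureAuthenticationContext -Interactive   # lets the SqlServer cmdlets call Key Vault
$db = Get-SqlDatabase -ConnectionString "Server=tcp:$server.database.windows.net;Database=Database1;Authentication=Active Directory Interactive;Encrypt=True"

$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyURL $cmkDiscount.Id
New-SqlColumnMasterKey     -Name 'CMK_Discount' -InputObject $db -ColumnMasterKeySettings $cmkSettings
New-SqlColumnEncryptionKey -Name 'CEK_Discount' -InputObject $db -ColumnMasterKey 'CMK_Discount'

# Randomized encryption: no equality lookups on Discount, but no plaintext
# frequency leakage either. Use Deterministic only if the app must filter on it.
$ces = New-SqlColumnEncryptionSettings -ColumnName 'dbo.Orders.Discount' -EncryptionType Randomized -EncryptionKey 'CEK_Discount'
Set-SqlColumnEncryption -InputObject $db -ColumnEncryptionSettings $ces -LogFileDirectory .
```

After this, each web app connects with `Column Encryption Setting=Enabled` and registers the Azure Key Vault column-encryption-key-store provider with a credential for its managed identity. AppSrv1 reads Discount as plaintext because Key Vault unwraps CEK_Discount for it; a query from AppSrv2 that touches the column fails at the unwrap call, which Key Vault refuses because AppSrv2 has no role on cmk-discount, and that refusal is logged in the vault's audit log. TDE, by contrast, is transparent to both apps: it protects the files at rest, which is why it cannot provide the per-application restriction the question asks for.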