AZ-500 Question #433: Real Exam Question with Answer & Explanation
This hotspot question assesses understanding of Azure Storage Shared Access Signatures (SAS), specifically their defined permissions and validity periods, and how they apply to user actions.
Question
Hotspot Question
You have an Azure subscription that contains two users named User1 and User2 and the blob containers shown in the following table.
Policy1 is configured as shown in the following exhibit.
You assign the roles for storage1 as shown in the following table.
The storage1 account has the following shared access signature (SAS) named SAS1:
- Allowed services: Blob
- Allowed resource types: Container
- Allowed permissions: Read, Write, List, Add, Create
- Blob versioning permissions: enables deletion of versions
- Allowed blob index permissions: Read/Write
- Start and expiry date/time:
  - Start: 12/1/2021
  - End: 12/31/2021
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Explanation
Approach. The correct approach involves evaluating each statement based solely on the properties of 'SAS1' as described in the question text. The existence of 'Policy1' in the exhibit is a red herring, as the question does not state that 'SAS1' references 'Policy1'. When a SAS does not explicitly reference a stored access policy, it operates as an 'ad-hoc' SAS with its own defined permissions and validity.
Based on the question text, 'SAS1' has the following properties:
- Allowed permissions: Read, Write, List, Add, Create
- Validity period: From 12/1/2021 to 12/31/2021
- Allowed resource types: Container (meaning it grants permissions at the container level)
Let's analyze each statement:
- Statement: When using SAS1, User1 can write to container2 on December 5, 2021.
  - Permissions: SAS1 includes 'Write' permission, which is required for this action.
  - Date: December 5, 2021, falls within the SAS1 validity period (12/1/2021 to 12/31/2021).
  - Conclusion: Yes, User1 can write. (Matches correct answer 'Yes').
- Statement: When using SAS1, User2 can write to container1 on December 20, 2021.
  - Permissions: SAS1 includes 'Write' permission.
  - Date: December 20, 2021, falls within the SAS1 validity period.
  - Conclusion: Yes, User2 can write. (Matches correct answer 'Yes').
- Statement: When using SAS1, User1 can read from container2 on January 10, 2022.
  - Permissions: SAS1 includes 'Read' permission, which is required for this action.
  - Date: January 10, 2022, falls outside the SAS1 validity period (which ends on 12/31/2021).
  - Conclusion: No, User1 cannot read. (Matches correct answer 'No').
Common mistakes.
- A common mistake is to assume that 'SAS1' is governed by 'Policy1'. Applying the permissions and validity of 'Policy1' (Read only, valid 12/15/2021 - 12/31/2021) to 'SAS1' would change the answers significantly:
  - Statement 1 (Write on Dec 5): Would be 'No' because 'Write' permission is not granted by Policy1 and Dec 5 is before Policy1's start date.
  - Statement 2 (Write on Dec 20): Would be 'No' because 'Write' permission is not granted by Policy1.
  - Statement 3 (Read on Jan 10): Would be 'No' because Jan 10 is after Policy1's end date.
  This leads to all 'No' answers, which contradicts the provided correct solution. This confirms that 'Policy1' is a distractor and that 'SAS1' should be evaluated based on its explicitly stated ad-hoc properties.
- Another mistake is to consider the Azure RBAC roles of User1 and User2, which the question assigns in a table that is not reproduced here. However, the question specifically asks 'When using SAS1...', indicating that the SAS token's permissions are the determining factor, not the users' direct RBAC assignments to the storage account itself.
Concept tested. Azure Storage Shared Access Signatures (SAS), including:
- Understanding the difference between ad-hoc SAS and SAS that references a Stored Access Policy.
- Evaluating the effective permissions granted by a SAS.
- Determining the validity of a SAS based on its start and expiry times.
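The evaluation walked through above, as an added Python example (not part of the original explanation and not Microsoft's code): it parses a SAS query string and checks permission and time window, once for SAS1 as an ad-hoc SAS and once for the hypothetical case where a token references Policy1. The token strings, times of day, `sv` and `sig` values and all function names are constructed for illustration.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# SAS permission letters (sp field) for the actions named in the question.
PERMS = {"read": "r", "write": "w", "list": "l", "add": "a", "create": "c"}

def _ts(value):
    """Parse a UTC timestamp such as 2021-12-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def effective_grant(sas_query, stored_policies=None):
    """Return (permissions, start, expiry) in force for a SAS query string.

    An ad-hoc SAS carries sp/st/se itself. If the token has an si field,
    the named stored access policy supplies the fields it defines.
    """
    fields = {k: v[0] for k, v in parse_qs(sas_query).items()}
    if "si" in fields:
        fields.update((stored_policies or {})[fields["si"]])
    start = _ts(fields["st"]) if "st" in fields else None
    return set(fields["sp"]), start, _ts(fields["se"])

def sas_allows(sas_query, action, when, stored_policies=None):
    """Check permission and time window only, as the explanation does."""
    perms, start, expiry = effective_grant(sas_query, stored_policies)
    in_window = (start is None or when >= start) and when < expiry
    return PERMS[action] in perms and in_window

def day(y, m, d):
    """Noon UTC on the given date (time of day is an assumption)."""
    return datetime(y, m, d, 12, tzinfo=timezone.utc)

# Constructed sample: SAS1 as the question describes it. The page gives only
# dates, so the times of day and the sv and sig values are placeholders.
SAS1 = ("sv=2020-08-04&ss=b&srt=c&sp=rwlac"
        "&st=2021-12-01T00:00:00Z&se=2021-12-31T23:59:59Z&sig=PLACEHOLDER")

# Hypothetical token for the "if Policy1 applied" case (Read only, 12/15-12/31).
SAS_VIA_POLICY1 = "sv=2020-08-04&sr=c&si=Policy1&sig=PLACEHOLDER"
POLICIES = {"Policy1": {"sp": "r", "st": "2021-12-15T00:00:00Z",
                        "se": "2021-12-31T23:59:59Z"}}

if __name__ == "__main__":
    for action, when in [("write", day(2021, 12, 5)), ("write", day(2021, 12, 20)),
                         ("read", day(2022, 1, 10))]:
        print(action, when.date(), sas_allows(SAS1, action, when),
              sas_allows(SAS_VIA_POLICY1, action, when, POLICIES))
```

The user's identity is not an input to `sas_allows`, which mirrors the point that the token, not the caller's RBAC role, decides the outcome when SAS1 is used.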