SC-100 Question #30: Real Exam Question with Answer & Explanation

The correct answer is A: Store the insurance claim data in Azure Blob storage encrypted by using customer-provided keys.

Design security solutions for applications and data

Question

You are designing security for an Azure landing zone. Your company identifies the following compliance and privacy requirements:

  • Encrypt cardholder data by using encryption keys managed by the company.
  • Encrypt insurance claim files by using encryption keys hosted on-premises.

Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Options

  • A. Store the insurance claim data in Azure Blob storage encrypted by using customer-provided keys.
  • B. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in
  • C. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.
  • D. Store the cardholder data in an Azure SQL database that is encrypted by using Microsoft-

Explanation

Correct answer: A, B

Two requirements must be met: (1) cardholder data encrypted with company-managed keys, and (2) insurance claim files encrypted with on-premises keys.

Option B addresses requirement 1: Azure SQL with Transparent Data Encryption (TDE) using Customer-Managed Keys (CMK) stored in Azure Key Vault means the company controls the encryption keys, satisfying "keys managed by the company."

Option A addresses requirement 2: Azure Blob Storage with customer-provided keys allows the client to supply encryption keys from their own on-premises infrastructure per request, satisfying "keys hosted on-premises."

Option C (Azure Files with Azure Key Vault Managed HSM) hosts keys in Azure, not on-premises.

Option D uses Microsoft-managed keys, which are not company-controlled and fail both requirements.

Topics

#Azure data encryption #Customer-managed keys (CMK) #Customer-provided keys (CPK) #Data compliance
