
AZ-500: How Do You Grant 24-Hour Limited Access to Azure Storage Account Downloads?

Why Are Shared Access Signatures Better Than Storage Account Keys for Temporary Access?

Learn why Shared Access Signatures (SAS) are the optimal solution for providing temporary, time-limited access to Azure Storage content for the AZ-500 exam. Understand how SAS tokens control access duration, permissions, and scope compared to permanent storage account keys.

Question

You need to provide the user access to download the digital content from your Storage Account. You need to ensure that the download is only available for 24 hours. What should you choose?

A. Storage Account Firewall
B. Shared Key (storage account key)
C. Storage Blob Data Reader RBAC role
D. Shared Access Signatures (SAS)

Answer

D. Shared Access Signatures (SAS)

Explanation

The correct answer is D. Shared Access Signatures (SAS) provide the precise time-based access control required for this scenario, allowing you to grant temporary download permissions that automatically expire after exactly 24 hours.

SAS tokens offer a variety of controls to limit the time and scope of access, whereas shared keys offer the equivalent of root access to the storage account, forever.

Shared Access Signatures (SAS) Overview

A Shared Access Signature is a URI that grants restricted access rights to Azure Storage resources. SAS tokens are designed specifically for scenarios requiring granular, time-limited access control. They contain all the information needed to authorize access, including permissions, duration, and scope, embedded within the token itself.

Key SAS Features for Time-Limited Access

  • Expiration Time: SAS tokens include a mandatory expiration date and time. Once this threshold is reached, the token becomes invalid and cannot be used to access the resource. This automatic expiration eliminates the need for manual revocation.
  • Start Time (Optional): You can configure a SAS token to become valid only at a future date and time, providing additional control over when access begins.
  • Granular Permissions: SAS tokens can be configured with specific permissions such as read-only, write, delete, or list, ensuring users can only perform authorized operations.
  • Resource Scope: Access can be limited to specific containers, blobs, or even blob prefixes, preventing access to other storage account resources.

Why Other Options Are Incorrect

Storage Account Firewall (A): This controls which IP addresses or networks can access the storage account but does not provide time-based access control or user-specific permissions. It’s a network-level security measure, not an authorization mechanism.

Shared Key (B): Storage account keys provide full, permanent access to the entire storage account with all permissions. They cannot be configured to expire automatically and represent a significant security risk if distributed to external users.

Storage Blob Data Reader RBAC Role (C): While this role provides appropriate read permissions, RBAC assignments are persistent and do not automatically expire. Removing the role assignment after 24 hours would require manual intervention, making it impractical for temporary access scenarios.

SAS Token Types

For this scenario, you would typically use a Service SAS token, which provides access to specific resources within a single Azure Storage service (Blob, Queue, Table, or File). The token would be configured with read permissions, a 24-hour expiration time, and scoped to the specific blobs or containers containing the digital content.
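The following is an added example, not code from the original article or from Microsoft. It shows what the features listed above (mandatory expiry, optional start time, read-only permission, single-blob scope) look like in a service SAS, and why the expiry is enforceable: the `se`, `st`, `sp` and resource path are all covered by an HMAC-SHA256 over the account key, so a recipient cannot extend the 24-hour window by editing the URL. The account name, key, container and blob names are constructed for the example; the string-to-sign field order is taken from Microsoft's documented service SAS format for API versions 2018-11-09 through 2020-10-02 (treated as an assumption here; in production, use the Azure SDK or `az storage blob generate-sas` rather than hand-signing). `check_blob_sas` mirrors the check the storage service performs and is included so the expiry and tamper behaviour can be observed offline.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed sample values, not a real Azure account. The key is just 64 bytes
# base64-encoded, the same shape as a real storage account key.
ACCOUNT = "contosomedia"
ACCOUNT_KEY = base64.b64encode(bytes(range(64))).decode()
SAS_VERSION = "2020-10-02"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # ISO 8601 UTC, the format SAS uses for st/se


def _string_to_sign(account, container, blob, permissions, start, expiry, protocol, version):
    """Assemble the service SAS string-to-sign for one blob (sr=b).

    Field order follows the service SAS format for API versions 2018-11-09
    through 2020-10-02 as documented by Microsoft (assumption for this example;
    later versions insert an encryption-scope field). Unused fields stay empty.
    """
    fields = [
        permissions,                            # sp
        start,                                  # st (optional)
        expiry,                                 # se (mandatory)
        f"/blob/{account}/{container}/{blob}",  # canonicalized resource
        "",                                     # si: stored access policy id
        "",                                     # sip: allowed IP range
        protocol,                               # spr
        version,                                # sv
        "b",                                    # sr: a single blob
        "",                                     # snapshot time
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct
    ]
    return "\n".join(fields)


def _sign(string_to_sign, account_key):
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    mac = hmac.new(base64.b64decode(account_key), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_blob_read_sas(container, blob, hours=24, now=None,
                       account=ACCOUNT, account_key=ACCOUNT_KEY):
    """Mint a read-only (sp=r), HTTPS-only service SAS for one blob that expires
    `hours` after `now`. Returns the query string to append to the blob URL."""
    now = now or datetime.now(timezone.utc)
    st = now.strftime(TIME_FMT)
    se = (now + timedelta(hours=hours)).strftime(TIME_FMT)
    sts = _string_to_sign(account, container, blob, "r", st, se, "https", SAS_VERSION)
    params = {"sv": SAS_VERSION, "sr": "b", "sp": "r", "st": st, "se": se,
              "spr": "https", "sig": _sign(sts, account_key)}
    return urlencode(params)


def check_blob_sas(query, container, blob, now=None,
                   account=ACCOUNT, account_key=ACCOUNT_KEY):
    """Service-side style validation: rebuild the string-to-sign from the
    presented parameters, compare signatures, then enforce the time window.
    Returns (accepted, reason). Because se/st/sp are covered by the signature,
    editing any of them in the URL produces a mismatch, not a longer lifetime."""
    now = now or datetime.now(timezone.utc)
    p = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    try:
        sts = _string_to_sign(account, container, blob, p["sp"], p.get("st", ""),
                              p["se"], p.get("spr", ""), p["sv"])
    except KeyError as missing:
        return False, f"missing parameter {missing}"
    if not hmac.compare_digest(_sign(sts, account_key), p.get("sig", "")):
        return False, "signature mismatch"
    expiry = datetime.strptime(p["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "expired"
    if p.get("st"):
        start = datetime.strptime(p["st"], TIME_FMT).replace(tzinfo=timezone.utc)
        if now < start:
            return False, "not yet valid"
    return True, "ok"


def demo():
    """Exercise mint/check at fixed instants so the outcome is deterministic."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    token = make_blob_read_sas("downloads", "ebook.pdf", now=t0)
    # Constructed tampering attempt: push the expiry out by almost a year.
    tampered = token.replace("se=2024-01-02", "se=2024-12-31")
    return {
        "token": token,
        "at_23h": check_blob_sas(token, "downloads", "ebook.pdf", now=t0 + timedelta(hours=23)),
        "at_24h": check_blob_sas(token, "downloads", "ebook.pdf", now=t0 + timedelta(hours=24)),
        "other_blob": check_blob_sas(token, "downloads", "other.pdf", now=t0),
        "tampered_expiry": check_blob_sas(tampered, "downloads", "ebook.pdf", now=t0),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the script mints a token valid from 2024-01-01T12:00:00Z to 2024-01-02T12:00:00Z and shows it accepted at hour 23, rejected as expired at hour 24, rejected for a different blob in the same container (the resource path is signed), and rejected with a signature mismatch when the `se` parameter is edited. The same signing rule is why a leaked SAS can only be cut short by rotating the account key it was signed with or, for tokens bound to a stored access policy, by changing that policy; the token itself carries no revocation handle.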

Microsoft Certified Azure Security Engineer Associate AZ-500 certification exam assessment practice question and answer (Q&A) dump, including multiple choice questions (MCQ) and objective type questions, with detailed explanations and references available for free, helpful for passing the Microsoft Certified Azure Security Engineer Associate AZ-500 exam and earning the Microsoft Certified Azure Security Engineer Associate AZ-500 certification.