
AZ-500: How Does Azure Key Vault Automate Storage Account Key Rotation?

What Is Microsoft’s Recommended Method for Securely Rolling Storage Account Keys?

For the AZ-500 exam, learn why Azure Key Vault is Microsoft's recommended service for the secure, automated rotation of Azure Storage account access keys, and how its managed storage account feature replaces manual regeneration and custom rotation scripts.

Question

Microsoft recommends that storage account shared keys be rolled automatically using which of the following?

A. Azure Automation
B. Azure Key Vault
C. Logic Apps
D. Azure Functions

Answer

B. Azure Key Vault

Explanation

The correct answer is B. Azure Key Vault. Microsoft's documented recommendation is to use the native integration between Azure Key Vault and Azure Storage (Key Vault managed storage accounts) to regenerate storage account access keys, also called shared keys, on a schedule.

Microsoft's guidance is to let Key Vault manage and rotate the keys rather than to build your own rotation workflow.

The Key Vault Managed Storage Account Feature

Azure Key Vault includes a built-in feature specifically designed to manage the lifecycle of storage account keys. Instead of requiring you to write custom scripts, Key Vault can be configured, through the Azure CLI or Azure PowerShell (the feature is not exposed in the Azure portal), to connect directly to a storage account and regenerate its keys on your behalf.

How Automated Rotation Works with Key Vault

  1. Managed Storage Account Configuration: You register your storage account as a “managed storage account” in Key Vault. Before that, you grant the Key Vault service principal (Microsoft's first-party “Azure Key Vault” application, not a managed identity you create) the built-in Storage Account Key Operator Service Role on the storage account. That role can only list and regenerate the account keys, which is the least privilege the feature needs.
  2. Rotation Policy: When you add the managed storage account you specify the rotation policy: which key is currently active (key1 or key2), whether Key Vault should regenerate keys automatically, and the regeneration period as an ISO 8601 duration (e.g., P90D for every 90 days).
  3. Automated Regeneration: At the end of each period Key Vault regenerates the inactive key and then makes it the active key. For example, if key1 is active, Key Vault regenerates key2 and switches the active key to key2; key1 is regenerated at the next rotation. You can also trigger a regeneration on demand, for instance after a suspected key exposure.
  4. Application Integration: Key Vault never returns the storage account keys themselves. Instead you create a SAS definition (a SAS template plus a validity period), and Key Vault signs short-lived SAS tokens with the current active key and exposes them as a secret named “<storage-account>-<sas-definition>”. Applications read that secret with their managed identity, so they never hold a long-lived key and simply pick up a token signed with the new key on their next request, giving a seamless, zero-downtime rotation.
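The four steps above, written out as an added Azure PowerShell example using the Az.KeyVault and Az.Storage cmdlets. This is not code from the original page; the resource group, storage account, vault and SAS definition names, the 90-day period and the one-day SAS validity are assumptions, the operator is assumed to be a signed-in user (Connect-AzAccount) who can assign roles on the storage account, and the operator's storage permissions are granted through a vault access policy, as the documented procedure does.

```powershell
# Added example: wire a storage account into Key Vault managed storage account
# rotation. All resource names and periods below are assumptions.

$resourceGroup      = "rg-contoso"      # assumed
$storageAccountName = "stcontoso01"     # assumed
$keyVaultName       = "kv-contoso"      # assumed
$sasDefinitionName  = "blob-ro-1d"      # assumed
$regenerationPeriod = [System.TimeSpan]::FromDays(90)
$sasValidityPeriod  = [System.TimeSpan]::FromDays(1)

$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName

# Step 1: Key Vault acts through Microsoft's first-party "Azure Key Vault"
# service principal (application ID cfa8b339-82a2-471a-a3c9-0fc0be7a4093), not a
# managed identity you create. Grant it the built-in "Storage Account Key
# Operator Service Role" scoped to this one storage account: it can list and
# regenerate keys and nothing else.
$keyVaultSp = Get-AzADServicePrincipal -ApplicationId "cfa8b339-82a2-471a-a3c9-0fc0be7a4093"
New-AzRoleAssignment -ObjectId $keyVaultSp.Id `
    -RoleDefinitionName "Storage Account Key Operator Service Role" `
    -Scope $storageAccount.Id

# The operator running this script needs storage permissions on the vault
# (assumed: the signed-in account is a user, so Account.Id is a UPN).
$operatorUpn = (Get-AzContext).Account.Id
Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -UserPrincipalName $operatorUpn `
    -PermissionsToStorage get,list,listsas,delete,set,update,regeneratekey,getsas,deletesas

# Step 2: register the managed storage account with its rotation policy.
# key1 is active now; every 90 days Key Vault regenerates the inactive key and
# then switches the active key to it. Auto-regeneration is on unless
# -DisableAutoRegenerateKey is passed.
Add-AzKeyVaultManagedStorageAccount -VaultName $keyVaultName `
    -AccountName $storageAccountName `
    -AccountResourceId $storageAccount.Id `
    -ActiveKeyName "key1" `
    -RegenerationPeriod $regenerationPeriod

# Step 4: applications never get the account keys from Key Vault. Define a SAS
# template instead; Key Vault signs it with the current active key and hands out
# short-lived tokens. The template only carries scope and permissions, so the
# "Key1" string is a placeholder, not a real key (assumption, following the
# documented pattern). Read-and-list on blobs only, HTTPS only.
$templateContext = New-AzStorageContext -StorageAccountName $storageAccountName `
    -Protocol Https -StorageAccountKey "Key1"
$sasTemplate = New-AzStorageAccountSASToken -Service Blob -ResourceType Container,Object `
    -Permission "rl" -Protocol HttpsOnly `
    -StartTime (Get-Date).AddDays(-1) -ExpiryTime (Get-Date).AddDays(1) `
    -Context $templateContext

Set-AzKeyVaultManagedStorageSasDefinition -VaultName $keyVaultName `
    -AccountName $storageAccountName `
    -Name $sasDefinitionName `
    -TemplateUri $sasTemplate `
    -SasType "account" `
    -ValidityPeriod $sasValidityPeriod

# What an application (holding only 'get' secret permission via its managed
# identity) fetches at runtime: a SAS token stored as the secret
# "<account>-<definition>". After a rotation the next fetch is signed with the
# newly active key, so the application never notices the rotation.
$sasToken = Get-AzKeyVaultSecret -VaultName $keyVaultName `
    -Name "$storageAccountName-$sasDefinitionName" -AsPlainText
$dataContext = New-AzStorageContext -StorageAccountName $storageAccountName -SasToken $sasToken
Get-AzStorageContainer -Context $dataContext | Select-Object Name

# Step 3 on demand: force a rotation now rather than waiting for the period,
# e.g. after a suspected key exposure. This regenerates key2 and makes it active.
Update-AzKeyVaultManagedStorageAccountKey -VaultName $keyVaultName `
    -AccountName $storageAccountName -KeyName "key2"
```

Two design points worth noting: the role assignment is scoped to the single storage account rather than the resource group or subscription, and the SAS definition grants only read and list on the blob service, so an application that is compromised can at most read blobs until its one-day token expires, and it can never learn the account key that Key Vault is rotating.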

Why Other Options Are Not Recommended

While it is technically possible to rotate keys with scripts run from Azure Automation, Logic Apps, or Azure Functions, Microsoft does not recommend these approaches, for several reasons:

A. Azure Automation, C. Logic Apps, D. Azure Functions: All of these require you to write and maintain custom code. That code needs a privileged identity that can regenerate storage account keys, which is a new credential to protect and a new place an attacker can pivot from. You become responsible for error handling, for tracking which key is active, for distributing the new key to every consumer without downtime, and for securing the workflow's own credentials. This is essentially rebuilding a complex and security-sensitive feature that already exists natively in Key Vault.

Using Azure Key Vault abstracts away all this complexity, providing a secure, reliable, and auditable solution for storage account key rotation that aligns with security best practices. One caveat a practitioner should know: Microsoft's documentation now labels Key Vault managed storage account keys a legacy feature and, wherever the workload supports it, prefers Microsoft Entra ID authorization to Azure Storage over shared keys at all, which removes the key-rotation problem entirely. Where shared keys are still required, Key Vault remains the recommended way to rotate them, and the exam answer is still B.
