Skip to Content

AZ-900: Which Azure Service Should Be Used to Ensure Sensitive Data Is Encrypted at Rest?

By: Author Alex Lim

Posted on

Categories Exam

Home » Exam

Which Azure service should you use to ensure sensitive data is encrypted at rest in the cloud? Learn how Azure Key Vault provides secure key management and encryption for compliance and data protection.

Table of Contents

Question

A company wants to ensure that its sensitive data stored in Azure is encrypted at rest. Which service should they use?

A. Azure Security Center
B. Azure Active Directory
C. Azure Key Vault
D. Azure Monitor
E. Azure Sentinel

Answer

C. Azure Key Vault

Explanation

Azure Key Vault securely stores and manages encryption keys, secrets, and certificates used for encrypting Azure data.

The most appropriate Azure service for ensuring sensitive data stored in Azure is encrypted at rest is Azure Key Vault.

  • Central Role in Encryption at Rest: Azure Key Vault is the recommended solution for securely storing and managing the encryption keys used to protect data at rest across Azure services. It provides centralized, secure key storage, access control, and management, ensuring that only authorized users and services can access the keys required for encryption and decryption.
  • Integration with Azure Services: Many Azure services, including Azure Storage, Azure SQL Database, and Azure Disk Encryption, support customer-managed keys stored in Azure Key Vault. This allows organizations to control and audit access to encryption keys, meeting strict compliance and regulatory requirements.
  • Key Management Features: Azure Key Vault supports both software-protected and hardware security module (HSM)-protected keys, key rotation, auditing, and granular access policies. This enables organizations to implement advanced encryption models, such as envelope encryption, where a key encryption key (KEK) in Key Vault protects the data encryption keys (DEKs) used by Azure services.
  • Compliance and Security: By using Azure Key Vault, organizations can enforce least-privilege access, maintain audit logs, and ensure that encryption keys are never exposed outside secure boundaries. This aligns with best practices for data protection and compliance frameworks such as FIPS 140-2, PCI DSS, and GDPR.

Azure Key Vault is specifically designed to securely store and manage encryption keys, secrets, and certificates. It enables organizations to control access to encryption keys used for encrypting sensitive data at rest in Azure, providing a unified, secure, and compliant key management solution.

Microsoft Azure Fundamentals AZ-900 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Microsoft Azure Fundamentals AZ-900 exam and earn Microsoft Azure Fundamentals AZ-900 certification.