
Microsoft AZ-204: What Actions Are Required to Secure Azure Functions Using RSA-HSM Keys and Azure App Configuration?

Learn the key steps to properly secure your Azure Functions by storing RSA-HSM keys in Azure Key Vault and creating an Azure App Configuration instance with the right settings. Follow Microsoft best practices to protect your serverless applications.


Question

You need to secure the Azure Functions to meet the security requirements.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Store the RSA-HSM key in Azure Key Vault with soft-delete and purge-protection features enabled.
B. Store the RSA-HSM key in Azure Blob storage with an immutability policy applied to the container.
C. Create a free tier Azure App Configuration instance with a new Azure AD service principal.
D. Create a standard tier Azure App Configuration instance with an assigned Azure AD managed identity.
E. Store the RSA-HSM key in Azure Cosmos DB. Apply the built-in policies for customer-managed keys and allowed locations.

Answer

A. Store the RSA-HSM key in Azure Key Vault with soft-delete and purge-protection features enabled.
D. Create a standard tier Azure App Configuration instance with an assigned Azure AD managed identity.

Explanation

Scenario: All Azure Functions must centralize management and distribution of configuration data for different environments and geographies, encrypted by using a company-provided RSA-HSM key.

Azure Key Vault is the cloud service for storing and using cryptographic keys, secrets and certificates. An RSA-HSM key is an RSA key whose private material is generated, or imported, and held inside a hardware security module; keys of that type require the Premium tier of Key Vault (or Managed HSM), and the key never leaves the HSM boundary: callers ask the vault to wrap, unwrap or sign with it.

App Configuration also needs an identity of its own to reach that vault. The service uses the managed identity assigned to the App Configuration store to wrap and unwrap the store's encryption key with the RSA-HSM key, so that identity must be granted the get, wrapKey and unwrapKey key permissions on the vault.

To secure your Azure Functions and meet the security requirements, you should take the following two actions:

(A) Store the RSA-HSM key in Azure Key Vault with soft-delete and purge-protection features enabled.
Azure Key Vault is the recommended storage for cryptographic keys, secrets and certificates. Soft-delete keeps a deleted key (or vault) recoverable for a retention period of 7 to 90 days; purge protection goes further and blocks permanent deletion of the key or vault until that retention period has elapsed, even by an administrator. Both are prerequisites for using a Key Vault key as a customer-managed key with App Configuration: without them the key that protects the configuration store could be destroyed, and with it every setting the store holds.

(D) Create a standard tier Azure App Configuration instance with an assigned Azure AD managed identity.
Azure App Configuration provides a centralized place to manage application settings and feature flags across environments and regions. Every tier encrypts data at rest and in transit with Microsoft-managed keys; what the Standard tier adds is support for customer-managed keys, which is what encrypting the store with the company-provided RSA-HSM key requires. The managed identity assigned to the App Configuration store is what lets the store reach Key Vault: it is granted get, wrapKey and unwrapKey on the RSA-HSM key and uses it to wrap the store's own encryption key, with no credential to store or rotate. The Functions then authenticate to the store with their own managed identities (for example through the App Configuration Data Reader role) rather than with a connection string.
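The settings that answers A and D depend on are all visible in the JSON the Azure CLI prints for the vault, the key and the store. As an added example (it is not code from the page or from Microsoft), the Python below reads that JSON and reports which requirements are still unmet: soft-delete and purge protection on the vault, an enabled RSA-HSM key, a Standard-tier store with a managed identity, a keyIdentifier that points at the audited key, and an access policy giving that identity get, wrapKey and unwrapKey. The resource names, IDs and sample output are constructed for the example, and the field names are assumed to follow the output of `az keyvault show`, `az keyvault key show` and `az appconfig show`; the sample vault is deliberately short of purge protection and of the unwrapKey permission so the failure path is exercised.

```python
"""Audit a Key Vault / App Configuration pair against the scenario's requirements.

Added example; not Microsoft's code. Consumes the JSON printed by
`az keyvault show`, `az keyvault key show` and `az appconfig show`
(field names assumed from the CLI) and returns what still has to be fixed.
"""
from urllib.parse import urlparse

# Key permissions App Configuration needs on the customer-managed key.
REQUIRED_KEY_PERMS = {"get", "wrapkey", "unwrapkey"}

# --- Constructed sample resources (made up for this example; no real tenant) ---
# As returned by: az keyvault show -n kv-contoso-config -o json
VAULT = {
    "name": "kv-contoso-config",
    "properties": {
        "enableSoftDelete": True,
        "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": None,        # never enabled -> finding
        "enableRbacAuthorization": False,     # vault uses access policies
        "accessPolicies": [
            {"objectId": "11111111-2222-3333-4444-555555555555",
             "permissions": {"keys": ["get", "wrapKey"]}},   # unwrapKey missing -> finding
        ],
    },
}
# As returned by: az keyvault key show --vault-name kv-contoso-config -n cmk-appconfig -o json
KEY = {
    "key": {"kty": "RSA-HSM",
            "kid": "https://kv-contoso-config.vault.azure.net/keys/cmk-appconfig/6a1b2c3d4e5f6789"},
    "attributes": {"enabled": True},
}
# As returned by: az appconfig show -n appcs-contoso -o json
STORE = {
    "name": "appcs-contoso",
    "sku": {"name": "Standard"},
    "identity": {"type": "SystemAssigned",
                 "principalId": "11111111-2222-3333-4444-555555555555"},
    # A version-less key identifier lets the store pick up rotated key versions.
    "encryption": {"keyVaultProperties": {
        "keyIdentifier": "https://kv-contoso-config.vault.azure.net/keys/cmk-appconfig"}},
}


def key_ref(url):
    """(vault host, key name) for a Key Vault key URL, ignoring any version segment."""
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    name = parts[1] if len(parts) >= 2 and parts[0] == "keys" else ""
    return parsed.netloc.lower(), name.lower()


def audit(vault, key, store):
    """Return a list of findings; an empty list means the pair meets the requirements."""
    findings = []
    props = vault.get("properties") or {}
    if props.get("enableSoftDelete") is not True:
        findings.append("vault: soft-delete is not enabled")
    if props.get("enablePurgeProtection") is not True:
        findings.append("vault: purge protection is not enabled")

    key_body = key.get("key") or {}
    if key_body.get("kty") != "RSA-HSM":
        findings.append(f"key: kty is {key_body.get('kty')!r}, expected 'RSA-HSM'")
    if (key.get("attributes") or {}).get("enabled") is not True:
        findings.append("key: key is disabled")

    sku = (store.get("sku") or {}).get("name") or ""
    if sku.lower() != "standard":
        findings.append(f"store: sku is {sku!r}; customer-managed keys need Standard")
    identity = store.get("identity") or {}
    if (identity.get("type") or "None") == "None":
        findings.append("store: no managed identity assigned")

    key_id = ((store.get("encryption") or {}).get("keyVaultProperties") or {}).get("keyIdentifier")
    if not key_id:
        findings.append("store: encryption is not using a customer-managed key")
    elif key_ref(key_id) != key_ref(key_body.get("kid") or ""):
        findings.append("store: keyIdentifier points at a different key than the one audited")

    # Access-policy model only (assumption); with RBAC enabled the identity's role
    # assignment (Key Vault Crypto Service Encryption User) would be checked instead.
    principal = identity.get("principalId")
    if principal and not props.get("enableRbacAuthorization"):
        granted = set()
        for policy in props.get("accessPolicies") or []:
            if policy.get("objectId") == principal:
                granted |= {p.lower() for p in (policy.get("permissions") or {}).get("keys") or []}
        missing = sorted(REQUIRED_KEY_PERMS - granted)
        if missing:
            findings.append(f"vault: store identity lacks key permissions {missing}")
    return findings


if __name__ == "__main__":
    for finding in audit(VAULT, KEY, STORE) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the missing purge protection and the missing unwrapKey permission; the fixes are `az keyvault update --enable-purge-protection true` and `az keyvault set-policy --key-permissions get wrapKey unwrapKey` for the store's principal, after which the same audit returns nothing. The key identifier is compared without its version so that a store configured for automatic key-version rotation is not flagged.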

The other options are incorrect for the following reasons:
(B) An immutability policy on a Blob container protects the blob from deletion or overwrite, but Blob storage is not a key store: the key would sit outside the HSM boundary as ordinary data, and App Configuration cannot use a key held there. Azure Key Vault is the proper service for this purpose.
(C) The free tier of App Configuration does not support customer-managed key encryption, so the RSA-HSM key could not be applied to it. A separately created service principal would also reintroduce a credential to store and rotate, whereas a managed identity is issued and rotated by the platform.
(E) Storing the RSA-HSM key in Azure Cosmos DB is not appropriate. Cosmos DB can itself be encrypted with a customer-managed key and restricted with an allowed-locations policy, but it is a database, not a key store, and the key would leave the HSM. Azure Key Vault should be used instead.

By following these best practices and leveraging Azure Key Vault and Azure App Configuration with the proper settings, you can ensure that your Azure Functions are secured and meet the required security standards.
