What security feature prevents accidental exposure of secrets in Azure App Configuration?
Learn how to use a read-only resource lock on Azure App Configuration to prevent accidental modifications and reduce the risk of unauthorized changes or exposure of sensitive settings and secret references.
Question
You want to prevent accidental exposure of sensitive secrets in App Configuration. What security feature should you enable?
A. Key Vault Firewall Rules
B. Azure App Configuration Feature Flags
C. Key Vault Soft Delete and Purge Protection
D. App Configuration Read-Only Lock
Answer
D. App Configuration Read-Only Lock
Explanation
A read-only lock on Azure App Configuration prevents modifications, reducing the risk of accidental exposure or unauthorized changes to sensitive configuration settings. For more information, please refer to the “Secure app configuration data by using App Configuration or Azure Key Vault – Demo” lecture.
An App Configuration Read-Only Lock is the most effective feature for preventing accidental exposure or modification of sensitive settings. This is a type of Azure Resource Lock, which is a fundamental governance feature in Azure.
How Read-Only Locks Work
A ReadOnly lock, when applied to a resource like an Azure App Configuration store, makes the resource and its contents immutable. Even users with high-level permissions (such as Owner or Contributor) are prevented from performing any write or delete operations on the locked resource.
In the context of App Configuration, this means:
- No new key-values can be created.
- Existing key-values (including Key Vault references) cannot be modified or deleted.
- The configuration store itself cannot be deleted.
By applying this lock, you create a powerful administrative safeguard. To make any changes, an authorized user must first deliberately remove the lock. This two-step process significantly reduces the risk of accidental changes that could lead to an application malfunction or the exposure of a sensitive secret, such as mistakenly overwriting a Key Vault reference with a hardcoded value.
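The safeguard described above, written as an added Bicep example (not code from the original lecture material): an App Configuration store with a ReadOnly resource lock scoped to it. The store name, lock name and sku are placeholder assumptions chosen for the example.

```bicep
// Added example: App Configuration store plus a ReadOnly resource lock.
// 'appcs-contoso-demo' and 'lock-readonly' are placeholder names.
param location string = resourceGroup().location
param storeName string = 'appcs-contoso-demo'

resource appConfig 'Microsoft.AppConfiguration/configurationStores@2023-03-01' = {
  name: storeName
  location: location
  sku: {
    name: 'standard'
  }
}

// The lock is scoped to the store itself. While it is in place, Azure Resource
// Manager rejects write and delete requests against the locked resource, even
// from Owners and Contributors, until the lock is deliberately removed.
resource readOnlyLock 'Microsoft.Authorization/locks@2020-05-01' = {
  name: 'lock-readonly'
  scope: appConfig
  properties: {
    level: 'ReadOnly'
    notes: 'Remove this lock on purpose before changing the store or its settings.'
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file main.bicep`, then confirm the lock with `az lock list --resource-group <rg>`; a subsequent attempt to delete the store should be refused until the lock is removed.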
Analysis of Incorrect Options
A. Key Vault Firewall Rules. These rules control network access to the Azure Key Vault itself, specifying which IP addresses or virtual networks can connect. While crucial for securing the vault, they do not prevent an authorized user from accidentally modifying the configuration data within the App Configuration store.
B. Azure App Configuration Feature Flags. Feature flags are a specific type of key-value pair used to manage application functionality dynamically. They are part of the data stored in App Configuration, not a security mechanism to protect the store itself from modification.
C. Key Vault Soft Delete and Purge Protection. These are critical features for protecting secrets inside the Key Vault from accidental or malicious deletion. They allow for recovery of deleted secrets but do not prevent someone from modifying the reference to that secret in the separate App Configuration service.