Practice Test

True or False: Azure Security Center allows you to modify and enforce custom security policies at the subscription level.

  • True
  • False

Answer: True.

Explanation: Azure Security Center lets you apply and customize the security policy on subscriptions. This helps in maintaining adherence to regulatory compliance standards specific to the organization.

Which of the following Azure services can be used to create and manage custom security policies? (Select all that apply)

  • a) Azure Active Directory
  • b) Azure Security Center
  • c) Azure Policy
  • d) Azure Logic Apps

Answer: b) Azure Security Center, c) Azure Policy.

Explanation: Both Azure Security Center and Azure Policy allow creation and management of custom security policies. Azure Active Directory is for identity management and Azure Logic Apps is for creating workflows.

True or False: Azure Policy can enforce organizational standards and assess compliance at scale.

  • True
  • False

Answer: True.

Explanation: Azure Policy evaluates resources in Azure by comparing the properties of those resources with business rules. These business rules, described in JSON format, are known as policy definitions.

Which of the following is not a correct definition of an Azure Policy?

  • a) It is a default allow model
  • b) It is a default deny model
  • c) It’s a declarative model to describe what you want
  • d) It’s a procedural model to describe what you want

Answer: d) It’s a procedural model to describe what you want.

Explanation: Azure Policy uses a declarative syntax, meaning you describe what you want and Azure Policy will make it happen.

Multiple select: For security policy in Azure, which compliance standards are available?

  • a) NIST
  • b) ISO
  • c) CIS
  • d) ITAR

Answer: a) NIST, b) ISO, c) CIS, d) ITAR

Explanation: Azure indeed provides all these compliance standards: NIST, ISO, CIS, and ITAR.

True or False: Azure Policy allows you to only audit settings.

  • True
  • False

Answer: False.

Explanation: Azure Policy not only audits settings, but it also helps you enforce them.

Which of the following is not a component of an Azure Policy definition?

  • a) Display Name
  • b) Description
  • c) Effect
  • d) Network Rules

Answer: d) Network Rules

Explanation: Network Rules is not a component of Azure Policy definitions. Instead, its components include Display Name, Description, and Effect, amongst others.

True or False: You can use Azure Policy and Azure Security Center together to achieve higher security.

  • True
  • False

Answer: True.

Explanation: Azure Policy provides you with the ability to create, assign and manage policies. These policies enforce different rules and effects over your resources, so those resources stay compliant with your corporate standards and service level agreements. Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.

When a resource violates a policy effect, what actions can Azure Policy perform? (Select all that apply)

  • a) Audit
  • b) Block
  • c) Notify via Email
  • d) Change the resource to a compliant state

Answer: a) Audit, b) Block, d) Change the resource to a compliant state

Explanation: Azure Policy can perform various actions, such as auditing a violation, blocking a resource from being created, and changing a resource to a compliant state automatically. However, it cannot automatically send an email notification.

True or False: Security policies are configured at the Azure Active Directory level.

  • True
  • False

Answer: False.

Explanation: Security policies are typically managed at the subscription level using the Azure Security Center or Azure Policy, not at the Azure Active Directory level.

What level of permissions do you need on a resource group to assign a policy?

  • a) Reader
  • b) Owner
  • c) Contributor
  • d) User Access Administrator

Answer: b) Owner

Explanation: In order to assign a policy, you need to be an Owner or have the Microsoft.Authorization/policyAssignments/write permission.

True or False: Assigning policies at a higher scope overrides the policies set at a lower scope.

  • True
  • False

Answer: False.

Explanation: Generally, assignment at a child scope does not inherit or overwrite the parent scope’s assignment unless the ‘notscope’ field is used while creating it.

Which Azure service primarily deals with access control and authentication?

  • a) Azure Security Center
  • b) Azure Policy
  • c) Azure Active Directory
  • d) Azure Logic Apps

Answer: c) Azure Active Directory

Explanation: Azure Active Directory is an identity and access management service that helps control who should have access to your resources.

True or False: Security baselines in Azure are built-in policies that provide an initial set of security best practices.

  • True
  • False

Answer: True.

Explanation: Azure provides “security baselines”, which are built-in policy initiatives that provide recommendations for industry best practices, and automatically applies these best practices to your existing resources.

Which of the following policies cannot be created with Azure Policy?

  • a) Limit the types of resources that can be created.
  • b) Restrict the locations in which a resource can be created.
  • c) Restrict the type of virtual machines that can be created.
  • d) All of the above can be created with Azure Policy.

Answer: d) All of the above can be created with Azure Policy.

Explanation: All of these policies can be created with Azure Policy. The declarative nature of Azure Policy allows it to define very specific rules and conditions for your Azure resources.

Interview Questions

What is a custom security policy in Azure?

A custom security policy is a set of rules or conditions defined by an Azure administrator to enforce and control the security configurations of multiple Azure resources.

How can you apply a custom security policy in Azure?

A custom security policy in Azure can be applied by assigning it to a resource group, subscription, or management group.

What are the steps to create a custom security policy in Azure?

Steps include navigating to Policy in the Azure portal, clicking on Definitions, selecting + Policy Definition, providing necessary details, and defining the policy rules in JSON format.

What is the role of initiative definitions while configuring a custom security policy?

Initiative definitions simplify managing and assigning policy definitions by grouping a set of policies as a single item.

How can you see the compliance details of your custom policy in Azure?

Compliance details can be viewed from the Azure Policy Compliance page, which shows the compliance state for each assigned policy.

What is the purpose of the “Deny” effect in Azure Policy?

The “Deny” effect in Azure Policy prevents a resource deployment if it doesn’t comply with the conditions defined in the policy.

How can you ensure that your virtual machines are using managed disks in Azure?

By creating a policy with a condition that checks if virtual machines are using managed disks and by setting the effect to “Deny” in case they are not.

Can parameters be used in custom security policies in Azure?

Yes, parameters can be used to provide values during deployment time that are included in the policy rule.

What is the use of remediation in custom security policies?

Remediation is used to automatically fix resources that are not compliant with the defined policies.

How can you create and manage policies across multiple Azure subscriptions?

By using Azure Management groups, you can manage your Azure policies across several subscriptions.

What is the “AuditIfNotExists” effect in Azure Policy?

The “AuditIfNotExists” effect returns a warning by auditing resources that should exist but don’t.

What is the ‘DeployIfNotExists’ effect in Azure Policy?

The ‘DeployIfNotExists’ effect ensures a specific resource is deployed if it does not already exist.

Can a custom policy in Azure have multiple conditions?

Yes, using the logical operators ‘AllOf’ and ‘AnyOf’, a custom policy can have multiple conditions.

Can Azure custom security policies be exported and imported?

Yes, custom security policies can be exported and imported by using Azure PowerShell and Azure CLI with the commands Export-AzPolicyDefinition and New-AzPolicyDefinition respectively.

How is compliance data for Azure policies evaluated and shown?

Azure Policy compliance is evaluated and shown in the Azure Policy Compliance Blade and updated on a regular basis whenever resources are created or updated.
