Manage certificates, secrets, and keys

Practice Test

True or False: Azure Key Vault can store unencrypted keys, certificates, and secrets.

• False

Answer: False

Explanation: Azure Key Vault stores encrypted keys, certificates, and secrets. It’s designed to securely store these critical elements and restrict access to them.

What can be used to automate the renewal and lifetime management of certificates stored in Azure Key Vault?

• A) Azure Auto Renew
• B) Azure Secret Manager
• C) Azure Managed Certificates
• D) Azure Key Manager

Answer: C) Azure Managed Certificates

Explanation: Azure Managed Certificates enables automatic renewal and lifetime management of certificates stored in Azure Key Vault.

True or False: Azure Key Vault only supports software-protected keys.

• False

Answer: False

Explanation: Azure Key Vault supports both software-protected and hardware-security-module-protected (HSM) keys.

Which of these is not a recommended best practice for managing secrets and keys in Microsoft Azure?

• A) Regular rotation of secrets and keys
• B) Storing keys and secrets in plain text files
• C) Using Azure Key Vault for storing secrets
• D) Limiting access to secrets and keys to only those who need it

Answer: B) Storing keys and secrets in plain text files

Explanation: Secrets and keys must always be encrypted and stored securely, not in plain text files. Azure Key Vault is a secure and recommended storage.

True or False: Azure Key Vault can be integrated with other Azure services to protect sensitive data.

• True

Answer: True

Explanation: Azure Key Vault can be integrated with services such as Azure Container Instances, Azure Functions, and more to secure sensitive data like connection strings and API keys.

Which Azure feature allows for lifecycle management of keys?

• A) Azure Security Center
• B) Azure Key Vault
• C) Azure Virtual Machine
• D) Azure Active Directory

Answer: B) Azure Key Vault

Explanation: Azure Key Vault provides a secure mechanism for lifecycle operations like key rotation, enabling & disabling keys, and setting expiration date.

True or False: Azure Key Vault’s hardware-security-module (HSM)-protected keys cannot be exported.

• True

Answer: True

Explanation: HSM-protected keys in Azure Key Vault provides additional security features by preventing the keys from ever leaving the HSM, which means they cannot be exported.

In Azure Key Vault, the two types of access permissions are Key Permissions and Secret Permissions. True or False?

• True

Answer: True

Explanation: In Azure Key Vault, you configure two types of access permissions: Key Permissions, which apply to keys, and Secret Permissions, which apply to secrets.

When using Azure Key Vault, what method should be used to gain application access to keys, secrets, and certificates?

• A) Azure AD user authentication
• B) Azure AD application authentication
• C) Use of Connection Strings
• D) Azure Managed Identities

Answer: D) Azure Managed Identities

Explanation: Azure Managed Identities is recommended as it eliminates the need for developers having to manage credentials.

Key Vault Audit Event logs can be stored in a Log Analytics Workspace. True or False?

• True

Answer: True

Explanation: Azure Key Vault audit logs can be streamed to an Event Hub or a Log Analytics Workspace to ensure data is accessible and archived according to your organization’s practices.

Interview Questions

What is the purpose of Azure Key Vault?

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys. Key Vault service can be used to manage these secrets centrally.

How does an Azure Key Vault ensure confidentiality and integrity of the stored keys?

Azure Key Vault ensures confidentiality and integrity by encrypting the keys and secrets using keys from Hardware Security Modules (HSMs).

What does Azure Key Vault do with Cryptographic keys?

Azure Key Vault can create and control, and provides secure access to tokens, passwords, certificates, API keys, and other secrets.

Name some features of the Azure Key Vault service?

Features of Azure Key Vault service includes secret management, key management, certificate management, and storing secrets backed by Hardware Security Modules(HSMs).

How do you enable logging for Key Vault?

Logging for Key Vault can be enabled through Azure Monitor which collects data from various sources such as applications, infrastructure components, Logical Azure SQL databases etc.

Can the Azure Key Vault be accessed by a user assigned with correct access policy?

Yes, the Azure Key Vault can be accessed by a user or application through authentication provided they are assigned with the correct access policy.

What is the Azure Key Vault REST API?

The Azure Key Vault REST API is a set of APIs that provides HTTP interface to Azure Key Vault, allowing developers to access, update and delete keys, secrets and certificates.

What is the purpose of using Azure Key Vault with .NET core?

Azure Key Vault can be used with .NET core for managing application secrets. It ensures that sensitive data is not checked into the source code and secure secret delivery at run time.

What is the maximum life time of a Key in Azure Key Vault?

The maximum lifetime of a key in Azure Key Vault is unlimited, it can last until it gets manually deleted.

How can you retrieve a secret from Azure Key Vault using Azure CLI?

You can retrieve a secret from Azure Key Vault using Azure CLI by using the following command:

az keyvault secret show --name mySecret --vault-name myKeyVault

.

Name some ways to monitor Azure Key Vault activity?

Azure Key Vault activity can be monitored using Azure Monitor logs, Azure Security Center or Azure Event Hub.

What is Azure Dedicated HSM?

Azure Dedicated HSM is a service that you can use to transfer, store, and manage cryptographic keys in Azure using your own Hardware Security Modules (HSMs).

What key types are supported by Azure Key Vault?

Azure Key Vault supports two types of keys: software-protected and hardware security module (HSM)-protected.

What is Azure Managed HSM?

Azure Managed HSM is a fully managed, highly available, single-tenant, and high-throughput service that provides cryptographic key storage in Azure and can be used to protect the keys using FIPS 140-2 Level 3 validated HSMs.

What is the purpose of access policies in Azure Key Vault?

Access policies in Azure Key Vault defines the permissions that users or service principals have with specific vaults and secrets. The policies control what users can do with the secrets inside the key vault.