The Tamilalt Corporation wants to use Azure Key Vault to encrypt the cloud resources, apps, and solutions they use on Azure. This is to ensure that security requirements are met.
Which of the following statements about Azure Key Vault is TRUE? (Select all that apply.)
A) Azure Key Vaults and Key Vault objects that were accidentally deleted can only be recovered from the Azure portal.
B) When a service threshold is exceeded, Azure Key Vault limits any further requests from that client for a period of time and returns an HTTP status code 408 (Request Timeout).
C) A backup of a key taken from a key vault in one Azure location can be restored to a key vault in another Azure location if both key vaults belong to the same Azure subscription.
D) Exchange Online and SharePoint Online are trusted services that can access the Azure Key Vault if the Allow trusted services option is enabled.
E) If an Azure region is down and unavailable, the requests made to an Azure Key Vault in that region are automatically routed (failed over) to a secondary region, and all requests are processed.
Explanation
The following statements are true:
• A backup of a key taken from a key vault in one Azure location can be restored to a key vault in another Azure location if both key vaults belong to the same Azure subscription. Both Azure locations would also have to be in the same geographical location.
• Exchange Online and SharePoint Online are trusted services that can access the Azure Key Vault if the Allow trusted services option is enabled.
The following services are trusted services that can access the Azure Key Vault if the Allow trusted services option is enabled:
• Azure Virtual Machines deployment service
• Azure Resource Manager template deployment service
• Azure Disk Encryption volume encryption service
• Azure Backup
• Exchange Online and SharePoint Online
• Azure Information Protection
• Azure App Service
• Azure SQL Database
• Azure Storage
• Azure Data Lake Storage
• Azure Databricks
Azure Key Vaults and Key Vault objects that were accidentally deleted cannot be recovered from the Azure portal. They can only be recovered through the Azure CLI or PowerShell.
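As an added illustration of the PowerShell recovery path the explanation refers to (this script is not part of the question source), the following Az PowerShell commands list soft-deleted vaults, keys and secrets and undo their deletion. The vault name, resource group, location and object names are placeholders, and the script assumes the Az.KeyVault module is installed and a session is already signed in with Connect-AzAccount.

```powershell
# Added example (not from the question source): recover soft-deleted Key Vault
# resources with Az PowerShell. Vault, resource group and location values are
# placeholders (assumptions), not values taken from the page.
# Requires the Az.KeyVault module and an authenticated session (Connect-AzAccount).
$VaultName     = 'contoso-kv-placeholder'
$ResourceGroup = 'rg-placeholder'
$Location      = 'westeurope'

# 1. Recover the vault itself if it was deleted. Soft-deleted vaults are listed
#    with -InRemovedState; a recovered vault keeps its original name and URI.
$deletedVault = Get-AzKeyVault -InRemovedState |
    Where-Object { $_.VaultName -eq $VaultName -and $_.Location -eq $Location }
if ($deletedVault) {
    Write-Output "Recovering vault $VaultName (scheduled purge $($deletedVault.ScheduledPurgeDate))"
    Undo-AzKeyVaultRemoval -VaultName $VaultName `
        -ResourceGroupName $ResourceGroup -Location $Location
}

# 2. Confirm soft delete is on: objects deleted from a vault without soft delete
#    are gone for good, so there is nothing to recover in step 3.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $ResourceGroup
if (-not $vault.EnableSoftDelete) {
    Write-Warning "Soft delete is disabled on $VaultName; deleted objects cannot be recovered."
}

# 3. Recover every soft-deleted key and secret still inside the retention window.
Get-AzKeyVaultKey -VaultName $VaultName -InRemovedState | ForEach-Object {
    Write-Output "Recovering key $($_.Name) (deleted $($_.DeletedDate))"
    Undo-AzKeyVaultKeyRemoval -VaultName $VaultName -Name $_.Name
}
Get-AzKeyVaultSecret -VaultName $VaultName -InRemovedState | ForEach-Object {
    Write-Output "Recovering secret $($_.Name) (deleted $($_.DeletedDate))"
    Undo-AzKeyVaultSecretRemoval -VaultName $VaultName -Name $_.Name
}
```

Recovery only works while the object is inside its soft-delete retention period and has not been purged, which is why the script checks EnableSoftDelete before trying to undo object deletions.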
Azure Key Vault throttles requests to limit the number of concurrent calls and prevent overuse of resources. After a service threshold is exceeded, Key Vault rejects further requests from that client for a period of time. When this happens, Key Vault returns an HTTP status code 429 (Too Many Requests) and the requests fail. These failed requests still count towards the throttle limits tracked by Key Vault.
If an Azure region is down and unavailable, the requests made to an Azure Key Vault in that region are automatically routed (failed over) to a secondary region, but the key vault will be in read-only mode. Only the following requests are supported:
• List key vaults
• Get properties of key vaults
• List secrets
• Get secrets
• List keys
• Get (properties of) keys
• Encrypt
• Decrypt
• Wrap
• Unwrap
• Verify
• Sign
• Backup
Objective:
Describe security, privacy, compliance, and trust
Sub-Objective:
Describe Azure security features
References:
- Microsoft Azure > Key Vault > Azure Key Vault soft-delete overview
- Microsoft Azure > Key Vault > Azure Key Vault security worlds and geographic boundaries
- Microsoft Azure > Key Vault > Azure Key Vault throttling guidance
- Microsoft Azure > Key Vault > Azure Key Vault availability and redundancy
- Microsoft Azure > Key Vault > Virtual network service endpoints for Azure Key Vault