"Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years."
Answer is B
Well, we have two separate requirements for this question:
1: Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years.
2: On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
The question is:
"You migrate App1 to Azure.
You need to ensure that the data storage for App1 meets the security and compliance requirements.
What should you do?"
RBAC would surely handle bullet 2. But I think this question is actually suggesting that the storage needs immutability enabled so 'modification of new and existing data is prevented...'.
To me, the access policy would handle the requirement of both objectives. It will prevent the modification of data, but still allow the users to access the storage account. So I would choose 'B' for this question.
I think:
1. Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years.
2. On-premises users and services must be able to access the Azure Storage account that will host the data in App1.
3. Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.
These three items belong to the security and compliance requirements.
It can be met with security settings - shared access signature - allow permissions and expiry date of storage account. So answer should be B.
If the question is to meet the authentication and authorization requirements, the answer should be A. If it's to meet the Security and Compliance Requirements, the answer should be B, IMHO.
I don't know if this applies but it does lend to the answer possibly being correct. On https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/howto-assign-access-portal
"Use Azure RBAC to assign a managed identity access to another resource
After you've enabled managed identity on an Azure resource, such as an Azure VM or Azure virtual machine scale set:
1. Sign in to the Azure portal using an account associated with the Azure subscription under which you have configured the managed identity.
2. Navigate to the desired resource on which you want to modify access control. In this example, we are giving an Azure virtual machine access to a storage account, so we navigate to the storage account.
3. Select Access control (IAM).
4. Select Add > Add role assignment to open the Add role assignment page.
5. Select the role and managed identity. For detailed steps, see Assign Azure roles using the Azure portal."
I'm not so sure. The provided answer/explanation of A seems pretty compelling.
Maybe the process of elimination might help here. Answer B says "Create an access policy for the blob service". This pretty much translates to use shared access signatures (SAS tokens). But this is contradictory to the requirement which says "To access the resources in Azure, App1 must use the managed identity of the virtual machines that will host the app." SAS tokens aren't tied to IDs (except user delegated SAS, but I don't think that's what they're after here). RBAC, on the other hand, is 100% tied to a credential, such as the aforementioned managed identity. So all in all, I vote for A, "Create Azure RBAC assignments."
The question says you need to meet the security and compliance requirements.
'Access to the public endpoint of the Azure Storage account that will host the App1 data must be prevented.'
On this basis I think an access policy will fit the solution.
User delegation SAS and stored access policy would seem to do it.
https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview
https://docs.microsoft.com/en-us/rest/api/storageservices/create-user-delegation-sas
https://docs.microsoft.com/en-us/rest/api/storageservices/define-stored-access-policy
https://docs.microsoft.com/en-us/rest/api/storageservices/set-container-acl
Only policy will do.
"Once App1 is migrated to Azure, you must ensure that new data can be written to the app, and the modification of new and existing data is prevented for a period of three years."
Answer is B