Exam SC-100 topic 2 question 21 discussion

NO is correct answer

Landing zones are not only networking. Designing a proper authentication flow is also important, and in zero trust, no credentials should be unnattended. Thats why using key vault and managed identities are important thin.gs when designing a zero trust architecture. My answer is YES

should be able to store certificates for secure connection in kv or am i missing something?

Azure KeyVault is part of a Zero trust strategy securing applications connectivity. Although a managed identity would be a better solution, Key Vault is a valid solution for this purpouse. Node.js for Mongo DB support this type of authentication as well. https://learn.microsoft.com/en-us/azure/service-connector/how-to-integrate-cosmos-db?tabs=dotnet

This is about secure connectivity. Key Vault is not a networking solution.

Do not require Key vault

The answer is No. Key Vault is for data security whereas Private Link is for Network Security. https://learn.microsoft.com/en-us/training/modules/specify-requirements-securing-saas-paas-iaas-services/3-specify-security-requirements-web-workloads

you need to focus on what is exactly being asked and that is: "to secure the connection between the web app and the database." So the answer is B - No

Managed identity is the best way to secure connection between Azure services in this case cosmos DB and ASE

got this in exam 6oct23. passed with 896 marks. I answered B

B is the correct answer. The question is about securing the connection not about secure access. Key Vault will give you secure access...

key vault also supports the "use least privilege access " principle, so yes

Considering the general overview of Azure Key Vault states a clear "note" on Zero Trust, I'd assume this answer should be "YES". E.g. Data protection, including key management, supports the "use least privilege access" principle. https://learn.microsoft.com/en-us/azure/key-vault/general/overview Got to be YES right??

My suggested answer is B, no. Question being: Provide recommendations to secure the connection between the web app and the database. The solution must follow the Zero Trust model Zero Trust model guiding principle: Assume breach, Verify explicitly, Use least privilege. Note that here the main point is about "secure the connection", which tend more towards network controls based "assumed breach prevention" rather than attack on credentials "verify explicitly". Asking on the opposite side, if we secure the network connectivity between web and DB tier but using credentials that is not stored in Azure vault, does it necessarily raise risks? To a certain extend, if the relevant credentials are kept safe, I would think it does not raise a difference if store in vault or not, more importantly there is a secure network connectivity between the web and DB. Plus the fact this is a continued series question where "private endpoint" seems to be the most "correct" answer. Hope it explains.

B CORRECT

ChatGPT: A. Yes, implementing Azure Key Vault to store credentials is a recommended solution to secure the connection between the web app and the MongoDB database, and it meets the goal of following the Zero Trust model.

It asks for "secure connection" which is not the same thing as storing the key securely! so it would be B