Microsoft AZ-500 시험

Question No : 1

HOTSPOT
You are configuring just in time (JIT) VM access to a set of Azure virtual machines.
You need to grant users PowerShell access to the virtual machine by using JIT VM access.
What should you configure? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:

Question No : 2

You are troubleshooting a security issue for an Azure Storage account.
You enable the diagnostic logs for the storage account.
What should you use to retrieve the diagnostics logs?

• A.the Security & Compliance admin center
• B.SQL query editor in Azure
• C.File Explorer in Windows
• D.AzCopy

답을 확인하기

정답:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

Question No : 3

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create an initiative and an assignment that is scoped to a management group.
Does this meet the goal?

• A.Yes
• B.No

답을 확인하기

정답:
Explanation:
Reference: https://docs.microsoft.com/en-us/azure/governance/policy/overview

Question No : 4

You have an Azure web app named webapp1.
You need to configure continuous deployment for webapp1 by using an Azure Repo.
What should you create first?

• A.an Azure Application Insights service
• B.an Azure DevOps organizations
• C.an Azure Storage account
• D.an Azure DevTest Labs lab

답을 확인하기

정답:
Explanation:
To use Azure Repos, make sure your Azure DevOps organization is linked to your Azure subscription.
Reference: https://docs.microsoft.com/en-us/azure/app-service/deploy-continuous-deployment

Question No : 5

HOTSPOT
You have an Azure subscription that contains an Azure key vault named Vault1.
On January 1, 2019, Vault1 stores the following secrets.



Which can each secret be used by an application? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:
Box 1: Never
Password1 is disabled.
Box 2: Only between March 1, 2019 and May 1,
Password2:



Reference: https://docs.microsoft.com/en-us/powershell/module/azurerm.keyvault/set-azurekeyvaultsecretattribute

Question No : 6

You have an Azure subscription named Sub1 that contains the Azure key vaults shown in the following table:



In Sub1, you create a virtual machine that has the following configurations:
✑ Name: VM1
✑ Size: DS2v2
✑ Resource group: RG1
✑ Region: West Europe
✑ Operating system: Windows Server 2016
You plan to enable Azure Disk Encryption on VM1.
In which key vaults can you store the encryption key for VM1?

• A.Vault1 or Vault3 only
• B.Vault1, Vault2, Vault3, or Vault4
• C.Vault1 only
• D.Vault1 or Vault2 only

답을 확인하기

정답:
Explanation:
In order to make sure the encryption secrets don’t cross regional boundaries, Azure Disk Encryption needs the Key Vault and the VMs to be co-located in the same region. Create and use a Key Vault that is in the same region as the VM to be encrypted.
Reference: https://docs.microsoft.com/en-us/azure/security/azure-security-disk-encryption-prerequisites

Question No : 7

You have an Azure subscription that contains the virtual machines shown in the following table.



From Azure Security Center, you turn on Auto Provisioning.
You deploy the virtual machines shown in the following table.



On which virtual machines is the Log Analytics agent installed?

• A.VM3 only
• B.VM1 and VM3 only
• C.VM3 and VM4 only
• D.VM1, VM2, VM3, and VM4

답을 확인하기

정답:
Explanation:
When automatic provisioning is On, Security Center provisions the Log Analytics Agent on all supported Azure VMs and any new ones that are created.
Supported Operating systems include: Ubuntu 14.04 LTS (x86/x64), 16.04 LTS (x86/x64), and 18.04 LTS (x64) and Windows Server 2008 R2, 2012, 2012 R2, 2016, version 1709 and 1803
Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Question No : 8

You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network traffic to an Azure Storage account.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

• A.Install the Network Performance Monitor solution.
• B.Enable Azure Network Watcher.
• C.Enable diagnostic logging for the NS
• D.Enable NSG flow logs.
• E.Create an Azure Log Analytics workspace.

답을 확인하기

정답:
Explanation:
A network security group (NSG) enables you to filter inbound traffic to, and outbound traffic from, a virtual
machine (VM). You can log network traffic that flows through an NSG with Network Watcher's NSG flow log capability.
Steps include:
Create a VM with a network security group
Enable Network Watcher and register the Microsoft.Insights provider
Enable a traffic flow log for an NSG, using Network Watcher's NSG flow log capability
Download logged data
View logged data
Reference: https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal

Question No : 9

You have an Azure subscription named Sub1 that contains the virtual machines shown in the following table.



You need to ensure that the virtual machines in RG1 have the Remote Desktop port closed until an authorized user requests access.
What should you configure?

• A.Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
• B.an application security group
• C.Azure Active Directory (Azure AD) conditional access
• D.just in time (JIT) VM access

답을 확인하기

정답:
Explanation:
Just-in-time (JIT) virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
Note: When just-in-time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule. You select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the just-in-time solution.
When a user requests access to a VM, Security Center checks that the user has Role-Based Access Control (RBAC) permissions that permit them to successfully request access to a VM. If the request is approved, Security Center automatically configures the Network Security Groups (NSGs) and Azure Firewall to allow inbound traffic to the selected ports and requested source IP addresses or ranges, for the amount of time that was specified. After the time has expired, Security Center restores the NSGs to their previous states. Those connections that are already established are not being interrupted, however.
Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-just-in-time

Question No : 10

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center for the centralized policy management of three Azure subscriptions.
You use several policy definitions to manage the security of the subscriptions.
You need to deploy the policy definitions as a group to all three subscriptions.
Solution: You create a policy initiative and assignments that are scoped to resource groups.
Does this meet the goal?

• A.Yes
• B.No

답을 확인하기

정답:
Explanation:
Instead use a management group.
Management groups in Microsoft Azure solve the problem of needing to impose governance policy on more than one Azure subscription simultaneously.
Reference: https://4sysops.com/archives/apply-governance-policy-to-multiple-azure-subscriptions-with-managementgroups/

Question No : 11

HOTSPOT
You create resources in an Azure subscription as shown in the following table.



VNET1 contains two subnets named Subnet1 and Subnet2. Subnet1 has a network ID of 10.0.0.0/24.
Subnet2 has a network ID of 10.1.1.0/24.
Contoso1901 is configured as shown in the exhibit. (Click the Exhibit tab.)



For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:
Box 1: Yes
Access from Subnet1 is allowed.
Box 2: No
No access from Subnet2 is allowed.
Box 3: Yes
Access from IP address 193.77.10.2 is allowed.

Question No : 12

You plan to deploy Azure container instances.
You have a containerized application that validates credit cards. The application is comprised of two containers: an application container and a validation container.
The application container is monitored by the validation container. The validation container performs security checks by making requests to the application container and waiting for responses after every transaction.
You need to ensure that the application container and the validation container are scheduled to be deployed together. The containers must communicate to each other only on ports that are not externally exposed.
What should you include in the deployment?

• A.application security groups
• B.network security groups (NSGs)
• C.management groups
• D.container groups

답을 확인하기

정답:
Explanation:
Azure Container Instances supports the deployment of multiple containers onto a single host using a container group. A container group is useful when building an application sidecar for logging, monitoring, or any other configuration where a service needs a second attached process.
Reference: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-container-groups

Question No : 13

You have 15 Azure virtual machines in a resource group named RG1.
All virtual machines run identical applications.
You need to prevent unauthorized applications and malware from running on the virtual machines.
What should you do?

• A.Apply an Azure policy to RG1.
• B.From Azure Security Center, configure adaptive application controls.
• C.Configure Azure Active Directory (Azure AD) Identity Protection.
• D.Apply a resource lock to RG1.

답을 확인하기

정답:
Explanation:
Adaptive application control is an intelligent, automated end-to-end application whitelisting solution from Azure Security Center. It helps you control which applications can run on your Azure and non-Azure VMs (Windows and Linux), which, among other benefits, helps harden your VMs against malware. Security Center uses machine learning to analyze the applications running on your VMs
and helps you apply the specific whitelisting rules using this intelligence.
Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application

Question No : 14

You have an Azure subscription that contains the virtual networks shown in the following table.



The subscription contains the virtual machines shown in the following table.



On NIC1, you configure an application security group named ASG1.
On which other network interfaces can you configure ASG1?

• A.NIC2 only
• B.NIC2, NIC3, NIC4, and NIC5
• C.NIC2 and NIC3 only
• D.NIC2, NIC3, and NIC4 only

답을 확인하기

정답:
Explanation:
Only network interfaces in NVET1, which consists of Subnet11 and Subnet12, can be configured in ASG1, as all network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in.
Reference: https://azure.microsoft.com/es-es/blog/applicationsecuritygroups/

Question No : 15

HOTSPOT
You have a network security group (NSG) bound to an Azure subnet.
You run Get-AzureRmNetworkSecurityRuleConfig and receive the output shown in the following exhibit.



Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

답을 확인하기

정답:


Explanation:
Box 1: able to connect to East US 2
The StorageEA2Allow has DestinationAddressPrefix {Storage/EastUS2}
Box 2: dropped
Reference: https://docs.microsoft.com/en-us/azure/virtual-network/manage-network-security-group