Latest Microsoft Implementing End-to-End Security Controls for Cloud and AI Workloads - SC-500 Free Exam Questions
Question 1
You have an Azure virtual network that contains 100 virtual machines and an Azure Firewall instance named FW1.
All the traffic from the virtual machines is routed through FW1.
You need to ensure that FW1 allows access to only a URL of updates.contoso.com and blocks all other outbound traffic.
What should you use?
Correct answer: C
Question 2
Hotspot Question
You have an Azure subscription.
You need to create and deploy an Azure policy that meets the following requirements:
- When a new virtual machine is deployed, automatically install a custom security extension.
- Trigger an autogenerated remediation task for non-compliant virtual machines to install the extension.
What should you include in the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Question 3
Drag and Drop Question
You have three internet-facing Azure App Service web apps named App1, App2, and App3. Each app uses built-in authentication. App2 hosts a backend API.
Some corporate users can sign in to App2, even though they should NOT be able to use the API.
You need to restrict App2 access to assigned Microsoft Entra users and groups.
What should you configure for App2? To answer, drag the appropriate configurations to the correct methods. Each configuration may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct answer:

Question 4
You use Azure Virtual Network Manager to manage multiple virtual networks in a network group named Group1.
You discover that the virtual machines in Group1 are accessible from the internet by using TCP port 3389.
You need to block inbound TCP 3389 from the internet across all the virtual networks in Group1.
The solution must minimize administrative effort.
What should you use?
Correct answer: D
Question 5
Hotspot Question
You have an Azure Container Instances container group named CG1 that has a DNS name of cg1.contoso.com. CG1 has the following configurations:
- A Linux container named container1 that serves HTTPS over TCP port 443 and hosts an application named App1
- A Linux container named container2 that listens on TCP port 5000 and is accessed only by App1
- A public IP address
A security review finds that external clients can reach TCP port 5000 by using the public IP address of CG1.
You need to meet the following requirements:
- Ensure that the external clients can access container1 only by using TCP port 443.
- Ensure that container1 can continue to access container2.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Question 6
You have an Azure key vault named KV1 that uses role-based access control (RBAC) authorization. KV1 stores database connection strings for an Azure App Service web app named App1.
You enable a firewall on KV1 and allow access to KV1 from only the virtual network that contains App1.
You need to ensure that App1 can retrieve secrets from KV1 without using credentials stored in the application configuration.
What should you create?
Correct answer: C
Question 7
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have an Amazon Web Services (AWS) account connected to Defender for Cloud that has the Defender Cloud Security Posture Management (CSPM) plan enabled.
You need to identify the potential impact of security incidents that exploit multiple risks reported by Defender CSPM.
What should you use?
Correct answer: D
Question 8
Case Study 1 - Contoso, Ltd.
Overview
Contoso, Ltd. is a consulting company that has a main office in San Francisco and a branch office in Dallas.
Contoso has a hybrid environment that contains on-premises servers connected to Azure, a Microsoft 365 E5 subscription, and an Azure subscription named Sub1.
Existing Environment. Microsoft Entra tenant
Contoso has a Microsoft Entra tenant named contoso.com that contains the users shown in the following table.

Existing Environment. On-premises environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest that syncs with contoso.com. The forest contains a server named Server1 that runs Windows Server.
Existing Environment. Azure subscription
Sub1 contains the storage accounts shown in the following table.

Sub1 contains the virtual networks shown in the following table.

Sub1 contains the virtual machines shown in the following table.

The network interface of VM1 is associated with an application security group named ASG1.
Sub1 contains the resources shown in the following table.

Vault1 stores the objects shown in the following table.

Existing Environment. Privileged Identity Management (PIM) configuration
You manage privileged roles by using Privileged Identity Management (PIM). The PIM role settings are configured as shown in the following table.

Existing Environment. Microsoft Sentinel configuration
Contoso has a Microsoft Sentinel workspace that contains the following tables.

Requirements. Planned changes
Contoso plans to implement the following changes:
- Integrate AKS1 with Vault1.
- Enable Microsoft Entra Kerberos authentication for all supported storage.
- Configure auditing for sql1 by using the Azure portal and store audit logs in a centralized location.
Requirements. Technical requirements
Contoso identifies the following technical requirements:
- Protect Server1 by using file integrity monitoring.
- Protect AKS1 by using Microsoft Defender for Cloud.
- Configure Microsoft Sentinel to retain data for the maximum supported duration without changing the tier.
- Store objects used for authentication and encryption in Vault1 and ensure that Vault1 regenerates the objects every 30 days, whenever possible.
Hotspot Question
User1 has requested to use the AI Administrator role.
Which approvers can approve the request, and how long will User1 be an AI administrator after the role is approved? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct answer:

Question 9
You have an Azure Storage account named storage1 that contains Azure Files shares.
You have an application named App1 that uses a system-assigned managed identity to access the shares.
Administrators access the shares by using storage account keys.
You need to ensure that App1 accesses the shares without using the storage account keys.
What should you do on storage1?
Correct answer: B