Question.41 You have a data warehouse in Azure Synapse Analytics. You need to ensure that the data in the data warehouse is encrypted at rest. What should you enable?
A. Advanced Data Security for this database
B. Transparent Data Encryption (TDE)
C. Secure transfer required
D. Dynamic Data Masking
Answer:
B
Explanation:
Azure SQL Database currently supports encryption at rest for Microsoft-managed service-side and client-side encryption scenarios.
Support for server encryption is currently provided through the SQL feature called Transparent Data Encryption. Client-side encryption of Azure SQL Database data is supported through the Always Encrypted feature.
Reference:
https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest
Question.42 DRAG DROP
You have an Azure Synapse Analytics SQL pool named Pool1 on a logical Microsoft SQL server named Server1. You need to implement Transparent Data Encryption (TDE) on Pool1 by using a custom key named key1. Which five actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:

Explanation:
Step 1: Assign a managed identity to Server1
You will need an existing Managed Instance as a prerequisite.
Step 2: Create an Azure key vault and grant the managed identity permissions to the vault
Create Resource and setup Azure Key Vault.
Step 3: Add key1 to the Azure key vault
The recommended way is to import an existing key from a .pfx file or get an existing key from the vault. Alternatively,
generate a new key directly in Azure Key Vault.
Step 4: Configure key1 as the TDE protector for Server1
Provide TDE Protector key
Step 5: Enable TDE on Pool1
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/scripts/transparent-data-encryption-byok-powershell
Question.43 HOTSPOT
You are designing an Azure Synapse Analytics dedicated SQL pool. Groups will have access to sensitive data in the pool as shown in the following table. You have policies for the sensitive data. The policies vary by region as shown in the following table. You have a table of patients for each region. The tables contain the following potentially sensitive columns. You are designing dynamic data masking to maintain compliance. For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.
Answer:

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/dynamic-data-masking-overview
Question.44 HOTSPOT
You have an Azure subscription that contains an Azure Data Lake Storage account. The storage account contains a data lake named DataLake1. You plan to use an Azure data factory to ingest data from a folder in DataLake1, transform the data, and land the data in another folder. You need to ensure that the data factory can read and write data from any folder in the DataLake1 file system. The solution must meet the following requirements:
Minimize the risk of unauthorized user access.
Use the principle of least privilege.
Minimize maintenance effort.
How should you configure access to the storage account for the data factory? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Answer:

Explanation:
Box 1: Azure Active Directory (Azure AD)
On Azure, managed identities eliminate the need for developers to manage credentials by providing an identity for the
Azure resource in Azure AD and using it to obtain Azure Active Directory (Azure AD) tokens.
Box 2: a managed identity
A data factory can be associated with a managed identity for Azure resources, which represents this specific data factory.
You can directly use this managed identity for Data Lake Storage Gen2 authentication, similar to using your own service
principal. It allows this designated factory to access and copy data to or from your Data Lake Storage Gen2.
Note: The Azure Data Lake Storage Gen2 connector supports the following authentication types.
Account key authentication
Service principal authentication
Managed identities for Azure resources authentication
Reference: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
https://docs.microsoft.com/en-us/azure/data-factory/connector-azure-data-lake-storage
Question.45 You are designing an Azure Synapse Analytics dedicated SQL pool. You need to ensure that you can audit access to Personally Identifiable Information (PII). What should you include in the solution?
A. column-level security
B. dynamic data masking
C. row-level security (RLS)
D. sensitivity classifications
Answer:
D
Explanation:
Data Discovery & Classification is built into Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse
Analytics. It provides basic capabilities for discovering, classifying, labeling, and reporting the sensitive data in your
databases.
Your most sensitive data might include business, financial, healthcare, or personal information. Discovering and classifying
this data can play a pivotal role in your organization’s information-protection approach. It can serve as infrastructure for:
Helping to meet standards for data privacy and requirements for regulatory compliance.
Various security scenarios, such as monitoring (auditing) access to sensitive data.
Controlling access to and hardening the security of databases that contain highly sensitive data.
Reference:
https://docs.microsoft.com/en-us/azure/azure-sql/database/data-discovery-and-classification-overview