(SC-100) EXAM REVIEW | 284 QUESTIONS AND 100% CORRECT ANSWERS
Azure Arc - CORRECT ANSWER- simplifies governance and management by
delivering a consistent multi-cloud and on-premises management platform
Azure Policy - CORRECT ANSWER- helps to enforce organizational standards and to
assess compliance at scale through its compliance dashboard
Zero Trust Architecture - CORRECT ANSWER- Uses the device and user trust claims
to gate access to organizational data and resources
Unified operations solutions - CORRECT ANSWER-
RBAC vs Azure policy - CORRECT ANSWER-
Security continuous improvement / collaboration - CORRECT ANSWER- Azure Logic
Apps, Defender for Cloud, Microsoft Graph Security, Sentinel
indicators of compromise (IOCs) - CORRECT ANSWER- individually known malicious
events that indicate that a network or device has already been breached
Secure Score - CORRECT ANSWER- Driven by Azure policy with compliance and
guardrails
In-Guest w/ Azure Policy - CORRECT ANSWER- Uses DSC for Windows and Chef for
Linux
Azure Blueprint Components - CORRECT ANSWER- Includes and applies Azure
Policy, resource groups, RBAC, and templates that can be linked to a subscription
Azure Blueprints - CORRECT ANSWER- Enables cloud architects and central
information technology groups to define a repeatable set of Azure resources that
implements and adheres to an organization's standards, patterns, and requirements
Encryption at rest - CORRECT ANSWER- * Platform-managed key (PMK)
* Customer-managed key (CMK) (you rotate)
Azure Gen2 VMs' Added Security - CORRECT ANSWER- UEFI gives us TPM and Trusted
Launch
Azure Confidential Computing - CORRECT ANSWER- The protection of data in use by
performing computations in a hardware-based Trusted Execution Environment (TEE).
Basically, encryption of RAM and CPU
SGX Enclaves - CORRECT ANSWER- Confidential Computing: Enclaves are secured
portions of the hardware's processor and memory. You can't view data or code inside
the enclave, even with a debugger
Trusted Execution Environment (TEE) - CORRECT ANSWER- a general computation
environment that provides additional security properties such as access to keys,
memory encryption, etc.
Just In Time (JIT) - CORRECT ANSWER- AAD PIM feature, requires P2; a feature of
Defender for Servers allows this for VM workloads
System-assigned managed identity - CORRECT ANSWER- has its lifecycle tied to
the resource that created it
User-assigned managed identity - CORRECT ANSWER- can be used on multiple
resources.
Azure Resource Manager (ARM) - CORRECT ANSWER- Control plane in Azure
AAD - CORRECT ANSWER- Microsoft's cloud-based identity and access management
service. It provides single sign-on authentication, conditional access, passwordless and
multifactor authentication, and automated user provisioning
AAD B2C - CORRECT ANSWER- customer identity and access management (CIAM)
solution capable of supporting millions of users and billions of authentications per day
RESTful API endpoints - CORRECT ANSWER- Enable multifactor authentication
(MFA) and role-based access control (RBAC), enable identity verification and proofing,
improve security with bot detection and fraud protection, and meet Payment Services
Directive 2 (PSD2) Secure Customer Authentication (SCA) requirements.
Entitlement management - CORRECT ANSWER- create access packages that users
can request as they join different teams/projects and that assign them access to the
associated resources (such as applications, SharePoint sites, group memberships)
Conditional Access - CORRECT ANSWER- is used as the policy engine for a Zero
Trust architecture that covers both policy definition and policy enforcement
Components of zero trust - CORRECT ANSWER-
Best practice conditional access policies - CORRECT ANSWER- structure policies
related to common access needs and bundle a set of access needs in a persona for a
group of users who have the same needs
Personas - CORRECT ANSWER- identity types that share common enterprise
attributes, responsibilities, experiences, objectives, and access
You can enable MFA on AD roles using two methods - CORRECT ANSWER- Role
settings in Privileged Identity Management,
Conditional Access
Automated investigation and response (AIR) - CORRECT ANSWER- * 365 Defender
product
* determines if a threat requires action
* takes remediation actions
Azure firewall categories in Azure diagnostics - CORRECT ANSWER- AzureFirewall:
Network Rule, DnsProxy, ApplicationRule, ThreatIntelLogs
Risk management activities fall into 4 phases - CORRECT ANSWER- identification,
assessment, response, and monitoring and reporting
Cloud Infrastructure Entitlement Management (CIEM) - CORRECT ANSWER- a
workflow that grants access to infrastructure entitlements and prevents privilege creep
Rapid modernization plan (RAMP) - CORRECT ANSWER- Consists of:
Separate and manage privileged accounts, Improve credential management experience
Azure Key Vault Premium - CORRECT ANSWER- Ability to store keys in HSM
Azure Security Benchmark (ASB) - CORRECT ANSWER- Evaluate security posture of
workloads
Azure landing zones - CORRECT ANSWER- enable application migration,
modernization, and innovation at enterprise scale
Each identified risk is assessed using three metrics - CORRECT ANSWER- impact,
likelihood, and control deficiency
Five disciplines of cloud governance - CORRECT ANSWER-
To ensure proper governance you can use - CORRECT ANSWER- Azure policy and
Azure blueprints