Microsoft Azure Architect Design (AZ-301) Practice Exam


Prepare for the Microsoft Azure Architect Design (AZ-301) Exam with interactive quizzes featuring flashcards and multiple-choice questions, each packed with hints and explanations to ace your certification test!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What access method should be recommended for accessing Key Vault secrets during Azure Resource Manager deployments?

  1. An access policy for the key vault

  2. An advanced access policy for the key vault

  3. Role-based access control (RBAC)

  4. Shared access signature (SAS)

The correct answer is: Role-based access control (RBAC)

Recommending role-based access control (RBAC) for accessing Key Vault secrets during Azure Resource Manager (ARM) deployments is based on the enhanced security and management capabilities it provides. RBAC allows for finer-grained access management by enabling you to assign roles to users, groups, or applications at various scopes, including subscription, resource group, or individual resources like the Key Vault itself. This method offers better integration with Azure Active Directory, ensuring that access permissions can be controlled and audited centrally.

With RBAC, permissions can be dynamically assigned or revoked, making it easy to adjust access as needed without having to manage access policies directly in the Key Vault. The flexibility of RBAC allows for the implementation of least privilege access, which is a key principle of security.

In contrast, access policies for the Key Vault, whether standard or advanced, can be more rigid and may require manual updates to allow different services or users access to secrets as your deployment evolves. Shared access signatures (SAS) are mainly used with storage accounts and are not applicable to Key Vault for managing secrets, as they don't align with the security objectives for sensitive data management. This makes RBAC the most suitable option for managing access to Key Vault secrets during ARM deployments.