Microsoft Azure Architect Design (AZ-301) Practice Exam

What is the recommended method for providing an encryption key for Azure Kubernetes Services (AKS) security?

• A. Secrets
• B. Azure Storage Service Encryption
• C. A Kubernetes deployment YAML file
• D. ConfigureMap

The correct answer is: Secrets

Using Secrets to provide an encryption key for Azure Kubernetes Services (AKS) is the best practice because Secrets are specifically designed to handle sensitive information such as passwords, OAuth tokens, SSH keys, and encryption keys. They are stored in a base64-encoded format and provide a built-in mechanism for protecting confidential data within the cluster. When using Secrets, Kubernetes automatically manages and controls access to this sensitive data using Role-Based Access Control (RBAC). This means that only authorized users and applications can retrieve and use those Secrets, increasing the overall security posture of the application and the cluster. Additionally, Secrets can be injected into pods as environment variables or mounted as files, which simplifies the process for applications to access the keys without exposing them in the application code or configuration files. In contrast, the other options are less suitable for encryption key management within AKS. Azure Storage Service Encryption pertains to encrypting data at rest in Azure Storage and does not specifically address the management of keys within a Kubernetes environment. A Kubernetes deployment YAML file could technically include sensitive data as part of the deployment configuration, but this is not secure since the file would typically be stored in a version control system or shared among team members, risking exposure. ConfigMaps are designed to manage non-sensitive configuration