Using customer-managed keys (CMK) for greater flexibility in Azure AI solutions | Microsoft Exam AI-102

Using Customer-Managed Keys (CMK) for Greater Flexibility in Azure AI Solutions

Question

Your cognitive services resource is encrypted by default using Microsoft managed encryption keys.

However, you are tasked to use customer-managed keys (CMK) instead of using the default method for greater flexibility.

Review the statements given below and select the ones that are true. (Choose three statements)

Answers


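A. To recover data, disable "soft delete" and "do not purge" properties.
B. Use a URI value from Key Identifier to use it in Key URI of Cognitive resource.
C. Azure key vault must be used for storing CMK.
D. While rotating the key, an update to the Cognitive resource is not required.
E. Use a key from the key vault for customer-managed keys.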

Correct Answers: B, C and E.

Option A is incorrect because the “soft delete” and “do not purge” properties need to be enabled on the key vault, using PowerShell or the CLI, when using CMK for encryption in a cognitive resource.

Option B is correct. One method is to use the URI value from Key Identifier in the key settings of the key vault. To set up CMK, you pass this value to the Key URI field in the encryption blade.

Option C is correct because you can only store customer-managed keys in the key vault.

Additionally, the key vault, AD tenant and Cognitive Resource should be in the same Azure region.

Option D is incorrect because when keys are rotated, the new key URI or key value from the key vault must be updated.

Option E is correct because this is an alternative CMK method with which you can encrypt the Cognitive resource.


The three true statements are:

B. Use a URI value from Key Identifier to use it in Key URI of Cognitive resource.
C. Azure key vault must be used for storing CMK.
E. Use a key from the key vault for customer-managed keys.

A. To recover data, disable "soft delete" and "do not purge" properties: This statement is incorrect as it is not related to the task of using customer-managed keys. "Soft delete" and "do not purge" properties are used to recover deleted resources and have no relation to the encryption of the cognitive services resource.

B. Use a URI value from Key Identifier to use it in Key URI of Cognitive resource: This statement is correct. To use customer-managed keys in a cognitive services resource, you need to provide a URI value from Key Identifier and use it in the Key URI of the cognitive resource. This URI value identifies the key that should be used to encrypt the cognitive services resource.

C. Azure key vault must be used for storing CMK: This statement is correct. Azure Key Vault is a secure storage service that allows you to store and manage cryptographic keys, certificates, and secrets. When using customer-managed keys for a cognitive services resource, the keys must be stored in Azure Key Vault.

D. While rotating the key, an update to the Cognitive resource is not required: This statement is incorrect. When you rotate a customer-managed key in Azure Key Vault, you need to update the key URI of the cognitive services resource to point to the new key. This is necessary for the cognitive services resource to use the new key for encryption.

E. Use a key from the key vault for customer-managed keys: This statement is correct. When using customer-managed keys for a cognitive services resource, you must use a key from Azure Key Vault. Azure Key Vault provides a secure and reliable way to store and manage cryptographic keys, which are used for customer-managed encryption of cognitive services resources.
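The Key Identifier, key vault property and rotation points above can be checked together before a CMK change. The following is an added example, not part of the original page or Microsoft's code. It assumes a versioned Key Identifier and uses the ARM property names `keySource`, `keyVaultProperties`, `enableSoftDelete` and `enablePurgeProtection`; the vault name, key name, key versions and function names are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed sample Key Identifiers (vault name, key name and versions are made up).
OLD_KEY_ID = "https://contoso-kv.vault.azure.net/keys/cmk-key/1111aaaa2222bbbb3333cccc4444dddd"
NEW_KEY_ID = "https://contoso-kv.vault.azure.net/keys/cmk-key/5555eeee6666ffff7777000088889999"

def parse_key_identifier(key_id):
    """Split a Key Identifier URI into the vault URI, key name and key version."""
    u = urlparse(key_id)
    parts = [p for p in u.path.split("/") if p]
    if u.scheme != "https" or not u.hostname:
        raise ValueError("Key Identifier must be an https URI")
    if len(parts) != 3 or parts[0] != "keys":
        # Assumption of this example: a versioned identifier is required.
        raise ValueError("expected https://<vault>/keys/<name>/<version>")
    return {"keyVaultUri": f"https://{u.hostname}/",
            "keyName": parts[1], "keyVersion": parts[2]}

def encryption_block(key_id):
    """Build the 'encryption' property that points the resource at a vault key."""
    return {"keySource": "Microsoft.KeyVault",
            "keyVaultProperties": parse_key_identifier(key_id)}

def cmk_findings(vault_props, resource_encryption, current_key_id):
    """Return a list of problems with a CMK setup; an empty list means it is consistent."""
    findings = []
    if not vault_props.get("enableSoftDelete"):
        findings.append("soft delete is not enabled on the key vault")
    if not vault_props.get("enablePurgeProtection"):
        findings.append("purge protection (do not purge) is not enabled on the key vault")
    if resource_encryption.get("keySource") != "Microsoft.KeyVault":
        findings.append("resource is not configured with a key vault key")
        return findings
    want = parse_key_identifier(current_key_id)
    have = resource_encryption.get("keyVaultProperties", {})
    same = all(str(have.get(k, "")).rstrip("/") == want[k].rstrip("/") for k in want)
    if not same:
        findings.append("resource Key URI differs from the current key; update it after rotation")
    return findings

if __name__ == "__main__":
    vault = {"enableSoftDelete": True, "enablePurgeProtection": False}
    configured = encryption_block(OLD_KEY_ID)  # resource still holds the pre-rotation key
    for finding in cmk_findings(vault, configured, NEW_KEY_ID):
        print("FINDING:", finding)
```

The `vault_props` and `resource_encryption` dictionaries stand in for the properties returned when the key vault and the Cognitive Services resource are queried.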