Understanding Blob Storage Security and Access Control in Azure is essential for managing and protecting data. This section covers configuring shared access signatures (SAS), Azure Active Directory (AAD) authentication, and role-based access control (RBAC) for optimal blob storage security.
MCQs on Configuring Shared Access Signatures (SAS) (1-10)
1. What is a primary purpose of using a Shared Access Signature (SAS) in Azure Blob Storage?
A) To provide limited access to blob storage resources
B) To backup data to another location
C) To encrypt blob data
D) To delete data permanently
2. Which of the following permissions is NOT available with a SAS token?
A) Read
B) Write
C) Share
D) Delete
3. A user wants to create a SAS token with read-only permissions. Which permissions should be set in the SAS configuration?
A) Read only
B) Write only
C) Read and write
D) Delete only
4. For which of the following can a SAS token provide access?
A) Only blob storage
B) Only Azure virtual machines
C) Blob, queue, and table storage
D) Only Azure SQL Database
5. When creating a SAS token, what does the expiry time specify?
A) The time the token was generated
B) The period after which the token will expire
C) The creation time of the blob
D) The server time zone
6. What does a SAS token enable users to avoid?
A) Sharing their storage account keys
B) Creating a new storage account
C) Configuring RBAC for every user
D) Using HTTPS for secure access
7. What parameter is used in a SAS token to specify which resource types are accessible?
A) Permissions
B) Start time
C) Resource type
D) Signature
8. What does the “signed IP” parameter in a SAS token do?
A) Limits access to specific IP addresses
B) Increases the validity period of the token
C) Encrypts the token for added security
D) Binds the token to a specific user
9. Which type of SAS is recommended for accessing Azure resources from a public application?
A) Service SAS
B) Account SAS
C) User delegation SAS
D) Managed SAS
10. What is required to generate a User Delegation SAS?
A) Storage account key
B) Azure AD credentials
C) SAS token permissions
D) IP restrictions
MCQs on Using Azure Active Directory (AAD) for Authentication (11-20)
11. Which advantage does Azure Active Directory (AAD) provide when used for blob storage authentication?
A) Enables IP-based restrictions
B) Uses temporary storage keys
C) Uses role-based permissions without requiring storage account keys
D) Provides free storage capacity
12. In which situation would you use Azure AD authentication for blob storage?
A) When requiring anonymous access
B) For applications requiring specific user permissions
C) To reduce storage costs
D) When using only virtual machines
13. Which tool is commonly used to assign user permissions in Azure AD for blob storage?
A) Azure Monitor
B) Azure Portal
C) Visual Studio
D) PowerShell only
14. What is the primary identifier for a user within Azure AD?
A) Storage account name
B) User principal name (UPN)
C) SAS token ID
D) Blob access key
15. Which of the following is required for an application to use Azure AD authentication with blob storage?
A) Storage account key
B) Service principal or managed identity
C) SAS token with read permissions
D) IP-based restrictions
16. How does Azure AD ensure secure authentication to blob storage?
A) By creating a unique blob key
B) By assigning permissions through RBAC
C) By using a storage account access key
D) By enabling public access
17. When an Azure AD token is used for authentication, how is it renewed?
A) It automatically renews after one day
B) It renews manually using a SAS token
C) It expires based on the session duration or refresh token settings
D) It is configured by the user
18. Which type of identity is commonly used for an application to authenticate with Azure AD to access blob storage?
A) IP-based identity
B) Service principal or managed identity
C) SAS token identity
D) User identity only
19. What role must be assigned to a user in Azure AD to allow read-only access to blob storage?
A) Blob Data Contributor
B) Blob Data Reader
C) Storage Account Owner
D) Storage Administrator
20. Which factor improves security when using Azure AD over storage account keys?
A) Tokens are automatically generated with high security
B) Role-based access and no need to share account keys
C) It provides storage account encryption
D) AAD only supports read-only access
MCQs on Role-Based Access Control (RBAC) for Blob Storage (21-30)
21. What is the purpose of Role-Based Access Control (RBAC) in Azure blob storage?
A) To monitor usage of blob storage
B) To assign permissions based on specific roles
C) To create storage accounts automatically
D) To provide free access to users
22. Which role in RBAC allows full access to manage blob storage contents?
A) Blob Data Contributor
B) Blob Data Reader
C) Blob Owner
D) Storage Account Reader
23. What does the Blob Data Contributor role allow a user to do?
A) View storage account settings
B) Delete storage accounts
C) Read, write, and delete blob data
D) Only read data from blob storage
24. Which RBAC role is ideal for users who only need read access to blob storage?
A) Blob Data Contributor
B) Blob Data Reader
C) Storage Account Contributor
D) Storage Admin
25. How is RBAC different from SAS in blob storage?
A) RBAC uses access keys, while SAS uses passwords
B) RBAC is account-wide, while SAS can be scoped to specific resources
C) SAS requires Azure AD, RBAC does not
D) RBAC is temporary, SAS is permanent
26. Which tool in Azure allows you to configure RBAC for blob storage?
A) Azure Storage Explorer
B) Azure Portal
C) Visual Studio
D) PowerShell only
27. What is the advantage of assigning roles using RBAC rather than sharing storage account keys?
A) RBAC automatically encrypts data
B) RBAC roles provide more control and less risk of key exposure
C) Storage account keys are easier to manage
D) It allows full access without restrictions
28. In RBAC, which of the following permissions does the Blob Data Owner role grant?
A) Read-only access to blob data
B) Access to manage blob data and assign roles
C) Access to only monitor blob data
D) Access to view billing information
29. When assigning RBAC roles, what scope levels can you specify?
A) Management group, subscription, resource group, and individual resource
B) Only at the resource level
C) Only for the storage account level
D) Subscription level only
30. How is access granted to users in RBAC compared to using SAS tokens?
A) RBAC grants temporary access, SAS grants permanent access
B) RBAC is linked to Azure AD roles, SAS is independent
C) SAS requires IP restrictions, RBAC does not
D) RBAC grants access by sharing account keys directly
Answers Table

QNo   Answer (Option with the text)
1     A) To provide limited access to blob storage resources
2     C) Share
3     A) Read only
4     C) Blob, queue, and table storage
5     B) The period after which the token will expire
6     A) Sharing their storage account keys
7     C) Resource type
8     A) Limits access to specific IP addresses
9     C) User delegation SAS
10    B) Azure AD credentials
11    C) Uses role-based permissions without requiring storage account keys
12    B) For applications requiring specific user permissions
13    B) Azure Portal
14    B) User principal name (UPN)
15    B) Service principal or managed identity
16    B) By assigning permissions through RBAC
17    C) It expires based on the session duration or refresh token settings
18    B) Service principal or managed identity
19    B) Blob Data Reader
20    B) Role-based access and no need to share account keys
21    B) To assign permissions based on specific roles
22    A) Blob Data Contributor
23    C) Read, write, and delete blob data
24    B) Blob Data Reader
25    B) RBAC is account-wide, while SAS can be scoped to specific resources
26    B) Azure Portal
27    B) RBAC roles provide more control and less risk of key exposure
28    B) Access to manage blob data and assign roles
29    A) Management group, subscription, resource group, and individual resource
30    B) RBAC is linked to Azure AD roles, SAS is independent