Practice free →
HomeAzure AZ-104cloudcomputingaz104storage › Which combination of features encrypts a storage…

Which combination of features encrypts a storage account at rest using customer-managed keys with rotation and audit?

ACustomer-managed keys (CMK) stored in Azure Key Vault, with rotation handled via Key Vault policies
BNo encryption — rely on Conditional Access
CServer-side encryption with Microsoft-managed keys only (no rotation controls)
DHardcoding encryption keys into the storage account name
Answer & Solution
Correct answer: A. Customer-managed keys (CMK) stored in Azure Key Vault, with rotation handled via Key Vault policies
CMK in Key Vault gives the customer rotation, access policies, and audit through Key Vault logs. Microsoft-managed keys are the default but don't give per-key control. No encryption / hardcoded keys don't meet the requirement.
Solve this in the app — Azure AZ-104 practice & 24k+ MCQs →
Related questions