Home › Azure AZ-104 › cloudcomputing › az104storage › Which combination of features encrypts a storage…
Which combination of features encrypts a storage account at rest using customer-managed keys with rotation and audit?
ACustomer-managed keys (CMK) stored in Azure Key Vault, with rotation handled via Key Vault policies
BNo encryption — rely on Conditional Access
CServer-side encryption with Microsoft-managed keys only (no rotation controls)
DHardcoding encryption keys into the storage account name
Answer & Solution
Correct answer: A. Customer-managed keys (CMK) stored in Azure Key Vault, with rotation handled via Key Vault policies
CMK in Key Vault gives the customer rotation, access policies, and audit through Key Vault logs. Microsoft-managed keys are the default but don't give per-key control. No encryption / hardcoded keys don't meet the requirement.
Related questions
Which lifecycle management feature in Azure Blob Storage automatically tiers down infrequeAn organisation needs immutable storage that satisfies financial regulatory requirements (Which Azure storage feature lets multiple users see the SAME file changes in near-real-timAn organisation has 500 TB of data to upload to Azure but only 100 Mbps of internet. WhichWhich Azure tool synchronises files between an on-premises Windows server and an Azure FilWhich Azure storage type is designed for high-IOPS workloads (e.g. SQL Server log files) aWhich Azure feature lets you grant temporary, scoped access to a Blob URL (e.g. download fWhich Azure storage replication option keeps 6 copies of data — 3 in the primary region an