Home › Azure AZ-204 › cloudcomputing › az204storage › An app must encrypt user-uploaded blobs using a …
An app must encrypt user-uploaded blobs using a key the customer controls, rotates, and audits via Azure Key Vault. Which encryption mode applies?
ANo encryption at rest
BCustomer-managed keys (CMK) stored in Azure Key Vault
CHardcoding an AES key in the application source
DMicrosoft-managed keys with no per-key control
Answer & Solution
Correct answer: B. Customer-managed keys (CMK) stored in Azure Key Vault
CMK in Key Vault gives rotation + access policies + audit. Microsoft-managed keys are the default but no per-key control. No encryption fails the requirement. Hardcoded keys leak immediately.
Related questions
Cosmos DB's Change Feed emits document changes in order. Which scenario is its CANONICAL uWhich Azure storage feature lets you fire an Azure Function when a new blob is uploaded?What is the trade-off when using Cosmos DB session consistency (the default)?Which Cosmos DB feature lets a single container handle a sudden 10x traffic burst WITHOUT Which Azure storage feature continuously replicates blobs to a paired region for region-diWhich Azure storage feature lets you grant a client temporary download access to a specifiWhich Cosmos DB concept determines the physical sharding strategy — how documents are distWhat is Cosmos DB's consistency model that guarantees clients see writes in the same globa