Home › Azure AZ-500 › cloudcomputing › az500compstoragedb › Which Azure feature should a security engineer u…
Which Azure feature should a security engineer use to enforce 'only signed container images from a trusted ACR repository can run on this AKS cluster'?
AAzure Policy + admission controllers (Gatekeeper) on AKS + ACR Content Trust + Microsoft Defender for Containers
BSharing kubeconfig publicly
CAllowing any image from any registry to run
DDisabling Kubernetes RBAC
Answer & Solution
Correct answer: A. Azure Policy + admission controllers (Gatekeeper) on AKS + ACR Content Trust + Microsoft Defender for Containers
Policy + admission controllers + ACR trust + Defender for Containers is the AKS image-trust stack (per AZ-500 §3 AKS security). The others are insecure.
Related questions
Which Azure Storage feature should a security engineer enable to require all reads/writes Which Azure VM security feature lets a security engineer require all data passing between Which Azure SQL feature lets a security engineer enable Microsoft Entra ID-based DB loginsWhich Azure SQL feature should a security engineer enable to obscure sensitive column valuWhich Azure SQL Database feature should a security engineer recommend to encrypt sensitiveWhich Azure SQL Database feature should a security engineer enable to encrypt data at restWhich Azure storage feature lets a security engineer generate a TIME-LIMITED, scope-bound Which Azure storage authentication option should a security engineer prefer over shared-ke