Home › Azure AZ-500 › cloudcomputing › az500compstoragedb › Which AKS feature should a security engineer use…
Which AKS feature should a security engineer use to give pods authenticated access to Azure Key Vault WITHOUT mounting service-principal secrets in the pod filesystem?
AHardcoding service-principal secrets in environment variables
BGranting Owner to every pod
CDisabling RBAC on the cluster
DMicrosoft Entra Workload Identity on AKS (federating K8s service accounts to Entra identities with short-lived OIDC tokens)
Answer & Solution
Correct answer: D. Microsoft Entra Workload Identity on AKS (federating K8s service accounts to Entra identities with short-lived OIDC tokens)
Workload Identity federates K8s SAs to Entra (per AZ-500 §3 AKS auth). The other options are textbook insecurity.
Related questions
Which Azure Storage feature should a security engineer enable to require all reads/writes Which Azure VM security feature lets a security engineer require all data passing between Which Azure SQL feature lets a security engineer enable Microsoft Entra ID-based DB loginsWhich Azure SQL feature should a security engineer enable to obscure sensitive column valuWhich Azure SQL Database feature should a security engineer recommend to encrypt sensitiveWhich Azure SQL Database feature should a security engineer enable to encrypt data at restWhich Azure storage feature lets a security engineer generate a TIME-LIMITED, scope-bound Which Azure storage authentication option should a security engineer prefer over shared-ke