Microsoft Azure Security Technologies (AZ-500)

What action can successfully revoke all access to an Azure Storage account that has undergone unauthorized access attempts?

• A. Create a new stored access policy
• B. Renew all shared access signatures (SAS)
• C. Regenerate the Azure storage account access keys
• D. Add another layer of encryption to the account

The correct answer is: Regenerate the Azure storage account access keys

Regenerating the Azure storage account access keys is an effective action to revoke all access to an Azure Storage account that has faced unauthorized access attempts. Each Azure Storage account has two access keys that are used for authentication and access to the account resources. When these keys are regenerated, any existing connections or clients that were authenticated using the old keys will lose access immediately, effectively cutting off any potentially malicious access that was based on those keys. This method is a comprehensive way to ensure that access is revoked because it affects all services and applications that rely on the storage account's keys, rendering any compromised keys useless. Clients that wish to regain access will need to be updated with the new keys. In contrast, creating a new stored access policy or renewing shared access signatures would limit or alter access, but would not completely eliminate access and could still allow unauthorized users to retain some level of access until those policies or signatures expire or are specifically revoked. Adding another layer of encryption increases security but does not directly revoke access to the account; unauthorized users may still be able to access data if they have valid access keys. Therefore, regenerating the storage account access keys is the most effective action for completely revoking access.