📋 Data Protection Cheat Sheet

Data encryption and secrets management for AZ-500.

Why This Cheat Sheet Matters for AZ-500

This cheat sheet covers the most important Key Vault & Encryption concepts tested on the AZ-500 (Azure Security Engineer Associate) certification exam. It contains 2 sections with 8 key points that you should memorize before exam day. Use this as a quick-reference guide during your final review sessions.

Encryption

  • At-rest: Storage Service Encryption (SSE) with Microsoft or customer-managed keys.
  • In-transit: TLS 1.2 enforced; disable older TLS versions.
  • TDE: Transparent Data Encryption for Azure SQL (automatic, always-on).
  • Always Encrypted: client-side encryption for sensitive columns (SSN, credit cards).

Key Vault

  • Access model: RBAC (recommended) or vault access policies.
  • Soft delete: 7-90 day retention for deleted vaults and objects.
  • Purge protection: prevents permanent deletion during retention period.
  • Key rotation: automate with Event Grid notifications and Azure Functions.

Azure Quick Reference Tips

Azure services follow consistent naming patterns that help with exam recall. Resource Manager (ARM) templates use JSON, while Bicep provides a cleaner DSL for infrastructure as code. Remember that Azure resources are organised in a hierarchy: Management Groups → Subscriptions → Resource Groups → Resources.
