Developing Solutions for Microsoft Azure (AZ-204) Practice Exam

What is the most flexible and secure practice for using shared access signatures (SAS)?

• A. Always use HTTPS
• B. Implement a user delegation SAS
• C. Associate SAS tokens with a stored access policy
• D. Use only read permissions in SAS

The correct answer is: Associate SAS tokens with a stored access policy

The most flexible and secure practice for using shared access signatures (SAS) is to associate SAS tokens with a stored access policy. By associating SAS tokens with a stored access policy, you gain increased control over the permissions and expiration times of the SAS. A stored access policy allows you to define the permissions, start and expiry times, and can be modified or revoked at any time without needing to update the SAS tokens themselves. This means that if there's ever a need to change permissions or revoke access, you can do so effectively by modifying the policy rather than regenerating new SAS tokens, enhancing both security and management. Using only read permissions in a SAS can limit functionality unnecessarily, especially if further write or delete permissions may be required in the future. While ensuring the use of HTTPS is crucial for secure transmission of SAS tokens, it does not directly relate to the flexibility of SAS usage in application development. Implementing a user delegation SAS is also secure but typically focuses on providing permissions based on the Azure Active Directory identity rather than maximizing flexibility through effective policy management. Thus, the association of SAS tokens with stored access policies embodies both flexibility in managing access permissions and secure control over the scope of those permissions.