Design security solutions for infrastructure
Drill 20 practice questions focused entirely on Design security solutions for infrastructure for the Microsoft SC-100 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
A retail company runs its e-commerce platform on Azure Kubernetes Service (AKS). The security architect must design controls that (1) prevent deployment of container images with known critical vulnerabilities, (2) detect runtime threats such as web shell activity and crypto-mining inside running pods, and (3) enforce Kubernetes hardening recommendations like blocking privileged containers. The solution should minimize custom tooling and integrate with the organization's existing Defender for Cloud posture. Which combination of controls best meets these requirements?
A retail company runs Windows and Linux servers across on-premises datacenters, AWS EC2, and GCP Compute Engine. The security architect must ensure all these servers receive consistent security posture assessment, machine configuration baselines, and vulnerability findings surfaced in Microsoft Defender for Cloud, while minimizing the number of separate agents and management planes. Which foundational design decision enables this unified server posture across all environments?
A financial services company is deploying an Azure OpenAI Service instance to build an internal document-analysis assistant. The security architect must ensure that the service is not exposed to the public internet, that developer applications authenticate without long-lived API keys, and that all prompt and completion traffic stays on the corporate network. Which combination of controls should the architect specify?
A financial services company runs production workloads across Azure and AWS. Security architects need a Defender for Cloud design that: (1) applies the Microsoft Cloud Security Benchmark to both clouds, (2) provides agentless discovery of exposed secrets stored on VM disks and in container environments, and (3) flags a scored regulatory gap when a storage account or S3 bucket allows public network access. The team wants to minimize the number of Defender plans they must enable while still meeting all three requirements. Which combination of Defender for Cloud capabilities should they enable?
A retailer runs an e-commerce platform on Azure App Service (Linux Web App for Containers) and pulls images from Azure Container Registry. The security architect must design a posture and workload protection solution that continuously assesses the platform's TLS configuration, requires the App Service to use a system-assigned managed identity for connecting to Azure SQL (eliminating stored connection strings), and produces prioritized recommendations against a recognized security benchmark. Which approach best meets all three requirements with the least custom development?
A retailer runs 400 Azure VMs across production and dev subscriptions. The security architect must design a posture solution that continuously assesses OS vulnerabilities and detects installed software risks without deploying or maintaining an agent on each VM, while keeping licensing cost minimal for the dev subscription that does not require runtime threat detection. Which design meets these requirements?
A retail company runs workloads across Azure, AWS, and GCP. The security architect must select a Defender for Cloud posture management capability that provides contextual risk analysis — combining vulnerabilities, internet exposure, sensitive data, and lateral movement into prioritized attack paths across all three clouds. The organization already receives the free Foundational CSPM features and multicloud connectors are configured. Which capability must be enabled to meet this requirement?
A financial services company deploys web workloads to Azure App Service using CI/CD pipelines hosted in both GitHub and Azure DevOps. Security architects want a single view in Microsoft Defender for Cloud that correlates code-level findings (exposed secrets, insecure IaC templates, vulnerable dependencies) with the runtime cloud resources those pipelines deploy, so they can prioritize fixing the source of misconfigurations rather than only the deployed resources. Which Defender for Cloud capability should they implement to meet this requirement?
A retail company runs a fleet of internet-facing Azure VMs that host administrative and legacy management services. The security architect wants to reduce the exposed attack surface for RDP and SSH management ports while allowing occasional, audited administrator access. Separately, the architect needs a recommendation engine that continuously analyzes actual traffic flows to propose tighter Network Security Group (NSG) rules that lock down other application ports to only the source IP ranges observed communicating with the VMs. Which Microsoft Defender for Cloud capabilities should the architect specify to meet BOTH requirements respectively?
A financial services company runs a customer-facing web application backed by Azure Key Vault (for API secrets), Azure SQL Database, and Azure Storage accounts (holding uploaded documents). Recent penetration testing found that an attacker who compromised the app tier could enumerate secrets and download blobs without triggering any alert. The security architect must recommend a Microsoft Defender for Cloud configuration that provides threat detection specifically for anomalous data-plane access to these PaaS services — such as unusual secret retrieval patterns and atypical blob access from suspicious IPs. Which approach best meets this requirement?
A retail company runs a customer-facing web application on Azure App Service, with backend microservices on Azure Kubernetes Service and product data in Azure SQL Database. The security architect must design continuous posture management that measures the environment against a vendor-neutral baseline of foundational security controls (identity, network, data protection, logging), automatically reflects new Azure resources as they are deployed, and produces prioritized remediation guidance mapped to control domains. Which approach best meets these requirements with the least custom engineering?
A retail company runs 400 Windows and Linux VMs across Azure and AWS. Security leadership wants the architecture to (1) continuously assess each server's OS configuration against a recognized hardening standard, (2) surface deviations as actionable recommendations that roll up into a single organization-wide posture metric, and (3) do so without deploying a separate third-party configuration tool. Which design should the architect specify?
A retail company uses Microsoft Defender for Cloud across 40 subscriptions. The CISO wants the security team to prioritize remediation work that will most efficiently raise the organization's overall Secure Score. An analyst notices that Defender for Cloud groups many individual recommendations together and assigns points at a higher level. The team wants to understand how Secure Score is calculated so they can target the highest-impact effort. Which statement correctly describes how Defender for Cloud Secure Score is computed and how the team should prioritize?
A retail company runs workloads across Azure, AWS, and on-premises datacenters connected via Azure Arc. The security architect must design a posture management approach that produces a single, weighted percentage score reflecting how well the organization is following prescriptive security controls across all three environments, so leadership can track measurable improvement over quarterly review cycles. The solution must be based on the Microsoft cloud security benchmark control set and drive prioritized configuration recommendations. Which capability should the architect designate as the primary metric for this reporting requirement?
A security architect manages a hybrid estate: Azure subscriptions, an AWS organization with 12 accounts, and a GCP organization. Leadership wants a single, prioritized posture management view that scores all three clouds against a consistent baseline of security controls, surfaces cross-cloud attack paths, and lets teams track remediation progress over time. The architect must recommend the design with the least custom engineering effort. Which approach should the architect recommend?
Contoso runs a customer-facing API on Azure App Service, a set of Azure Functions (Consumption plan) that process order events, and an Azure SQL Database. The security architect wants continuous vulnerability assessment, threat detection for anomalous data-plane activity on the database, and runtime alerts for the serverless compute — all surfaced in Microsoft Defender for Cloud. Which combination of Defender plans should be enabled to meet these requirements with the least configuration overhead?
A retail company operates a public-facing web application on Azure App Service that lets customers upload documents (invoices, receipts) into an Azure Blob Storage container. A downstream automated workflow processes each uploaded file. Security architects are concerned that attackers could upload malware that would later be executed or distributed through the processing pipeline. They want an Azure-native capability that automatically inspects uploaded content and can trigger a quarantine or block action before the file is processed, without requiring the developers to build a custom scanning service. Which solution should the architect recommend?
A financial services company runs public-facing web APIs across Azure App Service, AWS Elastic Beanstalk, and an on-premises Kubernetes cluster. The security architect must design a unified posture management approach that continuously assesses these heterogeneous web workloads against a consistent set of security controls (encryption in transit, minimum TLS versions, secure configuration), reports findings in a single portal, and maps them to an internal benchmark. Which design meets these requirements with the least custom tooling?
A retail company runs microservices on Azure Kubernetes Service (AKS) and pushes images to Azure Container Registry (ACR) through a CI/CD pipeline. Security architects require that vulnerable container images be identified before deployment and that images with critical, fixable vulnerabilities be blocked from being deployed into the cluster. They want to minimize custom tooling and rely on native Microsoft capabilities. Which combination of Defender for Cloud capabilities should the architects specify?
A financial services company has grown through several acquisitions. The CISO is concerned that acquired business units have deployed internet-facing assets—domains, subdomains, public IPs, and web applications—that are unknown to the central security team and are not enrolled in Defender for Cloud. Leadership wants a solution that continuously discovers these unmanaged, externally exposed assets from an outside-in (attacker's) perspective, without requiring agents or prior knowledge of the assets. Which capability should the security architect recommend?
More SC-100 practice
Keep going with the other Microsoft Cybersecurity Architect Expert domains, or take a full timed mock exam.
← Back to SC-100 overview