Free Microsoft Cybersecurity SC-100 Actual Exam Questions - Question 12 Discussion
HOTSPOT
You have an Azure subscription. You plan to implement Azure Synapse Analytics SQL dedicated pools and SQL serverless pools.
You need to recommend a solution to provide additional encryption-at-rest security for each type of pool. The solution must use customer-managed keys, whenever possible.
What should you recommend for each pool type? To answer, drag the appropriate recommendations to the correct pool types. Each recommendation may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
I agree dedicated pools definitely support customer-managed keys through Azure Key Vault, so that one’s straightforward. For serverless pools, I think you have to go with service-managed keys because they don’t currently support CMK encryption. Since the question says “whenever possible,” using CMK for dedicated and default for serverless fits best. Trying to use CMK for serverless pools isn’t really practical given the current limitations.
Dedicated pools support CMK with Key Vault; serverless pools stick with service-managed keys.
For dedicated pools, customer-managed keys via Azure Key Vault make sense since they support CMK encryption. Serverless pools don’t support CMK directly, so using the default Microsoft-managed keys is the fallback here.
For the dedicated pools, using customer-managed keys through Azure Key Vault is definitely the way to go since that’s supported and lets you control the encryption keys. For the serverless pools though, since they don’t support customer-managed keys currently, you have to stick with the default service-managed keys for encryption-at-rest. The question says “whenever possible,” so that means try CMK only if it’s supported. Since serverless pools don’t have that option yet, service-managed keys are the fallback. This fits with what I’ve seen in Azure documentation on Synapse encryption options.
Dedicated pools can use customer-managed keys through Azure Key Vault, which fits their CMK support. Serverless pools don’t support CMK yet, so they rely on service-managed keys by default.
For dedicated pools, customer-managed keys via Azure Key Vault make sense. Serverless pools don’t support CMK yet, so default service-managed keys are your only option there. This matches how Azure handles encryption for these services differently.
This one’s tricky ’cause it mixes dedicated and serverless pools, which have different encryption options. For dedicated SQL pools, you can usually use customer-managed keys with Azure Key Vault for encryption-at-rest, so that’d be the way to go. Serverless pools, on the other hand, don’t currently support customer-managed keys for encryption-at-rest, so you’re limited to the platform-managed keys they provide by default. So I guess recommend CMK for dedicated and default encryption (no CMK) for serverless. Not sure if they accept that though since they might want something dragged into both sp