The correct answer is Azure Key Vault.

Azure Key Vault is a purpose built secret management service that stores connection strings and credentials and enforces access control and auditing. You can configure your deployment to retrieve secrets from Azure Key Vault at runtime using a managed identity or access policies so the person who runs the deployment does not need direct permission to read the secrets.

Azure Resource Manager parameter file is incorrect because parameter files are used to pass values into templates and can expose secrets to anyone who can view the file or the deployment inputs. The parameter file is not a centralized secret store with access controls like Azure Key Vault.

Azure Storage table is incorrect because it is a general purpose NoSQL store and it is not designed for secure secret management. It does not provide the secret lifecycle, access policies, and key protection that Azure Key Vault provides.

appsettings.prod.json is incorrect because it is a configuration file and embedding credentials there can leak secrets through source control or deployments. It is not a managed secret store with enforced access controls.

web.config file is incorrect because it is also a configuration file for .NET applications and placing secrets there makes them visible to anyone with file access. It lacks centralized secret management features that Azure Key Vault offers.

Full AWS Practitioner Certification Question