Ask Question
Vault Associate 002: HashiCorp Certified: Vault Associate (002)
Related questions
You have been tasked with writing a policy that will allow read permissions for all secrets at path secret/bar. The users that are assigned this policy should also be able to list the secrets. What should this policy look like?
This policy would allow read permissions for all secrets at path secret/bar, as well as list permissions for the secret/bar/ path.The list permission is required to be able to see the names of the secrets under a given path1. The wildcard () character matches any number of characters within a single path segment, while the slash (/) character matches the end of the path2. Therefore, the policy would grant read access to any secret that starts with secret/bar/, such as secret/bar/foo or secret/bar/baz, but not to secret/bar itself. To grant list access to secret/bar, the policy needs to specify the exact path with a slash at the end.This policy follows the principle of least privilege, which means that it only grants the minimum permissions necessary for the users to perform their tasks3.
The other options are not correct because they either grant too much or too little permissions. Option A would grant both read and list permissions to all secrets under secret/bar, which is more than what is required. Option B would grant list permissions to all secrets under secret/bar, but only read permissions to secret/bar itself, which is not what is required. Option D would use an invalid character (+) in the policy, which would cause an error.
Policy Syntax | Vault | HashiCorp Developer
Policy Syntax | Vault | HashiCorp Developer
Policies | Vault | HashiCorp Developer
A developer mistakenly committed code that contained AWS S3 credentials into a public repository. You have been tasked with revoking the AWS S3 credential that was in the code. This credential was created using Vault's AWS secrets engine and the developer received the following output when requesting a credential from Vault.
Which Vault command will revoke the lease and remove the credential from AWS?
Unlock Premium Member
Use this screenshot to answer the question below:
Where on this page would you click to view a secret located at secret/my-secret?
A user issues the following cURL command to encrypt data using the transit engine and the Vault AP:
Which payload.json file has the correct contents?
An authentication method should be selected for a use case based on:
What can be used to limit the scope of a credential breach?
Using a short-lived dynamic secrets can help limit the scope of a credential breach by reducing the exposure time of the secrets. Dynamic secrets are generated on-demand by Vault and automatically revoked when they are no longer needed. This way, the credentials are not stored in plain text or in a static database, and they can be rotated frequently to prevent unauthorized access. Dynamic secrets also provide encryption as a service, which means that they perform cryptographic operations on data in-transit without storing any data. This adds an extra layer of security and reduces the risk of data leakage or tampering.Reference:Dynamic secrets | Vault | HashiCorp Developer,What are dynamic secrets and why do I need them? - HashiCorp
What does the following policy do?
This policy allows a user to read data about the secret endpoint identity. The policy grants the user the ability to create, update, read, and delete data in the ''secret/data/{identity.entity.id}'' path. Additionally, the user is allowed to list data in the ''secret/metadata/{identity.entity.id}'' path. This policy is useful for users who need to access information about the secret endpoint identity.
The secret endpoint identity is a feature of the Identity Secrets Engine, which allows Vault to generate identity tokens that can be used to access other Vault secrets engines or namespaces. The identity tokens are based on the entity and group information of the user or machine that authenticates with Vault. The entity is a unique identifier for the user or machine, and the group is a collection of entities that share some common attributes. The identity tokens can carry metadata and policies that are associated with the entity and group.
The ''secret/data/{identity.entity.id}'' path is where the user can store and retrieve data that is related to the secret endpoint identity. For example, the user can store some configuration or preferences for the secret endpoint identity in this path. The ''secret/metadata/{identity.entity.id}'' path is where the user can list the metadata of the data stored in the ''secret/data/{identity.entity.id}'' path. For example, the user can list the version, creation time, deletion time, and destroy time of the data in this path.
[Identity - Secrets Engines | Vault | HashiCorp Developer]
[KV - Secrets Engines | Vault | HashiCorp Developer]
Which statement describes the results of this command: $ vault secrets enable transit
Where does the Vault Agent store its cache?
The Vault Agent stores its cache in memory, which means that it does not persist the cached tokens and secrets to disk or any other storage backend. This makes the cache more secure and performant, as it avoids exposing the sensitive data to potential attackers or unauthorized access. However, this also means that the cache is volatile and will be lost if the agent process is terminated or restarted. To mitigate this, the agent can optionally use a persistent cache file to restore the tokens and leases from a previous agent process. The persistent cache file is encrypted using a key derived from the agent's auto-auth token and a nonce, and it is stored in a user-specified location on disk.Reference:Caching - Vault Agent | Vault | HashiCorp Developer,Vault Agent Persistent Caching | Vault | HashiCorp Developer
Which of these is not a benefit of dynamic secrets?
Dynamic secrets are generated on-demand by Vault and have a limited time-to-live (TTL). They do not ensure that administrators can see every password used, as they are often encrypted and ephemeral. The benefits of dynamic secrets are:
They support systems that do not natively provide a method of expiring credentials, such as databases, cloud providers, SSH, etc. Vault can revoke the credentials when they are no longer needed or when the lease expires.
They minimize the damage of credentials leaking, as they are short-lived and can be easily rotated or revoked. If a credential is compromised, the attacker has a limited window of opportunity to use it before it becomes invalid.
They replace cumbersome password rotation tools and practices, as Vault can handle the generation and revocation of credentials automatically and securely. This reduces the operational overhead and complexity of managing secrets.
Export
If you didn't receive an email within 5 minutes, you should submit a support request to [email protected].
|
BASIC - 1 Month
$
10
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
|
PLUS - 2 Months
$
15
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
|
PRO - 6 Months
$
40
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
|
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
Full latest questions
No CAPTCHA
New Updates
Export to VPLUS
Export to PDF - All questions
Team support
Practice Tests
Selling illegal goods, money scams etc.
Serious attack on a group.
Harassing an individual (including doxing)
Threatening or glorifying violence or serious harm, including self-harm
Nudity/Sexual content
Sexually explicit or suggestive imagery or writing involving minors
Sexually explicit or suggestive imagery or writing involving non-consenting adults or non-humans
Reusing content without attribution (link and blockquotes)
Not in English or has very bad formatting, grammar, and spelling
Author's credential is offensive, spam, or impersonation
Ex. Illegal content, incomplete question...
Question