Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

Key/Value secrets engine version 2

What does the following policy do?

Allows a user to read data about the secret endpoint identity

Grants access for each user to a KV folder which shares their id

Grants access to a special system entity folder

Allows a user to read data about the secret endpoint identity

Nothing, this is not a valid policy

To make an authenticated request via the Vault HTTP API, which header would you use?

The x-Vault-Request HTTP Header

The X-Vault-Namespace HTTP Header

Which of these is not a benefit of dynamic secrets?

Ensures that administrators can see every password used

Supports systems which do not natively provide a method of expiring credentials

Minimizes damage of credentials leaking

Ensures that administrators can see every password used

Replaces cumbersome password rotation tools and practices

Which of the following cannot define the maximum time-to-live (TTL) for a token?

By the client system f credentials leaking

By the authentication method t natively provide a method of expiring credentials

By the client system f credentials leaking

By the mount endpoint configuration very password used

A parent token TTL e password rotation tools and practices

What are orphan tokens?

Orphan tokens do not expire when their own max TTL is reached

Orphan tokens are tokens with a use limit so you can set the number of uses when you create them

Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does

Orphan tokens are tokens with no policies attached

Orphan tokens do not expire when their own max TTL is reached

You have a 2GB Base64 binary large object (blob) that needs to be encrypted. Which of the following best describes the transit secrets engine?

The transit engine is not a good solution for binaries of this size.

A data key encrypts the blob locally, and the same key decrypts the blob locally.

To process such a large blob. Vault will temporarily store it in the storage backend.

Vault will store the blob permanently. Be sure to run Vault on a compute optimized machine

The transit engine is not a good solution for binaries of this size.

How would you describe the value of using the Vault transit secrets engine?

The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault

Vault has an API that can be programmatically consumed by applications

The transit secrets engine ensures encryption in-transit and at-rest is enforced enterprise wide

Encryption for application data is best handled by a storage system or database engine, while storing encryption keys in Vault

The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault

Security requirements demand that no secrets appear in the shell history. Which command does not meet this requirement?

vault kv put secret/password value-itsasecret

generate-password | vault kv put secret/password value

vault kv put secret/password value-itsasecret

vault kv put secret/password value=@data.txt

vault kv put secret/password value-SSECRET_VALUE

What command creates a secret with the key 'my-password' and the value '53cr3t' at path 'my-secrets' within the KV secrets engine mounted at 'secret'?

vault kv put secret/my-secrets/my-password 53cr3t

vault kv write secret/my-secrets/my-password 53cr3t

vault kv write 53cr3t my-secrets/my-password

vault kv put secret/my-secrets y-password-53cr3t

What can be used to limit the scope of a credential breach?

Use of a short-lived dynamic secrets

Storage of secrets in a distributed ledger

Use of a short-lived dynamic secrets

Sharing credentials between applications

Which of the following statements describe the CLI command below?S vault login -method-1dap username-mitche11h

Generates a token which is response wrapped

You will be prompted to enter the password

By default the generated token is valid for 24 hours

Fails because the password is not provided

How many Shamir's key shares are required to unseal a Vault instance?

The threshold number of key shares

Which of these are a benefit of using the Vault Agent?

Vault Agent will manage the lifecycle of cached tokens and leases automatically

Vault Agent allows for centralized configuration of application secrets engines

Vault Agent will auto-discover which authentication mechanism to use

Vault Agent will enforce minimum levels of encryption an application can use

Vault Agent will manage the lifecycle of cached tokens and leases automatically

Which of the following describes usage of an identity group?

Consistently apply the same set of policies to a collection of entities

Limit the policies that would otherwise apply to an entity in the group

When they want to revoke the credentials for a whole set of entities simultaneously

Consistently apply the same set of policies to a collection of entities

Where does the Vault Agent store its cache?

In a file encrypted using the Vault transit secret engine

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

Key/Value secrets engine version 2, with TTL defined

When unsealing Vault, each Shamir unseal key should be entered:

By different administrators each connecting from different computers

Sequentially from one system that all of the administrators are in front of

By different administrators each connecting from different computers

While encrypted with each administrators PGP key

At the command line in one single command

As a best practice, the root token should be stored in which of the following ways?

Should be revoked and never stored after initial setup

Should be stored in configuration automation tooling

Should be stored in another password safe

When creating a policy, an error was thrown: Which statement describes the fix for this issue?

Replace write with create in the capabilities list

You cannot have a wildcard (' * ') in the path

You are using Vault's Transit secrets engine to encrypt your data. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?

Periodically rotate the encryption key

Use 4096-bit RSA key to encrypt the data

Upgrade to Vault Enterprise and integrate with HSM

Periodically re-key the Vault's unseal keys

Periodically rotate the encryption key

An authentication method should be selected for a use case based on:

The auth method that best establishes the identity of the client

The cloud provider for which the client is located on

The strongest available cryptographic hash for the use case

Compatibility with the secret engine which is to be used

HashiCorp Vault Associate 002 Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 40

The following three policies exist in Vault. What do these policies allow an organization to do?

HashiCorp Vault Associate 002 image Question 1 30615 09182024192100000000

Separates permissions allowed on actions associated with the transit secret engine

Nothing, as the minimum permissions to perform useful tasks are not present

Encrypt, decrypt, and rewrap data using the transit engine all in one policy

Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data

Comment (0)

HashiCorp Vault Associate 002 Practice Test 1

Question

HashiCorp Vault Associate 002 Practice Tests

Practice Tests