
HashiCorp Vault Associate 002 Practice Test - Questions Answers, Page 3


Question 21


What can be used to limit the scope of a credential breach?

A. Storage of secrets in a distributed ledger
B. Enable audit logging
C. Use of short-lived dynamic secrets
D. Sharing credentials between applications
Suggested answer: C

Explanation:

Using short-lived dynamic secrets can help limit the scope of a credential breach by reducing the exposure time of the secrets. Dynamic secrets are generated on demand by Vault and automatically revoked when they are no longer needed. This way, the credentials are not stored in plain text or in a static database, and they can be rotated frequently to prevent unauthorized access. Dynamic secrets also provide encryption as a service, which means that they perform cryptographic operations on data in transit without storing any data. This adds an extra layer of security and reduces the risk of data leakage or tampering. Reference: Dynamic secrets | Vault | HashiCorp Developer, What are dynamic secrets and why do I need them? - HashiCorp

asked 18/09/2024
Meriem Jlassi

Question 22


What environment variable overrides the CLI's default Vault server address?

A. VAULT_ADDR
B. VAULT_HTTP_ADDRESS
C. VAULT_ADDRESS
D. VAULT_HTTPS_ADDRESS
Suggested answer: B

Explanation:

The environment variable VAULT_ADDR overrides the CLI's default Vault server address. The VAULT_ADDR environment variable specifies the address of the Vault server that is used to communicate with Vault from other applications or processes. By setting this variable, you can avoid hard-coding the Vault server address in your code or configuration files, and you can also use different addresses for different environments or scenarios. For example, you can use a local development server for testing purposes, and a production server for deploying your application. Reference: Commands (CLI) | Vault | HashiCorp Developer, Vault Agent - secrets as environment variables | Vault | HashiCorp Developer

asked 18/09/2024
Achref hellal

Question 23


Which of the following statements describes the CLI command below?

$ vault login -method=ldap username=mitchellh

A. Generates a token which is response wrapped
B. You will be prompted to enter the password
C. By default the generated token is valid for 24 hours
D. Fails because the password is not provided
Suggested answer: A

Explanation:

The CLI command vault login -method ldap username=mitchellh generates a token that is response wrapped. This means that the token contains a base64-encoded response wrapper, which is a JSON object that contains information about the token, such as its policies, metadata, and expiration time. The response wrapper is used to verify the authenticity and integrity of the token, and to prevent replay attacks. The response wrapper also allows Vault to automatically renew the token when it expires, or to revoke it if it is compromised. The -method ldap option specifies that the authentication method is LDAP, which requires a username and password to be provided. The username mitchellh is an example of an LDAP user name, and the password will be hidden when entered. Reference: Vault CLI Reference | Vault | HashiCorp Developer, Vault CLI Reference | Vault | HashiCorp Developer

asked 18/09/2024
Mercedes Gonzalez Riera

Question 24


You have been tasked with writing a policy that will allow read permissions for all secrets at path secret/bar. The users that are assigned this policy should also be able to list the secrets. What should this policy look like?

Suggested answer: C

Explanation:

This policy would allow read permissions for all secrets at path secret/bar, as well as list permissions for the secret/bar/ path. The list permission is required to be able to see the names of the secrets under a given path [1]. The wildcard (*) character matches any number of characters within a single path segment, while the slash (/) character matches the end of the path [2]. Therefore, the policy would grant read access to any secret that starts with secret/bar/, such as secret/bar/foo or secret/bar/baz, but not to secret/bar itself. To grant list access to secret/bar, the policy needs to specify the exact path with a slash at the end. This policy follows the principle of least privilege, which means that it only grants the minimum permissions necessary for the users to perform their tasks [3].

The other options are not correct because they grant either too many or too few permissions. Option A would grant both read and list permissions to all secrets under secret/bar, which is more than what is required. Option B would grant list permissions to all secrets under secret/bar, but only read permissions to secret/bar itself, which is not what is required. Option D would use an invalid character (+) in the policy, which would cause an error.

References:
1. Policy Syntax | Vault | HashiCorp Developer
2. Policy Syntax | Vault | HashiCorp Developer
3. Policies | Vault | HashiCorp Developer

asked 18/09/2024
Michele Valvason

Question 25


When using Integrated Storage, which of the following should you do to recover from possible data loss?

A. Failover to a standby node
B. Use snapshot
C. Use audit logs
D. Use server logs
Suggested answer: B

Explanation:

Integrated Storage is a Raft-based storage backend that allows Vault to store its data internally without relying on an external storage system. It also enables Vault to run in high availability mode with automatic leader election and failover. However, Integrated Storage is not immune to data loss or corruption due to hardware failures, network partitions, or human errors. Therefore, it is recommended to use the snapshot feature to back up and restore the Vault data periodically or on demand. A snapshot is a point-in-time capture of the entire Vault data, including the encrypted secrets, the configuration, and the metadata. Snapshots can be taken and restored using the vault operator raft snapshot command or the sys/storage/raft/snapshot API endpoint. Snapshots are encrypted and can only be restored with a quorum of unseal keys or recovery keys. Snapshots are also portable and can be used to migrate data between different Vault clusters or storage backends. Reference: https://developer.hashicorp.com/vault/docs/concepts/integrated-storage, https://developer.hashicorp.com/vault/docs/commands/operator/raft/snapshot, https://developer.hashicorp.com/vault/api-docs/system/storage/raft/snapshot

asked 18/09/2024
Hayat Hassan

Question 26


How many Shamir's key shares are required to unseal a Vault instance?

A. All key shares
B. A quorum of key shares
C. One or more keys
D. The threshold number of key shares
Suggested answer: D

Explanation:

Shamir's Secret Sharing is a cryptographic algorithm that allows a secret to be split into multiple parts, called key shares, such that a certain number of key shares are required to reconstruct the secret. The number of key shares and the threshold number are configurable parameters that depend on the desired level of security and availability. Vault uses Shamir's Secret Sharing to protect its master key, which is used to encrypt and decrypt the data encryption key that secures the Vault data. When Vault is initialized, it generates a master key and splits it into a configured number of key shares, which are then distributed to trusted operators. To unseal Vault, the threshold number of key shares must be provided to reconstruct the master key and decrypt the data encryption key. This process ensures that no single operator can access the Vault data without the cooperation of other key holders. Reference: https://developer.hashicorp.com/vault/docs/concepts/seal, https://developer.hashicorp.com/vault/docs/commands/operator/init, https://developer.hashicorp.com/vault/docs/commands/operator/unseal

asked 18/09/2024
Yedron Rojas Acosta
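As an added illustration of the threshold behaviour described in the explanation above (example code written for this page, not code from the page or from Vault itself): a minimal Shamir's Secret Sharing over a prime field, splitting a secret into 5 shares with a threshold of 3, so that any 3 shares recover it and any 2 do not. Vault's real implementation works on the key bytes over GF(2^8); this example uses integers modulo a large prime so the arithmetic stays readable.

```python
# Added example, not Vault's implementation: Shamir's Secret Sharing over GF(p).
import secrets

# Field modulus; 2**127 - 1 is a Mersenne prime, large enough for the demo secret.
PRIME = 2**127 - 1


def split_secret(secret: int, shares: int, threshold: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points (x, f(x)); any `threshold` recover it."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    # x = 0 is never handed out: f(0) is the secret itself.
    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial at x = 0 from the supplied shares.

    With fewer than `threshold` shares this still returns a value, but it is
    a uniformly random field element, not the secret: that is the property
    that makes a below-threshold set of key holders unable to unseal.
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    total = 0
    for xj, yj in points:
        num, den = 1, 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % PRIME          # product of (0 - x_m)
                den = den * (xj - xm) % PRIME      # product of (x_j - x_m)
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        total = (total + yj * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    key = secrets.randbelow(PRIME)                 # stands in for the master key
    shares = split_secret(key, shares=5, threshold=3)
    print("3 of 5 recover key:", recover_secret(shares[:3]) == key)
    print("2 of 5 recover key:", recover_secret(shares[:2]) == key)
```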

Question 27


Which of these is a benefit of using the Vault Agent?

A. Vault Agent allows for centralized configuration of application secrets engines
B. Vault Agent will auto-discover which authentication mechanism to use
C. Vault Agent will enforce minimum levels of encryption an application can use
D. Vault Agent will manage the lifecycle of cached tokens and leases automatically
Suggested answer: D

Explanation:

Vault Agent is a client daemon that provides the following features:

Auto-Auth - Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.

API Proxy - Allows Vault Agent to act as a proxy for Vault's API, optionally using (or forcing the use of) the Auto-Auth token.

Caching - Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens. The agent also manages the renewals of the cached tokens and leases.

Templating - Allows rendering of user-supplied templates by Vault Agent, using the token generated by the Auto-Auth step.

Process Supervisor Mode - Runs a child process with Vault secrets injected as environment variables.

One of the benefits of using the Vault Agent is that it will manage the lifecycle of cached tokens and leases automatically. This means that the agent will handle the token renewal and revocation logic, as well as the lease renewal and revocation logic for the secrets that are cached by the agent. This reduces the burden on the application developers and operators, and ensures that the tokens and secrets are always valid and up-to-date. Reference: Vault Agent | Vault | HashiCorp Developer, Caching - Vault Agent | Vault | HashiCorp Developer

asked 18/09/2024
Michael Wheeler

Question 28


Which of the following describes a use of an identity group?

A. Limit the policies that would otherwise apply to an entity in the group
B. When they want to revoke the credentials for a whole set of entities simultaneously
C. Audit token usage
D. Consistently apply the same set of policies to a collection of entities
Suggested answer: D

Explanation:

An identity group is a collection of entities that share some common attributes. An identity group can have one or more policies attached to it, which are inherited by all the members of the group. An identity group can also have subgroups, which can further refine the policies and attributes for a subset of entities.

One of the use cases of an identity group is to consistently apply the same set of policies to a collection of entities. For example, an organization may have different teams or departments, such as engineering, sales, or marketing. Each team may have its own identity group, with policies that grant access to the secrets and resources that are relevant to their work. By creating an identity group for each team, the organization can ensure that the entities belonging to each team have the same level of access and permissions, regardless of which authentication method they use to log in to Vault. Reference: Identity: entities and groups | Vault | HashiCorp Developer, vault_identity_group | Resources | hashicorp/vault | Terraform | Terraform Registry

asked 18/09/2024
Romsat Sertec

Question 29


Vault supports which type of configuration for source-limited tokens?

A. Cloud-bound tokens
B. Domain-bound tokens
C. CIDR-bound tokens
D. Certificate-bound tokens
Suggested answer: C

Explanation:

Vault supports CIDR-bound tokens, which are tokens that can only be used from a specific set of IP addresses or network ranges. This is a way to limit the scope and exposure of a token in case it is compromised or leaked. CIDR-bound tokens can be created by specifying the bound_cidr_list parameter when creating or updating a token role, or by using the -bound-cidr option when creating a token using the vault token create command. CIDR-bound tokens can also be created by some auth methods, such as AWS or Kubernetes, that can automatically bind the tokens to the source IP or network of the client. Reference: Token - Auth Methods | Vault | HashiCorp Developer, vault token create - Command | Vault | HashiCorp Developer

asked 18/09/2024
harinder giri

Question 30


Where does the Vault Agent store its cache?

A. In a file encrypted using the Vault transit secret engine
B. In the Vault key/value store
C. In an unencrypted file
D. In memory
Suggested answer: D

Explanation:

The Vault Agent stores its cache in memory, which means that it does not persist the cached tokens and secrets to disk or any other storage backend. This makes the cache more secure and performant, as it avoids exposing the sensitive data to potential attackers or unauthorized access. However, this also means that the cache is volatile and will be lost if the agent process is terminated or restarted. To mitigate this, the agent can optionally use a persistent cache file to restore the tokens and leases from a previous agent process. The persistent cache file is encrypted using a key derived from the agent's auto-auth token and a nonce, and it is stored in a user-specified location on disk. Reference: Caching - Vault Agent | Vault | HashiCorp Developer, Vault Agent Persistent Caching | Vault | HashiCorp Developer

asked 18/09/2024
Marcos Davila