Home

Home / HashiCorp / Vault Associate 002

Question list

List of questions

Question 1

(0)

The following three policies exist in Vault. What do these policies allow an organization to do?

Question 2

(0)

Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

Question 3

(0)

What does the following policy do?

Question 4

(0)

To make an authenticated request via the Vault HTTP API, which header would you use?

Question 5

(0)

Which of the following are replication methods available in Vault Enterprise? Choose two correct answers.

Question 6

(0)

When an auth method is disabled all users authenticated via that method lose access.

Question 7

(0)

Which of these is not a benefit of dynamic secrets?

Question 8

(0)

Which of the following cannot define the maximum time-to-live (TTL) for a token?

Question 9

(0)

What are orphan tokens?

Question 10

(0)

To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?

Open VPLUS File

Convert VPLUS to PDF

Related questions

A developer mistakenly committed code that contained AWS S3 credentials into a public repository. You have been tasked with revoking the AWS S3 credential that was in the code. This credential was created using Vault's AWS secrets engine and the developer received the following output when requesting a credential from Vault. Which Vault command will revoke the lease and remove the credential from AWS?

What can be used to limit the scope of a credential breach?

What does the following policy do?

When looking at Vault token details, which key helps you find the paths the token is able to access?

Which statement describes the results of this command: $ vault secrets enable transit

Use this screenshot to answer the question below: Where on this page would you click to view a secret located at secret/my-secret?

The Vault encryption key is stored in Vault's backend storage.

An authentication method should be selected for a use case based on:

Where can you set the Vault seal configuration? Choose two correct answers.

When unsealing Vault, each Shamir unseal key should be entered:

Question 43 - Vault Associate 002 discussion

Report

Which of the following statements describe the secrets engine in Vault? Choose three correct answers.

A.

Some secrets engines simply store and read data

B.

Once enabled, you cannot disable the secrets engine

C.

You can build your own custom secrets engine

D.

Each secrets engine is isolated to its path

E.

A secrets engine cannot be enabled at multiple paths

Suggested answer: A, C, D

Explanation:

Secrets engines are components that store, generate, or encrypt data in Vault. They are enabled at a specific path in Vault and have their own API and configuration. Some of the statements that describe the secrets engines in Vault are:

Some secrets engines simply store and read data, such as the key/value secrets engine, which acts like an encrypted Redis or Memcached.Other secrets engines perform more complex operations, such as generating dynamic credentials, encrypting data, issuing certificates, etc1.

You can build your own custom secrets engine by using the plugin system, which allows you to write and run your own secrets engine as a separate process that communicates with Vault over gRPC.You can also use the SDK to create your own secrets engine in Go and compile it into Vault2.

Each secrets engine is isolated to its path, which means that the secrets engine cannot access or interact with other secrets engines or data outside its path. The path where the secrets engine is enabled can be customized and can have multiple segments.For example, you can enable the AWS secrets engine at aws/ or aws/prod/ or aws/dev/3.

The statements that are not true about the secrets engines in Vault are:

You can disable an existing secrets engine by using the vault secrets disable command or the sys/mounts API endpoint.When a secrets engine is disabled, all of its secrets are revoked and all of its data is deleted from the storage backend4.

A secrets engine can be enabled at multiple paths, with a few exceptions, such as the system and identity secrets engines. Each secrets engine enabled at a different path is independent and isolated from others.For example, you can enable the KV secrets engine at kv/ and secret/ and they will not share any data3.

Show Answer

asked 18/09/2024

Christian Gyssels

38 questions

User

Your answer: A B C D E

0 comments

Sorted by

Leave a comment first