Home

Home / HashiCorp / Vault Associate 002

Question list

List of questions

Question 1

(0)

The following three policies exist in Vault. What do these policies allow an organization to do?

Question 2

(0)

Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

Question 3

(0)

What does the following policy do?

Question 4

(0)

To make an authenticated request via the Vault HTTP API, which header would you use?

Question 5

(0)

Which of the following are replication methods available in Vault Enterprise? Choose two correct answers.

Question 6

(0)

When an auth method is disabled all users authenticated via that method lose access.

Question 7

(0)

Which of these is not a benefit of dynamic secrets?

Question 8

(0)

Which of the following cannot define the maximum time-to-live (TTL) for a token?

Question 9

(0)

What are orphan tokens?

Question 10

(0)

To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?

Open VPLUS File

Convert VPLUS to PDF

Related questions

A developer mistakenly committed code that contained AWS S3 credentials into a public repository. You have been tasked with revoking the AWS S3 credential that was in the code. This credential was created using Vault's AWS secrets engine and the developer received the following output when requesting a credential from Vault. Which Vault command will revoke the lease and remove the credential from AWS?

What can be used to limit the scope of a credential breach?

What does the following policy do?

When looking at Vault token details, which key helps you find the paths the token is able to access?

Which statement describes the results of this command: $ vault secrets enable transit

Use this screenshot to answer the question below: Where on this page would you click to view a secret located at secret/my-secret?

The Vault encryption key is stored in Vault's backend storage.

An authentication method should be selected for a use case based on:

Where can you set the Vault seal configuration? Choose two correct answers.

When unsealing Vault, each Shamir unseal key should be entered:

Question 44 - Vault Associate 002 discussion

Report

What is a benefit of response wrapping?

A.

Log every use of a secret

B.

Load balanc secret generation across a Vault cluster

C.

Provide error recovery to a secret so it is not corrupted in transit

D.

Ensure that only a single party can ever unwrap the token and see what's inside

Suggested answer: D

Explanation:

Response wrapping is a feature that allows Vault to take the response it would have sent to a client and instead insert it into the cubbyhole of a single-use token, returning that token instead. The client can then unwrap the token and retrieve the original response. Response wrapping has several benefits, such as providing cover, malfeasance detection, and lifetime limitation for the secret data. One of the benefits is to ensure that only a single party can ever unwrap the token and see what's inside, as the token can be used only once and cannot be unwrapped by anyone else, even the root user or the creator of the token.This provides a way to securely distribute secrets to the intended recipients and detect any tampering or interception along the way5.

The other options are not benefits of response wrapping:

Log every use of a secret: Response wrapping does not log every use of a secret, as the secret is not directly exposed to the client or the network.However, Vault does log the creation and deletion of the response-wrapping token, and the client can use the audit device to log the unwrapping operation6.

Load balance secret generation across a Vault cluster: Response wrapping does not load balance secret generation across a Vault cluster, as the secret is generated by the Vault server that receives the request and the response-wrapping token is bound to that server.However, Vault does support high availability and replication modes that can distribute the load and improve the performance of the cluster7.

Provide error recovery to a secret so it is not corrupted in transit: Response wrapping does not provide error recovery to a secret so it is not corrupted in transit, as the secret is encrypted and stored in the cubbyhole of the token and cannot be modified or corrupted by anyone. However, if the token is lost or expired, the secret cannot be recovered either, so the client should have a backup or retry mechanism to handle such cases.

Show Answer

asked 18/09/2024

fabio josca

34 questions

User

Your answer: A B C D

0 comments

Sorted by

Leave a comment first