HashiCorp HashiCorp Certifications VA-002-P Questions & Answers

• Question 101:

  In regards to using a K/V v2 secrets engine, select the three correct statements below: (select three)

  A. issuing a vault kv destroy statement permanently deletes a single version of a secret

  B. issuing a vault kv destroy statement deletes all versions of a secret

  C. issuing a vault kv delete statement permanently deletes the secret

  D. issuing a vault kv metadata delete statement permanently deletes the secret

  E. issuing a vault kv delete statement performs a soft delete

  Correct Answer: ADE

  The kv delete command is like a soft delete which deletes the data for the provided path in the key/value secrets engine. If using K/V Version 2, its versioned data will not be fully removed, but marked as deleted and will no longer be available for normal get requests. The kv destroy command permanently removes the specified versions' data from the key/value secrets engine. If no key exists at the path, no action is taken. It

  does not deletes all versions of a secret.

  The kv metadata delete command deletes all versions and metadata for the provided key.

• Question 102:

  When administering Vault on a day-to-day basis, why is logging in with the root token, as shown below, a bad idea? (select two).

  

  A. the root token isn't a secure way of logging into Vault

  B. the root token is attached to the root policy, which likely provides too many privileges to a user

  C. the root token should be revoked and not used on a day-to-day basis

  D. It's easier to just use the root token than to configure additional auth methods

  Correct Answer: BC

  The root token should never be used on a day-to-day basis and should always be revoked once a permanent auth method has been configured.

• Question 103:

  True or False: When encrypting data with the transit secrets engine, Vault always stores the ciphertext in a dedicated KV store along with the associated encryption key.

  A. False

  B. True

  Correct Answer: A

  Vault doesn't store the data sent to the secrets engine. The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes. Reference link:- https://www.vaultproject.io/docs/secrets/transit

• Question 104:

  Given the following screenshot, how many secrets engines have been enabled?

  

  A. 4

  B. 3

  C. 5

  D. 2

  Correct Answer: B

  The Cubbyhole secret engine is a default secrets engine that is enabled by default for each Vault user.

• Question 105:

  From the options below, select the benefits of using a batch token over a service token. (select three)

  A. no storage cost for token creation

  B. lightweight and scalable

  C. can be a root token

  D. used for ephemeral, high-performance workloads

  E. has accessors

  Correct Answer: ABD

  Service Tokens Service tokens are what users will generally think of as "normal" Vault tokens. They support all features, such as renewal, revocation, creating child tokens, and more. They are correspondingly heavyweight to create and track. Batch Tokens Batch tokens are encrypted blobs that carry enough information for them to be used for Vault actions, but they require no storage on disk to track them. As a result, they are extremely lightweight and scalable but lack most of the flexibility and features of service tokens. Reference link:- https://www.vaultproject.io/docs/ concepts/tokens

• Question 106:

  What type of policy is shown below?

  1.

  key_prefix "vault/" {

  2.

  policy = "write"

  3.

  }

  4.

  node_prefix "" {

  5.

  policy = "write"

  6.

  }

  7.

  service "vault" {

  8.

  policy = "write"

  9.

  }

  10.

  agent_prefix "" {

  11.

  policy = "write"

  12.

  }

  13.

  session_prefix "" {

  14.

  policy = "write"

  15.

  }

  A. Vault policy allowing access to certain paths

  B. Consul ACL policy for a Vault node

  C. Consul configuration policy to enable Consul features

  D. Vault token policy is written for a user

  Correct Answer: B

  If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8, these policies will work for most use-cases, assuming that your service name is vault and the prefix being used is vault/Consul ACLs should always be enabled when using Consul as a storage backend. This policy allows Vault to communicate to the required services hosted on Consul. Reference link:- https://www.vaultproject.io/docs/ configuration/storage/consul

• Question 107:

  From the options below, select the benefits of using the PKI (certificates) secrets engine: (select three)

  A. TTLs on Vault certs are longer to ensure certificates are valid for a longer period of time

  B. Vault can act as an intermediate CA

  C. reducing, or eliminating certificate revocations

  D. reduces time to get a certificate by eliminating the need to generate a private key and CSR

  Correct Answer: BCD

  Reference link:- https://www.vaultproject.io/docs/secrets/pki

• Question 108:

  Select the policies below that permit you to create a new entry of foo=bar at the path /secrets/apps/ my_secret (select two)

  A. path "secrets/apps/my_secret" { capabilities = ["create"] allowed_parameters = { "foo" = [] } }

  B. path "secrets/+/my_secret" { capabilities = ["create"] allowed_parameters = { "*" = ["bar"] } }

  C. path "secrets/apps/my_secret" { capabilities = ["update"] }

  D. path "secrets/apps/*" { capabilities = ["create"] allowed_parameters = { "foo" = ["bar", "zip"] } }

  Correct Answer: AB

  Setting a parameter with a value of the empty list allows the parameter to contain any value. Setting a parameter with a value of a populated list allows the parameter to contain only those values. If any keys are specified, all non-specified parameters will be denied unless the parameter "*" is set to an empty array, which will allow all other parameters to be modified. Parameters with specific values will still be restricted to those values.

• Question 109:

  By default, how long does the transit secrets engine store the resulting ciphertext?

  A. 24 hours

  B. 32 days

  C. transit does not store data

  D. 30 days

  Correct Answer: C

  Vault does NOT store any data encrypted via the transit/encrypt endpoint. The output you received is the ciphertext. You can store this ciphertext at the desired location (e.g. MySQL database) or pass it to another application.

• Question 110:

  What is the proper command to enable the AWS secrets engine at the default path?

  A. vault enable secrets aws

  B. vault secrets aws enable

  C. vault secrets enable aws

  D. vault enable aws secrets engine

  Correct Answer: C

  The command format for enabling Vault features is vault , therefore the correct answer would be vault secrets enable aws