HashiCorp HashiCorp Certifications VA-002-P Questions & Answers

• Question 111:

  Beyond encryption and decryption of data, which of the following is not a function of the Vault transit secrets engine?

  A. generate hashes and HMACs of data

  B. sign and verify data

  C. act as a source of random bytes

  D. store the encrypted data securely in Vault for retrieval

  Correct Answer: D

  Vault doesn't store the data sent to the secrets engine. The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.

• Question 112:

  Given the policy below, what would the user be able to access?

  1.

  path "*" {

  2.

  capabilities = ["create", "update", "read", "list", "delete", "sudo"]

  3.

  }

  A. anything they want to within Vault

  B. ability to enable a secret engine at the path *

  C. only make changes to policies

  D. nothing, since the policy doesn't specify any specific paths

  Correct Answer: A

  All interactions with Vault are done through its pathing structure. If you create a policy with a wildcard, you are giving them access to any path within Vault

• Question 113:

  You've decided to use AWS KMS to automatically unseal Vault on private EC2 instances. After deploying your Vault cluster, and running vault operator init, Vault responds with an error and cannot be unsealed. You've determined that the subnet you've deployed Vault into doesn't have internet access. What can you do to enable Vault to communicate with AWS KMS in the most secure way?

  A. ask the networking team to provide Vault with inbound access from the internet

  B. deploy Vault in a public subnet and provide the Vault nodes with public IP addresses

  C. add a VPC endpoint

  D. change the permissions on the Internet Gateway to allow the Vault nodes to communicate over the Internet

  Correct Answer: C

  In this particular question, a VPC endpoint can provide private connectivity to an AWS service without having to traverse the public internet. This way you hit a private endpoint for the service rather than connecting to the public endpoint. This is more of an AWS-type question, but the underlying premise still holds regardless of where your Vault cluster is deployed. If you use a public cloud KMS solution, such as AWS KMS, Azure Key Vault, GCP Cloud KMS, or AliCloud KMS, your Vault cluster will need the ability to communicate with that service to unseal itself.

• Question 114:

  True or False:

  Similar to how Vault works with databases and cloud providers, the Active Directory secrets engine

  dynamically generates the account and password for the requesting Vault client.

  A. False

  B. True

  Correct Answer: A

  The Active Directory secrets engine rotates Active Directory passwords dynamically. It does not, however, dynamically generate the AD account. The AD account must exist prior to configuring it in Vault. If it does not, the configuration will fail, stating that the account doesn't exist. Reference link:- https:// www.vaultproject.io/docs/secrets/ad

• Question 115:

  If a client is currently assigned the following policy, what additional policy can be added to ensure they cannot access the data stored at secret/apps/confidential but still, read all other secrets?

  A. path "secret/apps/confidential/*" { capabilities = ["deny"] }

  B. path "secret/apps/*" { capabilities = ["deny"] }

  C. path "secret/apps/confidential" { capabilities = ["deny"] }

  D. path "secret/apps/*" { capabilities = ["create", "read", "update", "delete", "list"] } path "secret/*" { capabilities = ["read", "deny"] }

  Correct Answer: C

  "Deny" capability generally takes precedence over "allow" capability. Therefore, if you add the correct deny statement, the user will be able to read all secrets except for the data stored at secret/apps/confidential

• Question 116:

  True or False:

  When using the transit secrets engine, setting the min_decryption_version will determine the minimum key

  length of the data key (i.e., 2048, 4096, etc.)

  A. False

  B. True

  Correct Answer: A

  The Transit engine supports the versioning of keys. Key versions that are earlier than a key's specified min_decryption_version gets archived, and the rest of the key versions belong to the working set. This is a performance consideration to keep key loading fast, as well as a security consideration: by disallowing decryption of old versions of keys, found ciphertext corresponding to obsolete (but sensitive) data can not be decrypted by most users, but in an emergency, the min_decryption_version can be moved back to allow for legitimate decryption. Reference link:- https://www.vaultproject.io/docs/secrets/transit

• Question 117:

  Which of the following Vault policies will allow a Vault client to read a secret stored at secrets/applications/ app01/api_key?

  A. path "secrets/applications/+/api_*" { capabilities = ["read"] }

  B. path "secrets/applications/" { capabilities = ["read"] allowed_parameters = { "certificate" = [] } }

  C. path "secrets/*" { capabilities = ["list"] }

  D. path "secrets/applications/app01/api_key" { capabilities = ["update", "list"] }

  Correct Answer: A

  Wildcards and path segments can be used to allow access to a broader set of secrets rather than having to call out each individual secret itself. None of the other policies will allow a client to actually read the data stored at the path secrets/applications/app01/api_key

• Question 118:

  You've set up multiple Vault clusters, one on-premises which is intended to be the primary cluster, and the second cluster in AWS, which was deployed to be used for performance replication. After enabling replication, developers complain that all the data they've stored in the AWS Vault cluster is missing. What happened?

  A. the data was moved to a recovery path after replication was enabled. Use the vault secrets move command to move the data back to its intended location

  B. there is a certificate mismatch after replication was enabled since Vault replication generates its own TLS certificates to ensure nodes are trusted entities

  C. the data was automatically copied to the primary cluster after replication was enabled since all writes are always forwarded to the primary cluster

  D. all of the data on the secondary cluster was deleted after replication was enabled

  Correct Answer: D

  Replication relies on having a shared keyring between primary and secondaries and a shared

  understanding of the data store state.

  As soon as replication is enabled, all of the secondary's existing data will be destroyed, which is

  irrevocable.

  Generally, activating as a secondary will be the first thing that is done upon setting up a new cluster for

  replication.

  Hence, create a backup first if there is a slight chance that you would need this existing storage in the

  future.

  Reference link:- https://www.hashicorp.com/resources/setting-up-configuring-performance- replication/

• Question 119:

  When configuring Vault replication and monitoring its status, you keep seeing something called 'WALs'. What are WALs?

  A. wake after lan

  B. warning of allocated logs

  C. write-ahead log

  D. write along logging

  Correct Answer: C

  Reference links:https://learn.hashicorp.com/vault/day-one/monitor-replication https://www.vaultproject.io/docs/internals/ replication

• Question 120:

  After logging into the Vault UI, a user complains that they cannot enable Replication. Why would the replication configuration be missing?

  A. replication wasn't configured in the Vault configuration file

  B. replication hasn't been enabled

  C. Vault is running an open-source version

  D. replication configuration isn't available in the UI

  Correct Answer: C

  Replication is not available in open-source versions of Vault. It is an enterprise feature.