HashiCorp HashiCorp Certifications VAULT-ASSOCIATE Questions & Answers

• Question 11:

  To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?

  A. update

  B. read

  C. sudo

  D. list

  E. None of the above

  Correct Answer: C

  To give a role the ability to display or output all of the end points under the /secrets/apps/* end point, it would need to have the list capability set. The list capability allows a role to perform any operation on any path in Vault, including reading, writing, deleting, and listing. The list capability is required for roles that need to access sensitive data or perform administrative tasks in Vault. The other capabilities are not relevant for this scenario, as they only allow specific operations on specific paths or secrets engines. References: Policies | Vault | HashiCorp Developer, token capabilities - Command | Vault | HashiCorp Developer

• Question 12:

  The key/value v2 secrets engine is enabled at secret/ See the following policy:

  

  Which of the following operations are permitted by this policy? Choose two correct answers.

  A. vault kv get secret/webapp1

  B. vault kv put secret/webapp1 apikey-"ABCDEFGHI] K123M"

  C. vault kv metadata get secret/webapp1

  D. vault kv delete secret/super-secret

  E. vault kv list secret/super-secret

  Correct Answer: AC

  The policy shown in the image is:

  path "secret/data/webapp1" { capabilities = ["create", "read", "update", "delete", "list"] } path "secret/data/super-secret" { capabilities = ["deny"] } This policy grants or denies access to the key/value v2 secrets engine mounted at secret/

  according to the following rules:

  The path "secret/data/webapp1" has the capabilities of "create", "read", "update", "delete", and "list". This means that the policy allows performing any of these operations on the secrets stored under this path. The data/ prefix is used to

  access the actual secret data in the key/value v2 secrets engine5. Therefore, the policy permits the operation of vault kv get secret/webapp1, which reads the secret data at secret/data/webapp16.

  The path "secret/data/super-secret" has the capability of "deny". This means that the policy denies performing any operation on the secrets stored under this path. The policy overrides any other policy that might grant access to this path.

  Therefore, the policy does not permit the operations of vault kv delete secret/super-secret and vault kv list secret/super-secret, which delete and list the secret data at secret/data/super-secret respectively6. The policy does not explicitly define

  any rules for the path "secret/metadata". The metadata/ prefix is used to access the metadata of the secrets in the key/value v2 secrets engine, such as the number of versions, the deletion status, the creation time, etc5. By default, if the

  policy grants any of the capabilities of "create", "read", "update", or "delete" on the data/ path, it also grants the same capabilities on the corresponding metadata/ path7. Therefore, the policy permits the operation of vault kv metadata get

  secret/webapp1, which reads the metadata of the secret at secret/metadata/webapp18.

  References: 5(https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2), [6]6, 7(https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2), [8]8

• Question 13:

  Vault supports which type of configuration for source limited token?

  A. Cloud-bound tokens

  B. Domain-bound tokens

  C. CIDR-bound tokens

  D. Certificate-bound tokens

  Correct Answer: C

  Vault supports CIDR-bound tokens, which are tokens that can only be used from a specific set of IP addresses or network ranges. This is a way to limit the scope and exposure of a token in case it is compromised or leaked. CIDR-bound tokens can be created by specifying the bound_cidr_list parameter when creating or updating a token role, or by using the -bound-cidr option when creating a token using the vault token create command. CIDR-bound tokens can also be created by some auth methods, such as AWS or Kubernetes, that can automatically bind the tokens to the source IP or network of the client. References: Token - Auth Methods | Vault | HashiCorp Developer, vault token create

  -Command | Vault | HashiCorp Developer

• Question 14:

  Your organization has an initiative to reduce and ultimately remove the use of long lived

  A. 509 certificates. Which secrets engine will best support this use case?

  B. PKI

  C. Key/Value secrets engine version 2, with TTL defined

  D. Cloud KMS

  E. Transit

  Correct Answer: A

  The PKI secrets engine is designed to support the use case of reducing and ultimately removing the use of long lived X.509 certificates. The PKI secrets engine can generate dynamic X.509 certificates on demand, with short time-to-live (TTL) and automatic revocation. This eliminates the need for manual processes of generating, signing, and rotating certificates, and reduces the risk of certificate compromise or misuse. The PKI secrets engine can also act as a certificate authority (CA) or an intermediate CA, and can integrate with external CAs or CRLs. The PKI secrets engine can issue certificates for various purposes, such as TLS, SSH, code signing, email encryption, etc. References: https://developer.hashicorp.com/vault/docs/secrets/pki1, https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic- secrets

• Question 15:

  A user issues the following cURL command to encrypt data using the transit engine and the Vault AP:

  

  Which payload.json file has the correct contents?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: C

  The payload.json file that has the correct contents is C. This file contains a JSON object with a single key, "plaintext", and a value that is the base64-encoded string of the data to be encrypted. This is the format that the Vault API expects for

  the transit encrypt endpoint1. The other files are not correct because they either have the wrong key name, the wrong value format, or the wrong JSON syntax.

  References:

  Encrypt Data - Transit Secrets Engine | Vault | HashiCorp Developer

• Question 16:

  Security requirements demand that no secrets appear in the shell history. Which command does not meet this requirement?

  A. generate-password | vault kv put secret/password value

  B. vault kv put secret/password value-itsasecret

  C. vault kv put secret/password [email protected]

  D. vault kv put secret/password value-SSECRET_VALUE

  Correct Answer: B

  The command that does not meet the security requirement of not having secrets appear in the shell history is B. vault kv put secret/password value-itsasecret. This command would store the secret value "itsasecret" in the key/value secrets

  engine at the path secret/password, but it would also expose the secret value in the shell history, which could be accessed by other users or malicious actors. This is not a secure way of storing secrets in Vault.

  The other commands are more secure ways of storing secrets in Vault without revealing them in the shell history. A. generate-password | vault kv put secret/password value would use a pipe to pass the output of the generate-password

  command, which could be a script or a tool that generates a random password, to the vault kv put command, which would store the password in the key/value secrets engine at the pathsecret/password. The password would not be visible in

  the shell history, only the commands. C. vault kv put secret/password [email protected] would use the @ syntax to read the secret value from a file named data.txt, which could be encrypted or protected by file permissions, and store it in the

  key/value secrets engine at the path secret/password. The file name would be visible in the shell history, but not the secret value. D. vault kv put secret/password value- SSECRET_VALUE would use the -S syntax to read the secret value

  from the environment variable SECRET_VALUE, which could be set and unset in the shell session, and store it in the key/value secrets engine at the path secret/password. The environment variable name would be visible in the shell history,

  but not the secret value.

  References:

  [Write Secrets | Vault | HashiCorp Developer]

• Question 17:

  The following three policies exist in Vault. What do these policies allow an organization to do?

  

  A. Separates permissions allowed on actions associated with the transit secret engine

  B. Nothing, as the minimum permissions to perform useful tasks are not present

  C. Encrypt, decrypt, and rewrap data using the transit engine all in one policy

  D. Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data

  Correct Answer: C

  The three policies that exist in Vault are: admins: This policy grants full access to all secrets and operations in Vault. It can be used by administrators or operators who need to manage all aspects of Vault. default: This policy grants access to all secrets and operations in Vault except for those that require specific policies. It can be used as a fallback policy when no other policy matches. transit: This policy grants access only to the transit secrets engine, which handles cryptographic functions on data in-transit. It can be used by applications or services that need to encrypt or decrypt data using Vault. These policies allow an organization to perform useful tasks such as: Encrypting, decrypting, and rewrapping data using the transit engine all in one policy: This policy grants access to both the transit secrets engine and the default policy, which allows performing any operation on any secret in Vault. Creating a transit encryption key for encrypting, decrypting, and rewrapping encrypted data: This policy grants access only to the transit secrets engine and its associated keys, which are used for encrypting and decrypting data in transit using AES-GCM with a 256-bit AES key or other supported key types. Separating permissions allowed on actions associated with the transit secret engine: This policy grants access only to specific actions related to the transit secrets engine, such as creating keys or wrapping requests. It does not grant access to other operations or secrets in Vault.

• Question 18:

  You are using the Vault userpass auth method mounted at auth/userpass. How do you create a new user named "sally" with password "h0wN0wB4r0wnC0w"? This new user will need the power-users policy.

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: D

  To create a new user named "sally" with password "h0wN0wB4r0wnC0w" and the power-users policy, you would use the Vault userpass auth method mounted at auth/userpass. You would use the following command: "vault write auth/

  userpass/users/sally password=h0wN0wB4r0wnC0w policies=power-users". This command would create a new user named "sally" with the specified password and policy.

  References:

  [Userpass Auth Method | Vault | HashiCorp Developer] [Create Vault policies | Vault | HashiCorp Developer]

• Question 19:

  To make an authenticated request via the Vault HTTP API, which header would you use?

  A. The X-Vault-Token HTTP Header

  B. The x-Vault-Request HTTP Header

  C. The Content-Type HTTP Header

  D. The X-Vault-Namespace HTTP Header

  Correct Answer: A

  To make an authenticated request via the Vault HTTP API, you need to use the X-Vault-Token HTTP Header or the Authorization HTTP Header using the Bearer scheme. The token is a string that represents your identity and permissions in Vault. You can obtain a token by using an authentication method, such as userpass, approle, aws, etc. The token can also be a root token, which has unlimited access to Vault, or a wrapped token, which is a response

  wrapping token that can be used to unwrap the actual token. The token must be sent with every request to Vault that requires authentication, except for the unauthenticated endpoints, such as sys/init, sys/seal-status, sys/unseal, etc. The

  token is used by Vault to verify your identity and enforce the policies that grant or deny access to various paths and operations. References:

  https://developer.hashicorp.com/vault/api-docs3,

  https://developer.hashicorp.com/vault/docs/concepts/tokens4, https://developer.hashicorp.com/vault/docs/concepts/auth5

• Question 20:

  How would you describe the value of using the Vault transit secrets engine?

  A. Vault has an API that can be programmatically consumed by applications

  B. The transit secrets engine ensures encryption in-transit and at-rest is enforced enterprise wide

  C. Encryption for application data is best handled by a storage system or database engine, while storing encryption keys in Vault

  D. The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault

  Correct Answer: D

  The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault. The transit secrets engine provides encryption as a service, which means that it performs cryptographic operations on data in-transit without storing any data. This allows developers to delegate the responsibility of managing encryption keys and algorithms to Vault operators, who can define and enforce policies on the transit secrets engine. This way, developers can focus on their application logic and data, while Vault handles the encryption and decryption of data in a secure and scalable manner. References: Transit - Secrets Engines | Vault | HashiCorp Developer, Encryption as a service: transit secrets engine | Vault | HashiCorp Developer