Free Vault Associate 002 Sample Questions — HashiCorp Certified: Vault Associate (002)

Free Vault Associate 002 sample questions for the HashiCorp Certified: Vault Associate (002) exam. No account required: study at your own pace.


Question 1

The Vault encryption key is stored in Vault’s backend storage.

  • A. True
  • B. False
Correct Answer:
A. True
Question 2

Which of these is not a benefit of dynamic secrets?

  • A. Supports systems which do not natively provide a method of expiring credentials
  • B. Minimizes damage of credentials leaking
  • C. Ensures that administrators can see every password used
  • D. Replaces cumbersome password rotation tools and practices
Correct Answer:
C. Ensures that administrators can see every password used
Question 3

To encrypt your secret with the transit secrets engine, you must send the Base32-encoded plaintext to Vault.

  • A. True
  • B. False
Correct Answer:
B. False
Question 4

When an auth method is disabled, all users authenticated via that method lose access.

  • A. True
  • B. False
Correct Answer:
A. True
Question 5

Your DevOps team would like to provision VMs in GCP via a CI/CD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

  • A. Google Cloud Secrets Engine
  • B. Identity secrets engine
  • C. Key/Value secrets engine version 2
  • D. SSH secrets engine
Correct Answer:
A. Google Cloud Secrets Engine
Question 6

Vault Agent supports which of the following? (Choose two.)

  • A. Secrets Caching
  • B. Local key/value store
  • C. Local replica of transit encryption key
  • D. Auto-unseal Vault
  • E. Auto authentication
Correct Answer:
  • A. Secrets Caching
  • E. Auto authentication
Question 7

Your organization has an initiative to reduce and ultimately remove the use of long-lived X.509 certificates. Which secrets engine will best support this use case?

  • A. PKI
  • B. Key/Value secrets engine version 2, with TTL defined
  • C. Cloud KMS
  • D. Transit
Correct Answer:
A. PKI
Question 8

What command creates a secret with the key "my-password" and the value "53cr3t" at path "my-secrets" within the KV secrets engine mounted at "secret"?

  • A. vault kv put secret/my-secrets/my-password 53cr3t
  • B. vault kv write secret/my-secrets/my-password 53cr3t
  • C. vault kv write 53cr3t my-secrets/my-password
  • D. vault kv put secret/my-secrets my-password-53cr3t
Correct Answer:
D. vault kv put secret/my-secrets my-password-53cr3t
Question 9

Which of the following is a reason to rekey a Vault cluster? (Choose two.)

  • A. keyholder joins or leaves the organization
  • B. Adding additional Vault nodes to a cluster
  • C. The root token is lost
  • D. compliance mandate to rotate the master key at a regular interval
  • E. Upgrading Vault Community Edition to Vault Enterprise
Correct Answer:
  • A. keyholder joins or leaves the organization
  • D. compliance mandate to rotate the master key at a regular interval
Question 10

Which Vault secret engine may be used to build your own internal certificate authority?

  • A. Transit
  • B. PKI
  • C. PostgreSQL
  • D. Generic
Correct Answer:
B. PKI
Question 11

Which of the following are replication methods available in Vault Enterprise? (Choose two.)

  • A. Cluster sharding
  • B. Namespaces
  • C. Performance Replication
  • D. Disaster Recovery Replication
Correct Answer:
  • C. Performance Replication
  • D. Disaster Recovery Replication
Question 12

You are using Vault’s Transit secrets engine to encrypt your data. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?

  • A. Use 4096-bit RSA key to encrypt the data
  • B. Upgrade to Vault Enterprise and integrate with HSM
  • C. Periodically re-key the Vault's unseal keys
  • D. Periodically rotate the encryption key
Correct Answer:
D. Periodically rotate the encryption key
Question 13

An organization would like to use a scheduler to track & revoke access granted to a job (by Vault) at completion. What auth-associated Vault object should be tracked to enable this behavior?

  • A. Token accessor
  • B. Token ID
  • C. Lease ID
  • D. Authentication method
Correct Answer:
A. Token accessor
Question 14

You can build a high availability Vault cluster with any storage backend.

  • A. True
  • B. False
Correct Answer:
B. False
Question 15

Which statement describes the results of this command: vault kv list secret/test?

  • A. Check the status of a specific key/value secrets engine
  • B. List the existing key names at the “secret/test” path
  • C. Output all key/value secrets engines
  • D. Output all key names from all key/value secrets engine
Correct Answer:
B. List the existing key names at the “secret/test” path
Question 16

The mechanism to associate an authentication method with access to specific secrets is by specifying a/an:

  • A. Accessor
  • B. Token
  • C. Policy
  • D. Secret
Correct Answer:
C. Policy
Question 17

The vault lease renew command increments the lease time from:

  • A. The current time
  • B. The end of the lease
Correct Answer:
A. The current time
Question 18

What are orphan tokens?

  • A. Orphan tokens are tokens with a use limit so you can set the number of uses when you create them
  • B. Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
  • C. Orphan tokens are tokens with no policies attached
  • D. Orphan tokens do not expire when their own max TTL is reached
Correct Answer:
B. Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
Question 19

You are performing a high number of authentications in a short amount of time. You're experiencing slow throughput for token generation. How would you solve this problem?

  • A. Increase the time-to-live on service tokens
  • B. Implement batch tokens
  • C. Establish a rate limit quota
  • D. Reduce the number of policies attached to the tokens
Correct Answer:
B. Implement batch tokens
Question 20

Which of the following is a machine-oriented Vault authentication backend?

  • A. Okta
  • B. AppRole
  • C. Transit
  • D. GitHub
Correct Answer:
B. AppRole
