Free HashiCorp VA-003-P Practice Exams

Question #1

Which of the following statements describe the secrets engine in Vault? Choose three correct answers.

A . Some secrets engines simply store and read data
B . Once enabled, you cannot disable the secrets engine
C . You can build your own custom secrets engine
D . Each secrets engine is isolated to its path
E . A secrets engine cannot be enabled at multiple paths

Correct Answer: ACD
ACD

Explanation:

Secrets engines are components that store, generate, or encrypt data in Vault. They are enabled at a specific path in Vault and have their own API and configuration.

Some of the statements that describe the secrets engines in Vault are:

Some secrets engines simply store and read data, such as the key/value secrets engine, which acts like an encrypted Redis or Memcached. Other secrets engines perform more complex operations, such as generating dynamic credentials, encrypting data, issuing certificates, etc1.

You can build your own custom secrets engine by using the plugin system, which allows you to write and run your own secrets engine as a separate process that communicates with Vault over gRPC. You can also use the SDK to create your own secrets engine in Go and compile it into Vault2.

Each secrets engine is isolated to its path, which means that the secrets engine cannot access or interact with other secrets engines or data outside its path. The path where the secrets engine is enabled can be customized and can have multiple segments. For example, you can enable the AWS secrets engine at aws/ or aws/prod/ or aws/dev/3.

The statements that are not true about the secrets engines in Vault are:

You can disable an existing secrets engine by using the vault secrets disable command or the sys/mounts API endpoint. When a secrets engine is disabled, all of its secrets are revoked and all of its data is deleted from the storage backend4.

A secrets engine can be enabled at multiple paths, with a few exceptions, such as the system and identity secrets engines. Each secrets engine enabled at a different path is independent and isolated from others. For example, you can enable the KV secrets engine at kv/ and secret/ and they will not share any data3.

Reference:

1(https://developer.hashicorp.com/vault/docs/secrets), 2(https://developer.hashicorp.com/vault/docs/secrets), 3(https://developer.hashicorp.com/vault/docs/secrets), 4(https://developer.hashicorp.com/vault/docs/secrets)

Question #2

The following three policies exist in Vault.

What do these policies allow an organization to do?

A . Separates permissions allowed on actions associated with the transit secret engine
B . Nothing, as the minimum permissions to perform useful tasks are not present
C . Encrypt, decrypt, and rewrap data using the transit engine all in one policy
D . Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data

Reveal Solution Hide Solution

Question #3

Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool.

Which secrets engine would you recommend?

A . Google Cloud Secrets Engine
B . Identity secrets engine
C . Key/Value secrets engine version 2
D . SSH secrets engine

Reveal Solution Hide Solution

Question #4

As a best practice, the root token should be stored in which of the following ways?

A . Should be revoked and never stored after initial setup
B . Should be stored in configuration automation tooling
C . Should be stored in another password safe
D . Should be stored in Vault

Reveal Solution Hide Solution

Question #5

Which of these is not a benefit of dynamic secrets?

A . Supports systems which do not natively provide a method of expiring credentials
B . Minimizes damage of credentials leaking
C . Ensures that administrators can see every password used
D . Replaces cumbersome password rotation tools and practices

Reveal Solution Hide Solution

Question #6

What are orphan tokens?

A . Orphan tokens are tokens with a use limit so you can set the number of uses when you create them
B . Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
C . Orphan tokens are tokens with no policies attached
D . Orphan tokens do not expire when their own max TTL is reached

Reveal Solution Hide Solution

Question #7

What environment variable overrides the CLI’s default Vault server address?

A . VAULT_ADDR
B . VAULT_HTTP_ADORESS
C . VAULT_ADDRESS
D . VAULT _HTTPS_ ADDRESS

Reveal Solution Hide Solution

Question #8

You are using the Vault userpass auth method mounted at auth/userpass.

How do you create a new user named "sally" with password "h0wN0wB4r0wnC0w"? This new user will need the power-users policy.

A)

B)

C)

D)

A . Option A
B . Option B
C . Option C
D . Option D

Reveal Solution Hide Solution

Question #9

Which of the following cannot define the maximum time-to-live (TTL) for a token?

A . By the authentication method t natively provide a method of expiring credentials
B . By the client system f credentials leaking
C . By the mount endpoint configuration very password used
D . A parent token TTL e password rotation tools and practices
E . System max TTL

Reveal Solution Hide Solution

Question #10

What is the Vault CLI command to query information about the token the client is currently using?

A . vault lookup token
B . vault token lookup
C . vault lookup self
D . vault self-lookup

Reveal Solution Hide Solution