Q31. Which of the following statements are true about the default policy? (Choose two.)
A. It is one of the built-in policies
B. Provides a common set of permissions and is included on all tokens by default
C. Can not be modified or deleted
D. Gives a super admin permissions, similar to a root user on a Linux machine
E. Vault upgrade will overwrite any update you made to the default policy
Answer
A, B
Q32. You are performing a high number of authentications in a short amount of time. You’re experiencing slow throughput for token generation. How would you solve this problem?
A. Increase the time-to-live on service tokens
B. Implement batch tokens
C. Establish a rate limit quota
D. Reduce the number of policies attached to the tokens
Answer
B
Q33. When looking at Vault token details, which key helps you find the paths the token is able to access?
A. Meta
B. Path
C. Policies
D. Accessor
Answer
C
Q34. A developer mistakenly committed code that contained AWS S3 credentials into a public repository. You have been tasked with revoking the AWS S3 credential that was in the code. This credential was created using Vault’s AWS secrets engine and the developer received the following output when requesting a credential from Vault.
| Key | Value |
|---|---|
| lease_id | aws/creds/s3-access/f3e92392-7d9c-09c8-c921-575d62fe80d8 |
| lease_duration | 768h |
| lease_renewable | true |
| access_key | AKIAIOWQXTLW36DV7IEA |
| secret_key | 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 |
Which Vault command will revoke the lease and remove the credential from AWS?
A. vault lease revoke aws/creds/s3-access/f3e92392-7d9c-09c8-c921-575d62fe80d8
B. vault lease revoke AKIAIOWQXTLW36DV7IEA
C. vault lease revoke f3e92392-7d9c-09c8-c921-575d62fe80d8
D. vault lease revoke access_key=AKIAIOWQXTLW36DV7IEA
Answer
A
Q35. When an auth method is disabled, all users authenticated via that method lose access.
A. True
B. False
Answer
A
Q36. An authentication method should be selected for a use case based on:
A. The auth method that best establishes the identity of the client
B. The cloud provider on which the client is located
C. The strongest available cryptographic hash for the use case
D. Compatibility with the secrets engine that is to be used
Answer
A
Q37. A web application uses Vault’s transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit, which of the following statements are true? (Choose two.)
A. You can rotate the encryption key so that the attacker won’t be able to decrypt the data
B. The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted
C. The Vault administrator would need to seal the Vault server immediately
D. Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)
Answer
B, D
Q38. The Vault encryption key is stored in Vault’s backend storage.
A. True
B. False
Answer
A
Q39. Which of the following statements describe the secrets engine in Vault? (Choose three.)
A. Some secrets engines simply store and read data
B. Once enabled, you cannot disable the secrets engine
C. You can build your own custom secrets engine
D. Each secrets engine is isolated to its path
E. A secrets engine cannot be enabled at multiple paths
Answer
A, C, D
Q40. What is a benefit of response wrapping?
A. Log every use of a secret
B. Load balance secret generation across a Vault cluster
C. Provide error recovery to a secret so it is not corrupted in transit
D. Ensure that only a single party can ever unwrap the token and see what’s inside
Answer
D