Q41. Which of the following describes the Vault’s auth method component?
A. It verifies a client against an internal or external system, and generates a token with the appropriate policies attached
B. It verifies a client against an internal or external system, and generates a token with root policy
C. It is responsible for durable storage of client tokens
D. It dynamically generates a unique set of secrets with appropriate permissions attached
Answer
A
Q42. Which Vault secret engine may be used to build your own internal certificate authority?
A. Transit
B. PKI
C. PostgreSQL
D. Generic
Answer
B
Q43. Which of the following statements are true about Vault policies? (Choose two.)
A. The default policy cannot be modified
B. You must use YAML to define policies
C. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault
D. Vault must be restarted in order for a policy change to take effect
E. Policies deny by default (empty policy grants no permission)
Answer
C, E
Q44. An organization would like to use a scheduler to track and revoke access granted to a job (by Vault) at completion.
Which auth-associated Vault object should be tracked to enable this behavior?
A. Token accessor
B. Token ID
C. Lease ID
D. Authentication method
Answer
A
Q45. Which statement describes the results of this command: $ vault secrets enable transit?
A. Enables the transit secrets engine at transit path
B. Requires a root token to execute the command successfully
C. Enables the transit secrets engine at secret path
D. Fails due to missing -path parameter
E. Fails because the transit secrets engine is enabled by default
Answer
A
Q46. Which of these options does not allow the creation of a root token?
A. By using batch tokens
B. By using another root token
C. The initial root token generated at the vault operator init time
D. By using vault operator generate-root with the permission of a quorum of unseal key holders
Answer
A
Q47. You manage two Vault clusters: "vaultcluster1.acme.corp" and "vaultcluster2.acme.corp". You want to write a secret to the first Vault cluster, vaultcluster1.acme.corp, and run vault kv put secret/foo value='bar'. The command times out and the error references the Vault cluster "vaultcluster2.acme.corp".
You run the command again with the following address flag:
vault kv put -address='https://vaultcluster1.acme.corp' secret/foo value='bar'
The command completes successfully. You find that the terminal session defines the environment variable VAULT_ADDR='https://vaultcluster2.acme.corp:8200'
Why was the second attempt successful?
A. Environment variables take precedence over flags
B. VAULT_CLUSTER_ADDR needs to be provided
C. Flags take precedence over environment variables
D. Vault listener is misconfigured
Answer
C
Q48. The 'alpha' secrets are stored in team-based paths using this convention: secret/
Which Vault policy would not allow reading paths with the word "beta" in them, such as secrets/team01/beta?
A.
path "secrets/*" {
capabilities = ["read"]
}
B.
path "secrets/+/alpha" {
capabilities = ["read"]
}
C.
path "alpha" {
capabilities = ["read"]
}
D. None of the above
Answer
C
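The two policy questions above (Q43's deny-by-default rule and Q48's path patterns) come down to how Vault matches a request path against policy rules: "+" matches exactly one path segment, a trailing "*" matches any remaining suffix, an empty policy grants nothing, and "deny" wins over everything. The following is an added example written for this page, not HashiCorp's code: a simplified Python model of that matching, with the three policies from Q48 constructed as rule lists so their behavior can be checked side by side. The rule-priority ordering in specificity() is a simplification of Vault's full priority rules.

```python
"""Simplified model of Vault ACL path matching (added example, not Vault's code)."""
from typing import List, Tuple

Rule = Tuple[str, List[str]]   # (path pattern, capabilities)
Policy = List[Rule]


def path_matches(pattern: str, path: str) -> bool:
    """Vault-style matching: '+' matches exactly one path segment and a
    trailing '*' (glob, only allowed at the end) matches any remaining suffix."""
    glob = pattern.endswith("*")
    pat_segs = (pattern[:-1] if glob else pattern).split("/")
    path_segs = path.split("/")
    if glob:
        if len(path_segs) < len(pat_segs):
            return False
        # Every full segment before the glob must match ('+' = any one segment) ...
        for ps, xs in zip(pat_segs[:-1], path_segs):
            if ps != "+" and ps != xs:
                return False
        # ... and the partial last segment is a prefix of the corresponding path segment.
        return path_segs[len(pat_segs) - 1].startswith(pat_segs[-1])
    if len(pat_segs) != len(path_segs):
        return False
    return all(ps == "+" or ps == xs for ps, xs in zip(pat_segs, path_segs))


def specificity(pattern: str) -> Tuple[int, int, int]:
    """Ordering used to pick one rule when several match (a simplification of
    Vault's priority rules): exact beats '+' wildcard beats glob, then longer wins."""
    return (0 if pattern.endswith("*") else 1, 0 if "+" in pattern else 1, len(pattern))


def capabilities(policies: List[Policy], path: str) -> set:
    """Deny by default: with no matching rule (or an empty policy) nothing is granted.
    Within one policy the most specific matching rule wins; across policies the
    winning capabilities are unioned, and any winning 'deny' overrides the rest."""
    granted: set = set()
    for policy in policies:
        matches = [r for r in policy if path_matches(r[0], path)]
        if not matches:
            continue
        best = max(matches, key=lambda r: specificity(r[0]))
        if "deny" in best[1]:
            return {"deny"}
        granted |= set(best[1])
    return granted


# Constructed policies mirroring Q48's options A, B and C, plus an empty policy for Q43.
POLICY_A: Policy = [("secrets/*", ["read"])]
POLICY_B: Policy = [("secrets/+/alpha", ["read"])]
POLICY_C: Policy = [("alpha", ["read"])]
EMPTY_POLICY: Policy = []


def can_read(policy: Policy, path: str) -> bool:
    return "read" in capabilities([policy], path)


if __name__ == "__main__":
    for name, pol in (("A", POLICY_A), ("B", POLICY_B), ("C", POLICY_C)):
        for p in ("secrets/team01/alpha", "secrets/team01/beta"):
            print(f"policy {name}: read {p}: {can_read(pol, p)}")
```

Running it shows that policy A reads both alpha and beta, policy B reads only the alpha paths, and policy C matches neither (it names a literal path "alpha" with no team prefix), which is why B is the pattern you would actually deploy for "all teams' alpha secrets, never beta" while C grants nothing useful at all.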
Q49. Which statement describes the results of this command: vault kv list secret/test?
A. Check the status of a specific key/value secrets engine
B. List the existing key names at the “secret/test” path
C. Output all key/value secrets engines
D. Output all key names from all key/value secrets engines
Answer
B
Q50. Where can you set the Vault seal configuration? (Choose two.)
A. Cloud Provider KMS
B. Vault CLI
C. Vault configuration file
D. Environment variables
E. Vault API
Answer
C, D