Q51. Which of the following vault lease operations uses a lease_id as an argument? (Choose two.)
A. renew
B. revoke -prefix
C. create
D. describe
E. revoke
Answer
A, E
Q52. An organization wants to authenticate an AWS EC2 virtual machine with Vault to access a dynamic database secret. The only authentication method which they can use in this case is AWS.
A. True
B. False
Answer
B
Q53. You are using Vault’s Transit secrets engine to encrypt your data. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?
A. Use 4096-bit RSA key to encrypt the data
B. Upgrade to Vault Enterprise and integrate with HSM
C. Periodically re-key the Vault’s unseal keys
D. Periodically rotate the encryption key
Answer
D
Q54. What does the following policy do?
path "secret/data/{{identity.entity.id}}/*" {
capabilities = ["create", "update", "read", "delete"]
}
path "secret/metadata/{{identity.entity.id}}/*" {
capabilities = ["list"]
}
A. Grants access for each user to a KV folder which shares their id
B. Grants access to a special system entity folder
C. Allows a user to read data about the secret endpoint identity
D. Nothing, this is not a valid policy
Answer
A
Q55. To make an authenticated request via the Vault HTTP API, which header would you use?
A. The X-Vault-Token HTTP Header
B. The X-Vault-Request HTTP Header
C. The Content-Type HTTP Header
D. The X-Vault-Namespace HTTP Header
Answer
A
Q56. Which of the following replication methods are available in Vault Enterprise? (Choose two.)
A. Cluster sharding
B. Namespaces
C. Performance Replication
D. Disaster Recovery Replication
Answer
C, D
Q57. The key/value v2 secrets engine is enabled at secret/. See the following policy:
path "secret/data/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/super-secret" {
capabilities = ["deny"]
}
Which of the following operations are permitted by this policy? (Choose two.)
A. vault kv get secret/webapp1
B. vault kv put secret/webapp1 apikey="ABCDEFGHIDK123W"
C. vault kv metadata get secret/webapp1
D. vault kv delete secret/super-secret
E. vault kv list secret/super-secret
Answer
A, B
Q58. You are using the Vault userpass auth method mounted at auth/userpass. How do you create a new user named “sally” with password “h0wN0wB4r0wnC0w”? This new user will need the power-users policy.
A.
vault put auth/userpass/users/sally \
password=h0wN0wB4r0wnC0w \
policies=power-users
B.
vault write userpass/sally \
password=h0wN0wB4r0wnC0w \
policies=power-users
C.
vault kv write userpass/sally \
password=h0wN0wB4r0wnC0w \
policies=power-users
D.
vault write auth/userpass/users/sally \
password=h0wN0wB4r0wnC0w \
policies=power-users
Answer
D
Q59. The vault lease renew command increments the lease time from:
A. The current time
B. The end of the lease
Answer
A
Q60. You have a 2GB Base64 binary large object (blob) that needs to be encrypted. Which of the following best describes the transit secrets engine?
A. A data key encrypts the blob locally, and the same key decrypts the blob locally.
B. To process such a large blob, Vault will temporarily store it in the storage backend.
C. Vault will store the blob permanently. Be sure to run Vault on a compute optimized machine.
D. The transit engine is not a good solution for binaries of this size.
Answer
A