Q71. Your DevOps team would like to provision VMs in GCP via a CI/CD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?
A. Google Cloud Secrets Engine
B. Identity secrets engine
C. Key/Value secrets engine version 2
D. SSH secrets engine
Answer
A
Q72. Which of these is not a benefit of dynamic secrets?
A. Supports systems which do not natively provide a method of expiring credentials
B. Minimizes damage of credentials leaking
C. Ensures that administrators can see every password used
D. Replaces cumbersome password rotation tools and practices
Answer
C
Q73. Which of the following cannot define the maximum time-to-live (TTL) for a token?
A. By the authentication method
B. By the client system
C. By the mount endpoint configuration
D. A parent token TTL
E. System max TTL
Answer
B
Q74. What are orphan tokens?
A. Orphan tokens are tokens with a use limit so you can set the number of uses when you create them
B. Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
C. Orphan tokens are tokens with no policies attached
D. Orphan tokens do not expire when their own max TTL is reached
Answer
B
Q75. To give a role the ability to display or output all of the endpoints under the /secrets/apps/* endpoint, it would need to have which capability set?
A. update
B. read
C. sudo
D. list
E. None of the above
Answer
D
Q76. You have been tasked with writing a policy that will allow read permissions for all secrets at path secret/bar. The users that are assigned this policy should also be able to list the secrets. What should this policy look like?
A.
path "secret/bar/*" {
  capabilities = ["read", "list"]
}
B.
path "secret/bar/*" {
  capabilities = ["list"]
}
path "secret/bar/" {
  capabilities = ["read"]
}
C.
path "secret/bar/*" {
  capabilities = ["read"]
}
path "secret/bar/" {
  capabilities = ["list"]
}
D.
path "secret/bar/+" {
  capabilities = ["read", "list"]
}
Answer
D
Q77. How many Shamir’s key shares are required to unseal a Vault instance?
A. All key shares
B. A quorum of key shares
C. One or more keys
D. The threshold number of key shares
Answer
D
Q78. Which of these are benefits of using the Vault Agent?
A. Vault Agent allows for centralized configuration of application secrets engines
B. Vault Agent will auto-discover which authentication mechanism to use
C. Vault Agent will enforce minimum levels of encryption an application can use
D. Vault Agent will manage the lifecycle of cached tokens and leases automatically
Answer
D
Q79. Which of the following describes usage of an identity group?
A. Limit the policies that would otherwise apply to an entity in the group
B. When they want to revoke the credentials for a whole set of entities simultaneously
C. Audit token usage
D. Consistently apply the same set of policies to a collection of entities
Answer
D
Q80. Vault supports which type of configuration for source-limited tokens?
A. Cloud-bound tokens
B. Domain-bound tokens
C. CIDR-bound tokens
D. Certificate-bound tokens
Answer
C