Q1. Why might an application be mapped to an identity entity?
A. To prohibit Vault administrators from revoking tokens associated with that application
B. To get around cloud license limitations
C. To allow an application deployed with multiple authentication methods to have a consistent set of policies
D. To allow the same application in one cloud to access already provisioned Vault tokens for that application in another cloud
Answer
C
Q2. Unsealing a single Vault server in a cluster unseals all Vault servers in that cluster.
A. True
B. False
Answer
B
Q3. Which endpoint can be used to list all tokens?
A. /kv/secrets
B. /auth/token/list
C. /secrets/kv
D. /auth/token/accessors
Answer
D
Q4. The mechanism to associate an authentication method with access to specific secrets is by specifying a/an:
A. Accessor
B. Token
C. Policy
D. Secret
Answer
C
Q5. You are managing a Vault implementation that has been integrated with Azure SQL database to provide dynamic credentials. You have created a role that will provide database credentials for database administrators (DBAs) to use for managing their database in Azure SQL. A DBA has requested a new credential by issuing the following Vault CLI command: vault read azuresql/creds/dba_access. The following output is returned:
| Key | Value |
|---|---|
| lease_id | azuresql/creds/dba_access/2e5b1e0b-a081-c7e1-5622-39f58e79a719 |
| lease_duration | 1h0m0s |
| lease_renewable | true |
| password | A1a-48w04t1xzw1s33z3 |
| username | v-token-dba_access-tr2t4x9pxvq1z8878s9s-1513446795 |
The DBA has completed their work and would like to proactively remove the credential now that their work is complete.
Which of the following commands should the DBA execute?
A. vault delete azuresql/creds/dba_access
B. vault lease revoke v-token-dba_access-tr2t4x9pxvq1z8878s9s-1513446795
C. vault delete azuresql/creds/dba_access/2e5b1e0b-a081-c7e1-5622-39f58e79a719
D. vault lease revoke azuresql/creds/dba_access/2e5b1e0b-a081-c7e1-5622-39f58e79a719
Answer
D
Q6. One of the benefits of using the Vault transit secrets engine is its ability to easily rotate encryption keys. Which of these is true regarding key rotation?
A. Vault automatically rotates the encryption key based on a set period
B. Vault can rotate encryption keys, but cannot enforce restrictions about the minimum encryption key version
C. Vault does not maintain the versioned keyring
D. Encryption keys can be rotated manually by a user, or by an automated process which invokes the key rotation API
Answer
D
Q7. What is not a function provided by Vault’s transit secret engine?
A. Generating random bytes
B. Encrypting data
C. Storing ciphertext data
D. Verifying signed data
E. None of the above
Answer
C
Q8. A user issues the following cURL command to encrypt data using the transit engine and the Vault API:
curl \
--header "X-Vault-Token: c4f280f6-fdb2-18eb-89d3-589e2e834cdb" \
--request POST \
--data @payload.json \
http://127.0.0.1:8200/v1/transit/encrypt/my-key
Which payload.json file has the correct contents?
A.
{
"data": {
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
}
}
B.
{
"plaintext": "dGhlIHF1aWNrIGJyb3duIGZveA=="
}
C.
{
"ciphertext": "vault:v1:abcdefgh"
}
D.
{
"data": {
"ciphertext": "vault:v1:abcdefgh"
}
}
Answer
B
Q9. Which of the following storage backends supports high availability?
A. Azure Storage Container
B. Manta
C. Amazon S3
D. Consul
Answer
D
Q10. Which command will generate a new transit key?
A. vault put transit/keys/my-key
B. vault create -f transit/keys/my-key
C. vault write -f transit/keys/my-key
D. vault create transit/keys/my-key
Answer
C