Q61. How would you describe the value of using the Vault transit secrets engine?
A. Vault has an API that can be programmatically consumed by applications
B. The transit secrets engine ensures encryption in-transit and at-rest is enforced enterprise wide
C. Encryption for application data is best handled by a storage system or database engine, while storing encryption keys in Vault
D. The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault
Answer
D
Q62. What is the Vault CLI command to query information about the token the client is currently using?
A. vault lookup token
B. vault token lookup
C. vault lookup self
D. vault self lookup
Answer
B
Q63. Which of the following is a machine-oriented Vault authentication backend?
A. Okta
B. AppRole
C. Transit
D. GitHub
Answer
B
Q64. Security requirements demand that no secrets appear in the shell history. Which command does not meet this requirement?
A. generate-password | vault kv put secret/password value=-
B. vault kv put secret/password value=itsasecret
C. vault kv put secret/password [email protected]
D. vault kv put secret/password value=$SECRET_VALUE
Answer
B
Q65. You can build a high availability Vault cluster with any storage backend.
A. True
B. False
Answer
B
Q66. What command creates a secret with the key “my-password” and the value “53cr3t” at path “my-secrets” within the KV secrets engine mounted at “secret”?
A. vault kv put secret/my-secrets/my-password 53cr3t
B. vault kv write secret/my-secrets/my-password 53cr3t
C. vault kv write 53cr3t my-secrets/my-password
D. vault kv put secret/my-secrets my-password-53cr3t
Answer
D
Q67. What can be used to limit the scope of a credential breach?
A. Storage of secrets in a distributed ledger
B. Enable audit logging
C. Use of a short-lived dynamic secrets
D. Sharing credentials between applications
Answer
C
Q68. What environment variable overrides the CLI’s default Vault server address?
A. VAULT_ADDR
B. VAULT_HTTP_ADDRESS
C. VAULT_ADDRESS
D. VAULT_HTTPS_ADDRESS
Answer
A
Q69. Which of the following statements describe the CLI command below?
$ vault login -method=ldap username=mitchellh
A. Generates a token which is response wrapped
B. You will be prompted to enter the password
C. By default, the generated token is valid for 24 hours
D. Fails because the password is not provided
Answer
D
Q70. The following three policies exist in Vault. What do these policies allow an organization to do?
path "transit/encrypt/my_app_key" {
capabilities = ["update"]
}
path "transit/decrypt/my_app_key" {
capabilities = ["update"]
}
path "transit/keys/my_app_key" {
capabilities = ["read"]
}
path "transit/rewrap/my_app_key" {
capabilities = ["update"]
}
A. Separates permissions allowed on actions associated with the transit secret engine
B. Nothing, as the minimum permissions to perform useful tasks are not present
C. Encrypt decrypt, and rewrap data using the transit engine all in one policy
D. Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data
Answer
A