HashiCorp | Vault Multiple Choice Training Exam
The Vault Associate 002 exam contains 10 sections. Below, you’ll find some recurring questions that can help you prepare for the exam.
Multiple Choice Exam
Module 1: Compare Authentication Methods
- What is a primary purpose of authentication methods in Vault?
- To manage secrets
- To revoke leases
- To encrypt data
- To verify and authorize users
- Which authentication method in Vault utilizes AWS IAM roles?
- LDAP
- Token
- AWS IAM
- TLS Certificate
- In Vault, which authentication method is commonly used for machine-to-machine communication?
- Username/Password
- Token
- AWS IAM
- LDAP
- What authentication method in Vault requires a signed X.509 certificate from a trusted CA?
- LDAP
- Token
- AWS IAM
- TLS Certificate
- Which authentication method in Vault provides short-lived tokens for temporary access?
- Username/Password
- AWS IAM
- Token
- LDAP
- What authentication method in Vault is suitable for human users?
- Username/Password
- Token
- AWS IAM
- TLS Certificate
- Which authentication method in Vault uses client-side TLS certificates?
- Username/Password
- Token
- AWS IAM
- TLS Certificate
- Which authentication method in Vault is primarily used for Kubernetes environments?
- Token
- Username/Password
- AWS IAM
- Kubernetes
- In Vault, what is the purpose of LDAP authentication?
- To authenticate using AWS IAM roles
- To generate temporary access tokens
- To authenticate machines
- To integrate with existing LDAP directories
- Which authentication method in Vault is recommended for automated processes?
- Username/Password
- Token
- AWS IAM
- LDAP
Module 2: Create Vault Policies
- What is the primary function of a Vault policy?
- To authenticate users
- To define access control rules
- To manage leases
- To generate tokens
- How are policies associated with users or tokens in Vault?
- By assigning roles
- By attaching policies directly
- By defining ACLs
- By using LDAP groups
- What language is commonly used to define Vault policies?
- JSON
- HCL (HashiCorp Configuration Language)
- YAML
- XML
- What does a Vault policy specify?
- Authentication methods
- Permissions on paths and operations
- TLS certificates
- Lease durations
- Which Vault CLI command is used to create a new policy?
- vault authenticate
- vault policy write
- vault token create
- vault lease create
- How are policies evaluated in Vault?
- Deny-by-default
- Allow-by-default
- Deny-never
- Allow-never
- What happens if a user or token is associated with multiple policies in Vault?
- Only the most permissive policy is applied
- Only the least permissive policy is applied
- Policies are merged, granting the union of permissions
- Policies are ignored
- In Vault, what is the purpose of a wildcard (*) in a policy path?
- To deny all access to the path
- To specify a particular operation
- To restrict access to certain users
- To match any subpath under the specified path
- Which of the following is a valid Vault policy statement?
- `path "/secrets/*" { deny = ["read"] }`
- `path "secret/data/*" { capabilities = ["create", "read", "update"] }`
- `path "secrets/" { capabilities = ["read", "write"] }`
- `path "/secret/" { allow = [""] }`
- What is the default behavior of Vault if a user or token has no associated policy?
- Access is granted with full permissions
- Access is denied
- Access is granted with read-only permissions
- Access is limited to what the built-in default policy allows
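The policy questions above turn on four rules: a policy is a set of path rules in HCL, every attached policy is merged, a path with no matching rule is denied, and a `deny` capability beats everything else on the same path. The evaluator below is an added example written for this page, not Vault's own ACL code. It parses the `path "..." { capabilities = [...] }` rule shape used in the questions, applies Vault's documented "most specific path wins" ordering (a trailing `*` is a glob, `+` matches one segment), unions capabilities across policies, and shows why `"write"` in the third option above is not a valid capability. The sample policies are constructed for the example; the automatic `default` policy and `root` are not modelled.

```python
import re

# Capabilities Vault accepts in an ACL rule. "deny" overrides the others.
CAPABILITIES = {"create", "read", "update", "delete", "list", "patch", "sudo", "deny"}

# Only the `path "<pattern>" { capabilities = [...] }` shape is parsed here;
# parameter constraints, wrapping TTLs etc. are out of scope for this example.
_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> list:
    """Return (path pattern, capabilities) rules parsed from a policy document."""
    rules = []
    for pattern, caps in _RULE.findall(hcl):
        capset = frozenset(c.strip().strip('"') for c in caps.split(",") if c.strip())
        unknown = capset - CAPABILITIES
        if unknown:  # e.g. "write": not a Vault capability, the policy would be rejected
            raise ValueError(f"unknown capability {sorted(unknown)} on path {pattern!r}")
        rules.append((pattern, capset))
    if not rules:
        raise ValueError("no path rules found")
    return rules


def _pattern_regex(pattern: str) -> "re.Pattern":
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/")]
    return re.compile("^" + "/".join(parts) + (".*" if glob else "") + "$")


def _priority(pattern: str) -> tuple:
    """Vault's 'most specific path wins' ordering (higher tuple = more specific):
    later first wildcard, no trailing glob, fewer '+', longer pattern, then lexical."""
    first_wild = min((i for i, ch in enumerate(pattern) if ch in "+*"), default=len(pattern))
    return (first_wild, not pattern.endswith("*"), -pattern.count("+"), len(pattern), pattern)


def evaluate(policies, path: str, capability: str) -> bool:
    """Decide one capability on one path for a token that carries several policies."""
    # Rules from every attached policy are merged per pattern (union of capabilities).
    merged = {}
    for rules in policies:
        for pattern, caps in rules:
            merged.setdefault(pattern, set()).update(caps)
    matching = [p for p in merged if _pattern_regex(p).match(path)]
    if not matching:
        return False  # deny-by-default: no rule mentions this path at all
    winner = merged[max(matching, key=_priority)]
    if "deny" in winner:
        return False  # deny wins over any other capability on the winning pattern
    return capability in winner


# Constructed sample policies for this example (not from any real deployment).
DEV_POLICY = '''
path "secret/data/*" {
  capabilities = ["create", "read", "update"]
}
'''
PROD_GUARD_POLICY = '''
path "secret/data/prod/*" {
  capabilities = ["deny"]
}
path "secret/data/+/db" {
  capabilities = ["read"]
}
'''

if __name__ == "__main__":
    dev, guard = parse_policy(DEV_POLICY), parse_policy(PROD_GUARD_POLICY)
    for p, cap in [("secret/data/app1", "read"), ("secret/data/prod/db", "read"),
                   ("secret/data/staging/db", "create"), ("sys/policies/acl/dev", "read")]:
        print(f"{cap:6} {p:28} -> {evaluate([dev, guard], p, cap)}")
```

Note that the deny on `secret/data/prod/*` wins against the dev policy's glob because it is the more specific pattern, not because deny is evaluated first: an exact-path allow in one policy still beats a broader glob deny in another.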
Module 3: Assess Vault Tokens
- What is a Vault token?
- A password for accessing secrets
- An authentication mechanism
- An AWS IAM role
- A TLS certificate
- How are tokens created in Vault?
- Manually by administrators
- Automatically during authentication
- Through LDAP integration
- Via AWS IAM roles
- Which token type in Vault is meant for long-term use and can be renewed?
- Batch Tokens
- Service Tokens
- Periodic Tokens
- Batch-Orphan Tokens
- What happens when a Vault token expires?
- It is automatically renewed
- It becomes invalid and must be recreated
- It becomes orphaned
- It is revoked
- How can token renewals be managed in Vault?
- Tokens cannot be renewed
- Through AWS IAM integration
- Using the `vault token renew` command
- By updating policies
- What is the purpose of token leasing in Vault?
- To increase the security of tokens
- To automatically revoke tokens after a specified period
- To limit the number of tokens per user
- To rotate encryption keys
- Which of the following token types in Vault is not renewable?
- Periodic Tokens
- Batch Tokens
- Service Tokens
- Batch-Orphan Tokens
- What is the difference between periodic tokens and service tokens?
- They are the same, just named differently
- Periodic tokens are manually created by administrators
- Periodic tokens can be renewed indefinitely with no max TTL, while ordinary service tokens cannot be renewed past their max TTL
- Service tokens have shorter lease durations
- How can token revocation be initiated in Vault?
- Automatically upon expiration
- By administrators only
- By users themselves
- Through AWS IAM roles
- What is the purpose of token accessors in Vault?
- To uniquely identify tokens
- To grant access to secrets
- To authenticate users
- To revoke tokens
Module 4: Manage Vault Leases
- What is a lease in Vault?
- A time-limited credential or resource allocation
- A permanent access token
- A TLS certificate
- An AWS IAM role
- Which Vault operation can be performed on leases?
- Create
- Renew
- Authenticate
- Revoke
- How are leases associated with secrets in Vault?
- Manually by administrators
- Automatically when secrets are generated
- Through LDAP integration
- Via AWS IAM roles
- What is the default lease duration for secrets in Vault?
- 1 hour
- 1 month
- 1 day
- 1 year
- Which command is used to revoke a lease in Vault?
- vault token revoke
- vault lease delete
- vault secret revoke
- vault lease revoke
- What happens when a lease is revoked in Vault?
- The associated secret is permanently deleted
- Access to the associated secret is immediately revoked
- The lease duration is extended
- A new lease is created
- How can you renew a lease in Vault?
- By manually updating the lease duration
- By using the `vault lease renew` command
- By revoking the lease and recreating it
- By updating policies
- What is the purpose of lease IDs in Vault?
- To identify users
- To uniquely identify leases
- To authenticate tokens
- To revoke leases
- In Vault, what is the difference between a lease and a token?
- There is no difference, they are synonymous
- Tokens are renewable, leases are not
- Tokens are associated with policies, leases are not
- Tokens are used for authentication, leases are used for secret access
- What happens to a secret when its associated lease expires in Vault?
- The secret is permanently deleted
- Access to the secret is revoked until manually reactivated
- The secret is invalidated and cannot be accessed
- The secret is automatically renewed
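Modules 3 and 4 ask the same questions about tokens and leases because a token's lifetime is itself a lease: it has a TTL, a max TTL that renewal cannot push past, an accessor for lookup and revocation, and child leases (dynamic secrets it requested) that die with it. The model below is an added example for this page, not Vault's token store or lease manager. It uses plain seconds instead of clocks so it runs offline, gives accessors only to service tokens, and uses the `hvs.`/`hvb.` token prefixes Vault introduced in 1.10; everything else follows the semantics the questions test: renewal is capped at the max TTL measured from issue, periodic tokens reset to their period with no ceiling, batch tokens can be neither renewed nor revoked, and revoking a token revokes the leases it created.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

HOUR = 3600  # times below are plain seconds so the example needs no clock


@dataclass
class Lease:
    """A time-limited grant: the lifetime of a token or of a dynamic secret."""
    lease_id: str
    expires_at: float
    renewable: bool
    max_expires_at: Optional[float] = None  # ceiling from max TTL; None for periodic tokens
    period: Optional[float] = None          # set only for periodic tokens
    parent_token: Optional[str] = None      # token that requested this dynamic secret
    revoked: bool = False

    def is_valid(self, now: float) -> bool:
        return not self.revoked and now < self.expires_at

    def renew(self, now: float, increment: float) -> float:
        """Extend the lease and return the new remaining TTL in seconds."""
        if not self.is_valid(now):
            raise PermissionError(f"{self.lease_id}: expired or revoked, cannot renew")
        if not self.renewable:
            raise PermissionError(f"{self.lease_id}: not renewable")
        if self.period is not None:
            # Periodic: every renewal resets the TTL to the period; no max-TTL ceiling.
            self.expires_at = now + self.period
        else:
            # Service token or secret lease: the grant can never outlive max TTL
            # counted from the time it was issued, whatever increment is requested.
            self.expires_at = min(now + increment, self.max_expires_at)
        return self.expires_at - now


class Vault:
    """Stand-in for the token store plus lease manager (assumption: not Vault's code)."""

    def __init__(self):
        self.tokens = {}     # token value -> Lease
        self.accessors = {}  # accessor -> token value
        self.leases = {}     # lease_id -> Lease for dynamic secrets

    def create_token(self, now, ttl, max_ttl, *, token_type="service", period=None):
        if token_type == "batch":
            token = "hvb." + secrets.token_urlsafe(24)  # no accessor, not renewable
            self.tokens[token] = Lease(token, now + ttl, renewable=False, max_expires_at=now + ttl)
            return token, None
        token = "hvs." + secrets.token_urlsafe(24)
        accessor = secrets.token_hex(12)  # lets you look up / revoke without knowing the token
        if period is not None:
            lease = Lease(token, now + period, renewable=True, period=period)
        else:
            lease = Lease(token, now + min(ttl, max_ttl), renewable=True, max_expires_at=now + max_ttl)
        self.tokens[token] = lease
        self.accessors[accessor] = token
        return token, accessor

    def token_lookup(self, now, token) -> Lease:
        lease = self.tokens.get(token)
        if lease is None or not lease.is_valid(now):
            raise PermissionError("invalid token")  # expired and revoked look the same to callers
        return lease

    def issue_secret(self, now, token, ttl, max_ttl) -> Lease:
        """Generate a dynamic secret on behalf of `token`; its lease is a child of the token."""
        self.token_lookup(now, token)
        lease = Lease("database/creds/readonly/" + secrets.token_hex(8), now + ttl,
                      renewable=True, max_expires_at=now + max_ttl, parent_token=token)
        self.leases[lease.lease_id] = lease
        return lease

    def revoke_token(self, token) -> None:
        if token.startswith("hvb."):
            raise PermissionError("batch tokens cannot be revoked; they expire on their own")
        self.tokens[token].revoked = True
        for child in self.leases.values():
            if child.parent_token == token:
                child.revoked = True  # revoking a token revokes every lease it created

    def revoke_accessor(self, accessor) -> None:
        self.revoke_token(self.accessors[accessor])


if __name__ == "__main__":
    v = Vault()
    tok, acc = v.create_token(0, ttl=HOUR, max_ttl=3 * HOUR)
    lease = v.token_lookup(0, tok)
    print("after renew at t=0.5h:", lease.renew(1800, HOUR), "s left")
    print("renew at t=4000s asking for 2h, capped:", lease.renew(4000, 2 * HOUR), "s left")
```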
Module 5: Compare and Configure Vault Secrets Engines
- What is a secrets engine in Vault?
- A component that stores, generates, or encrypts secrets
- A user authentication mechanism
- A TLS certificate
- An AWS IAM role
- Which type of secrets engine in Vault is used for dynamic secrets?
- Transit
- Key/Value (KV)
- Cubbyhole
- Database
- Which secrets engine is commonly used for generating encryption keys?
- AWS
- Cubbyhole
- Transit
- Database
- In Vault, which secrets engine is suitable for managing access to cloud resources?
- Cubbyhole
- Transit
- Database
- AWS
- How can a new secrets engine be enabled in Vault?
- By updating policies
- By restarting the Vault server
- Using the `vault secrets enable` command
- Through LDAP integration
- What is the purpose of dynamic secrets in Vault?
- To store long-lived secrets
- To generate short-lived credentials on demand
- To authenticate users
- To manage encryption keys
- What is a lease in the context of secrets engines in Vault?
- A permanent access token
- A TLS certificate
- An AWS IAM role
- A time-limited credential or resource allocation
- How does Vault manage revocation of dynamic secrets?
- By automatically renewing leases
- By using LDAP integration
- By revoking the associated lease
- By rotating encryption keys
- What is the purpose of mounting a secrets engine in Vault?
- To revoke all secrets associated with the engine
- To make the secrets engine accessible via a specific path
- To generate new secrets
- To authenticate users
- Which secrets engine in Vault is commonly used for generating and storing encryption keys?
- Database
- Transit
- AWS
- Key/Value (KV)
Module 6: Utilize Vault CLI
- Which Vault CLI command is used to authenticate against Vault?
- vault token
- vault login
- vault auth
- vault generate
- How can you read a secret from Vault using the CLI?
- vault secret read
- vault read
- vault get
- vault access
- Which command is used to write a secret to Vault?
- vault set
- vault write
- vault add
- vault create
- How can you list the enabled secrets engines in Vault?
- vault list engines
- vault secrets list
- vault engines
- vault enabled
- What command is used to revoke a token in Vault?
- vault token revoke
- vault revoke
- vault token revoke-self
- vault revoke-self
- How can you authenticate using the Vault CLI with a specific authentication method?
- By specifying the method in the `vault login` command
- By using the `vault login -method=<method>` command
- By setting environment variables
- By editing Vault configuration files
- Which command is used to create a new token in Vault?
- vault token generate
- vault token create
- vault create-token
- vault generate-token
- How can you display detailed information about a token using the Vault CLI?
- vault token info
- vault token lookup
- vault token details
- vault token describe
- What command is used to authenticate to Vault using a GitHub token?
- vault login -method=github
- vault auth github
- vault authenticate github
- vault login -method=github token=
- How can you display the current Vault CLI version?
- vault version
- vault --version
- vault -version
- vault get version
Module 7: Utilize Vault UI
- Which of the following is NOT a feature of Vault’s UI?
- Managing secrets engines
- Writing policies in HCL
- Managing tokens
- Viewing audit logs
- What authentication methods can be used with Vault’s UI?
- Token only
- Username/Password only
- Multiple methods, including token and username/password
- LDAP only
- How can you access Vault’s UI?
- By installing a separate package
- By running a separate server
- By enabling the built-in UI
- By using a web browser extension
- Which action can you perform through Vault’s UI?
- Revoking leases
- Managing lease renewals
- Creating policies
- Accessing the CLI
- In Vault’s UI, where can you view audit logs?
- Settings
- Activity tab
- Secrets tab
- Policies tab
- What permissions are required to access Vault’s UI?
- Superuser privileges
- Vault administrator privileges
- No specific permissions required
- Full access to all secrets
- How can you customize the appearance of Vault’s UI?
- By editing the Vault configuration file
- By installing plugins
- By adding custom branding and logos
- By adjusting browser settings
- Which web browsers are supported for accessing Vault’s UI?
- Internet Explorer only
- Firefox only
- Safari only
- Chrome, Firefox, and Safari
- Can you access Vault’s UI without authentication?
- Yes, it is open to the public by default
- No, authentication is always required
- It depends on Vault’s configuration
- Only if using a specific authentication method
- What is the purpose of Vault’s UI dashboard?
- To manage database secrets
- To view system logs
- To provide an overview of Vault’s status and activity
- To configure access policies
Module 8: Be Aware of the Vault API
- What does the Vault API provide?
- Programmatic access to Vault’s features
- A graphical user interface
- Token generation
- Audit logging
- Which protocol does the Vault API primarily use?
- HTTP
- HTTP(S)
- FTP
- SMTP
- How are API requests authenticated in Vault?
- Through LDAP integration
- By using AWS IAM roles
- By providing a token
- By using a username/password combination
- What HTTP method is used to read data from Vault using the API?
- POST
- GET
- PUT
- DELETE
- Which endpoint is used to interact with secrets in Vault via the API?
- /auth
- /token
- /policy
- /data
- What is the purpose of response wrapping in Vault’s API?
- To securely store secrets
- To encrypt API requests
- To validate authentication tokens
- To protect sensitive data during transit
- How can you authenticate to the Vault API using a token?
- By including the token in the request body
- By using HTTP basic authentication
- By setting the `X-Vault-Token` header
- By passing the token as a URL parameter
- Which HTTP status code indicates a successful API request in Vault?
- 200
- 401
- 403
- 204
- What is the purpose of using namespaces in Vault’s API?
- To manage user accounts
- To partition data within Vault
- To define access control policies
- To create isolated environments for different teams
- How can you limit the response size when reading data from Vault’s API?
- By specifying the desired response format
- By setting a maximum request size in Vault’s configuration
- By encrypting the response data
- By using pagination parameters in the request
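The API questions above come down to a handful of conventions: every call goes to `/v1/<mount>/<path>` over HTTPS, the token travels in the `X-Vault-Token` header (never in the URL or body), reads are `GET` and writes `POST`, namespaces are selected with `X-Vault-Namespace`, and a response can be wrapped by sending `X-Vault-Wrap-TTL`. The client below is an added example for this page, not HashiCorp's client library. It builds requests with the standard library without sending them, parses a constructed KV v2 read response, and shows the check a practitioner should make before unwrapping: that `wrap_info.creation_path` is the path you expected, since a wrapping token for a different path means the response was swapped in transit. The address, token and sample bodies are all made up for the example.

```python
import json
import urllib.request

API_PREFIX = "/v1/"


def vault_request(addr, token, path, *, method="GET", payload=None, namespace=None, wrap_ttl=None):
    """Build (but do not send) one request against Vault's HTTP API."""
    if not addr.startswith("https://"):
        raise ValueError("refusing to put a Vault token on a plaintext HTTP connection")
    url = addr.rstrip("/") + API_PREFIX + path.strip("/")
    if method == "LIST":
        # Vault also accepts a custom LIST verb; GET ?list=true survives more proxies.
        method, url = "GET", url + "?list=true"
    headers = {"X-Vault-Token": token, "X-Vault-Request": "true"}  # X-Vault-Request is what the CLI sends
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    if wrap_ttl is not None:
        headers["X-Vault-Wrap-TTL"] = str(wrap_ttl)  # ask Vault to wrap the response in a single-use token
    data = None
    if payload is not None:
        data = json.dumps(payload).encode()
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(url, data=data, headers=headers, method=method)


def request_headers(req) -> dict:
    """Headers of a built request with lower-cased names (urllib re-capitalises them)."""
    return {k.lower(): v for k, v in req.header_items()}


def parse_kv2_read(body: dict):
    """Return (secret, version) from a KV v2 read; KV v1 has no nested data/metadata."""
    data = body.get("data") or {}
    if "data" not in data or "metadata" not in data:
        raise ValueError("not a KV v2 read response")
    return data["data"], data["metadata"]["version"]


def unwrap_request(addr, wrapped_body: dict, expected_creation_path: str):
    """Build the sys/wrapping/unwrap call for a wrapped response, after checking its origin."""
    info = wrapped_body.get("wrap_info")
    if not info:
        raise ValueError("response is not wrapped")
    if info.get("creation_path") != expected_creation_path:
        raise ValueError(f"wrapping token was created at {info.get('creation_path')!r}, "
                         f"expected {expected_creation_path!r}: possible substitution")
    # The wrapping token itself authenticates the unwrap; it is single-use and short-lived.
    return vault_request(addr, info["token"], "sys/wrapping/unwrap", method="POST")


# Constructed sample responses shaped like Vault's (not captured from a real server).
SAMPLE_KV2_RESPONSE = {
    "request_id": "0d1c7e7a-constructed", "lease_id": "", "renewable": False, "lease_duration": 0,
    "data": {"data": {"username": "app", "password": "s3cr3t"},
             "metadata": {"created_time": "2024-01-01T00:00:00Z", "version": 3,
                          "destroyed": False, "deletion_time": ""}},
    "wrap_info": None, "warnings": None, "auth": None,
}
SAMPLE_WRAPPED_RESPONSE = {
    "request_id": "4e2b9c1f-constructed", "data": None,
    "wrap_info": {"token": "hvs.WRAPPINGTOKENconstructed", "accessor": "acc-constructed", "ttl": 300,
                  "creation_time": "2024-01-01T00:00:00Z", "creation_path": "secret/data/app/config"},
}

if __name__ == "__main__":
    req = vault_request("https://vault.example.com:8200", "hvs.CAESIconstructed", "secret/data/app/config")
    print(req.get_method(), req.full_url, request_headers(req))
    print(parse_kv2_read(SAMPLE_KV2_RESPONSE))
```

Status codes are the other half of the contract: `200` carries a body, `204` is a successful write with none, `403` is a policy denial and `503` usually means the server is sealed.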
Module 9: Explain Vault Architecture
- What is the core component of Vault’s architecture?
- Storage backend
- API gateway
- Authentication engine
- Policy engine
- What is the purpose of the storage backend in Vault?
- Authenticating users
- Generating tokens
- Storing encrypted data
- Managing leases
- Which component is responsible for authenticating users and clients in Vault?
- Token generator
- Policy engine
- Storage backend
- Authentication engine
- How does Vault handle encryption of data at rest?
- Through LDAP integration
- Using an encryption key stored securely
- By rotating AWS IAM roles
- Through TLS certificates
- What is the role of the API gateway in Vault’s architecture?
- Storing secrets
- Authenticating users
- Exposing Vault’s features via HTTP(S) API
- Generating tokens
- How does Vault ensure high availability?
- Through replication and clustering
- By limiting access to a single instance
- By disabling encryption
- By using a single storage backend
- What is the purpose of the transit engine in Vault’s architecture?
- To authenticate users
- To manage access control policies
- To perform encryption and decryption operations
- To store and retrieve secrets
- What is the advantage of Vault’s pluggable architecture?
- It allows for customization and integration with external systems
- It reduces the need for authentication
- It simplifies data storage
- It provides built-in encryption algorithms
- What role does the barrier controller play in Vault’s architecture?
- Managing authentication tokens
- Enforcing access control policies
- Encrypting data
- Protecting sensitive data during transit and at rest
- How does Vault handle secrets during transit between clients and the server?
- Through TLS encryption
- By storing secrets in plaintext
- By rotating encryption keys
- Through LDAP integration
Module 10: Explain Encryption as a Service
- What is encryption as a service?
- A feature of Vault for managing access control
- A method for storing secrets in plaintext
- A service that provides encryption and decryption operations
- A protocol for user authentication
- How does encryption as a service differ from traditional encryption methods?
- It uses static encryption keys
- It abstracts away encryption logic into a separate service
- It requires manual key management
- It relies on external hardware modules
- What are some benefits of encryption as a service?
- Increased complexity in application architecture
- Simplified encryption integration for applications
- Lower security due to reliance on external services
- Limited scalability options
- Which components are typically involved in encryption as a service?
- Key management service, encryption service
- Database, API gateway
- LDAP server, authentication engine
- Token generator, policy engine
- How can encryption as a service improve application security?
- By storing secrets in plaintext
- By ensuring consistent encryption practices across applications
- By relying solely on perimeter security measures
- By disabling encryption for certain sensitive data types
- What role does key rotation play in encryption as a service?
- It decreases encryption performance
- It increases the risk of data loss
- It enhances security by regularly changing encryption keys
- It reduces the need for encryption
- How can encryption as a service simplify compliance with data protection regulations?
- By providing centralized key management and encryption policies
- By requiring manual encryption for each data record
- By storing encryption keys in plaintext
- By disabling encryption altogether
- What is the typical deployment model for encryption as a service?
- Single-tenant only
- Multi-tenant or single-tenant
- Multi-tenant only
- On-premises only
- How does encryption as a service contribute to data privacy?
- By encrypting data at rest and in transit
- By allowing unrestricted access to encrypted data
- By storing encryption keys in plaintext
- By disabling encryption for certain sensitive data types
- What challenges might organizations face when implementing encryption as a service?
- Increased complexity in data management
- Integration with existing systems and applications
- Decreased data security
- Reduced performance due to encryption overhead
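Modules 9 and 10 describe the Transit engine as encryption as a service: the application sends plaintext and gets back a ciphertext of the form `vault:v<N>:<base64>`, the key never leaves the service, rotation creates a new key version without breaking old ciphertexts, `rewrap` moves old ciphertexts to the newest version without returning plaintext to the caller, and `min_decryption_version` retires versions. The class below is an added example for this page, not the Transit engine's code. Real Transit defaults to AES-256-GCM; to stay on the standard library this example substitutes an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC), which demonstrates the key-management behaviour but is not something to deploy. The key name and plaintexts are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32


def _derive(version_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one key version (HMAC as a KDF)."""
    return hmac.new(version_key, label, hashlib.sha256).digest()


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream built from HMAC-SHA256; stand-in for AES-GCM's CTR core."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(enc_key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class TransitKey:
    """A named, versioned key as the Transit engine manages it (assumption: model, not Vault code)."""

    def __init__(self, name: str):
        self.name = name
        self.versions = {1: os.urandom(32)}  # version -> key material, never returned to callers
        self.latest_version = 1
        self.min_decryption_version = 1

    def encrypt(self, plaintext: bytes) -> str:
        version = self.latest_version  # new ciphertexts always use the newest version
        key = self.versions[version]
        nonce = os.urandom(NONCE_LEN)
        ct = _keystream_xor(_derive(key, b"enc"), nonce, plaintext)
        tag = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        return f"vault:v{version}:" + base64.b64encode(nonce + ct + tag).decode()

    def _parse(self, ciphertext: str):
        prefix, ver, b64 = ciphertext.split(":", 2)
        if prefix != "vault" or not ver.startswith("v") or not ver[1:].isdigit():
            raise ValueError("not a transit ciphertext")
        version = int(ver[1:])
        if version not in self.versions:
            raise ValueError(f"unknown key version {version}")
        blob = base64.b64decode(b64)
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("ciphertext too short")
        return version, blob

    def decrypt(self, ciphertext: str) -> bytes:
        version, blob = self._parse(ciphertext)
        if version < self.min_decryption_version:
            raise PermissionError(f"key version {version} is below min_decryption_version")
        key = self.versions[version]
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(_derive(key, b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed authentication")  # tampered or wrong key
        return _keystream_xor(_derive(key, b"enc"), nonce, ct)

    def rotate(self) -> int:
        """Add a new key version; old ciphertexts stay decryptable until retired."""
        self.latest_version += 1
        self.versions[self.latest_version] = os.urandom(32)
        return self.latest_version

    def rewrap(self, ciphertext: str) -> str:
        """Re-encrypt under the latest version; plaintext never leaves the service."""
        return self.encrypt(self.decrypt(ciphertext))

    def set_min_decryption_version(self, version: int) -> None:
        if not 1 <= version <= self.latest_version:
            raise ValueError("version out of range")
        self.min_decryption_version = version

    @staticmethod
    def key_version(ciphertext: str) -> int:
        return int(ciphertext.split(":", 2)[1][1:])


if __name__ == "__main__":
    k = TransitKey("orders")
    old = k.encrypt(b"card=4111111111111111")
    k.rotate()
    print(old[:10], "->", k.rewrap(old)[:10], "after rotation")
```

The operational pattern this models: rotate on a schedule, run `rewrap` over stored ciphertexts, then raise `min_decryption_version` so a leaked old key version is worthless.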
This post is licensed under CC BY 4.0 by the author.