Question No. 1

You have a 2GB Base64 binary large object (blob) that needs to be encrypted. Which of the following best describes the transit secrets engine?

AA data key encrypts the blob locally, and the same key decrypts the blob locally.

BTo process such a large blob. Vault will temporarily store it in the storage backend.

CVault will store the blob permanently. Be sure to run Vault on a compute optimized machine

DThe transit engine is not a good solution for binaries of this size.

Show Answer

Correct Answer: D

The transit secrets engine is not a good solution for binaries of this size, because it is designed to handle cryptographic functions on data in-transit, not data at-rest. The transit secrets engine does not store any data sent to it, so it would require sending the entire 2GB blob to Vault for encryption or decryption, which would be inefficient and impractical. A better solution would be to use the transit secrets engine to generate a data key, which is a high-entropy key that can be used to encrypt or decrypt data locally. The data key can be returned in plaintext or wrapped by another key, depending on the use case. This way, the transit secrets engine only handles the encryption or decryption of the data key, not the data itself, and the data can be stored in any primary data store.Reference:Transit - Secrets Engines | Vault | HashiCorp Developer,Encryption as a service: transit secrets engine | Vault | HashiCorp Developer

Question No. 2

You have been tasked with writing a policy that will allow read permissions for all secrets at path secret/bar. The users that are assigned this policy should also be able to list the secrets. What should this policy look like?

A.

B.

C.

D.

AOption A

BOption B

COption C

DOption D

Show Answer

Correct Answer: C

This policy would allow read permissions for all secrets at path secret/bar, as well as list permissions for the secret/bar/ path.The list permission is required to be able to see the names of the secrets under a given path1. The wildcard () character matches any number of characters within a single path segment, while the slash (/) character matches the end of the path2. Therefore, the policy would grant read access to any secret that starts with secret/bar/, such as secret/bar/foo or secret/bar/baz, but not to secret/bar itself. To grant list access to secret/bar, the policy needs to specify the exact path with a slash at the end.This policy follows the principle of least privilege, which means that it only grants the minimum permissions necessary for the users to perform their tasks3.

The other options are not correct because they either grant too much or too little permissions. Option A would grant both read and list permissions to all secrets under secret/bar, which is more than what is required. Option B would grant list permissions to all secrets under secret/bar, but only read permissions to secret/bar itself, which is not what is required. Option D would use an invalid character (+) in the policy, which would cause an error.

Policy Syntax | Vault | HashiCorp Developer

Policies | Vault | HashiCorp Developer

Question No. 3

Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

APKI

BKey/Value secrets engine version 2, with TTL defined

CCloud KMS

DTransit

Show Answer

Correct Answer: A

The PKI secrets engine is designed to support the use case of reducing and ultimately removing the use of long lived X.509 certificates. The PKI secrets engine can generate dynamic X.509 certificates on demand, with short time-to-live (TTL) and automatic revocation. This eliminates the need for manual processes of generating, signing, and rotating certificates, and reduces the risk of certificate compromise or misuse. The PKI secrets engine can also act as a certificate authority (CA) or an intermediate CA, and can integrate with external CAs or CRLs.The PKI secrets engine can issue certificates for various purposes, such as TLS, SSH, code signing, email encryption, etc.Reference: https://developer.hashicorp.com/vault/docs/secrets/pki1, https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets

Question No. 4

Which of the following vault lease operations uses a lease _ id as an argument? Choose two correct answers.

Arenew

Brevoke -prefix

Ccreate

Ddescribe

Erevoke

Show Answer

Correct Answer: A, E

The vault lease operations that use a lease_id as an argument are renew and revoke. The renew operation allows a client to extend the validity of a lease associated with a secret or a token. The revoke operation allows a client to terminate a lease immediately and invalidate the secret or the token. Both operations require a lease_id as an argument to identify the lease to be renewed or revoked. The lease_id can be obtained from the response of reading a secret or creating a token, or from the vault lease list command. The other operations, revoke-prefix, create, and describe, do not use a lease_id as an argument. The revoke-prefix operation allows a client to revoke all secrets or tokens generated under a given prefix. The create operation allows a client to create a new lease for a secret. The describe operation allows a client to view information about a lease, such as its TTL, policies, and metadata.Reference:Lease, Renew, and Revoke | Vault | HashiCorp Developer,vault lease - Command | Vault | HashiCorp Developer

Question No. 5

Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

AGoogle Cloud Secrets Engine

BIdentity secrets engine

CKey/Value secrets engine version 2

DSSH secrets engine

Show Answer

Correct Answer: A

The Google Cloud Secrets Engine is the best option for the DevOps team to provision VMs in GCP via a CICD pipeline and integrate Vault to protect the credentials used by the tool. The Google Cloud Secrets Engine can dynamically generate GCP service account keys or OAuth tokens based on IAM policies, which can be used to authenticate and authorize the CICD tool to access GCP resources. The credentials are automatically revoked when they are no longer used or when the lease expires, ensuring that the credentials are short-lived and secure. The DevOps team can configure rolesets or static accounts in Vault to define the scope and permissions of the credentials, and use the Vault API or CLI to request credentials on demand.The Google Cloud Secrets Engine also supports generating access tokens for impersonated service accounts, which can be useful for delegating access to other service accounts without storing or managing their keys1.

The Identity Secrets Engine is not a good option for this use case, because it does not generate GCP credentials, but rather generates identity tokens that can be used to access other Vault secrets engines or namespaces2.The Key/Value Secrets Engine version 2 is also not a good option, because it does not generate dynamic credentials, but rather stores and manages static secrets that the user provides3.The SSH Secrets Engine is not a good option either, because it does not generate GCP credentials, but rather generates SSH keys or OTPs that can be used to access remote hosts via SSH4.

Google Cloud - Secrets Engines | Vault | HashiCorp Developer

Identity - Secrets Engines | Vault | HashiCorp Developer

KV - Secrets Engines | Vault | HashiCorp Developer

SSH - Secrets Engines | Vault | HashiCorp Developer

Free HashiCorp Vault-Associate Exam Actual Questions

The questions for Vault-Associate were last updated On Nov 20, 2024