Practice VA-003 Explain Vault architecture questions with full explanations on every answer.
1. A DevOps team is deploying Vault in a Kubernetes cluster. They want to ensure that when a pod starts, it can obtain a short-lived Vault token without human intervention. Which Vault architecture component should they use?
2. During a performance test, Vault becomes unresponsive for several seconds when the storage backend experiences high latency. Which architectural change would best improve Vault's resilience to storage latency?
3. A security engineer wants to ensure that all requests to Vault are logged for compliance. Which component must be configured?
4. A company is using Vault's Integrated Storage (Raft) for high availability. During a network partition, two Vault nodes become isolated from the third. What happens to the isolated nodes?
5. An administrator notices that after a Vault unseal operation, the root token is no longer usable. The audit logs show no revocations. What is the most likely cause?
6. Which Vault component is responsible for encrypting data before storing it in the storage backend?
7. A team wants to use Vault's AWS auth method to authenticate EC2 instances. Which architectural requirement must be met?
8. A Vault cluster uses Integrated Storage. During a planned upgrade, the administrator wants to minimize downtime. Which upgrade strategy should be used?
9. What is the purpose of the Seal/Unseal process in Vault architecture?
10. Which TWO components are required for Vault to process client requests after startup?
11. Which THREE architectural considerations are important when designing a multi-datacenter Vault deployment?
12. Which TWO statements about Vault's Storage Backend are correct?
13. A company deploys Vault in a production environment with three nodes using Integrated Storage (Raft). They have configured Performance Replication to a secondary datacenter. The primary datacenter experiences a complete outage. After restoring the primary, they promote the secondary to primary. However, they notice that some secrets written to the primary just before the outage are missing in the secondary. The replication status shows no errors. What is the most likely cause and correct action?
14. An organization uses Vault with a Consul storage backend. They have three Vault servers and three Consul servers. During a routine maintenance, they restart all Consul servers simultaneously. After the restart, Vault becomes sealed and cannot be unsealed. The Vault logs show 'storage: error listing' and 'failed to check status'. The Consul cluster is healthy with a leader. What is the most likely cause and solution?
15. A company is deploying Vault in a high-availability configuration across three data centers. They need to ensure that if the active Vault node fails, another node can take over without manual intervention. Which Vault feature should they configure?
16. Which TWO of the following are valid ways to authenticate to Vault?
17. A company runs Vault in a single cluster with three nodes using the Raft storage backend. The nodes are behind a load balancer that distributes traffic to all nodes. The operations team notices that occasionally, write operations (e.g., writing a secret or creating a policy) fail with a '502 Bad Gateway' error, while read operations succeed. The Vault audit logs show no errors. The load balancer health checks are configured to check the /v1/sys/health endpoint with a 200 response expected. The Vault nodes are all unsealed and the cluster is healthy. Which of the following is the most likely cause of the intermittent write failures?
18. A company wants to use Vault's Key Management Secrets Engine (KMSE) to encrypt data stored in AWS S3. The security team requires that the encryption key used by Vault is never exposed to the application. Which Vault architecture component ensures that the encryption key remains within the Vault boundary and is not accessible to the application?
19. Which TWO statements correctly describe Vault's storage backend and seal/unseal mechanism?
20. A Vault operator runs `vault status` and sees the output above. The Vault cluster is in production and currently unresponsive to API requests. What is the most likely cause of the unresponsiveness?
21. Drag and drop the steps to configure Vault's PKI secrets engine to issue certificates into the correct order.
22. Match each Vault audit device to its output destination.
23. A small startup wants to run Vault in a development environment with minimal operational overhead. They need to store secrets in memory only, without any persistence. Which storage backend should they choose?
24. A company requires that Vault's master key be split into multiple key shares and distributed to different administrators using Shamir's Secret Sharing. They also need to ensure that Vault can automatically unseal if a majority of shares are provided but cannot rely on manual intervention. Which unseal approach should they configure?
25. A large enterprise runs Vault in a high-availability cluster with integrated storage (Raft). They notice that read requests are not being evenly distributed across nodes, causing some nodes to have high load. They want to offload read operations to standby nodes. What feature should they enable to achieve this?
26. An organization has two Vault clusters in different geographic regions and wants to replicate secrets from the primary cluster to the secondary cluster for disaster recovery. Which Vault replication feature should they use?
27. A security team needs to audit all interactions with Vault, including requests that are denied due to policy violations. They want to ensure that even if the audit device is full, Vault does not halt operations. Which audit device configuration should they recommend?
28. An operator notices that after a network partition, a Vault cluster with integrated storage (Raft) has a node that is unreachable and does not automatically rejoin. The cluster has 5 nodes with a minimum quorum of 3. What is a likely cause for the node not rejoining?
29. A developer wants to authenticate to Vault using a username and password without any external identity provider. Which authentication method should be enabled?
30. A Vault administrator creates a policy that grants 'read' and 'list' on 'secret/data/engineering/*' for a group. However, users in that group cannot read 'secret/data/engineering/project/db_password'. What is the most likely issue?
31. During a security assessment, a penetration tester discovers that Vault's seal configuration uses a single master key stored in a file on the server. The attacker gains root access to the server and retrieves the unseal key. What is the best mitigation to prevent this scenario?
32. Which TWO of the following are components of Vault's architecture? (Choose two.)
33. Which THREE of the following are true regarding Vault's high availability (HA) and replication? (Choose three.)
34. Which TWO of the following storage backends are capable of high availability without external dependencies? (Choose two.)
35. A Vault server is configured with the above snippet. After starting, the server remains in a sealed state. Which command should the operator run to complete the initial unseal?
36. Given the output from 'vault operator raft list-peers', which node(s) will become unavailable if node1 (leader) experiences a network partition away from all other nodes?
37. A user has the above policy attached. What operation can the user perform on 'secret/data/production/db_password'?
38. A new Vault administrator unseals Vault using a single unseal key, but the Vault remains sealed. What is the most likely cause?
39. A Vault cluster has two nodes configured for HA. The active node becomes unresponsive, and the standby node takes over. However, clients cannot connect to the new active node. The firewall rules allow traffic on port 8200. What is the most likely issue?
40. A Vault cluster configured with auto-unseal using AWS KMS is deployed across two availability zones. After a network partition, the standby node remains sealed while the active node is unsealed and serving requests. What is the most likely reason the standby cannot unseal?
41. A company is migrating from a file storage backend to Consul. Which Vault command should be used to move the data?
42. A Vault cluster uses performance replication. A performance standby node is not responding to read requests. What is the most likely cause?
43. A Vault cluster uses DR replication. The primary cluster fails, and the DR secondary is promoted to primary. After promotion, some secret data written to the primary shortly before the failure is missing on the new primary. What is the most likely reason?
44. A company stores static secrets in Vault and requires that all data is encrypted at rest in the storage backend. Which Vault feature provides this encryption?
45. A Vault administrator notices that the audit log file on the Vault server is filling up the disk. What is the best course of action to prevent disk full issues?
46. After a security incident, the Vault administrator needs to change the encryption key used to encrypt data at rest. They have already rekeyed the unseal keys. What additional step is required to ensure new secrets are encrypted with a new key?
47. Which TWO are core components of Vault's architecture?
48. Which THREE are requirements for a Vault High Availability (HA) cluster?
49. Which TWO statements about Vault replication are correct?
50. Refer to the exhibit. What seal mechanism is configured for this Vault instance?
51. Refer to the exhibit. Based on the output from 'vault status', which statement is true?
52. Refer to the exhibit. What operation was performed on the secret "mysecret"?
53. A company requires that Vault data be continuously replicated from a primary data center to a secondary data center for disaster recovery. The secondary data center must be able to become writable in the event of a primary failure. Which Vault feature should they use?
54. A Vault cluster uses Consul for HA. After a brief network partition, a standby node loses contact with the active node. What does the standby node do after a timeout?
55. An organization requires that all Vault secrets be encrypted with a key derived from a hardware security module (HSM) and that the cluster can be unsealed automatically. Which seal type should they use?
56. In a Vault HA cluster, which node is responsible for handling all write requests?
57. A Vault administrator is configuring Consul as the storage backend. The Consul cluster will span three data centers with low latency links. Which Consul deployment is recommended for Vault to ensure data safety?
58. After a failover event in a Vault HA cluster with Integrated Storage, the new active node reports a 'sealed' status incorrectly in monitoring metrics, but the cluster is still functioning correctly. What is the most likely cause?
59. What is the purpose of the `storage` stanza in a Vault server configuration file?
60. A Vault cluster with three nodes using Integrated Storage (Raft) is healthy with one active and two standby nodes. A network partition isolates the active node. What will happen?
61. A company uses Vault Enterprise with Performance Replication. The primary cluster is in us-east-1, and a secondary cluster is in eu-west-1. Clients in eu-west-1 report that they receive stale data when reading from the local secondary cluster's active node. What is the most likely cause?
62. Which TWO components are required for Vault to start and function? (Choose two.)
63. Which THREE are required for Vault to encrypt data at rest? (Choose three.)
64. A Vault administrator wants to minimize the impact of a single node failure in a three-node Raft cluster. Which TWO actions will help? (Choose two.)
65. Refer to the exhibit. A Vault administrator configures a three-node cluster with the above configuration on all nodes (with appropriate node_id). After starting all nodes, the administrator unseals node2 and node3. Node1 remains sealed. What will be the cluster state?
66. Refer to the exhibit. A Vault policy is defined as shown. A user presents a token with this policy. Which operation will be permitted?
67. Refer to the exhibit. A Vault administrator starts a Vault server and receives this error. What is the most likely cause?
68. A company is running Vault in production with a single active node and two standby nodes using Integrated Storage. The operations team notices that after a network partition, one of the standby nodes becomes unavailable for a few minutes. Upon recovery, the node rejoins the cluster. However, the active node's performance degrades temporarily. What is the most likely cause?
69. A DevOps engineer is designing a Vault architecture for a multi-cloud environment spanning AWS, GCP, and on-premises data centers. The requirement is to have low-latency read access to secrets across all regions, and the ability to handle a full regional outage without manual intervention. Which architecture best meets these requirements?
70. A security team is configuring Vault's seal mechanism. They want to ensure that in the event of a data center outage, the Vault cluster can be unsealed without human intervention, but still require approval from multiple administrators to rekey the master key. Which seal type should they use?
71. A Vault cluster uses Integrated Storage with 5 nodes. After a network split, the cluster loses quorum and becomes sealed. The network is restored, but the cluster does not automatically recover. What should the administrator do to recover the cluster?
72. An organization wants to use Vault's dynamic database credentials to manage MySQL access. They have multiple application servers that need to connect to different databases. What is the best practice for configuring database roles to minimize the number of Vault mounts?
73. Which three characteristics are true about Vault's storage backend and seal mechanisms? (Choose three.)
74. A Vault administrator wants to ensure that all secrets are encrypted at rest and in transit. Which two configurations are necessary? (Choose two.)
75. A company is deploying Vault in a Kubernetes environment. Which three components are essential for a production-ready Vault on Kubernetes? (Choose three.)
76. A company deploys Vault in a single data center with 3 nodes using Integrated Storage. The application team reports that secret reads are slow, with median latency of 200ms. The Vault cluster is under moderate load of 100 requests per second. The administrator checks the server metrics and sees that the Raft commit latency is low, but the HTTP request handling time is high. The Vault nodes are running on virtual machines with 4 vCPUs and 8GB RAM each. The administrator suspects that the bottleneck is due to resource contention. What should the administrator do to reduce read latency without compromising availability?
77. An organization uses Vault to manage SSH access via the SSH secrets engine. They have a large number of servers, each with a unique host key. The admin configures the SSH secrets engine with a one-time password (OTP) type. Users report that sometimes they cannot authenticate to some servers because the OTP is not accepted. The admin reviews the logs and finds that the server's SSH daemon is not contacting Vault to verify the OTP. The SSH daemon is configured with the Vault SSH helper. What is the most likely cause?
78. A company with strict security requirements uses Vault's Transit secrets engine to encrypt data in a microservices architecture. They have multiple applications that each require a unique encryption key. The security team wants to enforce key rotation every 30 days for all keys, and also require that keys be destroyed after they are no longer used. The application team is concerned that key rotation might cause downtime because applications need to re-encrypt data. The Vault architect needs to design a key management solution. What is the best approach?
79. A startup is deploying Vault for the first time. They want to use Integrated Storage for simplicity. They plan to run Vault on three small instances. During initial setup, they start the first node and initialize Vault, obtaining the unseal keys and root token. Then they start the second node and run `vault operator raft join http://<first_node>:8200`. The second node joins successfully. They then start the third node and attempt to join, but the join command fails with an error saying 'no leader'. What is the most likely cause?
80. A Vault administrator is troubleshooting an issue where after a network outage, the Vault cluster is sealed and cannot be unsealed. The cluster has 5 nodes using Integrated Storage. The administrator runs `vault status` on each node and receives 'sealed' response. The administrator suspects that the cluster lost quorum during the outage. The administrator checks the Raft configuration and finds that there are 3 voter nodes and 2 non-voter nodes. Which action should the administrator take to recover the cluster?
81. A company uses Vault Enterprise with Performance Replication across two data centers. The primary data center is in us-east-1 and the secondary is in eu-west-1. They have an application that writes secrets to the primary cluster, and those secrets are replicated to the secondary cluster for read access. Recently, they noticed that some secrets written to the primary are not appearing on the secondary even after several minutes. The latency between data centers is typically 50ms. The administrator checks the replication status and sees a 'merkle sync' in progress. What is the most likely reason for the delay?
82. A DevOps team is setting up a Vault cluster for the first time. They plan to use AWS KMS for auto-unseal and Consul as the storage backend. As part of the architecture, which TWO components are essential for the Vault server to start and serve requests?
83. Refer to the exhibit. A developer issues a Vault CLI command to write a secret to path 'secret/data/team/billing'. What will be the outcome?
84. A large e-commerce company uses Vault to manage database credentials for microservices. They have a Vault cluster of 5 nodes using Integrated Storage (Raft). To increase capacity, they add a sixth node to the cluster. Shortly after, they notice intermittent 'no leader' errors in the Vault logs, and some clients experience failures when reading secrets. The cluster was functioning correctly before the addition. What is the most likely cause and the recommended action?
The Explain Vault architecture domain covers the key concepts tested in this area of the VA-003 exam blueprint published by HashiCorp. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all VA-003 domains — no account required.
The Courseiva VA-003 question bank contains 84 questions in the Explain Vault architecture domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Explain Vault architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.