Sample questions
HashiCorp Vault Associate VA-003 practice questions
Refer to the exhibit. A developer reports that a token they created using `vault token create -policy=my-policy -ttl=2h` is no longer working after 1 hour. The token lookup output shows the token details. What is the most likely cause?
Exhibit
Refer to the exhibit. ``` $ vault token lookup s.abc123 Key Value --- ----- accessor a.xyz789 creation_time 1712345678 expiration_time 1712355678 creation_ttl 2h display_name mytoken entity_id entity-uuid-123 meta map[team:dev] num_uses 0 orphan true path auth/token/create policies [default my-policy] renewable true type service ```
Trap 1: The token has num_uses set to 0, meaning it can only be used once.
num_uses=0 means unlimited use, not a single use.
Trap 2: The token is a service token and cannot be renewed.
Service tokens can be renewed; this is not the issue.
Trap 3: The token is an orphan token and requires the parent token to be…
Orphan tokens have no parent; they are independent.
- A
The token's max_ttl was set to 1h when created, and the token reached its max_ttl.
If max_ttl is less than the requested TTL, the token will expire at max_ttl, causing it to stop working after 1 hour.
- B
The token has num_uses set to 0, meaning it can only be used once.
Why wrong: num_uses=0 means unlimited use, not a single use.
- C
The token is a service token and cannot be renewed.
Why wrong: Service tokens can be renewed; this is not the issue.
- D
The token is an orphan token and requires the parent token to be valid.
Why wrong: Orphan tokens have no parent; they are independent.
A company uses Vault to manage database credentials for a production PostgreSQL cluster. The application team reports that dynamic credentials generated from the database secrets engine are being revoked before the application has finished using them. The Vault lease TTL is set to 1 hour, but the application workload sometimes runs for up to 2 hours. What is the MOST efficient way to ensure credentials remain valid for the full workload duration?
Trap 1: Set max_ttl to 2 hours on the database role.
max_ttl only sets an upper bound; the default TTL remains 1 hour unless the application explicitly requests a longer TTL.
Trap 2: Set the Vault server's default_lease_ttl to 2 hours in the server…
This changes the global default for all secrets, which could weaken security for other secrets and is not targeted.
Trap 3: Have the application manually renew the lease every 30 minutes.
Manual renewal is operationally complex and risks interruption if renewal fails; it is less efficient than adjusting the TTL.
- A
Set max_ttl to 2 hours on the database role.
Why wrong: max_ttl only sets an upper bound; the default TTL remains 1 hour unless the application explicitly requests a longer TTL.
- B
Set the Vault server's default_lease_ttl to 2 hours in the server configuration.
Why wrong: This changes the global default for all secrets, which could weaken security for other secrets and is not targeted.
- C
Increase the default_lease_ttl on the database secrets engine mount to 2 hours.
This raises the default TTL for all credentials created by this engine, matching the workload's maximum duration without code changes.
- D
Have the application manually renew the lease every 30 minutes.
Why wrong: Manual renewal is operationally complex and risks interruption if renewal fails; it is less efficient than adjusting the TTL.
An administrator runs the commands shown in the exhibit. Later, they run 'vault kv delete kv-v2/secret' and then 'vault kv undelete -versions=1 kv-v2/secret' to recover the secret. Which command must the administrator run to verify that the secret is now readable?
Exhibit
Refer to the exhibit. ``` $ vault secrets enable -path=kv-v2 kv-v2 $ vault kv put kv-v2/secret username=admin password=s3cret $ vault kv get kv-v2/secret ====== Metadata ====== Key Value --- ----- created_time 2023-01-01T00:00:00Z deletion_time n/a destroyed false version 1 ====== Data ====== Key Value --- ----- password s3cret username admin $ vault kv metadata get kv-v2/secret Key Value --- ----- cas_required false created_time 2023-01-01T00:00:00Z current_version 1 custom_metadata map[] delete_version_after 0s max_versions 0 oldest_version 0 updated_time 2023-01-01T00:00:00Z ```
Trap 1: vault kv list kv-v2/secret
This lists keys under the path, but not the secret content.
Trap 2: vault read kv-v2/data/secret
The correct path is 'kv-v2/data/secret' but the command syntax is 'vault kv get', not 'vault read' directly for KV v2.
Trap 3: vault kv metadata get kv-v2/secret
This shows metadata, not the secret data.
- A
vault kv list kv-v2/secret
Why wrong: This lists keys under the path, but not the secret content.
- B
vault read kv-v2/data/secret
Why wrong: The correct path is 'kv-v2/data/secret' but the command syntax is 'vault kv get', not 'vault read' directly for KV v2.
- C
vault kv get kv-v2/secret
After undelete, the secret is readable; this command retrieves the data.
- D
vault kv metadata get kv-v2/secret
Why wrong: This shows metadata, not the secret data.
A security administrator notices that a Vault client using AppRole authentication is generating a very large number of tokens, causing performance issues. The administrator finds that the same AppRole role is used by multiple applications. What should the administrator do to reduce the number of tokens while maintaining security?
Trap 1: Decrease the token TTL on the AppRole role
Shorter TTL means tokens expire faster but doesn't limit the rate of token generation.
Trap 2: Periodically rotate the secret ID
Rotation does not limit the number of active tokens.
Trap 3: Set secret_id_num_uses to 1 on the AppRole role
This limits the number of uses of each secret ID, not the number of tokens issued.
- A
Decrease the token TTL on the AppRole role
Why wrong: Shorter TTL means tokens expire faster but doesn't limit the rate of token generation.
- B
Periodically rotate the secret ID
Why wrong: Rotation does not limit the number of active tokens.
- C
Create separate AppRole roles for each application
This allows distinct secret IDs and token limits per application.
- D
Set secret_id_num_uses to 1 on the AppRole role
Why wrong: This limits the number of uses of each secret ID, not the number of tokens issued.
Which TWO statements correctly describe differences between AppRole and Kubernetes authentication methods?
Trap 1: Kubernetes auth requires the secret_id to be specified in a…
Kubernetes auth uses a token, not a secret_id.
Trap 2: Both AppRole and Kubernetes support response wrapping for initial…
Only AppRole supports secret_id wrapping; Kubernetes token is already short-lived.
Trap 3: AppRole tokens are always batch tokens, while Kubernetes tokens are…
Both methods can generate service tokens by default.
- A
AppRole requires a role_id and secret_id, while Kubernetes requires a service account token.
AppRole uses two components; Kubernetes uses a single token.
- B
Kubernetes auth requires the secret_id to be specified in a configuration file.
Why wrong: Kubernetes auth uses a token, not a secret_id.
- C
Kubernetes authentication uses JWT tokens that are signed by the Kubernetes API server.
The service account token is a JWT signed by the cluster.
- D
Both AppRole and Kubernetes support response wrapping for initial credentials.
Why wrong: Only AppRole supports secret_id wrapping; Kubernetes token is already short-lived.
- E
AppRole tokens are always batch tokens, while Kubernetes tokens are service tokens.
Why wrong: Both methods can generate service tokens by default.
An administrator wants to use Vault's authentication method that allows users to log in with their corporate credentials via a federated identity system. The credentials are stored in an external identity provider (IdP) and Vault should not store any passwords. Which authentication method should be configured?
Trap 1: LDAP authentication
Vault must have access to the LDAP directory and stores bind credentials.
Trap 2: Userpass authentication
Vault stores hashed passwords internally.
Trap 3: Token authentication
Token is not user authentication, it's a pre-existing credential.
- A
LDAP authentication
Why wrong: Vault must have access to the LDAP directory and stores bind credentials.
- B
OIDC authentication
Uses external IdP for authentication, no password stored in Vault.
- C
Userpass authentication
Why wrong: Vault stores hashed passwords internally.
- D
Token authentication
Why wrong: Token is not user authentication, it's a pre-existing credential.
An administrator needs to enable authentication method for human users that integrates with an existing LDAP directory. The company wants to ensure that Vault can perform group-based policy assignment based on LDAP group membership. Which configuration step is mandatory to map LDAP groups to Vault policies?
Trap 1: Set the 'upndomain' parameter to 'company.com'
This is for UPN domain, not group mapping.
Trap 2: Set the 'users' attribute to 'sAMAccountName'
This maps the username attribute, not group membership.
Trap 3: Set the 'certificate' parameter with the LDAP server certificate
This is for TLS, not group mapping.
- A
Set the 'upndomain' parameter to 'company.com'
Why wrong: This is for UPN domain, not group mapping.
- B
Set the 'users' attribute to 'sAMAccountName'
Why wrong: This maps the username attribute, not group membership.
- C
Set the 'groups' attribute to 'memberOf'
This tells Vault which LDAP attribute holds group membership.
- D
Set the 'certificate' parameter with the LDAP server certificate
Why wrong: This is for TLS, not group mapping.
A security engineer needs to choose an authentication method for a set of microservices running in a Kubernetes cluster that require short-lived secrets. The method should leverage the pod's identity. Which method is best?
Trap 1: AppRole auth
AppRole works but requires manual secret ID distribution, not leveraging pod identity.
Trap 2: Token auth
Token auth is for human users and not recommended for automated workloads.
Trap 3: LDAP auth
LDAP is for human users, not microservices.
- A
AppRole auth
Why wrong: AppRole works but requires manual secret ID distribution, not leveraging pod identity.
- B
Token auth
Why wrong: Token auth is for human users and not recommended for automated workloads.
- C
LDAP auth
Why wrong: LDAP is for human users, not microservices.
- D
Kubernetes auth
Kubernetes auth is purpose-built for pods to authenticate using service account tokens.
An organization uses the transit engine with key rotation. They want to ensure that data encrypted with an older key version can be decrypted by Vault, but only if the key has not been deleted. Which of the following must be true?
Trap 1: The key's `min_decryption_version` must be set to 1
Setting to 1 allows all versions, but this is not required; the default (0) allows all versions. More importantly, if the version is archived, it still won't decrypt.
Trap 2: The key must have the `allow_plaintext_backup` setting enabled
This setting is for backing up key material, not for decryption availability.
Trap 3: The key must have a `deletion_allowed` set to false
This prevents deletion of the entire key, but does not affect decryption of existing ciphertext.
- A
The key's `min_decryption_version` must be set to 1
Why wrong: Setting to 1 allows all versions, but this is not required; the default (0) allows all versions. More importantly, if the version is archived, it still won't decrypt.
- B
The key must have the `allow_plaintext_backup` setting enabled
Why wrong: This setting is for backing up key material, not for decryption availability.
- C
The key must have a `deletion_allowed` set to false
Why wrong: This prevents deletion of the entire key, but does not affect decryption of existing ciphertext.
- D
The key's `latest_version` must be greater than 0
Why wrong: This is always true if key exists, but doesn't ensure older versions are available.
- E
The key must not have been archived
Archived key versions are removed from the decryption set and cannot be used.
Which TWO best practices should be followed when tuning secrets engine mounts?
Trap 1: Enable audit logging on the mount to track secret access
Audit logging is enabled globally, not per-mount.
Trap 2: Set a high default lease TTL to reduce renewals
High TTLs increase risk if secrets are compromised, so low TTLs are preferred.
Trap 3: Disable the 'default' policy for the mount to restrict access
The default policy is attached to all tokens; disabling it could break functionality.
- A
Enable audit logging on the mount to track secret access
Why wrong: Audit logging is enabled globally, not per-mount.
- B
Configure 'max_lease_ttl' to limit the maximum duration secrets can be valid
This ensures even if a role requests a long TTL, it cannot exceed the mount limit.
- C
Set 'default_lease_ttl' to a low value appropriate for the secrets engine
Low default TTLs encourage rotation and reduce exposure.
- D
Set a high default lease TTL to reduce renewals
Why wrong: High TTLs increase risk if secrets are compromised, so low TTLs are preferred.
- E
Disable the 'default' policy for the mount to restrict access
Why wrong: The default policy is attached to all tokens; disabling it could break functionality.
Which THREE steps are required to configure the database secrets engine for generating dynamic credentials?
Trap 1: Configure a policy to allow users to read credentials from the role
While important for access control, it is not required for the engine to function; the engine itself works without policies.
Trap 2: Tune the engine's default TTL
Tuning is optional and can be done later; not a required step.
- A
Create a role that maps to the database user and permissions
A role defines the generated credential attributes (e.g., username template, default TTL).
- B
Configure a policy to allow users to read credentials from the role
Why wrong: While important for access control, it is not required for the engine to function; the engine itself works without policies.
- C
Configure the database connection with connection details and credentials
Vault needs connection parameters to communicate with the database.
- D
Tune the engine's default TTL
Why wrong: Tuning is optional and can be done later; not a required step.
- E
Enable the database secrets engine
First step is to mount the engine.
A Vault instance was upgraded from version 1.9 to 1.13. After the upgrade, a secrets engine mounted at 'transit/' is unresponsive and returns an error. The engine type is transit. What is the most likely cause?
Trap 1: The engine was accidentally disabled during the upgrade
Upgrades do not disable engines by default.
Trap 2: The namespace was changed during the upgrade
Namespaces are preserved during upgrades.
Trap 3: The transit engine can only be mounted at the default path…
Transit can be mounted at any path.
- A
The engine was accidentally disabled during the upgrade
Why wrong: Upgrades do not disable engines by default.
- B
The namespace was changed during the upgrade
Why wrong: Namespaces are preserved during upgrades.
- C
The transit engine can only be mounted at the default path 'transit/'
Why wrong: Transit can be mounted at any path.
- D
The plugin version is incompatible with the new Vault version
Vault 1.13 may require a newer plugin version for transit; the old plugin may not work.
An organization uses a PostgreSQL database. They configure a database secrets engine with a role that grants read-only access. However, after revoking the lease, the database user still exists. What is the most likely cause?
Trap 1: The database secrets engine does not support revocation
Database engine supports revocation; if configured correctly, it removes users.
Trap 2: The role's default_ttl is set too high
High TTL delays revocation but does not prevent it.
Trap 3: The lease duration is too long
Lease duration affects when revocation occurs, not whether it succeeds.
- A
The database secrets engine does not support revocation
Why wrong: Database engine supports revocation; if configured correctly, it removes users.
- B
The role's default_ttl is set too high
Why wrong: High TTL delays revocation but does not prevent it.
- C
The lease duration is too long
Why wrong: Lease duration affects when revocation occurs, not whether it succeeds.
- D
The revocation statement is not configured in the database connection
If no revocation statement is set, Vault cannot delete the user on lease revocation.
Refer to the exhibit. A user deletes the current version of 'secret/myapp' using 'vault kv delete secret/myapp'. What happens to the version?
Exhibit
$ vault read secret/metadata/myapp Key Value --- ----- cas_required true created_time 2023-01-01T00:00:00Z current_version 1 delete_version_after 0s max_versions 0 oldest_version 0 updated_time 2023-01-01T00:00:00Z
Trap 1: It is destroyed because cas_required is true
cas_required is for CAS operations, not destruction.
Trap 2: It is permanently deleted immediately
Delete only soft-deletes; version remains with deletion flag.
Trap 3: It is marked as deleted but can be undeleted because cas_required…
cas_required does not affect undelete.
- A
It is destroyed because cas_required is true
Why wrong: cas_required is for CAS operations, not destruction.
- B
It is deleted and can be undeleted if not destroyed
Soft delete allows undelete unless destroyed.
- C
It is permanently deleted immediately
Why wrong: Delete only soft-deletes; version remains with deletion flag.
- D
It is marked as deleted but can be undeleted because cas_required is true
Why wrong: cas_required does not affect undelete.
Which THREE of the following are true regarding Vault's high availability (HA) and replication? (Choose three.)
Trap 1: With Integrated Storage, all nodes can handle write requests
Only the leader (active node) handles writes; followers forward.
Trap 2: Disaster Recovery Replication replicates everything including…
DR Replication replicates secrets, config, and policies, but audit logs are not replicated.
- A
With Integrated Storage, all nodes can handle write requests
Why wrong: Only the leader (active node) handles writes; followers forward.
- B
In an HA cluster with Integrated Storage, only the active node can serve write requests
Standby nodes forward writes to the active node; only the active node handles writes.
- C
Performance standby nodes can serve read requests without forwarding
Performance standby nodes handle reads locally, reducing load on the active node.
- D
Performance Replication replicates mounts and auth methods but not policies
Policies are not replicated in Performance Replication; they must be manually configured on each cluster.
- E
Disaster Recovery Replication replicates everything including policies and audit logs
Why wrong: DR Replication replicates secrets, config, and policies, but audit logs are not replicated.
A Vault cluster has two nodes configured for HA. The active node becomes unresponsive, and the standby node takes over. However, clients cannot connect to the new active node. The firewall rules allow traffic on port 8200. What is the most likely issue?
Trap 1: The standby node cannot connect to the storage backend.
The active node must connect to storage, but client connections use the listener.
Trap 2: The original active node is tainted and blocking client requests.
A tainted node does not affect client connections to the new active.
Trap 3: The standby node is still sealed and cannot serve requests.
If the standby became active, it must be unsealed first.
- A
The standby node cannot connect to the storage backend.
Why wrong: The active node must connect to storage, but client connections use the listener.
- B
The TLS certificate on the standby node is not valid for the hostname clients are using.
TLS certificate mismatch causes connection failures.
- C
The original active node is tainted and blocking client requests.
Why wrong: A tainted node does not affect client connections to the new active.
- D
The standby node is still sealed and cannot serve requests.
Why wrong: If the standby became active, it must be unsealed first.
A Vault cluster configured with auto-unseal using AWS KMS is deployed across two availability zones. After a network partition, the standby node remains sealed while the active node is unsealed and serving requests. What is the most likely reason the standby cannot unseal?
Trap 1: The standby node is using the wrong AWS region configuration.
Configuration would have been correct before partition.
Trap 2: The active node consumed all available KMS API quota for the region.
KMS API quotas are rarely a limiting factor.
Trap 3: The cluster address on the standby is misconfigured.
Cluster address does not affect unseal.
- A
The standby node is using the wrong AWS region configuration.
Why wrong: Configuration would have been correct before partition.
- B
The active node consumed all available KMS API quota for the region.
Why wrong: KMS API quotas are rarely a limiting factor.
- C
The cluster address on the standby is misconfigured.
Why wrong: Cluster address does not affect unseal.
- D
The standby node cannot communicate with AWS KMS due to the network partition.
Auto-unseal requires network access to the seal provider.
Given the output from 'vault operator raft list-peers', which node(s) will become unavailable if node1 (leader) experiences a network partition away from all other nodes?
Exhibit
Refer to the exhibit. ``` $ vault operator raft list-peers Node Address State Voter ---- ------- ----- ----- node1 10.0.0.1:8201 leader true node2 10.0.0.2:8201 follower true node3 10.0.0.3:8201 follower true node4 10.0.0.4:8201 follower false node5 10.0.0.5:8201 follower false ```
Trap 1: All nodes become unavailable because node1 is the leader
The cluster can survive leader loss if quorum remains.
Trap 2: No nodes become unavailable; node1 remains leader but cannot serve…
If node1 is partitioned, it cannot communicate with the majority, so it will step down.
Trap 3: Node1, node4, and node5 become unavailable
Node4 and node5 are non-voters and not needed for quorum.
- A
Only node1 becomes unavailable; the cluster remains operational with a new leader from node2 or node3
Node1 is partitioned, but node2 and node3 (voters) can form quorum (2 out of 3) and elect a new leader.
- B
All nodes become unavailable because node1 is the leader
Why wrong: The cluster can survive leader loss if quorum remains.
- C
No nodes become unavailable; node1 remains leader but cannot serve writes
Why wrong: If node1 is partitioned, it cannot communicate with the majority, so it will step down.
- D
Node1, node4, and node5 become unavailable
Why wrong: Node4 and node5 are non-voters and not needed for quorum.
A security team is configuring Vault's seal mechanism. They want to ensure that in the event of a data center outage, the Vault cluster can be unsealed without human intervention, but still require approval from multiple administrators to rekey the master key. Which seal type should they use?
Trap 1: Shamir seals with auto-unseal using a cloud KMS.
Shamir seals require manual unseal.
Trap 2: HSM seal with a quorum of smart cards.
Still requires manual intervention.
Trap 3: Transit seal with a key that requires manual approval from a quorum…
Transit seal requires a running Vault to unseal.
- A
Shamir seals with auto-unseal using a cloud KMS.
Why wrong: Shamir seals require manual unseal.
- B
HSM seal with a quorum of smart cards.
Why wrong: Still requires manual intervention.
- C
Transit seal with a key that requires manual approval from a quorum of operators.
Why wrong: Transit seal requires a running Vault to unseal.
- D
Auto-unseal using AWS KMS with a key policy requiring multi-factor authentication for any key usage.
Auto-unseal with KMS allows automatic unseal and MFA for rekey.
A Vault administrator wants to minimize the impact of a single node failure in a three-node Raft cluster. Which TWO actions will help? (Choose two.)
Trap 1: Set `disable_clustering` to true.
Disabling clustering would prevent HA, increasing impact of a failure.
Trap 2: Use a load balancer to distribute client requests.
Load balancers improve client experience but do not affect cluster resilience.
Trap 3: Enable `performance_standby` on all nodes.
Performance standby nodes are for read scaling, not for handling node failures.
- A
Set `disable_clustering` to true.
Why wrong: Disabling clustering would prevent HA, increasing impact of a failure.
- B
Use a load balancer to distribute client requests.
Why wrong: Load balancers improve client experience but do not affect cluster resilience.
- C
Configure monitoring to detect and replace failed nodes quickly.
Proactive detection and replacement reduce the window of vulnerability.
- D
Enable `retry_join` on all nodes with addresses of peers.
Enables automatic rejoin after a node restarts.
- E
Enable `performance_standby` on all nodes.
Why wrong: Performance standby nodes are for read scaling, not for handling node failures.
A Vault administrator wants to ensure that all secrets are encrypted at rest and in transit. Which two configurations are necessary? (Choose two.)
Trap 1: Enable the `VAULT_ENCRYPT` environment variable on the Vault server.
No such environment variable.
Trap 2: Set the `encrypt` parameter on the audit device configuration.
Audit encryption is optional.
Trap 3: Configure a storage backend that supports encryption at rest, such…
Integrated Storage does not encrypt at rest without seal.
- A
Enable the `VAULT_ENCRYPT` environment variable on the Vault server.
Why wrong: No such environment variable.
- B
Enable TLS on all Vault listener configurations.
TLS encrypts data in transit.
- C
Use a seal that provides envelope encryption for the storage backend.
Seal encrypts data at rest.
- D
Set the `encrypt` parameter on the audit device configuration.
Why wrong: Audit encryption is optional.
- E
Configure a storage backend that supports encryption at rest, such as Integrated Storage.
Why wrong: Integrated Storage does not encrypt at rest without seal.
A company uses Vault to manage database credentials for its applications. The applications request a one-hour TTL for database secrets, but the database engine's default lease TTL is set to 24 hours. The Vault administrator wants to ensure that leases are revoked promptly after the applications finish using them, to minimize the window of exposure. Which approach best achieves this goal?
Trap 1: Set the default lease TTL on the database mount to 1 hour.
The default lease TTL applies to all secrets without a specific role TTL; but the role TTL overrides the default. Also, the default lease TTL is already 24h, but changing it to 1h would affect other roles that might need longer leases.
Trap 2: Increase the system's default lease TTL to 48 hours to give…
This would lengthen the lease duration, increasing the exposure window, which is the opposite of the goal.
Trap 3: Manually revoke leases after each application finishes using them.
Manual revocation is not scalable and prone to human error; automated TTL-based expiry is preferred.
- A
Set the default lease TTL on the database mount to 1 hour.
Why wrong: The default lease TTL applies to all secrets without a specific role TTL; but the role TTL overrides the default. Also, the default lease TTL is already 24h, but changing it to 1h would affect other roles that might need longer leases.
- B
Configure the database role with a TTL of 1 hour and an explicit max TTL of 2 hours.
This ensures each lease expires after 1 hour, and the explicit max TTL prevents any renewal beyond 2 hours, minimizing exposure.
- C
Increase the system's default lease TTL to 48 hours to give applications more flexibility.
Why wrong: This would lengthen the lease duration, increasing the exposure window, which is the opposite of the goal.
- D
Manually revoke leases after each application finishes using them.
Why wrong: Manual revocation is not scalable and prone to human error; automated TTL-based expiry is preferred.
A Vault operator runs `vault status` and sees the output above. The Vault cluster is in production and currently unresponsive to API requests. What is the most likely cause of the unresponsiveness?
Exhibit
Refer to the exhibit. ``` $ vault status Key Value --- ----- Seal Type shamir Initialized true Sealed true Total Shares 5 Threshold 3 Version 1.13.0 Storage Type raft Cluster Name vault-cluster-abc123 Cluster ID abc123-def456-ghi789 HA Enabled true HA Cluster https://vault-1:8201 HA Mode standby Active Node Address https://vault-2:8201 ```
Trap 1: The cluster is not initialized.
Initialized is true, so initialization is not the issue.
Trap 2: The cluster does not have HA enabled.
HA Enabled is true, so HA is enabled.
Trap 3: The cluster has no active leader.
Active Node Address shows vault-2, indicating an active leader exists.
- A
The cluster is not initialized.
Why wrong: Initialized is true, so initialization is not the issue.
- B
The cluster does not have HA enabled.
Why wrong: HA Enabled is true, so HA is enabled.
- C
The Vault cluster is sealed.
Sealed is true, meaning Vault cannot process requests until unsealed.
- D
The cluster has no active leader.
Why wrong: Active Node Address shows vault-2, indicating an active leader exists.
A company wants to use Vault's Key Management Secrets Engine (KMSE) to encrypt data stored in AWS S3. The security team requires that the encryption key used by Vault is never exposed to the application. Which Vault architecture component ensures that the encryption key remains within the Vault boundary and is not accessible to the application?
Trap 1: Vault's Cubbyhole Response Wrapping
Response wrapping secures secrets in transit, but does not prevent key exposure to the application.
Trap 2: Vault's Transit Secrets Engine
The Transit engine performs encryption/decryption but can expose the key if configured as exportable.
Trap 3: Vault's PKI Secrets Engine
PKI is for certificate management, not encryption key management.
- A
Vault's Cubbyhole Response Wrapping
Why wrong: Response wrapping secures secrets in transit, but does not prevent key exposure to the application.
- B
Vault's Key Management Secrets Engine (KMSE)
KMSE generates keys in an external KMS and uses them without exposing the key to clients.
- C
Vault's Transit Secrets Engine
Why wrong: The Transit engine performs encryption/decryption but can expose the key if configured as exportable.
- D
Vault's PKI Secrets Engine
Why wrong: PKI is for certificate management, not encryption key management.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.