HashiCorp Vault Associate VA-003 (VA-003) — Questions 451–514

514 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451
MCQ (easy)

A developer wants to encrypt data using Vault's transit engine but does not want to base64 encode the ciphertext after encryption. What is the recommended way to handle this?

A. The ciphertext is always base64 encoded, so the client must decode it after receiving
B. Use the `/transit/encrypt` endpoint with `base64=false`
C. Set the `plaintext` parameter to the raw bytes
D. Use the `ciphertext` parameter
E. Use the `plaintext` parameter directly without base64 encoding
Answer: A

Correct: output is always base64.

Why this answer

Option A is correct because the Vault Transit Secrets Engine always returns ciphertext as a base64-encoded string, regardless of whether the input plaintext was base64-encoded or raw. The API specification requires the client to decode the base64 ciphertext after receiving it if the original plaintext was raw bytes. There is no parameter to disable base64 encoding of the ciphertext output.

Exam trap

HashiCorp often tests the misconception that you can set a `base64=false` parameter to get raw ciphertext, but the Vault API strictly enforces base64 encoding on both input and output for the transit engine.

How to eliminate wrong answers

Option B is wrong because the `/transit/encrypt` endpoint does not support a `base64=false` parameter; the ciphertext is always base64-encoded by design. Option C is wrong because the `plaintext` parameter must be base64-encoded; passing raw bytes will cause an error or unexpected behavior. Option D is wrong because the `ciphertext` parameter is used for decryption, not encryption.

Option E is wrong because the `plaintext` parameter always expects base64-encoded input, not raw bytes.

452
MCQ (easy)

A startup wants to use Vault to manage MySQL database credentials for their development environment. They have a single MySQL database and require that each application gets unique, short-lived credentials that are automatically rotated. The operations team enabled the database secrets engine, configured the MySQL connection, and created a role with a TTL of 1 hour. However, when an application requests credentials using the role, Vault returns an error: 'No more available leases on this role'. The team checks the role's configuration and sees that the 'max_ttl' is set to 1 hour and 'default_ttl' is also 1 hour. What is the most likely cause of this error?

A. The database secrets engine is not enabled at the expected path; the role is pointing to a different engine.
B. The application is not using a valid token to authenticate to Vault, so the request is rejected.
C. The role has a 'max_leases' parameter set to a low value (e.g., 5) that has been exceeded. Increase the 'max_leases' on the role.
D. The TTL values are too short; applications are requesting new credentials too frequently and exhausting a hidden limit. Increase the TTL.
Answer: C

If the role limits concurrent leases, once exceeded, new requests are denied until some leases are revoked.

Why this answer

Option C is correct because the error 'No more available leases on this role' indicates that the role has a finite number of leases it can issue, controlled by the 'max_leases' parameter. When this limit is reached, Vault refuses to issue new credentials until existing leases expire or are revoked. The role's TTL and max_ttl being both 1 hour does not cause this error; rather, the exhaustion of the lease count does.

Exam trap

HashiCorp often tests the distinction between TTL-based limits and lease-count limits; the trap here is that candidates confuse 'max_ttl' (maximum duration of a lease) with 'max_leases' (maximum number of concurrent leases), leading them to incorrectly adjust TTL values instead of the lease count parameter.

How to eliminate wrong answers

Option A is wrong because if the secrets engine were not enabled at the expected path, the error would be something like 'path not found' or 'no handler for route', not a lease exhaustion error. Option B is wrong because an invalid token would result in a 'permission denied' or 'token not found' error, not a lease-specific error. Option D is wrong because increasing TTL would actually reduce the frequency of lease creation, not solve the exhaustion of a fixed lease count; the error is about a limit on the number of concurrent leases, not their duration.

453
MCQ (hard)

An organization uses Vault with AWS IAM auth. After rotating the AWS IAM role credentials, users are unable to authenticate with Vault. The Vault audit logs show 'permission denied' for the AWS auth method. What is the most likely cause?

A. The IAM role trust policy was not updated after credential rotation
B. The Vault token TTL expired
C. The client token used for AWS auth is revoked
D. The AWS secret engine is disabled
Answer: A

The trust policy must allow the new credentials to assume the role.

Why this answer

When AWS IAM role credentials are rotated, the trust policy attached to the IAM role must be updated to reflect the new credentials (access key and secret key) that Vault uses to call the AWS STS API. If the trust policy still references the old credentials, Vault's AWS auth method cannot validate the login request, resulting in a 'permission denied' error in the audit logs. This is the most likely cause because the rotation directly breaks the trust relationship between Vault and AWS.

Exam trap

HashiCorp often tests the misconception that credential rotation only affects the client's AWS credentials, not the trust relationship between Vault and AWS, leading candidates to incorrectly choose token-related options like B or C.

How to eliminate wrong answers

Option B is wrong because a Vault token TTL expiry would cause authentication failures for subsequent requests using that token, not for the initial AWS auth method login itself, and the audit log would show a different error (e.g., 'token expired'). Option C is wrong because the client token used for AWS auth is the temporary token returned by the AWS auth method after successful login; if it were revoked, the error would occur after authentication, not during the AWS auth method call. Option D is wrong because if the AWS secret engine were disabled, the audit log would show an 'engine disabled' or 'path not found' error, not a 'permission denied' error specific to the AWS auth method.

454
MCQ (hard)

A Vault cluster is sealed. An operator attempts to renew a lease but gets an error. What is the most likely error?

A. Vault is sealed
B. Upstream error
C. Permission denied
D. Lease not found
Answer: A

Vault returns an error indicating it is sealed when trying to perform operations.

Why this answer

When Vault is sealed, it cannot process any operations, including lease renewal. The error would indicate the sealed state.

455
Multi-Select (hard)

Which THREE architectural considerations are important when designing a multi-datacenter Vault deployment?

Select 3 answers
A. Use a single storage backend across datacenters
B. Deploy a single Vault cluster spanning datacenters
C. Use separate storage backends per datacenter
D. Enable Performance Replication for local reads
E. Enable Disaster Recovery Replication for failover
Answers: C, D, E

Ensures isolation and reduces latency.

Why this answer

Option C is correct because in a multi-datacenter Vault deployment, each datacenter must have its own independent storage backend to avoid a single point of failure and to ensure that a failure in one datacenter does not corrupt or disrupt the storage layer of another. Vault’s architecture requires that each cluster manages its own storage backend (e.g., Consul, Integrated Storage, or Raft) to maintain data isolation and consistency within that datacenter.

Exam trap

HashiCorp often tests the misconception that a single Vault cluster or storage backend can be stretched across datacenters, but the correct design requires separate clusters and storage backends per datacenter, with replication handling cross-datacenter data flow.

456
Multi-Select (medium)

Which THREE are appropriate use cases for Vault's Transit secrets engine?

Select 3 answers
A. Providing cryptographic offloading for applications running in untrusted environments
B. Generating and managing TLS certificates for internal services
C. Storing and retrieving static secrets like API keys
D. Performing signing and verification operations (e.g., for digital signatures)
E. Encrypting sensitive fields in a database without exposing encryption keys to the application
Answers: A, D, E

Transit allows secure crypto operations without exposing keys to the application.

Why this answer

Option A is correct because the Transit secrets engine performs encryption and decryption operations entirely on the server side, never exposing the encryption keys to the client. This allows applications running in untrusted environments to offload cryptographic processing securely, as the keys remain within Vault's encrypted storage and are never transmitted to or stored by the application.

Exam trap

HashiCorp often tests the distinction between Transit (encryption as a service) and other secrets engines like PKI (certificates) and KV (static secrets), so candidates mistakenly associate Transit with any cryptographic task, including certificate management or secret storage.

457
MCQ (hard)

A user receives 'permission denied' when running 'vault write secret/data/myapp value=123'. The user's token has a policy that includes 'path "secret/data/*" { capabilities = ["read", "list"] }'. What is the most likely cause?

A. The user is not authenticated.
B. The path requires create or update capability.
C. The secret engine is not mounted.
D. The token is expired.
Answer: B

B is correct: write requires create or update, but the policy only has read and list.

Why this answer

The user's policy grants only 'read' and 'list' capabilities on the path 'secret/data/*'. The 'vault write' command requires either 'create' or 'update' capability (or both) on the path. Since the policy lacks these capabilities, Vault returns a 'permission denied' error, even though the token is valid and the secret engine is mounted.

Exam trap

HashiCorp often tests the distinction between capabilities required for different operations (read/list vs. create/update/delete), leading candidates to assume that any valid token with any capabilities on the path can write, when in fact the policy must explicitly include 'create' or 'update'.

How to eliminate wrong answers

Option A is wrong because the user received a 'permission denied' error, not an 'authentication required' error; the token is present and valid, but lacks the necessary capabilities. Option C is wrong because if the secret engine were not mounted, the error would be 'no secret engine mounted at secret/' or 'path not found', not 'permission denied'. Option D is wrong because an expired token would return an 'invalid token' or 'token expired' error, not a 'permission denied' error.

458
MCQ (medium)

An organization uses AppRole with secret_id generation via the Vault API. Security policy requires that each secret_id can be used only once and must expire after 1 hour. Which configuration option should be set on the AppRole role to enforce this?

A. secret_id_num_uses=1
B. secret_id_num_uses=1, secret_id_ttl=1h
C. secret_id_ttl=1h
D. secret_id_num_uses=1, secret_id_ttl=60m
Answer: B

Both settings together ensure single use and expiry.

Why this answer

Option B is correct because the security policy requires both single-use (secret_id_num_uses=1) and a 1-hour expiration (secret_id_ttl=1h). In Vault's AppRole authentication, secret_id_num_uses controls how many times a secret_id can be used, and secret_id_ttl sets the time-to-live. Setting both ensures the secret_id is invalidated after one use or after one hour, whichever comes first, meeting the policy exactly.

Exam trap

HashiCorp often tests the requirement to combine both parameters when a policy mandates both single-use and TTL, leading candidates to pick a single-parameter option (A or C) or to confuse the TTL format (D) as the primary error.

How to eliminate wrong answers

Option A is wrong because it only sets secret_id_num_uses=1, which enforces single-use but does not enforce the 1-hour expiration, leaving the secret_id potentially valid indefinitely until used. Option C is wrong because it only sets secret_id_ttl=1h, which enforces expiration but does not limit the number of uses, allowing the secret_id to be reused multiple times within the hour. Option D is wrong only because it writes the TTL as '60m' instead of '1h'; the two values are functionally equivalent and Vault accepts both, but the question specifies '1 hour' and the exam expects the canonical '1h' form shown in the correct answer.

459
Multi-Select (medium)

Which TWO of the following are valid uses of the Vault API for managing leases? (Choose two.)

Select 2 answers
A. PUT /v1/sys/leases/revoke with body {"lease_id": "abc123"}
B. GET /v1/sys/leases/renew/abc123
C. POST /v1/sys/leases/renew/abc123
D. PUT /v1/sys/leases/renew with body {"lease_id": "abc123"}
E. GET /v1/sys/leases/revoke/abc123
Answers: A, D

Correct endpoint and method.

Why this answer

Option A is correct because the Vault API uses a PUT request to `/v1/sys/leases/revoke` with a JSON body containing the `lease_id` to revoke a specific lease. This is the standard method for lease revocation as documented in the Vault API specification. Option D is correct because renewing a lease also requires a PUT request to `/v1/sys/leases/renew` with the `lease_id` in the request body, matching the expected API pattern for state-changing operations.

Exam trap

HashiCorp often tests the distinction between using path parameters versus request body for lease IDs, and the requirement for PUT over GET for state-changing operations, leading candidates to mistakenly select GET endpoints or incorrect URL patterns.

460
Multi-Select (easy)

A Vault operator is crafting a policy for a new application. Which two of the following are valid capabilities in a Vault policy path statement? (Select two.)

Select 2 answers
A. modify
B. sudo
C. patch
D. encrypt
E. list
Answers: B, E

sudo is a valid capability that allows performing privileged operations.

Why this answer

The valid capabilities are sudo and list. Modify, patch, and encrypt are not standard Vault policy capabilities.

461
MCQ (medium)

A company uses Vault to issue tokens for short-lived tasks. They have configured a token role with 'period' set to 30 minutes and 'explicit_max_ttl' set to 24 hours. Tokens are created using the role and are expected to be renewed every 30 minutes by the tasks. However, after a few renewals, the Vault audit logs show that a token was renewed but then immediately expired. The task that was using the token failed. What is the most likely reason for this behavior?

A. The token reached its 'explicit_max_ttl' of 24 hours, and renewal is no longer possible.
B. The token was created by a root token and root tokens are not subject to periodic renewal.
C. The token was a batch token and batch tokens cannot be renewed at all.
D. The token was an orphan token and cannot be renewed more than a few times.
Answer: A

Correct: Periodic tokens cannot exceed explicit_max_ttl; after 24 hours, renewal fails and token expires.

Why this answer

Periodic tokens have a maximum TTL that cannot be exceeded. The 'period' defines how long the token lives before it needs renewal. When a token is renewed, the new TTL is set to the lesser of the period and the remaining time until the max TTL.

If the token reaches the maximum TTL, renewal will fail or the token will expire. Option A is correct because the explicit_max_ttl caps the total lifetime. Option D is incorrect because orphan status does not cause immediate expiry after renewal.

Option B is incorrect because root tokens bypass many controls but not necessarily max TTL. Option C is incorrect because batch tokens are not renewable by design.

462
MCQ (hard)

Refer to the exhibit. An application uses this policy to access Vault. The application is able to read database credentials from `database/creds/my-role`. However, attempts to list all roles at `database/roles/` fail. What is the most likely cause?

A. The path `database/roles/` is not a valid path for listing roles
B. The database secrets engine is not enabled
C. The policy does not allow the 'list' capability on the path `database/roles/`
D. The application needs the 'sudo' capability to list roles
Answer: C

The glob `database/roles/*` does not cover the exact path; need explicit `database/roles/` with list.

Why this answer

The policy grants 'read' capability on `database/creds/my-role` but does not include the 'list' capability on `database/roles/`. In Vault, listing requires an explicit 'list' capability in the policy, even if 'read' is allowed on sub-paths. Without 'list', the API call to `LIST database/roles/` returns a permission denied error.

Exam trap

HashiCorp often tests the distinction between 'read' and 'list' capabilities, trapping candidates who assume that read access on sub-paths implies the ability to list the parent path.

How to eliminate wrong answers

Option A is wrong because `database/roles/` is a valid path for listing roles when the database secrets engine is enabled; Vault uses a standard endpoint for listing. Option B is wrong because the application can read credentials from `database/creds/my-role`, which proves the database secrets engine is enabled and mounted. Option D is wrong because the 'sudo' capability is not required for listing roles; 'sudo' is used for privileged operations like modifying policies or enabling engines, not for standard listing.

463
MCQ (hard)

A Vault operator runs the command shown in the exhibit and wants to renew the lease before it expires. The operator has a valid token. What must be true for the renewal to succeed?

A. The operator must first revoke the lease and re-issue it to obtain a longer TTL.
B. The token's 'explicit_max_ttl' must be at least as long as the lease's remaining TTL.
C. The 'max_ttl' parameter in the database role must be increased to allow renewal.
D. The operator can renew the lease by running 'vault lease renew database/creds/my-role/abc123'.
Answer: D

Since the lease is renewable and the token is valid, a simple renew command will succeed and extend the lease.

Why this answer

Option D is correct because the lease is renewable (renewable: true) and the operator has a valid token, so simply calling 'vault lease renew' with the lease ID will succeed. Option B is wrong because the token's 'explicit_max_ttl' is not directly checked; the token must be valid and have appropriate permissions. Option C is wrong because there is no such parameter; the renewal is subject to the role's max TTL.

Option A is wrong because the lease's remaining TTL is not a limiting factor for a single renewal; the max TTL constraint is separate.

464
MCQ (hard)

A company requires that Vault data be continuously replicated from a primary data center to a secondary data center for disaster recovery. The secondary data center must be able to become writable in the event of a primary failure. Which Vault feature should they use?

A. Performance Replication
B. Consul as storage backend
C. Performance Standby
D. Disaster Recovery Replication
Answer: D

DR replication mirrors all data and allows promotion of the secondary cluster to primary for failover.

Why this answer

Disaster Recovery (DR) Replication is the correct choice because it provides asynchronous replication of Vault data (including configuration, policies, and secrets) from a primary cluster to a secondary cluster. In the event of a primary failure, the secondary cluster can be promoted to become writable, ensuring business continuity. This feature is specifically designed for disaster recovery scenarios where the secondary site must be able to take over write operations.

Exam trap

HashiCorp often tests the distinction between Performance Replication and Disaster Recovery Replication, where candidates mistakenly choose Performance Replication because they confuse read scaling with disaster recovery failover capabilities.

How to eliminate wrong answers

Option A is wrong because Performance Replication is designed for low-latency read scaling across geographically distributed clusters, but the secondary cluster remains read-only and cannot be promoted to writable in a disaster. Option B is wrong because Consul as a storage backend is a storage configuration, not a replication feature; it does not provide built-in continuous replication or failover to a writable secondary. Option C is wrong because Performance Standby nodes are read-only and intended to offload read requests from the active leader, not to serve as a writable disaster recovery target.

465
MCQ (medium)

The token was created 12 hours ago and has not been used yet. What will happen if the token is not used or renewed?

A. It can be renewed indefinitely if used
B. It will expire when the number of uses reaches 0
C. It will expire immediately because it was not used within 12 hours
D. It will expire in 12 hours
Answer: D

The current TTL is 12h, so without renewal, it expires in 12 hours.

Why this answer

Option D is correct because the ttl is 12h, so the token will expire in 12 hours. Option C is wrong because the token does not expire immediately after creation; it has a TTL. Option A is wrong because although renewable is true, it must be renewed before expiry.

Option B is wrong because num_uses is 5, but the token will still expire after TTL.

466
MCQ (hard)

An application uses a periodic token with period=24h. The application renews every 12h. After 48h, the token is still valid. After 72h, the token is still valid. What is the maximum lifetime of this periodic token?

A. Unlimited (as long as it keeps renewing)
B. 72h
C. 48h
D. 24h
Answer: A

Periodic tokens have no max TTL and can be renewed indefinitely.

Why this answer

Periodic tokens have no max TTL; they can be renewed indefinitely as long as renewal occurs within the period (24h). Thus, the token can last forever if renewed in time.

467
MCQ (easy)

A developer needs a token that can be used only 5 times and must expire after 24 hours, regardless of the number of uses. Which token creation method should be used to enforce these constraints?

A. Create a token directly with num_uses=5
B. Use a token role with num_uses=5 and ttl=24h
C. Create a token directly with ttl=24h
D. Create a periodic token with period set to 24h
Answer: B

Token roles allow explicit limits on both number of uses and time-to-live.

Why this answer

Option B is correct because token roles allow setting num_uses and ttl, which can be used together to enforce both limits. Option A is wrong because setting num_uses alone doesn't enforce a time limit.

Option C is wrong because setting ttl alone doesn't enforce a use limit.

468
Matching (medium)

Match each Vault response wrapping feature to its description.


Matches

Lifetime of the wrapping token

Single-use token to unwrap response

Token-scoped storage for wrapped data

Retrieve the original response

Why these pairings

These are key aspects of response wrapping.

469
MCQ (medium)

A developer has a policy that grants 'create' capability on path 'secret/data/team/*'. They successfully create a new secret using 'vault kv put secret/data/team/db', but when they try to update the same secret with new data, they get a permission denied error. What is the most likely cause?

A. The developer does not have the 'create' capability on the parent path.
B. The policy does not include the 'update' capability, which is required for modifying existing secrets.
C. The policy needs the 'list' capability on the path.
D. The developer's token lacks the 'sudo' capability for updates.
Answer: B

KV v2 requires separate 'update' capability for modifications.

Why this answer

Option B is correct because in KV v2, creating a new secret requires the 'create' capability, while updating an existing secret requires the 'update' capability. The policy only grants 'create', so updates fail. Option A is incorrect because the developer already created a secret.

Option C is incorrect; 'list' is not needed for updates. Option D is incorrect; 'sudo' is not required.

470
MCQ (hard)

After rotating the 'payment-key', Vault successfully decrypts data encrypted with the old key (v1). What is the most likely reason the decryption succeeded?

A. The old key version is retained and used for decryption when the ciphertext references that version.
B. The old key version is automatically deleted after rotation, but the ciphertext contains the key version and is decrypted by the new key.
C. The ciphertext contains the original plaintext, so decryption simply extracts it.
D. The plaintext is stored in Vault during encryption, so decryption retrieves the stored plaintext.
Answer: A

Vault retains old key versions for decryption, and the ciphertext includes the version identifier, allowing decryption with the appropriate key.

Why this answer

A is correct because Vault uses key versioning: when a key is rotated, the old key version (v1) is retained for decryption purposes. The ciphertext includes metadata referencing the key version used for encryption, so Vault automatically selects the correct old key version to decrypt data encrypted before rotation. This ensures backward compatibility without re-encrypting existing data.

Exam trap

HashiCorp often tests the misconception that key rotation invalidates old ciphertext, but the trap here is that candidates assume the old key is deleted or replaced, when in fact Vault retains it for decryption based on ciphertext metadata.

How to eliminate wrong answers

Option B is wrong because Vault does not automatically delete the old key version after rotation; it retains it for decryption, and the new key cannot decrypt data encrypted with the old key due to different cryptographic material. Option C is wrong because ciphertext does not contain the original plaintext; it contains encrypted data that requires the correct key and algorithm to decrypt. Option D is wrong because Vault does not store plaintext during encryption; it only stores ciphertext and metadata, and decryption is a cryptographic operation, not a retrieval of stored plaintext.

471
Multi-Select (hard)

Which TWO of the following are valid ways to authenticate to Vault?

Select 2 answers
A. SAML 2.0
B. GitHub personal access token
C. Kubernetes auth
D. LDAP authentication
E. AWS EC2 instance metadata
Answers: C, D

Kubernetes auth is a built-in auth method.

Why this answer

Kubernetes auth is a valid Vault authentication method that allows Kubernetes service accounts to authenticate to Vault using a JSON Web Token (JWT) and a service account token. It is a first-class auth method in Vault, designed for dynamic, short-lived credentials in containerized environments.

Exam trap

HashiCorp often tests the distinction between 'auth methods' and 'login mechanisms' — candidates confuse external identity provider integrations (like SAML) with native Vault auth methods, or assume any cloud metadata can be used directly for authentication.

472
MCQ (hard)

A Vault policy includes the following statement: path "secret/data/+/app" { capabilities = ["read"] }. Which paths would match this policy? (Assume KV v2)

A. secret/data/team-a/app/db
B. secret/data/team-a/team-b/app
C. secret/data/app
D. secret/data/team-a/app
Answer: D

Team-a is one segment, matching the +.

Why this answer

Option D is correct. The '+' glob matches exactly one path segment, so 'secret/data/team-a/app' has exactly one segment between 'data/' and '/app' and matches.

Option B has two segments, so no match. Option C has no segment. Option A has an additional segment after app, so no match.

473
MCQ (medium)

Refer to the exhibit. A user with this policy can successfully read credentials but cannot renew the lease. What is the missing capability?

A. 'list' on sys/leases/.
B. 'renew' on the secret path.
C. 'sudo' on sys/leases/.
D. 'update' on sys/leases/renew.
Answer: D

This capability is required to perform lease renewal.

Why this answer

The user can read credentials but cannot renew the lease because the policy grants 'read' and 'list' capabilities on the secret path, but renewing a lease requires the 'update' capability on the 'sys/leases/renew' endpoint. This endpoint is used to extend the lifetime of a lease, and without 'update' access, the renewal request is denied.

Exam trap

HashiCorp often tests the distinction between capabilities on the secret path versus the system lease path, leading candidates to mistakenly think 'read' or 'list' on the secret path is sufficient for renewal.

How to eliminate wrong answers

Option A is wrong because 'list' on 'sys/leases/' allows listing active leases but does not grant the ability to renew a specific lease; renewal requires a different endpoint and capability. Option B is wrong because 'renew' is not a valid capability in Vault's policy language; capabilities are 'create', 'read', 'update', 'delete', 'list', and 'sudo', and the renewal action is mapped to 'update' on the 'sys/leases/renew' path. Option C is wrong because 'sudo' on 'sys/leases/' provides elevated privileges for certain operations but does not specifically grant the 'update' capability needed for lease renewal; 'sudo' is a modifier that bypasses ACL checks but still requires the appropriate capability on the endpoint.

474
MCQ (medium)

A Vault administrator is troubleshooting an issue where after a network outage, the Vault cluster is sealed and cannot be unsealed. The cluster has 5 nodes using Integrated Storage. The administrator runs `vault status` on each node and receives 'sealed' response. The administrator suspects that the cluster lost quorum during the outage. The administrator checks the Raft configuration and finds that there are 3 voter nodes and 2 non-voter nodes. Which action should the administrator take to recover the cluster?

A. Manually unseal all nodes simultaneously.
B. Use `vault operator raft remove-peer` to remove the non-voter nodes.
C. Use `vault operator raft recover` on one of the non-voter nodes.
D. Use `vault operator raft recover` on a voter node to create a new cluster.
Answer: D

Raft recover on a voter node restores quorum.

Why this answer

When a Vault cluster with Integrated Storage loses quorum (more than half of voter nodes are unavailable), the cluster cannot unseal because Raft requires a quorum of voters to elect a leader and process operations. Since all 5 nodes are sealed and the cluster has 3 voters, the outage likely caused the loss of at least 2 voters, breaking quorum. The correct recovery procedure is to use `vault operator raft recover` on a voter node, which creates a new single-node cluster with the existing data, allowing the administrator to then unseal and rejoin other nodes.

Exam trap

HashiCorp often tests the distinction between voter and non-voter roles in Raft; the trap here is assuming that any node can be used for recovery, when in fact only a voter node can bootstrap a new cluster because non-voters lack the quorum-critical state.

How to eliminate wrong answers

Option A is wrong because manually unsealing all nodes simultaneously does not restore Raft quorum; the cluster still lacks a leader and cannot process operations. Option B is wrong because `vault operator raft remove-peer` is used to remove a peer from the Raft configuration when the node is unreachable but quorum still exists; here quorum is lost, so the command will fail or be ineffective. Option C is wrong because `vault operator raft recover` must be run on a voter node, not a non-voter; non-voters do not participate in quorum and cannot bootstrap a new cluster.

475
MCQ · hard

An organization uses the AWS secrets engine to generate IAM users for each application. They want to ensure that if a Vault server is compromised, the attacker cannot use the AWS secrets engine configuration to gain access to the AWS account. Which additional security measure should be implemented?

A. Enable Vault's seal wrapping to encrypt the engine configuration
B. Store the AWS access key used by the engine in a separate Vault instance
C. Use a dedicated Vault server for the AWS engine
D. Use a non-root IAM user with minimal privileges for the engine and restrict the engine's role policies to the minimum needed
Answer: D

This limits what the attacker can do with the engine's credentials.

Why this answer

Option D is correct because the core principle of least privilege ensures that even if the Vault server is compromised, the attacker can only perform actions allowed by the minimal IAM policy attached to the non-root user. This limits the blast radius, preventing the attacker from gaining full administrative access to the AWS account. The AWS secrets engine uses the configured IAM credentials to create temporary IAM users, so restricting those credentials to only the necessary permissions is the most effective mitigation.

Exam trap

HashiCorp often tests the misconception that encryption or isolation (seal wrapping, separate instances) is sufficient to protect against credential abuse, when in reality the underlying IAM permissions are the critical control.

How to eliminate wrong answers

Option A is wrong because seal wrapping encrypts the engine configuration at rest and in transit, but it does not limit the permissions of the underlying AWS credentials; if the Vault server is compromised, the attacker can still use the decrypted credentials to perform any action allowed by the IAM policy. Option B is wrong because storing the AWS access key in a separate Vault instance does not prevent an attacker who compromises the primary Vault server from using the engine's configuration to call the AWS API; the attacker would still have access to the credentials via the engine's storage backend. Option C is wrong because using a dedicated Vault server for the AWS engine does not reduce the risk; if that dedicated server is compromised, the attacker still has full access to the AWS credentials configured in the engine.

476
MCQ · hard

A Vault cluster has several policies. One policy, "app-policy", contains: path "secret/data/app/*" { capabilities = ["create", "update"] }. Another policy, "admin-policy", includes: path "secret/data/app/db" { capabilities = ["deny"] }. A token is attached with both policies. Can the token write to "secret/data/app/db"?

A. No, because the paths conflict.
B. No, because deny takes precedence over allow.
C. Yes, because policies are additive.
D. Yes, because the first policy allows create/update.
Answer: B

Deny always takes precedence, so the token cannot write to that path.

Why this answer

Option B is correct. In Vault, deny statements override any other capabilities regardless of policy ordering. Therefore, the explicit deny on the specific path prevents the write, even though the first policy allows create/update.

477
MCQ · easy

An engineer wants to list all tokens associated with a specific token accessor. Which API endpoint should be used?

A. auth/token/lookup-accessor
B. auth/token/accessors/
C. auth/token/lookup
D. auth/token/list
Answer: A

This returns token details for the given accessor.

Why this answer

The endpoint auth/token/lookup-accessor returns token information including the token's properties and policies, but not the token value. It can be used to look up token details by accessor. Option A is wrong because auth/token/lookup looks up by token value.

Option C is wrong because auth/token/list lists accessors, not lookup by accessor. Option D is wrong because auth/token/accessors/ is not a valid path.

478
MCQ · hard

A company uses HashiCorp Vault in production to manage secrets for its microservices. One microservice, 'order-svc', authenticates via AppRole and receives a service token with a TTL of 24 hours and a max TTL of 48 hours. Over the past few days, operations teams report that 'order-svc' fails to renew its token after approximately 23 hours, causing authentication failures. The token lookup shows the token is still alive with about 1 hour of TTL remaining, but renewal attempts return a 'permission denied' error. The Vault audit logs show the renewal request is reaching Vault and being denied. The token's policies include 'path "auth/token/renew-self" { capabilities = ["update"] }'. The token was created with the default options. What is the most likely cause of this failure?

A. The token's parent token has been revoked, making it an orphan
B. The token is a batch token and cannot be renewed
C. The token has already been renewed up to its max TTL, so further renewal would exceed the max
D. The token's num_uses has reached zero
Answer: C

The max TTL of 48 hours has been nearly reached after multiple renewals, so the next renewal is denied.

Why this answer

Option A is correct. The token's explicit max TTL is 48 hours, and the token was created 23 hours ago, so the remaining max TTL is 25 hours. A renewal extends the TTL by the requested increment, but the token's lifetime can never exceed its max TTL.

If the token was renewed multiple times already, it may have consumed most of the max TTL, and the last renewal attempt would push it above the max, resulting in a permission denied error. The error 'permission denied' indicates the token's capabilities are not sufficient or the operation is not allowed due to max TTL constraints. Option B is wrong because the token is not a batch token (it's service).

Option C is wrong because num_uses=0 means unlimited uses. Option D is wrong because the token is not orphan.

479
MCQ · easy

A junior administrator is writing a shell script that will be used by other team members to retrieve static secrets from Vault. The secrets are stored in the KV v2 secrets engine mounted at `secret/`. One particular secret, `credentials`, is located under the path `secret/data/credentials`. The administrator has already authenticated using the Vault CLI with a token that has read access specifically to that path. The environment variables `VAULT_ADDR` and `VAULT_TOKEN` are set correctly to point to the Vault server at `https://vault.example.com:8200` and the valid token. The script needs to run the correct command to retrieve the secret and output its key-value pairs for use by an application. Which command should the administrator include in the script?

A. vault kv get secret/data/credentials
B. vault read secret/data/credentials
C. vault read secret/credentials
D. vault kv get secret/credentials
Answer: D

Correct command; the CLI abstracts the /data/ prefix for KV v2 engines.

Why this answer

Option C is correct because `vault kv get secret/credentials` is the standard CLI command for retrieving secrets from a KV v2 engine. It automatically maps to the API path `secret/data/credentials`. Option A uses `vault read` with an incomplete path.

Option B is technically valid but not the idiomatic CLI command; the exam expects `vault kv get`. Option D appends an extra `/data/` resulting in a non-existent path.

480
Multi-Select · easy

A policy must allow a user to write a new version of an existing secret in a KV v2 secrets engine. Which TWO capabilities are required on the 'data/' path?

Select 2 answers
A. delete
B. list
C. read
D. update
E. create
Answers: D, E

C is needed to overwrite an existing secret.

Why this answer

To write a new version of an existing secret in a KV v2 secrets engine, the user needs the 'update' capability on the 'data/' path. This is because the KV v2 API uses a POST/PATCH request to the 'data/' endpoint to create a new version of an existing secret, and the 'update' capability grants permission to modify existing data. The 'create' capability is also required because if the secret does not exist, the same endpoint call will create it, and the policy must allow both creation and update for a seamless write operation.

Exam trap

HashiCorp often tests the misconception that 'write' is a separate capability in KV v2, but in reality, writing a new version requires both 'create' and 'update' because the same API call handles both new and existing secrets.

481
MCQ · easy

A DevOps engineer creates the configuration above. After testing, they notice that the generated database credentials are not being revoked after the TTL expires. What is the most likely cause?

A. The creation_statements do not include the REVOKE command
B. The role definition has a syntax error in the creation_statements
C. The database configuration uses a connection_url with template variables but provides static admin credentials, not root rotation
D. The secrets engine is enabled at a path other than 'database/'
Answer: C

Without root credentials rotation, Vault cannot revoke dynamically created users because it uses the same admin credentials to manage them. The root credentials should be rotated first.

Why this answer

Option C is correct because the database secrets engine requires root credential rotation to enable automatic revocation of generated credentials. When the `connection_url` uses template variables like `{{username}}` and `{{password}}` but the admin credentials are static (not rotated via `rotate_root`), Vault cannot track the actual root password. Without root rotation, Vault lacks the ability to execute `REVOKE` commands after TTL expiry because it cannot authenticate to the database with the current root credentials to perform cleanup.

Exam trap

HashiCorp often tests the misconception that `creation_statements` control both creation and revocation, or that the secrets engine path affects functionality, when the real issue is the missing root rotation step that enables Vault to maintain a valid admin session for cleanup operations.

How to eliminate wrong answers

Option A is wrong because the `creation_statements` are used to create the database user, not to revoke it; revocation is handled by the `revocation_statements` field in the role definition, and the absence of `REVOKE` in `creation_statements` is irrelevant. Option B is wrong because a syntax error in `creation_statements` would cause the role to fail at user creation, not silently fail to revoke credentials after TTL expiry. Option D is wrong because the secrets engine path does not affect credential revocation behavior; Vault can manage revocation regardless of the mount path as long as the engine is properly configured.

482
Multi-Select · medium

Which TWO of the following are valid use cases for the Transit secrets engine? (Select exactly 2.)

Select 2 answers
A. Signing and verifying data
B. Encrypting data in transit without exposing the encryption key
C. Storing encryption keys
D. Storing encrypted data at rest
E. Managing X.509 certificates
Answers: A, B

Transit supports signing and verification operations.

Why this answer

The Transit secrets engine is designed to perform cryptographic operations on data without exposing the encryption keys to the client. Option A is correct because the engine supports signing and verifying data using HMAC or asymmetric keys, allowing clients to verify integrity and authenticity without handling the private key. Option B is correct because the engine can encrypt data in transit (e.g., via API calls) while the encryption key remains securely stored within Vault, never leaving the server.

Exam trap

HashiCorp often tests the distinction between 'performing cryptographic operations' (Transit) and 'storing secrets or keys' (KV), so the trap here is that candidates confuse the Transit engine's ability to store keys internally with the use case of storing keys for external retrieval.

483
MCQ · medium

A security team wants to issue tokens that can be used for exactly 10 API calls, after which they must be renewed. Which two token parameters should be set on the token role?

A. period and num_uses
B. ttl and renewable
C. ttl and num_uses
D. num_uses and renewable
Answer: D

num_uses limits the uses, and renewable allows renewal after the limit is reached.

Why this answer

Option D is correct: num_uses=10 restricts to 10 uses, and renewable=true allows renewal after the uses are exhausted (if the user requests renewal before the token expires). Option A is wrong because period is for periodic tokens, not for limited use. Option B is wrong because ttl alone does not limit uses.

Option C is wrong because ttl and num_uses together would not allow renewal after uses exhausted without renewable being true.

484
MCQ · easy

An admin needs to store a configuration value that is unique to each Vault client and must not be shared. Which secrets engine should they use?

A. Cubbyhole
B. AWS
C. KV v2 at a client-specific path
D. Transit
Answer: A

Cubbyhole provides per-token isolated storage.

Why this answer

The Cubbyhole secrets engine creates a private, ephemeral storage space that is scoped to the requesting token. Each token gets its own isolated cubbyhole, and no other client or token can read or write to it, even with root privileges. This makes it the only built-in engine that guarantees a configuration value is unique to each Vault client and cannot be shared.

Exam trap

HashiCorp often tests the misconception that KV v2 with strict ACLs provides the same isolation as Cubbyhole, but the trap is that KV v2 is path-based and policy-dependent, whereas Cubbyhole is inherently token-scoped and cannot be accessed by any other token, even with root privileges.

How to eliminate wrong answers

Option B is wrong because the AWS secrets engine is designed to generate dynamic AWS IAM credentials or manage static AWS secrets, and it has no concept of per-client isolation — any client with the correct policy can access the same path. Option C is wrong because KV v2 at a client-specific path relies on ACL policies to restrict access, but it does not enforce token-scoped isolation; a misconfigured policy or a token with broader permissions could read another client's path, and the data persists even after the token expires. Option D is wrong because the Transit engine handles encryption and decryption operations (e.g., encrypting data in transit or at rest) and does not store configuration values at all; it is a cryptographic operations engine, not a storage engine.

485
MCQ · hard

A security policy requires that encryption keys used in transit must never leave Vault's memory. However, development teams need to perform encryption offline in CI/CD pipelines. How can this be accomplished?

A. Use exportable keys and export them
B. Use Vault's transit encrypt with context
C. Use Vault's ciphertext rewrap
D. Use Vault's datakey endpoint to get a wrapped key that can be unwrapped offline
E. It is not possible; keys must stay in Vault
Answer: D

The datakey response includes a ciphertext that can be decrypted later to retrieve the data key for local encryption.

Why this answer

Option D is correct because Vault's `datakey` endpoint generates a data encryption key (DEK) that is wrapped by a Vault-managed key. The wrapped DEK can be safely stored and used offline in CI/CD pipelines, while the unwrapped key material never leaves Vault's memory — the DEK is unwrapped only when needed, and the wrapping key remains in Vault. This satisfies the policy requirement that encryption keys used in transit must never leave Vault's memory, as the DEK itself is not a transit key but a data key that can be used offline.

Exam trap

The trap here is that candidates may think offline encryption is impossible if keys cannot leave Vault, but Vault's datakey endpoint provides a wrapped key that can be used offline without exposing the underlying transit key.

How to eliminate wrong answers

Option A is wrong because exportable keys would allow the raw key material to leave Vault's memory, directly violating the security policy. Option B is wrong because Vault's transit encrypt with context only encrypts data within Vault's memory; it does not provide a wrapped key for offline use in CI/CD pipelines. Option C is wrong because ciphertext rewrap is used to rotate encryption keys without decrypting data, not to provide offline encryption capabilities.

Option E is wrong because Vault's datakey endpoint provides a mechanism to achieve offline encryption while keeping the wrapping key secure in Vault.

486
MCQ · medium

This Vault agent configuration section is incomplete. What is missing for the AWS auto-auth method to function correctly?

A. The configuration needs a 'region' parameter
B. The role name 'my-role' is invalid
C. The method type should be 'iam' instead of 'aws'
D. AWS credentials must be provided via environment variables or instance metadata
Answer: D

Vault's AWS auth method requires AWS credentials to authenticate to the AWS API.

Why this answer

Option D is correct because the AWS auth method in Vault requires valid AWS credentials to authenticate against AWS STS. These credentials can be provided via environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY) or automatically retrieved from instance metadata when running on an EC2 instance. Without them, Vault cannot sign the STS request to verify the caller's identity, causing authentication to fail.

Exam trap

HashiCorp often tests the misconception that the AWS auth method requires explicit IAM credentials in the Vault configuration file, when in fact credentials are provided by the client at authentication time, not stored in the server configuration.

How to eliminate wrong answers

Option A is wrong because the 'region' parameter is optional for the AWS auth method; Vault can infer the region from the instance metadata or environment variable AWS_DEFAULT_REGION. Option B is wrong because 'my-role' is a valid role name; the role name is arbitrary and does not need to match any AWS resource name. Option C is wrong because 'aws' is the correct method type for the AWS auth method; 'iam' is not a valid Vault auth method type—the AWS auth method uses IAM principals internally but is configured as type 'aws'.

487
MCQ · easy

A Vault cluster uses Consul for HA. After a brief network partition, a standby node loses contact with the active node. What does the standby node do after a timeout?

A. It becomes the active node.
B. It seals itself.
C. It continues to serve requests.
D. It replicates data from the storage backend.
Answer: B

Standby nodes seal themselves after losing contact with the active node to maintain data consistency.

Why this answer

In a Vault cluster using Consul for high availability, only the active node serves requests. When a standby node loses contact with the active node due to a network partition, it cannot verify the active node's health or its own leadership status. After a configurable timeout (default 10 seconds), the standby node seals itself to prevent serving stale or inconsistent data, ensuring data integrity and security.

Exam trap

The trap here is that candidates assume a standby node will automatically take over as active during a partition, but Vault prioritizes safety over availability by sealing the standby to avoid split-brain scenarios.

How to eliminate wrong answers

Option A is wrong because Vault uses a leader election mechanism via Consul; a standby node cannot become active without confirming the previous active node is down, and during a network partition it cannot safely assume leadership. Option C is wrong because only the active node serves client requests; standby nodes are passive and do not handle any API or unseal operations. Option D is wrong because replication from the storage backend is a background process handled by the active node; standby nodes do not initiate replication and sealing halts all operations, including replication.

488
MCQ · medium

A Vault cluster uses performance replication. A performance standby node is not responding to read requests. What is the most likely cause?

A. Performance replication is not configured on this cluster.
B. The firewall is blocking inbound traffic to the standby node.
C. The performance standby node is sealed.
D. The performance standby node cannot connect to the primary for writes.
Answer: A

Without replication, a standby cannot serve read requests.

Why this answer

Performance replication must be explicitly configured on a Vault cluster to enable performance standby nodes. If performance replication is not configured, the cluster cannot have performance standby nodes that serve read requests, so the node would not respond to reads. This is the most likely cause because the question states the cluster 'uses performance replication' but the node is not responding, implying the configuration is missing or incorrect.

Exam trap

HashiCorp often tests the misconception that performance standby nodes are automatically available in any replicated setup, but they require explicit configuration of performance replication, not just standard replication or DR replication.

How to eliminate wrong answers

Option B is wrong because a firewall blocking inbound traffic would prevent all requests to the standby node, not just read requests, and the question specifies only read requests are failing. Option C is wrong because if the performance standby node were sealed, it would not respond to any requests (reads or writes), and the question only mentions read requests failing. Option D is wrong because performance standby nodes do not handle writes; they only serve read requests from the primary's replicated data, so an inability to connect to the primary for writes is irrelevant to read request failures.

489
MCQ · medium

Refer to the exhibit. What seal mechanism is configured for this Vault instance?

A. AWS KMS auto-unseal
B. HSM seal via PKCS#11
C. Shamir seal with default shares
D. No seal; Vault is in insecure mode
Answer: A

The seal block specifies AWS KMS.

Why this answer

The exhibit shows a Vault instance configured with `seal "awskms"` and a `region` and `kms_key_id` specified. This indicates that AWS KMS is used as the auto-unseal mechanism, where Vault delegates the unsealing process to AWS Key Management Service, eliminating the need for manual Shamir key shares.

Exam trap

HashiCorp often tests the distinction between default Shamir sealing and external auto-unseal mechanisms; the trap here is that candidates see a Vault configuration and assume it uses the default Shamir seal, missing the explicit `seal "awskms"` directive that overrides it.

How to eliminate wrong answers

Option B is wrong because HSM seal via PKCS#11 requires a hardware security module and configuration with `seal "pkcs11"`, not the `awskms` seal shown in the exhibit. Option C is wrong because Shamir seal with default shares is the default seal mechanism when no external seal is configured, but the exhibit explicitly shows `seal "awskms"`, overriding the default. Option D is wrong because Vault never runs in an insecure mode; it always requires a seal mechanism, and the exhibit confirms a seal is configured.

490
MCQ · medium

Refer to the exhibit. What is the purpose of the -field=ciphertext flag in this command?

A. It sets the ciphertext field for encryption.
B. It enables field-level encryption.
C. It specifies the encryption key name.
D. It outputs the command result to a file named ciphertext.
E. It instructs Vault to only return the ciphertext field from the response.
Answer: E

This is the correct behavior of the -field flag.

Why this answer

The `-field=ciphertext` flag in a Vault command instructs the CLI to extract and return only the value of the `ciphertext` key from the JSON response object. This is a standard Vault output filtering mechanism that allows users to isolate a specific field without parsing the full response, which is especially useful in scripting and automation.

Exam trap

HashiCorp often tests the distinction between output filtering (`-field`) and actual encryption configuration, leading candidates to confuse the flag with setting encryption parameters or enabling field-level encryption.

How to eliminate wrong answers

Option A is wrong because the flag does not set or configure the ciphertext field for encryption; it filters the output to show only that field. Option B is wrong because field-level encryption is a separate concept involving encrypting individual data fields within a record, not a CLI output filter. Option C is wrong because the encryption key name is specified via a different parameter (e.g., `-key` or `key_name`), not the `-field` flag.

Option D is wrong because the `-field` flag does not redirect output to a file; file output is achieved with shell redirection (`>`) or the `-output` flag.

491
MCQ · easy

A security engineer wants to ensure that all requests to Vault are logged for compliance. Which component must be configured?

A. Secrets Engine
B. Storage Backend
C. Audit Device
D. Auth Method
Answer: C

Logs all requests to Vault.

Why this answer

An audit device is the Vault component responsible for logging all requests and responses to a specified destination (e.g., syslog, file, socket). It must be enabled and configured to meet compliance requirements for recording every interaction with Vault. Without an audit device, Vault does not generate any persistent logs of API calls.

Exam trap

HashiCorp often tests the distinction between components that perform actions (secrets engines, auth methods) versus components that record actions (audit devices), leading candidates to confuse a functional component with a logging component.

How to eliminate wrong answers

Option A is wrong because a secrets engine (e.g., KV, AWS, database) manages the lifecycle of secrets but does not log requests; it is a target for operations, not a logging mechanism. Option B is wrong because a storage backend (e.g., Consul, Raft, file) persists Vault's encrypted data and configuration but does not capture request/response audit trails. Option D is wrong because an auth method (e.g., token, LDAP, OIDC) authenticates users or machines but does not produce compliance logs of subsequent Vault operations.

492
Multi-Select · medium

Which THREE are required for Vault to encrypt data at rest? (Choose three.)

Select 3 answers
A. Audit device
B. Barrier encryption key
C. Storage backend
D. Seal mechanism
E. Authentication method
Answers: B, C, D

The key used to encrypt and decrypt data stored in the backend.

Why this answer

The barrier encryption key is the master key used to encrypt and decrypt the Vault data encryption key (DEK), which in turn encrypts all data written to the storage backend. Without this key, Vault cannot protect data at rest because the DEK would be stored in plaintext. It is a fundamental component of Vault's security architecture, ensuring that even if the storage backend is compromised, the data remains encrypted.

Exam trap

HashiCorp often tests the misconception that authentication methods or audit devices are involved in data encryption at rest, when in fact they serve orthogonal purposes (identity verification and logging, respectively) and are not part of the encryption pipeline.

493
MCQ · easy

An administrator wants to write a secret 'myapp' with value 'password=pass123' to the KV v2 secret engine mounted at 'secret/'. Which command should they use?

A. vault kv write secret/myapp password=pass123
B. vault kv create secret/myapp password=pass123
C. vault kv put secret/myapp password=pass123
D. vault write secret/myapp password=pass123
Answer: C

This is the correct syntax for KV v2 put.

Why this answer

Option C is correct because `vault kv put` is the proper command to write or update a secret in the KV v2 secrets engine. The KV v2 engine requires the `put` subcommand to create or overwrite a secret at the specified path, and the syntax `vault kv put secret/myapp password=pass123` correctly writes the key-value pair to the path `secret/myapp` under the mounted engine at `secret/`.

Exam trap

HashiCorp often tests the distinction between KV v1 (`vault write`) and KV v2 (`vault kv put`) commands, and the trap here is that candidates mistakenly use the generic `vault write` command (which works for KV v1 but not for KV v2) or invent non-existent subcommands like `write` or `create` under `vault kv`.

How to eliminate wrong answers

Option A is wrong because `vault kv write` is not a valid subcommand; the KV v2 engine uses `put` for writing secrets, not `write`. Option B is wrong because `vault kv create` is not a valid subcommand; the KV v2 engine does not have a `create` subcommand—secrets are written with `put` and optionally checked for existence with `get` or `metadata`. Option D is wrong because `vault write` targets the generic Vault API endpoint (used for KV v1 or other backends) and does not use the KV v2-specific subcommand structure; for KV v2, the correct CLI approach is `vault kv put`.

494
MCQ · hard

A team has set up automatic key rotation on a transit key. After rotation, encrypted data that was encrypted with the previous key version can no longer be decrypted. What is the most likely cause?

A. The key was deleted
B. The key's min_decryption_version is set too high
C. The key's min_encryption_version is set too high
D. The team used the 'rewrap' operation incorrectly
E. The key is not exportable
Answer: B

If min_decryption_version is higher than the version used for encryption, decryption requests are rejected.

Why this answer

Option B is correct because the `min_decryption_version` setting on a key in a key management system (such as AWS KMS or GCP Cloud KMS) controls the minimum key version that can be used to decrypt ciphertext. If this value is set too high (e.g., to the current version), older key versions are effectively disabled for decryption, causing any data encrypted with a previous key version to become undecryptable. This is a common misconfiguration when automating key rotation without properly managing version policies.

Exam trap

HashiCorp often tests the distinction between `min_encryption_version` and `min_decryption_version`, trapping candidates who confuse the two or assume that key rotation automatically invalidates old decryption capabilities.

How to eliminate wrong answers

Option A is wrong because deleting the key would make all data encrypted with any version of that key permanently undecryptable, not just data encrypted with the previous version. Option C is wrong because `min_encryption_version` controls which key version can be used for new encryption operations, not decryption of existing ciphertext. Option D is wrong because the `rewrap` operation (e.g., `ReEncrypt` in AWS KMS) is used to re-encrypt data under a new key version without exposing plaintext; using it incorrectly would not cause decryption failures for data encrypted with the previous version.

Option E is wrong because the exportability of a key affects whether the key material can be exported from the service, not whether ciphertext can be decrypted using the key versions stored within the service.

495
MCQ · medium

Refer to the exhibit. After executing these commands, what is the expected behavior?

A. The key is automatically rotated every 30 days
B. The ciphertext is base64 encoded, and the plaintext is base64 decoded automatically
C. The decryption command requires the key version to be specified
D. The encryption operation will fail because the key type 'aes256-gcm96' is incorrect
Answer: B

Transit expects base64-encoded inputs and outputs base64-encoded results.

Why this answer

Option B is correct because the Vault transit secrets engine, when configured with `auto_decode` enabled, automatically base64-decodes the ciphertext returned from encryption operations and base64-encodes plaintext before decryption. The command `vault write -f transit/keys/my-key/encrypt/orders` with the `auto_decode` parameter set to `true` ensures that the output ciphertext is base64-encoded for safe transport, and the corresponding decryption operation will automatically base64-decode the input ciphertext before processing.

Exam trap

HashiCorp often tests the misconception that transit key rotation is time-based by default (it is manual unless `auto_rotate_period` has been set on the key), and the misconception that some flag turns off the base64 handling; the base64 wrapping is a transport convention, not a security property of the ciphertext.

How to eliminate wrong answers

Option A is wrong because a transit key is not rotated on a schedule by default; rotation happens when an operator runs `vault write -f transit/keys/my-key/rotate`, or automatically only if `auto_rotate_period` has been set on the key's `config` endpoint, and there is no built-in 30-day default. Option C is wrong because the decrypt call takes no version parameter: the `vault:vN:` prefix on the ciphertext names the key version that produced it, and Vault decrypts with that version as long as it is at or above `min_decryption_version`. Option D is wrong because `aes256-gcm96` is the default transit key type, AES-256 in GCM mode with a 96-bit nonce, so the encryption call succeeds.

496
Multi-Selecteasy

Which TWO of the following are features of the AWS secrets engine compared to the Azure secrets engine?

Select 2 answers
A.Supports federation via SAML with Azure AD
B.Provides native integration with Azure Key Vault for key management
C.Allows connection to AWS via IAM instance profiles
D.Can generate IAM users with custom policies
E.Can generate STS temporary credentials for cross-account access
AnswersD, E

AWS secrets engine creates IAM users and attaches policies.

Why this answer

Option D is correct because the AWS secrets engine can dynamically generate IAM users with custom policies attached, allowing fine-grained access control for applications. Option E is correct because the engine can generate STS temporary credentials for cross-account access, enabling secure, time-limited access to AWS resources in different accounts.

Exam trap

HashiCorp often tests the distinction between the AWS and Azure secrets engines, and the trap here is confusing the AWS engine's ability to generate IAM users and STS tokens with Azure-specific features like SAML federation or Key Vault integration.

497
MCQmedium

An organization uses Kubernetes pods to access Vault. They want to avoid hardcoding any secrets in the pod definition. Which authentication method should they use?

A.LDAP
B.Kubernetes
C.Username & Password
D.AppRole
AnswerB

Kubernetes auth uses the pod's service account token, no hardcoded secrets.

Why this answer

The Kubernetes authentication method is correct because it allows pods to authenticate to Vault using their service account token, which is automatically mounted into the pod. This eliminates the need to hardcode any secrets in the pod definition, as Vault verifies the token against the Kubernetes API server and issues a temporary Vault token based on the pod's identity.

Exam trap

HashiCorp often tests the misconception that AppRole is the best choice for automated workloads, but the trap here is that AppRole still requires a SecretID to be stored somewhere (e.g., a Kubernetes Secret), whereas Kubernetes auth uses the pod's own identity to eliminate any hardcoded secrets entirely.

How to eliminate wrong answers

Option A is wrong because LDAP authentication requires a username and password or LDAP bind credentials, which would still need to be stored in the pod definition or an external secret store, defeating the purpose of avoiding hardcoded secrets. Option C is wrong because Username & Password authentication requires embedding static credentials in the pod definition or environment variables, directly violating the requirement to avoid hardcoding secrets. Option D is wrong because AppRole requires a RoleID and a SecretID; the RoleID can be baked into the deployment manifest, but the SecretID is a sensitive credential that must be stored securely (e.g., in a Kubernetes Secret), which still involves hardcoding or managing secrets outside Vault's native pod identity integration.

498
Multi-Selectmedium

Which TWO of the following are valid capabilities that can be specified in a Vault policy?

Select 2 answers
A.create
B.write
C.sudo
D.rename
E.update
AnswersA, E

'create' is a valid capability.

Why this answer

In Vault policies, capabilities define the allowed actions on paths. The full set is `create`, `read`, `update`, `patch`, `delete`, `list`, `sudo` and `deny`. `create` permits writing to a path that holds no data yet, while `update` permits writing to a path that already does; a `vault kv put` to a new key needs `create` and to an existing key needs `update`, which is why policies usually grant both. Note that option C, `sudo`, is also a real capability (it unlocks root-protected paths such as `sys/audit`, in addition to the normal capability for the operation), so this question has three defensible options; `write` and `rename` are the two names that `vault policy write` rejects as invalid capabilities.

Exam trap

HashiCorp often tests the distinction between `write` (which is not a valid capability) and the correct pair `create` and `update`, leading candidates to select `write` as a catch-all for data modification; remember also that `sudo` is a capability and `rename` is not.

499
Multi-Selecteasy

Which TWO statements about batch tokens are true?

Select 2 answers
A.They are lightweight and support a high creation rate.
B.They cannot be used with a use-limit.
C.They support explicit max TTL.
D.They have a TTL.
E.They are renewable.
AnswersA, D

Batch tokens are designed for high throughput and are lightweight.

Why this answer

Batch tokens are lightweight (they have no storage entry, so creation scales on standby nodes too) and carry a TTL that is fixed at creation: they are not renewable (E is false), cannot be periodic, and cannot take an explicit max TTL (C is false). Option B is doubtful rather than clearly false: a batch token keeps no server-side state, so there is nothing for Vault to decrement a use count against, which is why A and D are the unambiguous picks.

500
Multi-Selecteasy

A DevOps team is setting up a Vault cluster for the first time. They plan to use AWS KMS for auto-unseal and Consul as the storage backend. As part of the architecture, which TWO components are essential for the Vault server to start and serve requests?

Select 2 answers
A.A public CA certificate
B.A storage backend
C.A configured seal mechanism
D.A 4096-bit encryption key
E.A load balancer
AnswersB, C

Vault requires a storage backend to persist secrets and configuration; Consul serves this purpose.

Why this answer

A storage backend (B) and a configured seal (C) are mandatory for Vault to start. The seal protects the root (master) key, which in turn protects the encryption key for everything in storage, and the storage backend persists that encrypted data; with no `seal` stanza Vault falls back to Shamir, so some seal is always present. A CA certificate, a 4096-bit key and a load balancer are not required for startup.

501
MCQeasy

Refer to the exhibit. A user wants to write a secret 'db_password' with value 's3cret' to this secrets engine. Which CLI command should be used?

A.vault write shared/db_password value=s3cret
B.vault write shared/data/db_password value=s3cret
C.vault write shared/metadata/db_password value=s3cret
D.vault write shared/config/db_password value=s3cret
AnswerB

B is correct: KV v2 uses the data/ prefix.

Why this answer

Option B is correct because in Vault's KV v2 secrets engine, secret data lives under the 'data' path of the mount, so the raw write targets 'shared/data/db_password'. In practice use 'vault kv put shared/db_password value=s3cret': the kv subcommand adds the 'data/' prefix for you and also wraps the key/value pairs in the 'data' object that the v2 API expects in the request body, which a flat 'vault write ... value=s3cret' does not produce on its own (the raw form needs a JSON body on stdin).

Exam trap

HashiCorp often tests the distinction between KV v1 and v2 paths, and the trap here is that candidates assume the secret can be written directly to the mount path (e.g., 'shared/db_password') without the '/data/' prefix, which only works in KV v1.

How to eliminate wrong answers

Option A is wrong because 'vault write shared/db_password' targets the root of the mount, which is the KV v1 layout; KV v2 requires the '/data/' prefix to write secret data. Option C is wrong because 'vault write shared/metadata/db_password' is used for metadata operations (such as max versions, custom metadata or delete-version-after settings on that secret), not for writing the secret value itself. Option D is wrong because 'shared/config/db_password' is not a valid path; 'shared/config' holds engine-wide configuration (e.g., max versions), not individual secrets.

502
MCQmedium

A Vault administrator notices that the audit log file on the Vault server is filling up the disk. What is the best course of action to prevent disk full issues?

A.Disable audit logging to reduce disk usage.
B.Switch to a syslog audit device.
C.Increase the disk size of the Vault server.
D.Configure the file audit device with log rotation.
AnswerD

Rotation bounds disk use while keeping the audit trail intact.

Why this answer

Option D is correct, with one precision: the file audit device writes to a single path and does not rotate that file by itself. Rotation is done by an external tool such as logrotate, which renames or compresses the file and then sends Vault SIGHUP, on which Vault closes and reopens the audit file (use rename-and-reopen rather than copy-and-truncate so no entries are lost between the copy and the truncate). That bounds disk use while keeping the audit data. The caveat a practitioner needs: if a Vault node cannot write to at least one enabled audit device, it stops serving requests, so a full disk under the only audit device is an outage, not merely a logging gap. Running a second audit device (syslog or socket) alongside the file device is the usual guard.

Exam trap

HashiCorp often tests the misconception that disabling or redirecting audit logs is an acceptable answer to disk pressure, when the correct approach is to manage growth through rotation while keeping audit functionality, and to remember that Vault fails closed when no audit device can be written.

How to eliminate wrong answers

Option A is wrong because disabling audit logging removes the ability to track every API request, which is a core security and compliance requirement. Option B is wrong as the fix on its own: a syslog device only moves the growth elsewhere, and a syslog device that cannot be written blocks Vault just as a full file device does; it is worthwhile as a second device so that one failing target does not take Vault down, but it does not answer the question. Option C is wrong because increasing disk size is a reactive fix that does not address unbounded log growth and may not be feasible in all environments.

503
MCQmedium

A user receives an error 'invalid ciphertext' when trying to decrypt data. The ciphertext was created by another Vault instance. What is the most likely issue?

A.Different key names
B.The Vault instance is sealed
C.Different key types
D.The ciphertext includes key version info that doesn't match
E.The user lacks permissions to decrypt
AnswerD

Transit ciphertext carries a key version prefix and decrypts only with the key material that produced it.

Why this answer

Option D is correct because transit ciphertext is prefixed with the version of the key that produced it (`vault:v1:...`), and decryption uses exactly that version. A key created under the same name on another Vault instance was generated independently, so its version 1 holds different material; if that version exists there, the AEAD tag check fails, and if it does not exist, the version is unknown. Either way the request fails with an 'invalid ciphertext' error. Transit keys are not exportable by default, so decrypting on another cluster means moving the key itself (transit `backup`/`restore` with `allow_plaintext_backup` set on the key, or Performance Replication), not just the ciphertext.

Exam trap

HashiCorp often tests the misconception that 'invalid ciphertext' errors come from permissions or key names, when the error is the cryptographic check failing: the `vault:vN:` prefix did not parse, names a version the key does not have, or names a version whose material does not authenticate the ciphertext.

How to eliminate wrong answers

Option A is wrong because a key name mismatch surfaces before any cryptography happens: the request either fails to find the key or is rejected by policy, not as invalid ciphertext. Option B is wrong because a sealed Vault cannot perform any cryptographic operation at all and answers every such request with a 'Vault is sealed' error. Option C is the weaker answer: the ciphertext carries no key-type marker, so a key of a different type would also surface as invalid ciphertext, but the scenario as written (the same key name on a different instance) points at independently generated key material rather than a deliberate type change. Option E is wrong because insufficient permissions produce an HTTP 403 'permission denied', an authorization failure, not a cryptographic validation failure.

504
MCQhard

A DevOps team uses Vault's transit engine to encrypt secrets in CI/CD pipelines. They report that encryption operations are failing with 'permission denied' errors. The team has a policy granting 'create' and 'update' capabilities on the transit key path. What is the most likely missing capability?

A.The 'read' capability is missing.
B.The 'encrypt' capability is missing.
C.The 'delete' capability is missing.
D.The 'list' capability is missing.
AnswerB

Permission on the key path does not carry over to the encrypt path.

Why this answer

Vault policies have no capability literally named 'encrypt'; permissions are expressed per path. Managing a key lives at `transit/keys/<name>` (create/update to create, configure or rotate it), while encrypting data is an update to a different path, `transit/encrypt/<name>`. The team's policy grants capabilities only on the key path, so the encrypt request is rejected with 'permission denied' even though the key exists and is configured correctly. The fix the exam is driving at is an explicit grant on the data-plane path, for example path "transit/encrypt/orders" { capabilities = ["update"] }, and likewise `transit/decrypt/<name>` for decryption. Read option B as 'the grant that lets this token encrypt', which is what the question means by the missing capability.

Exam trap

HashiCorp often tests the misconception that 'create' or 'update' on `transit/keys/<name>` implicitly grants the ability to encrypt data, when in fact the data-plane endpoints `transit/encrypt/<name>` and `transit/decrypt/<name>` need their own 'update' grants.

How to eliminate wrong answers

Option A is wrong because 'read' on the key path only allows retrieving key metadata such as its type, versions and deletion settings; it does not touch the encrypt endpoint. Option C is wrong because 'delete' is for removing the key (and even then only once `deletion_allowed` is set), which is unrelated to encrypting data. Option D is wrong because 'list' is for enumerating keys under `transit/keys`; its absence would only block listing, not encryption.

505
MCQeasy

An organization wants to encrypt data at rest in a cloud storage bucket. They plan to use Vault's transit engine to generate a data key and then encrypt the data locally. Which transit endpoint should they use to get a data key?

A.POST /v1/transit/datakey/plaintext/my-key
B.POST /v1/transit/encrypt/my-key
C.POST /v1/transit/decrypt/my-key
D.POST /v1/transit/datakey/ciphertext/my-key
AnswerA

Returns both plaintext and ciphertext data key.

Why this answer

The correct endpoint to retrieve a data key for client-side encryption is POST /v1/transit/datakey/plaintext/my-key. It returns both the plaintext data key (used locally, then discarded) and the same key wrapped under `my-key` in the usual `vault:vN:` ciphertext form, which is stored alongside the encrypted data. Vault keeps no copy of the data key; when the data must be read later, the stored wrapped key is sent to /v1/transit/decrypt/my-key to recover the plaintext key, so the transit key protects the data keys rather than the bulk data itself.

Exam trap

HashiCorp often tests the distinction between 'datakey/plaintext' and 'datakey/ciphertext' endpoints, where candidates mistakenly choose the ciphertext-only endpoint thinking it provides the key for local encryption, but it actually omits the plaintext key required for that purpose.

How to eliminate wrong answers

Option B is wrong because POST /v1/transit/encrypt/my-key encrypts data you send to Vault; it does not generate a new data key. Option C is wrong because POST /v1/transit/decrypt/my-key decrypts ciphertext that was previously produced by the transit engine, which is the step used later to unwrap a stored data key, not to create one. Option D is wrong because POST /v1/transit/datakey/ciphertext/my-key returns only the wrapped form of the data key; it is for provisioning a key that a different party will unwrap later, and it cannot be used to encrypt anything locally since the caller never sees the plaintext key.

506
MCQhard

A Vault administrator configures an AWS secrets engine role with credential_type=iam_user and attaches a policy that allows creating EC2 instances. A developer generates credentials and uses them to launch an EC2 instance. Later the lease expires and Vault revokes the IAM user. What happens to the EC2 instance?

A.The instance continues to run because IAM user revocation does not affect running instances
B.The instance fails with a permission error
C.The instance is immediately terminated
D.The instance is stopped after a grace period
AnswerA

Correct; the instance uses its instance profile.

Why this answer

When the lease expires, Vault deletes the IAM user (removing its access keys and attached policies first). That invalidates the credentials only: the EC2 instance is an independent resource whose launch needed the user's keys for the RunInstances call and nothing afterwards. Whatever the instance does at runtime uses its own instance profile, if it has one, not the launching user's credentials, and AWS does not retroactively stop or terminate instances when the user that launched them disappears; the instance runs until it is explicitly stopped or terminated.

Exam trap

HashiCorp often tests the misconception that revoking IAM credentials will immediately impact running resources, but in AWS, IAM revocation only affects future API calls, not existing instances.

How to eliminate wrong answers

Option B is wrong because the instance does not fail with a permission error — the instance's runtime operations rely on its attached IAM role (if any) or the instance's own metadata, not the original IAM user's credentials. Option C is wrong because AWS does not immediately terminate instances when the launching IAM user is revoked; there is no such lifecycle dependency. Option D is wrong because there is no grace period or automatic stop mechanism triggered by IAM user revocation — the instance remains running indefinitely.

507
MCQhard

A Vault cluster has a token with the following policy: path "secret/data/dev/*" { capabilities = ["read", "list"] }. The token is used to read a secret at "secret/data/dev/password". The read succeeds. Later, the token tries to read "secret/data/prod/password". What happens?

A.Fails with a system error.
B.Succeeds because token has read capability on all secrets.
C.Succeeds because the token can list and read any path.
D.Fails because the token needs an explicit policy for "secret/data/prod/".
AnswerD

The token's policy only covers "dev/*", not "prod/*".

Why this answer

The token's policy grants read and list only under "secret/data/dev/", and Vault denies by default anything a policy does not mention, so the read of "secret/data/prod/password" fails with an HTTP 403 permission denied. The trailing "*" is a prefix match: it covers "secret/data/dev/anything" and deeper paths, but never a sibling prefix such as "prod".
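The capability rules behind questions 498, 504 and 507, as an added Go model of how Vault evaluates a policy (example code written for this page, not Vault's ACL implementation). It accepts only the one-line stanza form shown in these questions, parsed with a regular expression rather than real HCL; `ParsePolicy`, `matches` and `Allowed` are this example's own names. The behaviour it models is Vault's documented one: unknown capability names such as `write` are rejected, a trailing `*` is a prefix glob and `+` matches one path segment, an exact path beats a wildcard rule and a longer pattern beats a shorter one, `deny` overrides everything, and a write needs `create` on a path that holds nothing yet but `update` on one that does. The key-management grant on `transit/keys/orders` therefore does not cover `transit/encrypt/orders`, which is the failure in question 504.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Capabilities Vault accepts in a policy stanza. "write" and "rename" are not
// capabilities; "sudo" is one, but it only matters on root-protected paths.
var validCapabilities = map[string]bool{
	"create": true, "read": true, "update": true, "patch": true,
	"delete": true, "list": true, "sudo": true, "deny": true,
}

type Rule struct { // one `path "..." { capabilities = [...] }` stanza
	Pattern      string
	Capabilities map[string]bool
}

// stanzaRE accepts only the one-line stanza form used above (example shortcut, not an HCL parser).
var stanzaRE = regexp.MustCompile(`path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}`)

// ParsePolicy turns policy text into rules and rejects unknown capability names, as `vault policy write` does.
func ParsePolicy(text string) ([]Rule, error) {
	var rules []Rule
	for _, m := range stanzaRE.FindAllStringSubmatch(text, -1) {
		caps := map[string]bool{}
		for _, c := range strings.Split(m[2], ",") {
			c = strings.Trim(strings.TrimSpace(c), "\"")
			if c == "" {
				continue
			}
			if !validCapabilities[c] {
				return nil, fmt.Errorf("path %q: invalid capability %q", m[1], c)
			}
			caps[c] = true
		}
		rules = append(rules, Rule{Pattern: m[1], Capabilities: caps})
	}
	return rules, nil
}

// matches applies Vault's wildcards: a trailing "*" matches any suffix (further segments included), "+" one segment.
func matches(pattern, path string) bool {
	ps, ts := strings.Split(pattern, "/"), strings.Split(path, "/")
	for i, seg := range ps {
		if i >= len(ts) {
			return false
		}
		last := i == len(ps)-1
		if last && strings.HasSuffix(seg, "*") {
			return strings.HasPrefix(strings.Join(ts[i:], "/"), strings.TrimSuffix(seg, "*"))
		}
		if seg != "+" && seg != ts[i] {
			return false
		}
		if last {
			return len(ts) == len(ps)
		}
	}
	return false
}

// Allowed answers "may this token do op on path?". A write needs "create" on an
// empty path and "update" on an existing one; "deny" overrides everything.
func Allowed(rules []Rule, op, path string, exists bool) bool {
	var best *Rule
	for i := range rules {
		r := &rules[i]
		if !matches(r.Pattern, path) {
			continue
		}
		// Vault precedence: an exact path beats any wildcard rule; among wildcard rules the longer pattern wins.
		if best == nil || r.Pattern == path || (best.Pattern != path && len(r.Pattern) > len(best.Pattern)) {
			best = r
		}
	}
	if best == nil || best.Capabilities["deny"] {
		return false
	}
	if op != "write" {
		return best.Capabilities[op] // "read", "list", "delete", "patch"
	}
	if exists {
		return best.Capabilities["update"]
	}
	return best.Capabilities["create"]
}

func main() {
	rules, err := ParsePolicy(`path "secret/data/dev/*" { capabilities = ["read", "list"] }
path "transit/keys/orders" { capabilities = ["create", "update"] }`)
	if err != nil {
		panic(err)
	}
	fmt.Println(Allowed(rules, "read", "secret/data/dev/password", true), // true
		Allowed(rules, "read", "secret/data/prod/password", true), // false
		Allowed(rules, "write", "transit/encrypt/orders", true))   // false: the keys grant does not reach the encrypt path
}
```

The `exists` flag stands in for the existence check Vault's backends perform before choosing between create and update; for the transit encrypt path the key already exists, so the request is an update and needs that capability on `transit/encrypt/orders` itself.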

508
MCQmedium

A SaaS startup uses Vault to manage secrets for their microservices architecture. They have enabled the KV v2 secrets engine at 'secret/' and the database secrets engine at 'database/'. Developers often need to read application configuration from 'secret/app/config' and database credentials from 'database/creds/app-role'. Recently, the security team mandated that all secrets must be encrypted at rest using Vault's seal mechanism. They configured Vault to use AWS KMS as the seal. After enabling the seal, they noticed that reading from 'secret/app/config' still works, but reading from 'database/creds/app-role' returns an error: 'Error making API request: Code: 500. Errors: * 1 error occurred: * failed to decrypt data'. What is the most likely cause?

A.The database engine requires a separate seal configuration.
B.The database engine configuration is stored in a different location that is not sealed.
C.The AWS KMS key has been rotated and Vault cannot access the old key.
D.The database engine uses a separate encryption key that was not re-wrapped after changing the seal configuration.
AnswerD

The keyed answer: material that was wrapped directly by the old seal has to be re-wrapped under the new one.

Why this answer

Option D is the keyed answer. Keep the real mechanism in mind when reading it: every secrets engine, KV v2 and database alike, writes through the same storage barrier, and a seal migration (`vault operator unseal -migrate`) re-wraps the root (master) key so barrier data keeps decrypting. The exception is material wrapped by the seal itself rather than by the barrier: with per-mount `seal_wrap` (a Vault Enterprise feature), values such as an engine's stored credentials are encrypted directly by the KMS, and those are what `sys/sealwrap/rewrap` re-wraps after a seal change. The scenario describes that case: KV reads still work because the barrier is fine, while the database mount's seal-wrapped configuration was left under the old seal and fails to decrypt.

Exam trap

The trap here is that candidates assume everything behind the barrier is handled by the seal migration alone, when seal-wrapped (engine-specific) material encrypted under the previous seal needs an explicit re-wrap.

How to eliminate wrong answers

Option A is wrong because there is one seal per cluster; individual engines do not get their own. Option B is wrong because the database engine's configuration lives in the same encrypted storage as everything else; the difference is how that entry was wrapped, not where it is stored. Option C is wrong because AWS KMS key rotation keeps the previous backing key material, so Vault keeps unsealing after a rotation; only deleting or disabling the KMS key, or losing IAM access to it, would stop the unseal, and that would fail everything, not just database reads.

509
Multi-Selectmedium

Which TWO statements correctly describe differences between AppRole and Kubernetes authentication methods?

Select 2 answers
A.AppRole requires a secret ID, while Kubernetes auth does not require any secret.
B.Kubernetes auth can only be used within the same cluster as Vault, while AppRole can be used remotely.
C.Both support response wrapping for secure delivery of credentials.
D.Kubernetes auth authenticates using a service account JWT token, whereas AppRole uses a RoleID and SecretID.
E.AppRole supports CIDR restrictions on the secret ID, but Kubernetes auth does not.
AnswersD, E

Correct key difference.

Why this answer

Option D is correct because Kubernetes authentication has Vault validate a service account JWT against the Kubernetes TokenReview API, while AppRole presents a RoleID (which names the role) and a SecretID (the credential). Option E is the keyed second answer: `secret_id_bound_cidrs` ties the SecretID itself to source networks and has no Kubernetes equivalent; note, though, that both methods support `token_bound_cidrs` on the role, so the difference is specific to the SecretID. Option C is a true statement but not a difference (any Vault response, including a SecretID or a login, can be wrapped), which is why it is excluded. Options A and B are false: the JWT is a secret, and neither method is limited to one network.

Exam trap

HashiCorp often tests the misconception that Kubernetes auth requires no secret at all, when in fact the JWT token is a secret credential, and that AppRole cannot be used remotely, when both methods can operate across network boundaries if properly configured.

510
Multi-Selectmedium

Which THREE are valid operations in the Vault transit secrets engine? (Choose three.)

Select 3 answers
A.issue
B.revoke
C.rewrap
D.decrypt
E.encrypt
AnswersC, D, E

Rewrap updates ciphertext to a newer key version.

Why this answer

The Vault transit secrets engine provides encryption as a service, and its core operations are encrypt, decrypt, rewrap, and datakey generation. Rewrap is valid because it decrypts ciphertext and re-encrypts it with the latest key version without exposing the plaintext to the caller, maintaining security during key rotation.

Exam trap

HashiCorp often tests candidates by mixing terms from different Vault secrets engines (e.g., PKI 'issue/revoke' with transit 'encrypt/decrypt') to see if you can distinguish the specific operations each engine supports.
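The ciphertext format, version handling and failure modes described for questions 495, 503 and 510, as an added Go model written for this page (it is not Vault's own keysutil code): ciphertext is `vault:vN:<base64>`, plaintext goes in and comes out base64-encoded, decryption honours `min_decryption_version`, `Rewrap` re-encrypts under the latest version without handing plaintext back, and a key of the same name created independently on a second instance fails on the GCM tag. Assumptions: AES-256-GCM with a random 12-byte nonce stands in for the `aes256-gcm96` key type, the `Key`, `NewKey` and `randomBytes` names are this example's, and the error strings follow the pattern of Vault's messages without claiming to match them verbatim.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Key models one transit key: an AES-256-GCM cipher per version (numbered
// 1..len(Versions)) plus the min_decryption_version floor. Example type only.
type Key struct {
	Versions             map[int]cipher.AEAD
	MinDecryptionVersion int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewKey creates version 1, like `vault write -f transit/keys/<name>`.
func NewKey() *Key {
	k := &Key{Versions: map[int]cipher.AEAD{}, MinDecryptionVersion: 1}
	k.Rotate()
	return k
}

// Rotate adds a version; older ones stay usable until the floor is raised.
func (k *Key) Rotate() {
	block, _ := aes.NewCipher(randomBytes(32)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)             // AES block: cannot fail
	k.Versions[len(k.Versions)+1] = gcm
}

// Encrypt takes base64 plaintext, as the API does, and returns "vault:vN:<base64>".
func (k *Key) Encrypt(plaintextB64 string) (string, error) {
	plaintext, err := base64.StdEncoding.DecodeString(plaintextB64)
	if err != nil {
		return "", errors.New("failed to base64-decode plaintext")
	}
	gcm := k.Versions[len(k.Versions)]
	nonce := randomBytes(gcm.NonceSize())
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	return fmt.Sprintf("vault:v%d:%s", len(k.Versions), base64.StdEncoding.EncodeToString(sealed)), nil
}

// Decrypt parses the version prefix, enforces min_decryption_version and
// returns the plaintext still base64-encoded, for the caller to decode.
func (k *Key) Decrypt(ciphertext string) (string, error) {
	parts := strings.SplitN(ciphertext, ":", 3)
	if len(parts) != 3 || parts[0] != "vault" || !strings.HasPrefix(parts[1], "v") {
		return "", errors.New("invalid ciphertext: no prefix")
	}
	version, err := strconv.Atoi(parts[1][1:])
	gcm, known := k.Versions[version]
	switch {
	case err != nil || version < 1:
		return "", errors.New("invalid ciphertext: no version")
	case version < k.MinDecryptionVersion:
		return "", errors.New("ciphertext or signature version is disabled")
	case !known:
		return "", errors.New("invalid ciphertext: version is too new")
	}
	sealed, err := base64.StdEncoding.DecodeString(parts[2])
	n := gcm.NonceSize()
	if err != nil || len(sealed) < n {
		return "", errors.New("invalid ciphertext: could not decode base64")
	}
	plaintext, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		// Known version number, different key material (another Vault): the tag fails.
		return "", errors.New("invalid ciphertext: could not decrypt")
	}
	return base64.StdEncoding.EncodeToString(plaintext), nil
}

// Rewrap moves ciphertext to the latest version without returning plaintext.
func (k *Key) Rewrap(ciphertext string) (string, error) {
	plaintextB64, err := k.Decrypt(ciphertext)
	if err != nil {
		return "", err
	}
	return k.Encrypt(plaintextB64)
}

func main() {
	orders := NewKey()
	ct, _ := orders.Encrypt(base64.StdEncoding.EncodeToString([]byte("order-42")))
	orders.Rotate()
	ct2, _ := orders.Rewrap(ct)           // re-encrypted under v2
	_, foreignErr := NewKey().Decrypt(ct) // same key name on another Vault
	fmt.Println(ct[:9], ct2[:9], foreignErr)
}
```

Raising `MinDecryptionVersion` after a rewrap is the order Vault's own guidance follows: rewrap everything first, then move the floor, otherwise ciphertext that was never rewrapped becomes unreadable.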

511
MCQmedium

A security administrator wants to create a policy that allows a service to renew its own token and list its own token capabilities, but not create new tokens. Which policy statements should be included?

A.path "auth/token/renew-self" { capabilities = ["update"] }; path "auth/token/capabilities-self" { capabilities = ["read"] }
B.path "auth/token/renew-self" { capabilities = ["create"] }; path "auth/token/lookup-self" { capabilities = ["read"] }
C.path "auth/token/renew-self" { capabilities = ["update"] }; path "auth/token/capabilities-self" { capabilities = ["update"] }
D.path "auth/token/renew" { capabilities = ["update"] }; path "auth/token/capabilities" { capabilities = ["read"] }
AnswerA

This is correct: renew-self uses update, capabilities-self uses read.

Why this answer

Option A is the keyed answer: renewal is a POST to `auth/token/renew-self`, so it needs `update`, and the capabilities lookup is granted read-only. Option B is wrong because `create` is not the capability for `renew-self`, and `lookup-self` returns token metadata rather than capabilities. Option C grants `update` on the capabilities lookup, which the key treats as more than the service needs. Option D uses the non-self endpoints (`auth/token/renew` and a capabilities lookup on arbitrary tokens), which let the holder act on other tokens, not just its own.

Practitioner caveat: the real capabilities lookup endpoint is `sys/capabilities-self`, not `auth/token/capabilities-self`, and Vault's built-in `default` policy grants it `update` because it is a POST that takes a `path` parameter. Check the `default` policy before copying the exam's wording into production.

512
MCQhard

An application's token is failing to renew, and the logs show 'token not renewable'. The token was created with a TTL of 24h and no explicit max TTL. What is the most likely cause?

A.The token was created with the renewable flag set to false
B.The token has been renewed too many times, exceeding its TTL
C.The token accessor is invalid
D.The token's max TTL has been reached
AnswerA

If renewable=false, Vault rejects renewal requests.

Why this answer

Service tokens are renewable by default, so a 'token not renewable' error means the renewable flag was explicitly turned off when the token was created (for example `vault token create -renewable=false`, or a token role with `renewable=false`), or the token is a batch token, which is never renewable. Option B is wrong because there is no renewal count; renewals are bounded by the max TTL, not by how many times they were attempted. Option C is wrong because the accessor is used for lookup and revocation without the token value and has no bearing on renewability.

Option D is wrong because reaching the max TTL (the system default of 32 days applies even when no explicit max TTL is set) makes the token expire or caps how far a renewal can extend it; it does not produce a 'not renewable' error.

513
Drag & Dropmedium

Drag and drop the steps to perform a Vault disaster recovery using the replication feature into the correct order.



Why this order

Initialize both clusters; enable DR replication on the primary (`sys/replication/dr/primary/enable`); generate a secondary activation token on the primary (`sys/replication/dr/primary/secondary-token`); enable the secondary with that token (`sys/replication/dr/secondary/enable`); promote the secondary (`sys/replication/dr/secondary/promote`, which requires a DR operation token) only when the primary is lost. DR replication is a Vault Enterprise feature.

514
Multi-Selecthard

Which three characteristics are true about Vault's storage backend and seal mechanisms? (Choose three.)

Select 3 answers
A.Auto-unseal using a cloud KMS eliminates the need for unseal keys entirely.
B.Consul as a storage backend requires Consul's own gossip protocol for leader election.
C.The Shamir seal requires multiple unseal keys to be entered before Vault can operate.
D.HSM seals can be used to auto-unseal Vault while also providing a hardware root of trust.
E.Integrated Storage uses Raft consensus and can be used in production for both HA and DR.
AnswersC, D, E

Shamir splits the master key into shards.

Why this answer

Option C is correct because the Shamir seal splits the root (master) key into key shares and requires a threshold of them before Vault can decrypt its keyring and serve requests, so no single person can unseal it. Option D is correct because a PKCS#11 HSM seal (Vault Enterprise) both auto-unseals Vault and keeps the wrapping key in hardware, giving a hardware root of trust. Option E is correct because Integrated Storage (Raft) is a supported production backend for HA and for replication-based DR. Option A is wrong because auto-unseal replaces unseal keys with recovery keys, which are still needed for rekeying and root-token generation. Option B is wrong because Vault's leader election on Consul uses Consul's session and lock primitives, not the gossip protocol.

Exam trap

HashiCorp often tests the misconception that auto-unseal eliminates unseal keys entirely, when in fact it only automates the unseal step: the root (master) key is still stored, encrypted by the KMS, in the storage backend, and recovery keys take over the privileged operations that unseal keys used to authorize.
