CCNA Explain Vault architecture Questions

9 of 84 questions · Page 2/2 · Explain Vault architecture · Answers revealed

76 · MCQ · medium

A Vault administrator is troubleshooting an issue where, after a network outage, the Vault cluster is sealed and cannot be unsealed. The cluster has 5 nodes using Integrated Storage. The administrator runs `vault status` on each node and receives a 'sealed' response. The administrator suspects that the cluster lost quorum during the outage. The administrator checks the Raft configuration and finds that there are 3 voter nodes and 2 non-voter nodes. Which action should the administrator take to recover the cluster?

A. Manually unseal all nodes simultaneously.
B. Use `vault operator raft remove-peer` to remove the non-voter nodes.
C. Use `vault operator raft recover` on one of the non-voter nodes.
D. Use `vault operator raft recover` on a voter node to create a new cluster.

Answer: D

Raft recover on a voter node restores quorum.

Why this answer

When a Vault cluster with Integrated Storage loses quorum (more than half of voter nodes are unavailable), the cluster cannot unseal because Raft requires a quorum of voters to elect a leader and process operations. Since all 5 nodes are sealed and the cluster has 3 voters, the outage likely caused the loss of at least 2 voters, breaking quorum. The correct recovery procedure is to use `vault operator raft recover` on a voter node, which creates a new single-node cluster with the existing data, allowing the administrator to then unseal and rejoin other nodes.

Exam trap

HashiCorp often tests the distinction between voter and non-voter roles in Raft; the trap here is assuming that any node can be used for recovery, when in fact only a voter node can bootstrap a new cluster because non-voters lack the quorum-critical state.

How to eliminate wrong answers

Option A is wrong because manually unsealing all nodes simultaneously does not restore Raft quorum; the cluster still lacks a leader and cannot process operations. Option B is wrong because `vault operator raft remove-peer` is used to remove a peer from the Raft configuration when the node is unreachable but quorum still exists; here quorum is lost, so the command will fail or be ineffective. Option C is wrong because `vault operator raft recover` must be run on a voter node, not a non-voter; non-voters do not participate in quorum and cannot bootstrap a new cluster.

77 · MCQ · easy

A Vault cluster uses Consul for HA. After a brief network partition, a standby node loses contact with the active node. What does the standby node do after a timeout?

A. It becomes the active node.
B. It seals itself.
C. It continues to serve requests.
D. It replicates data from the storage backend.

Answer: B

Standby nodes seal themselves after losing contact with the active node to maintain data consistency.

Why this answer

In a Vault cluster using Consul for high availability, only the active node serves requests. When a standby node loses contact with the active node due to a network partition, it cannot verify the active node's health or its own leadership status. After a configurable timeout (default 10 seconds), the standby node seals itself to prevent serving stale or inconsistent data, ensuring data integrity and security.

Exam trap

The trap here is that candidates assume a standby node will automatically take over as active during a partition, but Vault prioritizes safety over availability by sealing the standby to avoid split-brain scenarios.

How to eliminate wrong answers

Option A is wrong because Vault uses a leader election mechanism via Consul; a standby node cannot become active without confirming the previous active node is down, and during a network partition it cannot safely assume leadership. Option C is wrong because only the active node serves client requests; standby nodes are passive and do not handle any API or unseal operations. Option D is wrong because replication from the storage backend is a background process handled by the active node; standby nodes do not initiate replication and sealing halts all operations, including replication.

78 · MCQ · medium

A Vault cluster uses performance replication. A performance standby node is not responding to read requests. What is the most likely cause?

A. Performance replication is not configured on this cluster.
B. The firewall is blocking inbound traffic to the standby node.
C. The performance standby node is sealed.
D. The performance standby node cannot connect to the primary for writes.

Answer: A

Without replication, a standby cannot serve read requests.

Why this answer

Performance replication must be explicitly configured on a Vault cluster to enable performance standby nodes. If performance replication is not configured, the cluster cannot have performance standby nodes that serve read requests, so the node would not respond to reads. This is the most likely cause because the question states the cluster 'uses performance replication' but the node is not responding, implying the configuration is missing or incorrect.

Exam trap

HashiCorp often tests the misconception that performance standby nodes are automatically available in any replicated setup, but they require explicit configuration of performance replication, not just standard replication or DR replication.

How to eliminate wrong answers

Option B is wrong because a firewall blocking inbound traffic would prevent all requests to the standby node, not just read requests, and the question specifies only read requests are failing. Option C is wrong because if the performance standby node were sealed, it would not respond to any requests (reads or writes), and the question only mentions read requests failing. Option D is wrong because performance standby nodes do not handle writes; they only serve read requests from the primary's replicated data, so an inability to connect to the primary for writes is irrelevant to read request failures.

79 · MCQ · medium

Refer to the exhibit. What seal mechanism is configured for this Vault instance?

A. AWS KMS auto-unseal
B. HSM seal via PKCS#11
C. Shamir seal with default shares
D. No seal; Vault is in insecure mode

Answer: A

The seal block specifies AWS KMS.

Why this answer

The exhibit shows a Vault instance configured with `seal "awskms"` and a `region` and `kms_key_id` specified. This indicates that AWS KMS is used as the auto-unseal mechanism, where Vault delegates the unsealing process to AWS Key Management Service, eliminating the need for manual Shamir key shares.

Exam trap

HashiCorp often tests the distinction between default Shamir sealing and external auto-unseal mechanisms; the trap here is that candidates see a Vault configuration and assume it uses the default Shamir seal, missing the explicit `seal "awskms"` directive that overrides it.

How to eliminate wrong answers

Option B is wrong because HSM seal via PKCS#11 requires a hardware security module and configuration with `seal "pkcs11"`, not the `awskms` seal shown in the exhibit. Option C is wrong because Shamir seal with default shares is the default seal mechanism when no external seal is configured, but the exhibit explicitly shows `seal "awskms"`, overriding the default. Option D is wrong because Vault never runs in an insecure mode; it always requires a seal mechanism, and the exhibit confirms a seal is configured.

80 · MCQ · easy

A security engineer wants to ensure that all requests to Vault are logged for compliance. Which component must be configured?

A. Secrets Engine
B. Storage Backend
C. Audit Device
D. Auth Method

Answer: C

An audit device logs all requests to Vault.

Why this answer

An audit device is the Vault component responsible for logging all requests and responses to a specified destination (e.g., syslog, file, socket). It must be enabled and configured to meet compliance requirements for recording every interaction with Vault. Without an audit device, Vault does not generate any persistent logs of API calls.

Exam trap

HashiCorp often tests the distinction between components that perform actions (secrets engines, auth methods) versus components that record actions (audit devices), leading candidates to confuse a functional component with a logging component.

How to eliminate wrong answers

Option A is wrong because a secrets engine (e.g., KV, AWS, database) manages the lifecycle of secrets but does not log requests; it is a target for operations, not a logging mechanism. Option B is wrong because a storage backend (e.g., Consul, Raft, file) persists Vault's encrypted data and configuration but does not capture request/response audit trails. Option D is wrong because an auth method (e.g., token, LDAP, OIDC) authenticates users or machines but does not produce compliance logs of subsequent Vault operations.

81 · Multi-Select · medium

Which THREE are required for Vault to encrypt data at rest? (Choose three.)

Select 3 answers
A. Audit device
B. Barrier encryption key
C. Storage backend
D. Seal mechanism
E. Authentication method

Answers: B, C, D

The key used to encrypt and decrypt data stored in the backend.

Why this answer

The barrier encryption key is the master key used to encrypt and decrypt the Vault data encryption key (DEK), which in turn encrypts all data written to the storage backend. Without this key, Vault cannot protect data at rest because the DEK would be stored in plaintext. It is a fundamental component of Vault's security architecture, ensuring that even if the storage backend is compromised, the data remains encrypted.

Exam trap

HashiCorp often tests the misconception that authentication methods or audit devices are involved in data encryption at rest, when in fact they serve orthogonal purposes (identity verification and logging, respectively) and are not part of the encryption pipeline.

82 · Multi-Select · easy

A DevOps team is setting up a Vault cluster for the first time. They plan to use AWS KMS for auto-unseal and Consul as the storage backend. As part of the architecture, which TWO components are essential for the Vault server to start and serve requests?

Select 2 answers
A. A public CA certificate
B. A storage backend
C. A configured seal mechanism
D. A 4096-bit encryption key
E. A load balancer

Answers: B, C

Vault requires a storage backend to persist secrets and configuration; Consul serves this purpose.

Why this answer

A storage backend (B) and a configured seal mechanism (C) are mandatory for Vault to start. The seal protects the master key, and the storage backend persists data. The other options are not strictly necessary for startup.

83 · MCQ · medium

A Vault administrator notices that the audit log file on the Vault server is filling up the disk. What is the best course of action to prevent disk full issues?

A. Disable audit logging to reduce disk usage.
B. Switch to a syslog audit device.
C. Increase the disk size of the Vault server.
D. Configure the file audit device with log rotation.

Answer: D

Rotation manages disk space effectively.

Why this answer

Option D is correct because configuring log rotation on the file audit device allows the Vault server to automatically archive or delete old audit logs based on size or time thresholds, preventing the disk from filling up while retaining necessary audit data. This is the recommended approach in Vault for managing disk space without disabling security auditing or relying on external infrastructure changes.

Exam trap

HashiCorp often tests the misconception that disabling or redirecting audit logs is an acceptable solution for disk management, when in fact the correct approach is to manage log growth through rotation while maintaining audit functionality.

How to eliminate wrong answers

Option A is wrong because disabling audit logging removes the ability to track and monitor all API requests and operations, which is a critical security requirement for compliance and forensic analysis. Option B is wrong because switching to a syslog audit device does not inherently prevent disk full issues; it simply redirects logs to an external syslog server, which could still fill up its own disk or cause log loss if the syslog server is unavailable. Option C is wrong because increasing disk size is a temporary, reactive fix that does not address the root cause of unbounded log growth and may not be feasible in all environments.

84 · Multi-Select · hard

Which three characteristics are true about Vault's storage backend and seal mechanisms? (Choose three.)

Select 3 answers
A. Auto-unseal using a cloud KMS eliminates the need for unseal keys entirely.
B. Consul as a storage backend requires Consul's own gossip protocol for leader election.
C. The Shamir seal requires multiple unseal keys to be entered before Vault can operate.
D. HSM seals can be used to auto-unseal Vault while also providing a hardware root of trust.
E. Integrated Storage uses Raft consensus and can be used in production for both HA and DR.

Answers: C, D, E

Shamir splits the master key into shards.

Why this answer

Option C is correct because the Shamir seal splits the master key into multiple key shares, requiring a threshold number of these shares to be entered during the unseal process before Vault can decrypt its data encryption key and become operational. This ensures that no single individual can unseal Vault, providing a distributed trust model.

Exam trap

HashiCorp often tests the misconception that auto-unseal eliminates unseal keys entirely, when in fact it only automates the unseal process while still relying on an encrypted master key stored in the storage backend.
