CCNA Vault Architecture Questions

75 of 84 questions · Page 1/2 · Vault Architecture topic · Answers revealed

1
MCQeasy

A small startup wants to run Vault in a development environment with minimal operational overhead. They need to store secrets in memory only, without any persistence. Which storage backend should they choose?

A.Integrated Storage (Raft) backend
B.In-memory storage backend
C.Consul storage backend
D.File storage backend
AnswerB

In-memory backend stores secrets only in RAM, with no persistence.

Why this answer

The in-memory storage backend stores all data in RAM with no persistence to disk, making it ideal for development environments where secrets must be lost on restart and operational overhead must be minimized. It requires no configuration, no external dependencies, and no data management, perfectly matching the requirement for minimal overhead and memory-only storage.

Exam trap

HashiCorp often tests the misconception that Integrated Storage (Raft) is the default or simplest backend, but candidates must recognize that Raft is persistent and requires cluster management, whereas the in-memory backend is the only option that guarantees zero persistence and minimal overhead.

How to eliminate wrong answers

Option A is wrong because Integrated Storage (Raft) is a persistent, highly available backend that writes data to disk and requires a cluster of nodes, adding operational overhead and violating the 'no persistence' requirement. Option C is wrong because the Consul storage backend relies on an external Consul cluster for persistence and high availability, introducing additional infrastructure and operational complexity. Option D is wrong because the File storage backend persists data to the filesystem on disk, which contradicts the requirement for memory-only storage with no persistence.

2
Multi-Selecteasy

Which TWO of the following storage backends are capable of high availability without external dependencies? (Choose two.)

Select 2 answers
A.File storage backend
B.Integrated Storage (Raft)
C.In-memory storage backend with replication
D.Consul storage backend
E.MySQL storage backend
AnswersB, C

Raft provides HA natively within Vault.

Why this answer

Integrated Storage (Raft) is correct because it provides a fully internal consensus-based storage backend that does not rely on any external system. Raft manages Vault's data directly across a cluster of nodes, ensuring high availability through leader election and log replication without needing Consul, etcd, or any other external dependency.

Exam trap

HashiCorp often tests the distinction between 'high availability' and 'external dependency' — candidates mistakenly think that any backend supporting HA qualifies, but the trap is that Consul and MySQL require separate, external infrastructure to achieve that HA, whereas Integrated Storage and in-memory with replication are self-contained within Vault.

3
MCQmedium

A company is using Vault's Integrated Storage (Raft) for high availability. During a network partition, two Vault nodes become isolated from the third. What happens to the isolated nodes?

A.The two isolated nodes continue to serve requests, the third stops
B.All three nodes automatically rejoin after partition
C.All three nodes continue to serve requests
D.The two isolated nodes stop serving requests
AnswerA

The two nodes have quorum; the isolated third does not.

Why this answer

In Vault Integrated Storage (Raft), a quorum of nodes (majority) is required to maintain cluster leadership and serve requests. During a network partition where two nodes are isolated from the third, the two nodes form a majority (2 out of 3) and can continue to serve requests, while the isolated third node loses quorum and stops serving requests to prevent split-brain. This behavior is enforced by the Raft consensus algorithm, which requires a majority for any write or read operations to ensure consistency.

Exam trap

HashiCorp often tests the misconception that all nodes in a partitioned cluster stop serving requests, but the correct understanding is that only the minority side (nodes that lose quorum) stop, while the majority side continues to operate normally.

How to eliminate wrong answers

Option B is wrong because Raft does not automatically rejoin nodes after a partition; manual intervention or network restoration is required, and the isolated node will remain in a non-voting state until it can re-establish connectivity and catch up with the leader's log. Option C is wrong because if all three nodes continued to serve requests during a partition, it would lead to split-brain scenarios with inconsistent data, which Raft explicitly prevents by requiring a quorum. Option D is wrong because the two isolated nodes form a majority (2 out of 3) and therefore continue to serve requests; only the minority node (the single isolated node) stops serving requests.

4
MCQeasy

Refer to the exhibit. What operation was performed on the secret "mysecret"?

A.Write
B.Read
C.Delete
D.List
AnswerB

The operation field is 'read'.

Why this answer

The exhibit shows a Vault CLI command that retrieves the value of a secret at the path 'secret/mysecret'. The 'vault read' command is used to read data from Vault's key-value store, returning the stored value. Since the command 'vault read secret/mysecret' is executed, the operation performed is a Read, making option B correct.

Exam trap

HashiCorp often tests the distinction between 'vault read' and 'vault list', where candidates confuse listing keys under a path with reading the actual secret value, leading them to incorrectly select 'List' instead of 'Read'.

How to eliminate wrong answers

Option A is wrong because 'Write' would correspond to a 'vault write' command, which stores or updates a secret, not retrieves it. Option C is wrong because 'Delete' would require a 'vault delete' command, which removes the secret from the path. Option D is wrong because 'List' would use a 'vault list' command, which enumerates keys under a path, not retrieve a specific secret's value.

5
MCQeasy

A user has the above policy attached. What operation can the user perform on 'secret/data/production/db_password'?

A.Update the metadata of the secret
B.Read the secret
C.Delete the secret
D.Write a new version of the secret
AnswerB

Read capability is explicitly granted.

Why this answer

The policy grants 'read' capability on 'secret/data/production/db_password'. In Vault's KV Secrets Engine v2, the 'read' capability allows retrieving the secret data and its metadata. Therefore, the user can read the secret, which includes both the data and metadata.

Option B is correct because the policy explicitly allows the read operation on that path.

Exam trap

HashiCorp often tests the distinction between capabilities on the data path versus the metadata path, tricking candidates into thinking 'read' on the data path allows modifying metadata when it only allows reading it.

How to eliminate wrong answers

Option A is wrong because 'update metadata' requires the 'update' capability on the metadata path, not just 'read'. Option C is wrong because 'delete' requires the 'delete' capability, which is not granted by the policy. Option D is wrong because writing a new version requires the 'create' or 'update' capability, neither of which is present in the policy.

6
MCQhard

A large enterprise runs Vault in a high-availability cluster with integrated storage (Raft). They notice that read requests are not being evenly distributed across nodes, causing some nodes to have high load. They want to offload read operations to standby nodes. What feature should they enable to achieve this?

A.Enable performance standby nodes
B.Configure a load balancer with a round-robin algorithm
C.Enable read replicas on standby nodes
D.Increase the number of Raft nodes to distribute reads
AnswerA

Performance standby nodes can serve read requests and handle authentication, distributing the load.

Why this answer

Performance standby nodes are a Vault Enterprise feature designed to handle read requests without participating in the Raft consensus write quorum. By enabling this, read operations are offloaded to standby nodes, distributing the load evenly and reducing the burden on the active cluster nodes. This directly addresses the uneven read distribution and high load on specific nodes.

Exam trap

HashiCorp often tests the misconception that a standard load balancer or adding more Raft nodes can solve read distribution issues, but the correct solution is the Vault Enterprise-specific performance standby nodes feature, which is designed exactly for this purpose.

How to eliminate wrong answers

Option B is wrong because configuring a load balancer with round-robin does not change Vault's internal read distribution; all nodes still handle reads equally, and without performance standby nodes, standby nodes do not serve read requests in a Raft cluster. Option C is wrong because Vault does not support read replicas; this is a database concept, not applicable to Vault's integrated storage architecture. Option D is wrong because increasing the number of Raft nodes only adds more nodes to the write quorum, which can actually increase write latency and does not offload reads to standby nodes—all Raft nodes still participate in read handling equally.

7
MCQmedium

A team wants to use Vault's AWS auth method to authenticate EC2 instances. Which architectural requirement must be met?

A.Each EC2 instance must have an IAM role attached
B.Vault must have AWS API credentials configured
C.Vault must be deployed on an EC2 instance in the same region
D.Vault must be able to reach the AWS metadata endpoint
AnswerD

Vault verifies instance identity via metadata.

Why this answer

The AWS auth method in Vault authenticates EC2 instances by verifying the instance's identity via the AWS metadata endpoint (http://169.254.169.254/latest/meta-data/). Vault must be able to reach this endpoint to retrieve the instance's PKCS7 signature, instance ID, and account ID, which are used to validate the instance's IAM role and ensure it matches the configured auth role. Without network access to the metadata endpoint, Vault cannot perform the cryptographic verification required for authentication.

Exam trap

HashiCorp often tests the misconception that Vault requires AWS API credentials or an IAM role for the AWS auth method, when in fact it only needs network access to the EC2 metadata endpoint to perform identity verification.

How to eliminate wrong answers

Option A is wrong because while an IAM role is typically used to bind the instance to a Vault role, it is not a strict architectural requirement; the AWS auth method can also use the instance's AMI ID or account ID for binding, and the instance does not need an IAM role attached if other identity parameters are used. Option B is wrong because Vault does not need AWS API credentials for the AWS auth method; it relies on the EC2 instance's metadata endpoint to verify the instance's identity, and AWS credentials are only required for the AWS secrets engine, not the auth method. Option C is wrong because Vault does not need to be deployed on an EC2 instance in the same region; it only needs network connectivity to the EC2 instance's metadata endpoint, which is accessible from any network path that can reach the instance's link-local address.

8
MCQhard

A Vault cluster uses Integrated Storage. During a planned upgrade, the administrator wants to minimize downtime. Which upgrade strategy should be used?

A.Upgrade all nodes at once
B.Perform a rolling upgrade one node at a time
C.Stop all nodes, upgrade, then start
D.Add new upgraded nodes then remove old ones
AnswerB

Maintains quorum and availability.

Why this answer

Integrated Storage (Raft-based) requires a quorum of nodes to maintain cluster availability. A rolling upgrade, where each node is upgraded one at a time, ensures that the cluster never loses quorum (more than half of the nodes remain online and functional), minimizing downtime while the upgrade proceeds.

Exam trap

HashiCorp often tests the misconception that stopping all nodes or upgrading all at once is acceptable for a clustered system, but the trap is that candidates overlook the critical requirement of maintaining Raft quorum to avoid cluster unavailability and potential data loss.

How to eliminate wrong answers

Option A is wrong because upgrading all nodes at once would temporarily remove all nodes from the cluster, causing a complete loss of quorum and total downtime until the upgrade finishes. Option C is wrong because stopping all nodes before upgrading eliminates the cluster entirely, resulting in maximum downtime and no high availability during the process. Option D is wrong because adding new upgraded nodes then removing old ones is a blue/green deployment strategy that is not natively supported by Integrated Storage without manual reconfiguration and data rebalancing, and it introduces unnecessary complexity and risk of data inconsistency.

9
MCQeasy

What is the purpose of the Seal/Unseal process in Vault architecture?

A.To delete old secrets
B.To rotate the encryption key
C.To back up the storage backend
D.To enable Vault to process requests
AnswerD

Unsealing allows Vault to decrypt the master key and serve requests.

Why this answer

The Seal/Unseal process in Vault is a security mechanism that protects the encryption key used to encrypt data at rest. When Vault starts, it is in a sealed state and cannot process any requests until it is unsealed by providing a threshold number of unseal keys (shards). Unsealing decrypts the master key in memory, allowing Vault to access the storage backend and serve API requests.

Option D is correct because the primary purpose is to enable Vault to process requests after a secure startup.

Exam trap

HashiCorp often tests the misconception that Seal/Unseal is about key rotation or backup, when in reality it is a startup security gate that prevents Vault from processing requests until the master key is decrypted in memory.

How to eliminate wrong answers

Option A is wrong because deleting old secrets is handled by secret lifecycle policies, TTLs, or manual revocation, not by the Seal/Unseal process. Option B is wrong because encryption key rotation is a separate operation (e.g., using `vault rotate` or automatic key rotation policies) and does not involve the unsealing workflow. Option C is wrong because backing up the storage backend is an operational task (e.g., snapshotting the file system or database) and is unrelated to the cryptographic unsealing mechanism.

10
MCQeasy

An organization has two Vault clusters in different geographic regions and wants to replicate secrets from the primary cluster to the secondary cluster for disaster recovery. Which Vault replication feature should they use?

A.Cluster replication
B.Active Directory replication
C.Disaster Recovery (DR) replication
D.Performance replication
AnswerC

DR replication replicates all data including secrets, policies, and configuration for failover.

Why this answer

Disaster Recovery (DR) replication is the correct Vault feature for replicating secrets from a primary cluster to a secondary cluster in a different geographic region for disaster recovery. DR replication copies all data, including secrets, policies, and tokens, in a one-way direction from primary to secondary, ensuring the secondary cluster can be promoted if the primary fails. This is distinct from performance replication, which is designed for load distribution and allows writes on both sides.

Exam trap

HashiCorp often tests the distinction between DR replication and Performance replication, trapping candidates who confuse the two by assuming Performance replication can also serve as a disaster recovery solution, when in fact it allows writes on both sides and is not designed for failover scenarios.

How to eliminate wrong answers

Option A is wrong because 'Cluster replication' is not a Vault feature; Vault uses 'Replication' as a core feature with specific modes (DR and Performance), and there is no standalone 'Cluster replication' mode. Option B is wrong because Active Directory replication is a Microsoft technology for synchronizing directory data across domain controllers, not a Vault feature. Option D is wrong because Performance replication is intended for scaling read operations across clusters in different datacenters, allowing writes on both sides, which is not suitable for a strict disaster recovery scenario where a single authoritative primary is required.

11
Matchingmedium

Match each Vault audit device to its output destination.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Writes to a local file

Sends to system syslog

Sends to a TCP or UDP endpoint

Publishes to Kafka topic

Why these pairings

These are audit devices for logging Vault requests.

12
MCQmedium

A Vault cluster with three nodes using Integrated Storage (Raft) is healthy with one active and two standby nodes. A network partition isolates the active node. What will happen?

A.The two standby nodes will seal themselves.
B.The two standby nodes remain in standby state.
C.The two standby nodes elect a new leader and continue writing.
D.The cluster becomes read-only until the active node rejoins.
AnswerC

With a majority, the nodes can elect a new leader and the cluster remains writable.

Why this answer

In a Vault cluster with Integrated Storage (Raft), a majority of nodes (quorum) is required to maintain leadership and process write operations. When the active node is isolated, the two remaining standby nodes still constitute a majority (2 out of 3). They will hold a new leader election using the Raft consensus algorithm, elect a new active node, and continue accepting write requests.

The isolated node, upon reconnection, will be treated as a follower and replicate data from the new leader.

Exam trap

HashiCorp often tests the misconception that losing the active node forces the cluster into read-only or standby mode, but the key is understanding that Raft's majority-based quorum allows the remaining nodes to elect a new leader and continue operations.

How to eliminate wrong answers

Option A is wrong because standby nodes do not seal themselves due to a network partition; sealing is a manual or policy-driven action, not an automatic response to loss of connectivity. Option B is wrong because the two standby nodes, forming a majority, will not remain in standby state; they will initiate a leader election and promote one to active. Option D is wrong because the cluster does not become read-only; as long as a majority of nodes can communicate, writes can continue, and the Raft protocol ensures consistency even during partitions.

13
MCQmedium

A company wants to use Vault's Key Management Secrets Engine (KMSE) to encrypt data stored in AWS S3. The security team requires that the encryption key used by Vault is never exposed to the application. Which Vault architecture component ensures that the encryption key remains within the Vault boundary and is not accessible to the application?

A.Vault's Cubbyhole Response Wrapping
B.Vault's Key Management Secrets Engine (KMSE)
C.Vault's Transit Secrets Engine
D.Vault's PKI Secrets Engine
AnswerB

KMSE generates keys in an external KMS and uses them without exposing the key to clients.

Why this answer

Option B is correct because the Key Management Secrets Engine (KMSE) is specifically designed to allow Vault to act as a key management service (KMS) for external cloud providers like AWS. When configured, the actual encryption key is generated and stored within the AWS KMS service, and Vault only holds a key reference or a key ID. The application never receives the raw encryption key; instead, it requests encryption/decryption operations from Vault, which forwards them to AWS KMS, ensuring the key never leaves the Vault boundary.

Exam trap

HashiCorp often tests the misconception that the Transit Secrets Engine keeps the key hidden from the application, but in reality, Transit allows key export if the policy grants read access, whereas KMSE delegates key management to an external KMS where the key is never exposed to Vault or the application.

How to eliminate wrong answers

Option A is wrong because Cubbyhole Response Wrapping is a mechanism for securely delivering secrets to a client by wrapping them in a one-time-use token; it does not prevent the application from accessing the underlying encryption key after unwrapping. Option C is wrong because the Transit Secrets Engine performs encryption and decryption operations within Vault using a key that is stored in Vault's backend, but the application could potentially retrieve the key if it has sufficient permissions (e.g., via the 'read' capability on the key path), which violates the requirement that the key never be exposed. Option D is wrong because the PKI Secrets Engine is used for generating and managing X.509 certificates, not for encrypting data with a key that remains hidden from the application.

14
MCQeasy

A company is migrating from a file storage backend to Consul. Which Vault command should be used to move the data?

A.vault operator rekey
B.vault operator unseal
C.vault operator migrate
D.vault operator init
AnswerC

Migrates data from one storage backend to another.

Why this answer

The `vault operator migrate` command is specifically designed to move Vault data from one storage backend to another, such as from a file storage backend to Consul. It handles the safe transfer of all encrypted data, including secrets, policies, and tokens, while ensuring consistency and minimal downtime during the migration process.

Exam trap

HashiCorp often tests the distinction between storage backend migration and other operator tasks, so candidates mistakenly choose `vault operator rekey` or `vault operator init` because they associate 'moving data' with key management or initialization rather than the dedicated migration command.

How to eliminate wrong answers

Option A is wrong because `vault operator rekey` is used to generate new unseal keys and change the key shares/threshold, not to migrate data between storage backends. Option B is wrong because `vault operator unseal` is used to unseal a Vault instance by providing a key share, not for moving data. Option D is wrong because `vault operator init` initializes a new Vault instance, generating the initial root token and unseal keys, but does not perform any data migration.

15
Multi-Selectmedium

Which THREE are requirements for a Vault High Availability (HA) cluster?

Select 3 answers
A.Standby nodes must be able to serve read requests.
B.A load balancer in front of all nodes.
C.A shared storage backend accessible by all nodes.
D.The active node must be able to handle all requests.
E.Standby nodes must forward requests to the active node.
AnswersC, D, E

All nodes must read/write to the same storage.

Why this answer

Option C is correct because Vault HA clusters require a shared storage backend (e.g., Consul, Integrated Storage, or Raft) that all nodes can access to maintain consistent state. Without shared storage, standby nodes cannot synchronize data or take over seamlessly if the active node fails.

Exam trap

HashiCorp often tests the misconception that standby nodes can serve read requests or that a load balancer is mandatory for HA, but Vault's architecture explicitly requires standby nodes to be passive and a load balancer to be optional.

16
MCQhard

A company with strict security requirements uses Vault's Transit secrets engine to encrypt data in a microservices architecture. They have multiple applications that each require a unique encryption key. The security team wants to enforce key rotation every 30 days for all keys, and also require that keys be destroyed after they are no longer used. The application team is concerned that key rotation might cause downtime because applications need to re-encrypt data. The Vault architect needs to design a key management solution. What is the best approach?

A.Use the Transit engine's key rotation capability with versioning and configure applications to use the latest key version for encryption, while keeping old versions for decryption.
B.Manually rotate keys every 30 days and update applications with new key IDs.
C.Set the key TTL to 30 days and configure Vault to automatically re-encrypt data when keys are rotated.
D.Use a single key for all applications and rotate it by creating a new key and deleting the old one.
AnswerA

Versioning allows seamless rotation.

Why this answer

Option A is correct because Vault's Transit secrets engine supports key rotation with versioning, where each rotation creates a new key version while retaining older versions for decryption. This allows applications to always encrypt using the latest version (via the `encrypt` endpoint) and decrypt using any previous version (via the `decrypt` endpoint), ensuring zero downtime during rotation. The security team's requirement for key destruction after disuse can be met by trimming or deleting old key versions once all data encrypted with them is re-encrypted.

Exam trap

HashiCorp often tests the misconception that key rotation in Vault automatically re-encrypts existing ciphertext, when in fact the Transit engine only creates new key versions and relies on applications to re-encrypt data separately.

How to eliminate wrong answers

Option B is wrong because manually rotating keys and updating application configurations with new key IDs introduces operational overhead and potential downtime, as applications would need to be redeployed or restarted to use the new key, violating the zero-downtime requirement. Option C is wrong because Vault's Transit engine does not support automatic re-encryption of existing ciphertext when a key is rotated; the `key TTL` parameter controls key expiration, not automatic data re-encryption, and old ciphertext remains decryptable only if the old key version is retained. Option D is wrong because using a single key for all applications violates the requirement for unique encryption keys per application, and deleting the old key immediately after rotation would break decryption of any data still encrypted with that key, causing data loss.

17
MCQhard

An administrator notices that after a Vault unseal operation, the root token is no longer usable. The audit logs show no revocations. What is the most likely cause?

A.The root token's TTL expired during unseal
B.The root token was revoked during unseal
C.The root token's policy was removed
D.The root token was stored in memory only and lost on seal
AnswerD

Root tokens are often not persisted; they are lost when Vault seals.

Why this answer

When a Vault node is sealed, all in-memory data, including the root token, is wiped. The root token is not persisted to storage by default; it is only stored in memory after initialization or unseal. If the token was not explicitly persisted (e.g., via a recovery key or a generated token with a storage backend), it is lost upon seal, making it unusable after a subsequent unseal operation.

Exam trap

HashiCorp often tests the misconception that the root token is persisted across seal/unseal cycles, when in fact it is ephemeral and only exists in memory after initialization or unseal.

How to eliminate wrong answers

Option A is wrong because the root token typically has no TTL by default (it is non-expiring unless explicitly set), and the unseal operation does not affect TTL expiration. Option B is wrong because audit logs show no revocations, and the unseal process does not automatically revoke the root token; revocation is an explicit administrative action. Option C is wrong because the root token is associated with the root policy, which cannot be removed or modified; the root policy is built into Vault and is immutable.

18
Multi-Selectmedium

Which TWO components are required for Vault to process client requests after startup?

Select 2 answers
A.Audit Device
B.A policy
C.Unseal key shares
D.A secrets engine
E.An enabled auth method
AnswersC, E

Required to unseal Vault.

Why this answer

C is correct because Vault starts in a sealed state and requires a threshold of unseal key shares to reconstruct the master key and decrypt the storage backend. Without unsealing, Vault cannot access any data or process client requests. E is correct because an enabled auth method is necessary to authenticate clients; Vault rejects all unauthenticated requests by default.

Exam trap

HashiCorp often tests the misconception that a secrets engine or policy is required for Vault to function, but the core requirement is unsealing and an auth method to accept any client request.

19
MCQhard

A Vault cluster uses DR replication. The primary cluster fails, and the DR secondary is promoted to primary. After promotion, some secret data written to the primary shortly before the failure is missing on the new primary. What is the most likely reason?

A.The data had not yet been replicated to the DR secondary before the primary failed.
B.The seal wrapping key was rotated on the primary after the last replication.
C.The secret engine was not enabled on the DR secondary.
D.The DR secondary was promoted with the 'force' option, which skips replication of the last writes.
AnswerA

Asynchronous replication means some writes may be lost.

Why this answer

In Vault DR replication, data is asynchronously replicated from the primary to the secondary cluster. If the primary fails before the replication stream has transmitted the most recent writes, those writes are lost. When the DR secondary is promoted to primary, it only contains data that was successfully replicated up to the point of failure.

This is the most likely reason the secret data is missing.

Exam trap

HashiCorp often tests the misconception that DR replication is synchronous or that the 'force' promotion option can recover missing writes, when in fact asynchronous replication inherently risks data loss of the most recent writes that have not yet been replicated.

How to eliminate wrong answers

Option B is wrong because the seal wrapping key is a cluster-level key used for encrypting the storage backend; its rotation does not affect the replication of secret data. Option C is wrong because DR replication operates at the storage layer, replicating all mounted secret engines and their data; if a secret engine was not enabled on the DR secondary, it would not have been replicated, but the question states the data was written to the primary, implying the engine was enabled there and would be replicated. Option D is wrong because the 'force' option during promotion is used to override a replication checkpoint mismatch (e.g., when the secondary is behind), but it does not skip replication of the last writes; it simply allows promotion despite the gap, meaning the missing data was never replicated, not that it was skipped.

20
MCQhard

During a performance test, Vault becomes unresponsive for several seconds when the storage backend experiences high latency. Which architectural change would best improve Vault's resilience to storage latency?

A.Configure Performance Standby nodes
B.Add more storage backend nodes
C.Disable storage replication
D.Increase the number of Vault nodes without replication
AnswerA

Offloads read operations and reduces load on the active node.

Why this answer

Performance Standby nodes are designed to handle read requests and can serve as hot standbys that take over active duty if the primary node becomes unresponsive due to storage backend latency. They maintain a local copy of the data via replication, allowing them to continue serving requests without waiting for the slow storage backend, thus improving resilience to high-latency storage conditions.

Exam trap

HashiCorp often tests the misconception that adding more nodes or storage capacity alone solves latency issues, but the key is replication and local data access, which Performance Standby nodes provide.

How to eliminate wrong answers

Option B is wrong because adding more storage backend nodes does not address the root cause of high latency; it may even increase complexity and replication overhead without providing a local, low-latency copy of the data. Option C is wrong because disabling storage replication would eliminate the mechanism that allows Performance Standby nodes to have a local copy, making the system more vulnerable to storage latency, not less. Option D is wrong because increasing the number of Vault nodes without replication means each node still depends on the same slow storage backend, so they would all become unresponsive simultaneously during high-latency events.

21
MCQhard

During a security assessment, a penetration tester discovers that Vault's seal configuration uses a single master key stored in a file on the server. The attacker gains root access to the server and retrieves the unseal key. What is the best mitigation to prevent this scenario?

A.Restrict network access to the Vault server with a firewall
B.Use a cloud auto-unseal mechanism such as AWS KMS
C.Use Shamir's secret sharing to split the key across multiple files
D.Encrypt the unseal key file with a strong password
AnswerB

Auto-unseal with KMS stores the master key in KMS, not on the server, requiring additional cloud credentials to retrieve.

Why this answer

Option B is correct because cloud auto-unseal mechanisms like AWS KMS decouple the unseal key from the Vault server itself. Instead of storing the master key on the local filesystem, Vault uses a cloud-based key management service (KMS) to wrap and unwrap the master key. Even if an attacker gains root access to the server, they cannot retrieve the unseal key because it is never stored locally; Vault must call the KMS API (with appropriate IAM credentials) to unseal, and those credentials can be further protected with instance profiles or roles.

Exam trap

HashiCorp often tests the misconception that Shamir's secret sharing is a sufficient standalone protection, but the trap here is that storing all shares on the same server negates its security benefit, as a root attacker can simply collect all shares from the filesystem.

How to eliminate wrong answers

Option A is wrong because restricting network access with a firewall does not prevent an attacker who already has root access to the server from reading the unseal key file; the key is still stored locally and accessible. Option C is wrong because Shamir's secret sharing splits the key into multiple shares, but if all shares are stored on the same server (e.g., in separate files), an attacker with root access can retrieve all of them and reconstruct the key. Option D is wrong because encrypting the unseal key file with a password only shifts the problem; the password must also be stored somewhere (e.g., in a script or environment variable) and can be extracted by an attacker with root access, making it a weak mitigation.

22
MCQhard

A company uses Vault Enterprise with Performance Replication. The primary cluster is in us-east-1, and a secondary cluster is in eu-west-1. Clients in eu-west-1 report that they receive stale data when reading from the local secondary cluster's active node. What is the most likely cause?

A.The secondary cluster has not enabled performance standby.
B.The replication filter is excluding certain paths.
C.The cluster is in 'primary_failover' mode.
D.The secondary cluster is in primary state instead of secondary.
AnswerB

If paths are excluded from replication, the secondary will not see updates, leading to stale data.

Why this answer

In Vault Enterprise Performance Replication, replication filters can be configured to exclude specific paths (e.g., secret engines or policies) from being replicated to secondary clusters. If a filter excludes certain paths, the secondary cluster will not receive updates for those paths, causing clients reading from the local secondary to see stale or missing data. This matches the symptom of stale reads on the secondary's active node.

Exam trap

HashiCorp often tests the misconception that stale data on a secondary is always due to network latency or cluster failover issues, when in fact replication filters are a deliberate configuration that can cause selective staleness.

How to eliminate wrong answers

Option A is wrong because performance standby nodes are used for read scalability within a cluster, not for replication between clusters; disabling them would affect read load distribution, not cause stale data from replication. Option C is wrong because 'primary_failover' mode is not a valid Vault cluster state; the correct term is 'performance standby' or 'disaster recovery' mode, and this mode would not cause stale reads on a properly configured secondary. Option D is wrong because if the secondary cluster were in primary state, it would not be receiving replicated data at all, leading to completely missing data rather than stale data, and clients would likely get errors or no data.

23
Multi-Selecthard

Which THREE of the following are true regarding Vault's high availability (HA) and replication? (Choose three.)

Select 3 answers
A.With Integrated Storage, all nodes can handle write requests
B.In an HA cluster with Integrated Storage, only the active node can serve write requests
C.Performance standby nodes can serve read requests without forwarding
D.Performance Replication replicates mounts and auth methods but not policies
E.Disaster Recovery Replication replicates everything including policies and audit logs
AnswersB, C, D

Standby nodes forward writes to the active node; only the active node handles writes.

Why this answer

In an HA cluster with Integrated Storage (Raft), only the active node can serve write requests because Raft ensures strong consistency by requiring all writes to go through the elected leader. The leader replicates the write to a quorum of follower nodes before acknowledging the client, preventing split-brain scenarios. This is a fundamental property of the Raft consensus protocol used by Vault Integrated Storage.

Exam trap

HashiCorp often tests the distinction between Performance Replication and DR Replication, specifically that DR Replication does replicate policies but NOT audit logs, while Performance Replication replicates mounts and auth methods but NOT policies.

24
Multi-Selectmedium

Which TWO of the following are components of Vault's architecture? (Choose two.)

Select 2 answers
A.Senlin
B.Consul Template
C.Vault Agent
D.Barrier
E.Seal
AnswersD, E

The barrier encrypts all data written to storage.

Why this answer

The Barrier and Seal are fundamental components of Vault's architecture. The Barrier is an encryption layer that protects all data written to storage by encrypting it with a master key before it is persisted. The Seal is the mechanism that wraps the master key, requiring an unseal process (using Shamir's Secret Sharing or an external key service like AWS KMS) to decrypt the master key and make Vault operational.

Exam trap

HashiCorp often tests the distinction between core architectural components (Barrier, Seal) and auxiliary tools (Vault Agent, Consul Template) or unrelated technologies (Senlin), expecting candidates to recognize that only the Barrier and Seal are integral to Vault's internal data protection and unsealing workflow.

25
MCQhard

After a failover event in a Vault HA cluster with Integrated Storage, the new active node reports a 'sealed' status incorrectly in monitoring metrics, but the cluster is still functioning correctly. What is the most likely cause?

A.Inconsistent seal configuration across nodes.
B.The new active node is actually a standby.
C.The Vault token used for monitoring has expired.
D.The storage backend is corrupted.
AnswerA

If seal blocks differ, nodes may report different seal statuses even when the cluster is healthy.

Why this answer

When a Vault HA cluster with Integrated Storage experiences a failover, the new active node must have a seal configuration that matches the cluster's unseal mechanism. If the seal configuration (e.g., Shamir threshold, auto-unseal KMS key, or transit engine path) is inconsistent across nodes, the new active node may report as 'sealed' in monitoring metrics even though the cluster is functional. This happens because the monitoring endpoint reads the node's local seal status, which can differ from the actual cluster state if the node cannot properly verify its own unseal state due to misconfiguration.

Exam trap

The trap here is that candidates assume a 'sealed' status always means the cluster is down or unavailable, but Cisco tests the nuance that monitoring metrics can reflect a node-level seal state that is inconsistent with the cluster's actual operational status due to configuration drift.

How to eliminate wrong answers

Option B is wrong because if the new active node were actually a standby, the cluster would not be functioning correctly—standby nodes do not serve requests, and the monitoring metrics would show a standby status, not a 'sealed' status. Option C is wrong because an expired Vault token used for monitoring would cause authentication failures or empty responses, not a false 'sealed' status in the metrics; the seal status is derived from the node's internal state, not token validity. Option D is wrong because a corrupted storage backend would prevent the cluster from functioning correctly—reads and writes would fail, and the node would likely crash or enter a recovery state, not simply report a false 'sealed' status while the cluster remains operational.

26
MCQmedium

A company is deploying Vault in a high-availability configuration across three data centers. They need to ensure that if the active Vault node fails, another node can take over without manual intervention. Which Vault feature should they configure?

A.Configure Vault with a highly available storage backend such as Raft and enable automatic leader election.
B.Enable performance standby nodes.
C.Use a load balancer with health checks to redirect traffic.
D.Set up Disaster Recovery (DR) replication between data centers.
AnswerA

Vault HA with Raft automatically elects a new leader if the active node fails.

Why this answer

Option A is correct because Vault's integrated Raft storage backend supports automatic leader election via the Raft consensus protocol. When the active node fails, the remaining nodes automatically hold an election to select a new leader, ensuring high availability without manual intervention. This is the native HA mechanism for Vault when using Raft as the storage backend.

Exam trap

HashiCorp often tests the distinction between automatic leader election (Raft HA) and manual failover mechanisms (DR replication), leading candidates to mistakenly choose DR replication for intra-cluster high availability.

How to eliminate wrong answers

Option B is wrong because performance standby nodes are designed to handle read requests and offload work from the active node, but they do not automatically take over as the new leader if the active node fails; leader election is required for write operations. Option C is wrong because a load balancer with health checks can redirect traffic away from a failed node, but it cannot elect a new leader or handle Vault's internal state replication; it only manages network traffic distribution. Option D is wrong because Disaster Recovery (DR) replication is intended for cross-datacenter failover and requires manual promotion of the DR secondary to become the primary; it does not provide automatic leader election within a single cluster.

27
MCQmedium

A Vault administrator is configuring Consul as the storage backend. The Consul cluster will span three data centers with low latency links. Which Consul deployment is recommended for Vault to ensure data safety?

A.3 Consul servers across 3 datacenters (1 per DC)
B.3 Consul servers in each datacenter (total 9)
C.3 Consul servers in one datacenter with agents in others
D.5 Consul servers in a single datacenter
AnswerD

A single datacenter setup provides strong consistency and low latency for Vault writes.

Why this answer

Option D is correct because Vault requires a strong consistency guarantee for its storage backend, and Consul achieves this via the Raft consensus protocol, which requires a majority of servers to be available. A single datacenter with 5 Consul servers provides the necessary fault tolerance and quorum (3 out of 5) to survive failures while maintaining data safety. Spreading servers across datacenters with low latency links still introduces network partitions and higher latency, which can break Raft's stability and lead to split-brain scenarios or degraded performance.

Exam trap

HashiCorp often tests the misconception that distributing Consul servers across datacenters improves resilience, but in reality, Raft requires low-latency, reliable connectivity between all servers, and spreading them across DCs increases the risk of network partitions that break quorum.

How to eliminate wrong answers

Option A is wrong because 3 Consul servers across 3 datacenters (1 per DC) creates a scenario where a single datacenter failure or network partition can cause loss of quorum (only 2 servers remain, which is not a majority of 3), leading to Vault becoming unavailable or data inconsistency. Option B is wrong because 9 Consul servers (3 per DC) introduces unnecessary complexity and latency; Raft consensus performance degrades with more nodes, and cross-datacenter links, even with low latency, increase the risk of network partitions that can disrupt quorum. Option C is wrong because placing 3 Consul servers in one datacenter with agents in others does not provide data safety; agents do not participate in Raft consensus, so the cluster still relies on a single datacenter for quorum, and a failure of that datacenter causes total data loss.

28
MCQeasy

A company stores static secrets in Vault and requires that all data is encrypted at rest in the storage backend. Which Vault feature provides this encryption?

A.The storage backend must be configured to encrypt data.
B.The transit secrets engine for encrypting secrets.
C.Vault's storage encryption via the barrier.
D.The storage backend's built-in encryption (e.g., Consul's encryption).
AnswerC

The barrier encrypts all data at rest.

Why this answer

C is correct because Vault's storage encryption is handled by the security barrier, which automatically encrypts all data written to the storage backend using a 256-bit AES-GCM encryption key. This ensures that data is encrypted at rest regardless of the storage backend's own capabilities, meeting the requirement without relying on backend-specific features.

Exam trap

HashiCorp often tests the misconception that storage backend encryption (e.g., Consul's built-in encryption) is required or sufficient, when in fact Vault's barrier provides mandatory encryption at rest that is independent of the backend.

How to eliminate wrong answers

Option A is wrong because the storage backend itself does not need to be configured to encrypt data; Vault's barrier handles encryption transparently, and the backend only stores the encrypted ciphertext. Option B is wrong because the transit secrets engine is used for encrypting application data in transit or at rest outside Vault, not for encrypting Vault's own stored secrets. Option D is wrong because relying on the storage backend's built-in encryption (e.g., Consul's encryption) is optional and not required by Vault; Vault's barrier provides its own encryption layer independent of the backend.

29
MCQhard

A large e-commerce company uses Vault to manage database credentials for microservices. They have a Vault cluster of 5 nodes using Integrated Storage (Raft). To increase capacity, they add a sixth node to the cluster. Shortly after, they notice intermittent 'no leader' errors in the Vault logs, and some clients experience failures when reading secrets. The cluster was functioning correctly before the addition. What is the most likely cause and the recommended action?

A.The cluster now has an even number of nodes, which can cause split-brain scenarios and leader election issues. Recommended action: remove the new node to revert to 5 nodes, or add a seventh node to make it odd.
B.The cluster's Raft protocol requires all nodes to be voters, but the new node is a non-voter. Recommended action: promote the new node to voter.
C.The new node has a different storage performance, causing it to lag behind and not participate in consensus. Recommended action: replace the new node with a faster instance.
D.The new node was not properly joined to the cluster and is running as a standalone server. Recommended action: re-run the join command and ensure the node is part of the cluster.
AnswerA

Raft performs best with an odd number of nodes to avoid split-brain. With 6 nodes, quorum is 4, and a partition could lead to no leader.

Why this answer

Option A is correct. Adding a sixth node creates an even-numbered cluster, which increases the risk of split-brain and leader election issues. The recommended action is to revert to an odd number (5 or 7).

Other options are less likely given the symptoms.

30
MCQeasy

A developer wants to authenticate to Vault using a username and password without any external identity provider. Which authentication method should be enabled?

A.Userpass authentication
B.Token authentication
C.LDAP authentication
D.AppRole authentication
AnswerA

Userpass allows local username/password authentication.

Why this answer

The userpass authentication method is designed for Vault to authenticate users directly with a username and password, without relying on any external identity provider. It stores the credentials within Vault's own backend, making it the correct choice for a standalone authentication scenario where no external system like LDAP or an OIDC provider is involved.

Exam trap

HashiCorp often tests the distinction between authentication methods that require external dependencies versus those that are self-contained; the trap here is that candidates may confuse token authentication (which is a result, not a method) with a credential-based login, or assume LDAP is the only option for username/password authentication.

How to eliminate wrong answers

Option B (Token authentication) is wrong because tokens are the result of a successful authentication, not a method for authenticating with a username and password; tokens are issued after authentication and are used for subsequent requests. Option C (LDAP authentication) is wrong because it requires an external LDAP directory service (e.g., OpenLDAP or Active Directory) to validate credentials, which contradicts the requirement of no external identity provider. Option D (AppRole authentication) is wrong because it is designed for machine-to-machine authentication using a RoleID and SecretID, not for human users providing a username and password.

31
MCQhard

A Vault cluster configured with auto-unseal using AWS KMS is deployed across two availability zones. After a network partition, the standby node remains sealed while the active node is unsealed and serving requests. What is the most likely reason the standby cannot unseal?

A.The standby node is using the wrong AWS region configuration.
B.The active node consumed all available KMS API quota for the region.
C.The cluster address on the standby is misconfigured.
D.The standby node cannot communicate with AWS KMS due to the network partition.
AnswerD

Auto-unseal requires network access to the seal provider.

Why this answer

In a Vault cluster with auto-unseal via AWS KMS, each node must independently communicate with AWS KMS to unseal itself. A network partition that isolates the standby node from AWS KMS prevents it from reaching the KMS endpoint, so it cannot decrypt its unseal key and remains sealed. The active node is unaffected because it is already unsealed and serving requests from the other side of the partition.

Exam trap

The trap here is that candidates may confuse the cluster replication traffic (which uses the cluster address) with the auto-unseal traffic (which uses outbound HTTPS to AWS KMS), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because the standby node would use the same AWS region configuration as the active node (typically set in Vault's configuration file or environment variables), and a network partition does not change the region setting; a misconfigured region would cause persistent unseal failures regardless of partition. Option B is wrong because KMS API quotas are per-account per-region and are not consumed by a single node; even if quota were exhausted, it would affect both nodes equally, not selectively leave the standby sealed. Option C is wrong because the cluster address is used for Raft or integrated storage replication between nodes, not for the auto-unseal process; a misconfigured cluster address would affect replication health but not the standby's ability to contact AWS KMS.

32
MCQhard

Refer to the exhibit. Based on the output from 'vault status', which statement is true?

A.The storage backend is a file backend.
B.The unseal configuration uses 5 key shares with a threshold of 3.
C.Auto-unseal is enabled using Consul as the seal provider.
D.Vault is not configured for high availability.
AnswerB

Total Shares is 5, Threshold is 3.

Why this answer

The 'vault status' output shows 'Sealed: false', 'Key Shares: 5', and 'Key Threshold: 3'. This indicates that Vault is unsealed and uses a Shamir seal configuration with 5 key shares, requiring any 3 of them to unseal. Option B correctly states this unseal configuration.

Exam trap

HashiCorp often tests the distinction between 'storage backend' and 'seal type' — candidates confuse the Consul storage backend with auto-unseal, but auto-unseal requires a separate seal provider like AWS KMS, not Consul.

How to eliminate wrong answers

Option A is wrong because the output shows 'Storage Type: consul', not 'file', so the storage backend is Consul, not a file backend. Option C is wrong because the output shows 'Seal Type: shamir', not 'auto-unseal' or 'Consul as seal provider'; auto-unseal would show a seal type like 'awskms' or 'gcpckms'. Option D is wrong because the output shows 'HA Enabled: true', indicating Vault is configured for high availability.

33
MCQmedium

Refer to the exhibit. A developer issues a Vault CLI command to write a secret to path 'secret/data/team/billing'. What will be the outcome?

A.The write is denied because the policy does not include a 'write' capability.
B.The write is denied because the second rule only allows read capability on the exact path, overriding the wildcard rule.
C.The write is denied unless the developer is authenticated with a token that has sudo privileges.
D.The write is allowed if the developer uses the 'vault kv put' command with the -force flag.
E.The write is allowed because the first rule grants create and update to all paths under team/.
AnswerB

Vault evaluates the most specific path first; the second rule matches exactly and only allows read, so the write is denied.

Why this answer

Option B is correct because Vault uses most-specific-path matching; the second rule applies to the exact path and only allows read, overriding the wildcard rule. The write is denied.

34
MCQeasy

Refer to the exhibit. A Vault administrator starts a Vault server and receives this error. What is the most likely cause?

A.The Vault binary is corrupt.
B.The listener address is incorrect.
C.The seal stanza is misconfigured.
D.The storage stanza is missing from the configuration file.
AnswerD

Vault requires a storage stanza to define the backend for persisting data.

Why this answer

The error indicates that Vault cannot find a configured storage backend. The storage stanza is mandatory in Vault's configuration file because it defines where Vault persists its data (e.g., Consul, Raft, file). Without it, the server fails to start because it has no backend to store secrets and state.

Exam trap

HashiCorp often tests the mandatory nature of the storage stanza, tricking candidates into thinking a listener or seal misconfiguration is the cause when the real issue is the absence of a storage backend definition.

How to eliminate wrong answers

Option A is wrong because a corrupt binary would typically produce a different error (e.g., checksum mismatch or segmentation fault), not a missing storage backend message. Option B is wrong because an incorrect listener address would cause a bind or connection error, not a missing storage stanza error. Option C is wrong because a misconfigured seal stanza (e.g., wrong transit path or key) would produce a seal initialization error, not a missing storage backend error.

35
MCQeasy

Which Vault component is responsible for encrypting data before storing it in the storage backend?

A.Storage Backend
B.Audit Device
C.Barrier
D.Secrets Engine
AnswerC

Encrypts all data before storage.

Why this answer

The Barrier (also known as the Security Barrier) is the Vault component responsible for encrypting all data before it is written to the storage backend. It wraps every entry with encryption using the master key, ensuring that data at rest is never stored in plaintext. This is a core architectural layer that provides a cryptographic boundary between Vault's internal operations and the underlying storage.

Exam trap

HashiCorp often tests the misconception that the Storage Backend handles encryption, but the trap here is that candidates confuse the storage layer's persistence role with the Barrier's cryptographic role, leading them to pick Option A.

How to eliminate wrong answers

Option A is wrong because the Storage Backend is a passive, durable storage layer (e.g., Consul, file system, S3) that only persists encrypted data; it has no encryption capabilities and never sees plaintext. Option B is wrong because an Audit Device logs requests and responses for auditing purposes but does not perform encryption of stored data; it operates at the logging layer, not the storage layer. Option D is wrong because a Secrets Engine generates, manages, and returns secrets (e.g., KV, AWS, database credentials) but does not encrypt data before storage; it relies on the Barrier to encrypt its output before writing to the storage backend.

36
MCQhard

Given the output from 'vault operator raft list-peers', which node(s) will become unavailable if node1 (leader) experiences a network partition away from all other nodes?

A.Only node1 becomes unavailable; the cluster remains operational with a new leader from node2 or node3
B.All nodes become unavailable because node1 is the leader
C.No nodes become unavailable; node1 remains leader but cannot serve writes
D.Node1, node4, and node5 become unavailable
AnswerA

Node1 is partitioned, but node2 and node3 (voters) can form quorum (2 out of 3) and elect a new leader.

Why this answer

Option A is correct because only node1 is unavailable; the remaining nodes (node2, node3, node4, node5) can still communicate and form quorum (3 voters out of 4, but node4 and node5 are non-voters; only voters count for quorum). Node2 and node3 are voters (2), less than majority of 5 voters? Wait initial voters: node1, node2, node3 are voters (3). If node1 is partitioned, node2 and node3 remain (2 voters out of 3, < majority? Actually quorum requires >50% of voters.

With 3 voters, quorum is 2. So node2 and node3 can still form quorum (2 is majority of 3) and elect a new leader. So only node1 becomes unavailable.

Option B is wrong because node2 and node3 can still agree. Option C is wrong because non-voters don't affect quorum. Option D is wrong.

37
MCQeasy

A company deploys Vault in a single data center with 3 nodes using Integrated Storage. The application team reports that secret reads are slow, with median latency of 200ms. The Vault cluster is under moderate load of 100 requests per second. The administrator checks the server metrics and sees that the Raft commit latency is low, but the HTTP request handling time is high. The Vault nodes are running on virtual machines with 4 vCPUs and 8GB RAM each. The administrator suspects that the bottleneck is due to resource contention. What should the administrator do to reduce read latency without compromising availability?

A.Add performance standby nodes to the cluster to handle read requests.
B.Increase the CPU and memory of the existing Vault nodes.
C.Switch to a Consul storage backend with more Consul servers.
D.Add more Vault nodes to the cluster to distribute read load.
AnswerA

Performance standbys reduce read latency by bypassing Raft.

Why this answer

Adding performance standby nodes is the correct solution because they are specifically designed to handle read requests without participating in the Raft consensus protocol. Since the bottleneck is high HTTP request handling time (not Raft commit latency), performance standbys offload read traffic from the active cluster nodes, reducing latency without affecting write availability or requiring changes to the existing cluster topology.

Exam trap

HashiCorp often tests the distinction between scaling reads with performance standbys versus scaling the cluster with additional Raft nodes, where candidates mistakenly assume adding more cluster nodes will improve read performance without considering the consensus overhead.

How to eliminate wrong answers

Option B is wrong because increasing CPU and memory addresses resource contention, but the metrics show low Raft commit latency and high HTTP request handling time, indicating the bottleneck is at the application layer (request handling), not compute resources; scaling vertically may not resolve the issue and could be less cost-effective. Option C is wrong because switching to a Consul storage backend introduces additional complexity and dependency on Consul servers, and the current issue is not related to storage backend performance (Raft commit latency is low); this would not directly reduce HTTP request handling time. Option D is wrong because adding more Vault nodes to the cluster increases the number of Raft participants, which can actually increase write latency and complexity, and does not specifically address read latency since all nodes in a Raft cluster can handle reads but still share the same consensus overhead; performance standbys are a more targeted solution for read scaling.

38
MCQeasy

A Vault operator runs `vault status` and sees the output above. The Vault cluster is in production and currently unresponsive to API requests. What is the most likely cause of the unresponsiveness?

A.The cluster is not initialized.
B.The cluster does not have HA enabled.
C.The Vault cluster is sealed.
D.The cluster has no active leader.
AnswerC

Sealed is true, meaning Vault cannot process requests until unsealed.

Why this answer

The `vault status` output shows that the Vault cluster is sealed. When a Vault cluster is sealed, it cannot process any API requests because the encryption key required to decrypt the data is not available in memory. This is the most common cause of unresponsiveness in a production Vault cluster that has been properly initialized.

Exam trap

HashiCorp often tests the distinction between initialization and sealing, where candidates mistakenly think an uninitialized cluster is the same as a sealed one, but initialization only happens once and sealing is a separate, reversible state that blocks all API requests.

How to eliminate wrong answers

Option A is wrong because if the cluster were not initialized, `vault status` would explicitly report 'Initialized: false', and the cluster would never have been able to serve requests in production. Option B is wrong because HA (High Availability) is not required for a Vault cluster to respond to API requests; a single-node cluster without HA can still be unsealed and fully operational. Option D is wrong because if there is no active leader, `vault status` would show 'HA Mode: standby' or 'no leader' but the cluster would still be responsive for read operations if unsealed; the unresponsiveness is specifically due to the sealed state, not the leader election status.

39
MCQeasy

A new Vault administrator unseals Vault using a single unseal key, but the Vault remains sealed. What is the most likely cause?

A.The storage backend is misconfigured, preventing key retrieval.
B.The administrator did not provide enough unseal keys to meet the threshold.
C.The administrator forgot to provide a valid token.
D.Vault needs to be re-initialized after the first unseal.
AnswerB

Shamir seal requires a threshold number of unseal keys.

Why this answer

Vault uses a threshold-based unsealing mechanism where a minimum number of unseal keys (the threshold) must be provided to reconstruct the master key and decrypt the storage backend. Providing only a single key, even if it is valid, leaves the Vault sealed because the threshold has not been met. The administrator must continue providing distinct unseal keys until the threshold count is reached.

Exam trap

HashiCorp often tests the misconception that a single unseal key is enough to unseal Vault, confusing the concept of a single key with the threshold requirement, or conflating unsealing with authentication via tokens.

How to eliminate wrong answers

Option A is wrong because a misconfigured storage backend would typically cause Vault to fail to start or to lose data, but it does not prevent the unseal process from accepting keys; the error here is specifically about the number of keys provided. Option C is wrong because tokens are used for authentication and authorization after Vault is unsealed, not during the unseal process itself; unsealing only requires unseal keys. Option D is wrong because Vault does not need to be re-initialized after the first unseal; initialization is a one-time process that generates the unseal keys and root token, and subsequent unseals use those same keys.

40
MCQmedium

An organization uses Vault to manage SSH access via the SSH secrets engine. They have a large number of servers, each with a unique host key. The admin configures the SSH secrets engine with a one-time password (OTP) type. Users report that sometimes they cannot authenticate to some servers because the OTP is not accepted. The admin reviews the logs and finds that the server's SSH daemon is not contacting Vault to verify the OTP. The SSH daemon is configured with the Vault SSH helper. What is the most likely cause?

A.The SSH secrets engine's default TTL is too short.
B.The Vault server is under high load and dropping requests from SSH helpers.
C.The SSH helper's client certificate is expired or not properly configured.
D.The Vault server's IP address has changed and the SSH helper is using the old address.
AnswerC

Certificate issues prevent authentication to Vault.

Why this answer

The SSH helper is a client-side component that must authenticate to Vault using a client certificate (mTLS) before it can verify OTPs. If this certificate is expired or misconfigured, the SSH daemon cannot establish a trusted connection to Vault, causing OTP verification to fail silently. This directly explains why the server is not contacting Vault despite the helper being installed.

Exam trap

HashiCorp often tests the distinction between network connectivity failures (wrong IP, high load) and authentication/authorization failures (expired certificates, misconfigured tokens) — the trap here is assuming a connectivity issue when the root cause is a TLS handshake failure due to an expired client certificate.

How to eliminate wrong answers

Option A is wrong because a short TTL would cause the OTP to expire before use, but the logs show the SSH daemon is not contacting Vault at all — not that the OTP is valid but expired. Option B is wrong because high load on Vault would result in delayed or dropped responses, but the SSH helper would still initiate the connection; the logs indicate no contact is made, not that requests are being dropped. Option D is wrong because if the Vault server IP changed, the SSH helper would fail to connect with a network error (e.g., connection refused or timeout), but the logs would show an attempted connection; the issue is that no contact is made, implying a TLS authentication failure rather than a network reachability problem.

41
Multi-Selecteasy

Which TWO statements about Vault's Storage Backend are correct?

Select 2 answers
A.It stores encrypted data
B.It logs all requests
C.It is abstracted and can be swapped
D.It handles authentication of clients
E.It is responsible for encrypting data
AnswersA, C

Data is encrypted by the barrier before storage.

Why this answer

Option A is correct because Vault's Storage Backend is responsible for persisting encrypted data. Vault encrypts all data at the application layer before writing it to the storage backend, ensuring that the backend itself never sees plaintext secrets. This design means the storage backend is a 'sealed box' that only stores ciphertext, providing defense in depth even if the backend is compromised.

Exam trap

HashiCorp often tests the misconception that the storage backend handles encryption or authentication, when in fact it is a passive, abstracted layer that only stores encrypted data and can be swapped without affecting Vault's core operations.

42
Drag & Dropmedium

Drag and drop the steps to configure Vault's PKI secrets engine to issue certificates into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Enable, generate root, create role, issue cert, revoke.

43
MCQeasy

A company runs Vault in a single cluster with three nodes using the Raft storage backend. The nodes are behind a load balancer that distributes traffic to all nodes. The operations team notices that occasionally, write operations (e.g., writing a secret or creating a policy) fail with a '502 Bad Gateway' error, while read operations succeed. The Vault audit logs show no errors. The load balancer health checks are configured to check the /v1/sys/health endpoint with a 200 response expected. The Vault nodes are all unsealed and the cluster is healthy. Which of the following is the most likely cause of the intermittent write failures?

A.The Raft storage backend does not support write operations.
B.The load balancer is sending write requests to standby nodes, which cannot handle writes.
C.The load balancer is not configured to use the /v1/sys/leader endpoint for routing.
D.One of the Vault nodes is sealed, causing write requests to fail.
AnswerB

Only the active node can process writes; standby nodes return a 502.

Why this answer

In a Vault cluster with Raft storage, only the elected leader node can handle write operations (e.g., writing secrets, creating policies). Standby nodes serve read requests and forward writes to the leader. If the load balancer distributes traffic to all nodes without considering leadership, write requests sent to a standby node will fail with a 502 Bad Gateway error because the standby cannot process the write locally and the load balancer may not properly handle the forwarded response or timeout.

Exam trap

HashiCorp often tests the misconception that all Vault nodes in a cluster can handle writes equally, but in reality only the leader node processes write operations; the trap here is assuming that a healthy, unsealed node can always accept writes.

How to eliminate wrong answers

Option A is wrong because the Raft storage backend fully supports write operations; it is a consensus-based backend that requires writes to go through the leader. Option C is wrong because while the /v1/sys/leader endpoint can be used for routing, the load balancer's health check on /v1/sys/health with a 200 response is not the root cause; the issue is that the load balancer sends writes to non-leader nodes, not the specific endpoint used for health checks. Option D is wrong because the scenario explicitly states all nodes are unsealed and the cluster is healthy, so a sealed node is not the cause.

44
MCQhard

Refer to the exhibit. A Vault policy is defined as shown. A user presents a token with this policy. Which operation will be permitted?

A.List secret/data/finance
B.Delete secret/data/finance/budget
C.Create secret/data/engineering/config
D.Read secret/data/finance
AnswerC

The glob secret/data/engineering/* grants create capability.

Why this answer

The policy grants `create` and `update` capabilities on `secret/data/engineering/*`, which allows creating secrets under that path. Option C is correct because the `create` capability permits writing a new secret at `secret/data/engineering/config`, as the path matches the glob pattern and the operation is a write (POST/PUT).

Exam trap

HashiCorp often tests the nuance that a policy with only `deny` on a path does not grant any capabilities, so operations like `list` or `read` on that path are implicitly denied, leading candidates to mistakenly assume a `deny` entry implies some form of access.

How to eliminate wrong answers

Option A is wrong because `list` requires the `list` capability, which is not granted on `secret/data/finance` (only `deny` is implied by absence). Option B is wrong because `delete` requires the `delete` capability, which is not granted on `secret/data/finance/budget` (the policy only allows `deny` on `secret/data/finance/*`). Option D is wrong because `read` requires the `read` capability, which is not granted on `secret/data/finance` (the policy only allows `deny` on `secret/data/finance/*` and no capabilities on the exact path).

45
MCQmedium

An organization uses Vault with a Consul storage backend. They have three Vault servers and three Consul servers. During a routine maintenance, they restart all Consul servers simultaneously. After the restart, Vault becomes sealed and cannot be unsealed. The Vault logs show 'storage: error listing' and 'failed to check status'. The Consul cluster is healthy with a leader. What is the most likely cause and solution?

A.Re-initialize Vault and generate new unseal keys
B.Restore Vault's storage backend from a recent backup
C.Generate a new root token using unseal keys
D.Use the unseal keys to unseal Vault again
AnswerB

Restores the encrypted data and master key.

Why this answer

When all Consul servers are restarted simultaneously, the Vault storage backend (Consul) may lose critical metadata or consistency state that Vault relies on to maintain its seal/unseal status. Even though the Consul cluster appears healthy with a leader, the underlying data corruption or loss of key-value entries (such as the barrier key or storage index) prevents Vault from reading its storage, causing it to seal and fail to unseal. Restoring Vault's storage backend from a recent backup is the correct solution because it recovers the consistent state of the data, including the encrypted master key and configuration, without requiring re-initialization.

Exam trap

HashiCorp often tests the misconception that a healthy Consul cluster with a leader guarantees Vault's storage integrity, but the trap here is that Vault's storage backend can suffer from data corruption or missing keys even when Consul's cluster health appears normal, leading candidates to incorrectly attempt re-unsealing or token generation instead of restoring from backup.

How to eliminate wrong answers

Option A is wrong because re-initializing Vault would generate a new master key and new unseal keys, destroying access to all existing secrets; the issue is data corruption in the storage backend, not a need for new keys. Option C is wrong because generating a new root token requires the Vault to be unsealed first, and the problem is that Vault cannot unseal due to storage errors, not a missing or expired token. Option D is wrong because using the unseal keys to unseal Vault again assumes the storage backend is intact and readable; the logs indicate 'storage: error listing' and 'failed to check status', meaning the storage is corrupted or inaccessible, so unseal operations will fail.

46
MCQeasy

An organization wants to use Vault's dynamic database credentials to manage MySQL access. They have multiple application servers that need to connect to different databases. What is the best practice for configuring database roles to minimize the number of Vault mounts?

A.Use the same database mount but create a separate role per application server.
B.Create a separate database mount for each database to isolate credential generation.
C.Create a single database mount and define multiple roles within it, each with different credential generation parameters.
D.Use a single role that generates credentials for all databases by using a wildcard in the username.
AnswerC

One mount per engine type, multiple roles for different databases.

Why this answer

Option C is correct because Vault allows a single database mount (e.g., `database/`) to manage multiple database connections, and within that mount, you can define multiple roles. Each role can specify different credential generation parameters (e.g., username template, default TTL, max TTL, and allowed roles) for distinct databases or application servers. This minimizes the number of mounts while still providing fine-grained access control and isolation of credentials.

Exam trap

HashiCorp often tests the misconception that more mounts equal better isolation, but the best practice in Vault is to minimize mounts and use roles for logical separation, as mounts are a higher-level administrative boundary that should be reserved for different secret engines or vastly different access policies.

How to eliminate wrong answers

Option A is wrong because creating a separate role per application server does not reduce the number of mounts; it increases the number of roles unnecessarily and does not address the goal of minimizing mounts. Option B is wrong because creating a separate database mount for each database directly contradicts the goal of minimizing mounts; it increases administrative overhead and complexity without any security benefit. Option D is wrong because using a wildcard in the username to generate credentials for all databases is not supported by Vault's database secrets engine; roles are bound to specific database connections and cannot use wildcards to span multiple databases, and this would violate the principle of least privilege.

47
Multi-Selecteasy

Which TWO components are required for Vault to start and function? (Choose two.)

Select 2 answers
A.Authentication method
B.Storage backend
C.Listener
D.Audit device
E.Seal mechanism
AnswersB, E

Required for persisting Vault's encrypted data.

Why this answer

The storage backend is required because Vault must persist all data, including encrypted secrets, configuration, and audit logs, to a durable backend (e.g., Consul, Integrated Storage, or filesystem). Without a configured storage backend, Vault cannot initialize or start. The seal mechanism is required because Vault uses it to encrypt and decrypt the master key; the seal wraps the master key and must be unsealed before Vault can serve requests.

Exam trap

HashiCorp often tests the misconception that a listener is required for Vault to start, but the trap is that Vault can start and initialize without a listener configured, as the listener is only needed to accept API traffic, not for core startup.

48
Multi-Selecteasy

A Vault administrator wants to ensure that all secrets are encrypted at rest and in transit. Which two configurations are necessary? (Choose two.)

Select 2 answers
A.Enable the `VAULT_ENCRYPT` environment variable on the Vault server.
B.Enable TLS on all Vault listener configurations.
C.Use a seal that provides envelope encryption for the storage backend.
D.Set the `encrypt` parameter on the audit device configuration.
E.Configure a storage backend that supports encryption at rest, such as Integrated Storage.
AnswersB, C

TLS encrypts data in transit.

Why this answer

Options A and C are correct. A: TLS encrypts data in transit. C: The seal provides encryption at rest via envelope encryption.

B is wrong because Integrated Storage does not inherently encrypt data at rest; it relies on the seal. D is wrong because audit device encryption is optional and not required. E is wrong because such an environment variable does not exist.

49
MCQmedium

A Vault cluster has two nodes configured for HA. The active node becomes unresponsive, and the standby node takes over. However, clients cannot connect to the new active node. The firewall rules allow traffic on port 8200. What is the most likely issue?

A.The standby node cannot connect to the storage backend.
B.The TLS certificate on the standby node is not valid for the hostname clients are using.
C.The original active node is tainted and blocking client requests.
D.The standby node is still sealed and cannot serve requests.
AnswerB

TLS certificate mismatch causes connection failures.

Why this answer

Option A is correct because if the TLS certificate on the standby node does not match the hostname clients use, connections will fail. Option B is wrong because storage backend connectivity is not required for client listener. Option C is wrong because the unseal status is independent of TLS.

Option D is wrong because a tainted node would not affect client connections to the active node.

50
MCQhard

A DevOps engineer is designing a Vault architecture for a multi-cloud environment spanning AWS, GCP, and on-premises data centers. The requirement is to have low-latency read access to secrets across all regions, and the ability to handle a full regional outage without manual intervention. Which architecture best meets these requirements?

A.Single Vault cluster with performance standby nodes in each region.
B.Multiple Vault clusters with disaster recovery replication using Performance Replication.
C.Multiple Vault clusters with Disaster Recovery (DR) replication and an automated failover script that promotes a DR cluster to primary.
D.Single Vault cluster spread across all regions using Integrated Storage with voter and non-voter nodes.
AnswerD

Non-voters can serve reads locally, and quorum can survive a regional outage.

Why this answer

Option D is correct because a single Vault cluster using Integrated Storage with voter and non-voter nodes can span multiple regions and clouds, providing low-latency reads via local non-voter nodes while maintaining a single Raft consensus group. This architecture handles a full regional outage without manual intervention because the Raft protocol automatically maintains quorum across voter nodes, and non-voter nodes can be promoted if needed, ensuring continuous read availability and automatic failover.

Exam trap

HashiCorp often tests the misconception that multiple clusters with DR replication are required for multi-region low-latency reads, but the trap is that DR replication requires manual promotion and does not provide automatic failover, whereas a single cluster with Integrated Storage and non-voter nodes can achieve both low-latency reads and automatic regional outage handling.

How to eliminate wrong answers

Option A is wrong because performance standby nodes do not participate in the Raft consensus or storage layer; they only forward write requests to the active node and cannot independently handle a full regional outage without the primary cluster. Option B is wrong because Disaster Recovery replication with Performance Replication requires manual promotion of a DR cluster to primary during an outage, violating the 'without manual intervention' requirement. Option C is wrong because even with an automated failover script, DR replication is designed for disaster recovery, not low-latency reads across regions, and the script introduces complexity and potential failure points that do not meet the requirement for automatic handling.

51
MCQmedium

A Vault administrator creates a policy that grants 'read' and 'list' on 'secret/data/engineering/*' for a group. However, users in that group cannot read 'secret/data/engineering/project/db_password'. What is the most likely issue?

A.The policy path is incorrect; KV v2 requires 'secret/data/engineering/*' for read access
B.The secret is stored in a different mount path
C.The policy is missing 'update' capability for the path
D.The users are in a different namespace that doesn't inherit the policy
AnswerA

For KV v2, data is under 'secret/data/'; the policy path must match the data path.

Why this answer

In Vault KV v2, secrets are accessed via a path that includes 'data' between the mount point and the secret name (e.g., 'secret/data/engineering/project/db_password'). The policy grants 'read' and 'list' on 'secret/data/engineering/*', which correctly covers the 'data' prefix. However, the user cannot read the secret because KV v2 also requires the 'read' capability on the 'metadata' path for the same secret (e.g., 'secret/metadata/engineering/project/db_password') to resolve version metadata.

Without 'list' or 'read' on the metadata path, the read operation fails. The most likely issue is that the policy is missing the metadata path capability, but among the given options, A is correct because the policy path is incorrect—it should include both 'data' and 'metadata' paths for KV v2.

Exam trap

HashiCorp often tests the distinction between KV v1 and KV v2 path structures, specifically that KV v2 requires both 'data' and 'metadata' paths, and candidates mistakenly think granting 'read' on the data path alone is sufficient.

How to eliminate wrong answers

Option B is wrong because the question states the secret is at 'secret/data/engineering/project/db_password', which matches the mount path 'secret' used in the policy; there is no indication of a different mount. Option C is wrong because 'update' capability is for writing or modifying secrets, not for reading; the issue is about read access, not write. Option D is wrong because namespaces in Vault are isolated and policies must be explicitly assigned within a namespace; if users are in a different namespace, they would not inherit the policy at all, but the question implies the policy is applied to the group and the users are in that group, so namespace mismatch is not the most likely issue.

52
MCQhard

An operator notices that after a network partition, a Vault cluster with integrated storage (Raft) has a node that is unreachable and does not automatically rejoin. The cluster has 5 nodes with a minimum quorum of 3. What is a likely cause for the node not rejoining?

A.The node's raft index is ahead of the leader's
B.The cluster may have lost quorum due to other nodes also being down
C.The node's clock skew is causing Raft timeouts
D.The node must be manually removed from the raft configuration and re-added
AnswerB

If 2 of 5 nodes are down, the remaining 3 constitute quorum; if more than 2 are down, quorum is lost.

Why this answer

In a Raft-based Vault cluster with 5 nodes and a quorum of 3, if a node becomes unreachable due to a network partition and does not automatically rejoin, the most likely cause is that additional nodes are also down or unreachable, causing the cluster to lose quorum. Without a majority of nodes (3 out of 5) able to communicate, the Raft consensus protocol cannot elect a leader or process log entries, so the isolated node cannot rejoin because the cluster itself is in a degraded state. The node not rejoining is a symptom of the broader quorum loss, not an isolated issue with that node.

Exam trap

HashiCorp often tests the misconception that a single node failure in a Raft cluster is automatically recoverable, but the trap here is that candidates overlook the quorum requirement and assume the node's own configuration or clock is at fault, rather than recognizing that the cluster may have lost majority due to multiple nodes being down.

How to eliminate wrong answers

Option A is wrong because a node's Raft index cannot be ahead of the leader's in a properly functioning Raft cluster; the leader always has the most up-to-date log index, and if a node were ahead, it would indicate a split-brain scenario or corruption, which is not typical after a partition. Option C is wrong because Raft does not rely on clock synchronization for timeouts; it uses election timeouts based on randomized timers, and clock skew is not a factor in Raft's consensus algorithm. Option D is wrong because manual removal and re-addition is a recovery step for a permanently failed node, not the likely cause of a node failing to rejoin after a partition; the cluster should automatically handle rejoin if quorum is restored.

53
MCQeasy

A startup is deploying Vault for the first time. They want to use Integrated Storage for simplicity. They plan to run Vault on three small instances. During initial setup, they start the first node and initialize Vault, obtaining the unseal keys and root token. Then they start the second node and run `vault operator raft join http://<first_node>:8200`. The second node joins successfully. They then start the third node and attempt to join, but the join command fails with an error saying 'no leader'. What is the most likely cause?

A.The first node was not unsealed before attempting to join the third node.
B.The third node is trying to join using the wrong IP address.
C.The Raft cluster requires a quorum of 2 nodes to elect a leader, but the first node may have been sealed.
D.The second node was not unsealed.
AnswerA

The leader must be unsealed for joins to work.

Why this answer

The correct answer is A. In a Vault Integrated Storage (Raft) cluster, a newly joined node must be able to contact an unsealed leader to complete the join process. If the first node (the initial leader) is still sealed after initialization, it cannot participate in Raft consensus or respond to join requests.

The third node's join fails with 'no leader' because the sealed first node cannot act as a leader, and the second node, while joined, has not been unsealed and thus cannot become leader either. Unsealing the first node would restore its leadership and allow the third node to join.

Exam trap

HashiCorp often tests the misconception that initializing Vault automatically makes it ready to accept cluster joins, when in fact the node remains sealed and cannot act as a leader until unsealed.

How to eliminate wrong answers

Option B is wrong because the join command explicitly specifies the IP address of the first node, and the error 'no leader' indicates the issue is not a network connectivity or addressing problem but rather the absence of an unsealed leader. Option C is wrong because while a quorum of 2 nodes is needed for leader election, the core issue is that the first node is sealed; if it were unsealed, it would already be the leader and the third node could join. Option D is wrong because the second node does not need to be unsealed for the third node to join; the join process only requires an unsealed leader (the first node) to accept the new node, and the second node's sealed state does not prevent the third from joining.

54
Multi-Selecthard

A Vault administrator wants to minimize the impact of a single node failure in a three-node Raft cluster. Which TWO actions will help? (Choose two.)

Select 2 answers
A.Set `disable_clustering` to true.
B.Use a load balancer to distribute client requests.
C.Configure monitoring to detect and replace failed nodes quickly.
D.Enable `retry_join` on all nodes with addresses of peers.
E.Enable `performance_standby` on all nodes.
AnswersC, D

Proactive detection and replacement reduce the window of vulnerability.

Why this answer

Configuring `retry_join` allows nodes to automatically rejoin the cluster after failure, and monitoring helps detect and replace failed nodes quickly. Load balancer and performance standby do not address node failure directly.

55
Multi-Selecthard

Which TWO statements correctly describe Vault's storage backend and seal/unseal mechanism?

Select 2 answers
A.During unseal, the unseal key is used to decrypt the master key which then decrypts the storage backend.
B.Shamir's secret sharing splits the master key into key shares.
C.The storage backend stores encrypted data and is responsible for durability.
D.The storage backend is responsible for sealing and unsealing Vault.
E.In a Vault cluster, when a new leader is elected, it automatically unseals itself.
AnswersA, C

The unseal process decrypts the master key, which in turn decrypts the data in the storage backend.

Why this answer

Option A is correct because Vault's unseal process uses a threshold of unseal keys to decrypt the master key stored in the keyring. The master key then decrypts the storage backend's encryption key, allowing Vault to access the encrypted data. This ensures that the storage backend remains encrypted at rest and is only readable after a successful unseal operation.

Exam trap

HashiCorp often tests the misconception that Shamir's secret sharing splits the master key itself, when in reality it splits the unseal key used to decrypt the master key, and that the storage backend handles sealing/unsealing rather than just data persistence.

56
MCQmedium

A DevOps team is deploying Vault in a Kubernetes cluster. They want to ensure that when a pod starts, it can obtain a short-lived Vault token without human intervention. Which Vault architecture component should they use?

A.Audit Device
B.Storage Backend (Consul)
C.Vault Agent sidecar
D.Vault CLI with token helper
AnswerC

Automatically authenticates and injects tokens into pods.

Why this answer

Option C is correct because the Vault Agent sidecar runs alongside the application container in the same pod, automatically authenticating to Vault and retrieving a short-lived token. This eliminates the need for human intervention by handling the authentication lifecycle (e.g., using Kubernetes auth method) and renewing or re-authenticating as needed, ensuring the application always has a valid token.

Exam trap

HashiCorp often tests the misconception that a storage backend or audit device can provide authentication tokens, when in fact they serve entirely different roles in Vault's architecture.

How to eliminate wrong answers

Option A is wrong because an Audit Device logs all requests and responses to Vault for security monitoring, but it does not provide tokens or handle authentication for pods. Option B is wrong because the Storage Backend (e.g., Consul) is used for persisting Vault's encrypted data and cluster state, not for issuing tokens to applications. Option D is wrong because the Vault CLI with a token helper is an interactive tool requiring a human to authenticate and manage tokens, which does not meet the requirement for automated, non-interactive token retrieval at pod startup.

57
MCQeasy

A security team is configuring Vault's seal mechanism. They want to ensure that in the event of a data center outage, the Vault cluster can be unsealed without human intervention, but still require approval from multiple administrators to rekey the master key. Which seal type should they use?

A.Shamir seals with auto-unseal using a cloud KMS.
B.HSM seal with a quorum of smart cards.
C.Transit seal with a key that requires manual approval from a quorum of operators.
D.Auto-unseal using AWS KMS with a key policy requiring multi-factor authentication for any key usage.
AnswerD

Auto-unseal with KMS allows automatic unseal and MFA for rekey.

Why this answer

Option B is correct because auto-unseal using a cloud KMS allows Vault to unseal automatically after a restart, and the KMS key can be configured to require MFA for cryptographic operations, effectively requiring multiple approvals for rekeying. Option A is wrong because Shamir seals require manual unseal. Option C is wrong because Transit seal requires a running Vault to unseal Vault.

Option D is wrong because HSM with quorum still requires manual intervention to unseal.

58
Multi-Selectmedium

A company is deploying Vault in a Kubernetes environment. Which three components are essential for a production-ready Vault on Kubernetes? (Choose three.)

Select 3 answers
A.A ConfigMap to store Vault configuration including unseal keys.
B.A persistent volume claim for each Vault pod for storage.
C.A service account with appropriate RBAC to interact with the Kubernetes API.
D.An Ingress controller to expose Vault externally.
E.A StatefulSet to manage Vault pods with stable network identities.
AnswersB, C, E

Persistent storage is essential for Raft.

Why this answer

Option B is correct because Vault requires durable storage for its encrypted data (the storage backend). In Kubernetes, a PersistentVolumeClaim (PVC) provides this durable block or file storage that survives pod restarts. Without a PVC, Vault would lose its data when the pod is rescheduled, making it unsuitable for production.

Exam trap

HashiCorp often tests the misconception that unseal keys can be stored in a ConfigMap for convenience, but the exam expects you to recognize that this violates Vault's security model and is never production-ready.

59
MCQmedium

A company requires that Vault's master key be split into multiple key shares and distributed to different administrators using Shamir's Secret Sharing. They also need to ensure that Vault can automatically unseal if a majority of shares are provided but cannot rely on manual intervention. Which unseal approach should they configure?

A.Store the master key in the transit secrets engine and unseal automatically
B.Use AWS KMS as a seal for auto-unseal
C.Configure Shamir seal with a threshold and use unseal keys via a key provider
D.Use a single unseal key stored in a password manager and manually unseal
AnswerC

Shamir seal with auto-unseal can be achieved by combining shares using a shamir seal wrapper.

Why this answer

Option C is correct because Shamir seal (also known as the 'seal' wrapping mechanism) allows Vault to use Shamir's Secret Sharing to split the master key into shares, and then automatically unseal by providing those shares via a key provider (e.g., a cloud KMS or HSM) without manual intervention. This satisfies the requirement of splitting the key among administrators while enabling auto-unseal when a majority of shares are available.

Exam trap

HashiCorp often tests the distinction between 'Shamir seal' (which uses multiple shares and a key provider for auto-unseal) and 'Shamir's Secret Sharing' (which is the manual unseal process), causing candidates to confuse the two and incorrectly select a single-key auto-unseal option like AWS KMS.

How to eliminate wrong answers

Option A is wrong because storing the master key in the transit secrets engine would defeat the purpose of splitting the key and does not provide auto-unseal; the transit engine is for encrypting data, not for managing unseal keys. Option B is wrong because AWS KMS as a seal (i.e., using AWS KMS as a seal wrapping mechanism) is a single-key auto-unseal approach, not a multi-share split-key method; it does not involve distributing key shares to multiple administrators. Option D is wrong because using a single unseal key stored in a password manager and manually unsealing violates the requirement to split the key into multiple shares and to avoid manual intervention.

60
MCQhard

A company deploys Vault in a production environment with three nodes using Integrated Storage (Raft). They have configured Performance Replication to a secondary datacenter. The primary datacenter experiences a complete outage. After restoring the primary, they promote the secondary to primary. However, they notice that some secrets written to the primary just before the outage are missing in the secondary. The replication status shows no errors. What is the most likely cause and correct action?

A.Accept the data loss and continue with the secondary as primary
B.Restore the primary from backup to recover missing secrets
C.Failback to the original primary after restoring it
D.Re-promote the original primary and use it as the new primary
AnswerA

Asynchronous replication may lose recent writes; accept and move on.

Why this answer

Performance Replication in Vault is asynchronous, meaning there is no guarantee that all writes to the primary are replicated to the secondary before a failure. When the primary experiences a complete outage, any secrets written just before the outage that had not yet been acknowledged by the secondary are permanently lost. Since the replication status shows no errors, the system is consistent up to the last replicated point, and the only correct action is to accept the data loss and continue with the promoted secondary as the new primary.

Exam trap

The trap here is that candidates assume replication guarantees zero data loss because the status shows no errors, but they fail to recognize that asynchronous replication inherently allows a small window of unreplicated writes.

How to eliminate wrong answers

Option B is wrong because restoring the primary from backup would reintroduce stale data and potentially cause conflicts with the promoted secondary, and it does not recover the missing secrets that were never replicated. Option C is wrong because failing back to the original primary after restoring it would require the original primary to catch up with the secondary, but the missing secrets were never on the secondary, so they cannot be recovered through failback. Option D is wrong because re-promoting the original primary as the new primary would ignore the fact that the secondary has already been promoted and is now the authoritative source; this would cause a split-brain scenario and data inconsistency.

61
Multi-Selecthard

Which TWO statements about Vault replication are correct?

Select 2 answers
A.A DR secondary can be promoted to primary only if the primary is offline.
B.DR replication replicates all data including tokens and leases.
C.Performance replication allows read requests to be served locally on the secondary cluster.
D.Performance replication replicates all secrets and auth methods.
E.Both performance and DR replication require a shared storage backend.
AnswersB, C

DR replication is a full data copy.

Why this answer

Option B is correct because Vault DR replication is designed to replicate all data, including tokens, leases, and secrets, to a secondary cluster for disaster recovery purposes. This ensures that the secondary cluster can take over with a complete state if the primary fails, as it mirrors the entire Vault data store.

Exam trap

HashiCorp often tests the misconception that performance replication replicates all data (including auth methods and mount configurations), when in fact it only replicates the data within the mount paths and does not replicate auth method configurations or system data like tokens.

62
MCQmedium

A Vault cluster uses Integrated Storage with 5 nodes. After a network split, the cluster loses quorum and becomes sealed. The network is restored, but the cluster does not automatically recover. What should the administrator do to recover the cluster?

A.Use `vault operator raft snapshot restore` on each node to restore from a backup.
B.Restart all nodes simultaneously to force a new leader election.
C.Manually unseal each node using the unseal keys.
D.Identify the node with the most recent data and use `vault operator raft recover` to create a new cluster from that node.
AnswerD

Raft recover creates a new cluster from a single node.

Why this answer

When a Vault cluster with Integrated Storage loses quorum due to a network split, the cluster seals itself to prevent split-brain. After the network is restored, the cluster does not automatically recover because the Raft consensus algorithm requires a majority of nodes to form a quorum. Option D is correct because `vault operator raft recover` allows an administrator to force a single node (typically the one with the most recent data) to form a new cluster, discarding the other nodes' data and re-establishing quorum.

Exam trap

HashiCorp often tests the misconception that unsealing or restarting nodes alone can recover a Raft-based cluster after quorum loss, when in fact the Raft layer must be explicitly recovered using a command like `vault operator raft recover`.

How to eliminate wrong answers

Option A is wrong because `vault operator raft snapshot restore` is used to restore data from a previously taken snapshot, not to recover from a quorum loss; it requires a functioning cluster or a single-node recovery first. Option B is wrong because restarting all nodes simultaneously does not resolve the underlying Raft quorum issue; the nodes will still attempt to form a cluster with the same stale peer set and will remain sealed if quorum cannot be achieved. Option C is wrong because manual unsealing only decrypts the Vault's seal, but the Raft layer still requires quorum to operate; unsealing does not repair the broken consensus.

63
MCQeasy

What is the purpose of the `storage` stanza in a Vault server configuration file?

A.Defines where Vault stores encrypted data.
B.Defines the encryption algorithm for secrets.
C.Defines the seal mechanism.
D.Defines the listener address.
AnswerA

The storage stanza configures the backend used to persist Vault's encrypted data.

Why this answer

The `storage` stanza in a Vault server configuration file defines the backend where Vault stores all encrypted data, including secrets, tokens, and metadata. This backend can be a file system, Consul, Raft, or other supported storage backends, and it is the persistent layer that holds the encrypted data after it has been processed by the seal mechanism. Without a properly configured `storage` stanza, Vault cannot persist any data and will fail to start.

Exam trap

HashiCorp often tests the distinction between the `storage` stanza (where data is stored) and the `seal` stanza (how data is encrypted), leading candidates to confuse the purpose of these two separate configuration blocks.

How to eliminate wrong answers

Option B is wrong because the encryption algorithm for secrets is not defined in the `storage` stanza; it is determined by the seal mechanism (e.g., using AES-256-GCM by default) and is not configurable in the storage stanza. Option C is wrong because the seal mechanism is defined in the `seal` stanza (e.g., `seal "awskms"` or `seal "shamir"`), not in the `storage` stanza. Option D is wrong because the listener address is defined in the `listener` stanza (e.g., `listener "tcp" { address = "127.0.0.1:8200" }`), which configures the network interface and port for API requests, not the storage backend.

64
MCQmedium

A company is running Vault in production with a single active node and two standby nodes using Integrated Storage. The operations team notices that after a network partition, one of the standby nodes becomes unavailable for a few minutes. Upon recovery, the node rejoins the cluster. However, the active node's performance degrades temporarily. What is the most likely cause?

A.The standby node caused a leadership election upon reconnection.
B.The standby node was not using a seal wrapping key, causing re-encryption of all data.
C.The standby node's recovery caused Raft snapshot installation, leading to temporary I/O load on the active node.
D.The standby node forced a full data sync from the active node, consuming resources.
AnswerC

When a node rejoins after a partition, it may need to install a snapshot, causing I/O on the leader.

Why this answer

When a standby node reconnects after a network partition, the Raft consensus protocol may require the node to catch up on missed log entries. If the log gap is large, the active node initiates a snapshot installation, which involves reading and sending a compressed snapshot of the Raft state. This process causes significant I/O and CPU load on the active node, temporarily degrading its performance.

Exam trap

HashiCorp often tests the misconception that a reconnecting standby node triggers a leadership election or a full data sync, when in reality Raft uses snapshot installation to efficiently catch up followers, which can cause temporary performance degradation on the active node.

How to eliminate wrong answers

Option A is wrong because a standby node rejoining does not trigger a leadership election; elections only occur when the active node fails or becomes unreachable. Option B is wrong because seal wrapping keys are used for encrypting the unseal key or root token, not for re-encrypting all data; re-encryption of all data is not a standard behavior upon node reconnection. Option D is wrong because Raft does not force a full data sync from the active node; it uses log replication and snapshot installation to bring the node up to date, which is more efficient than a full sync.

65
MCQmedium

Refer to the exhibit. A Vault administrator configures a three-node cluster with the above configuration on all nodes (with appropriate node_id). After starting all nodes, the administrator unseals node2 and node3. Node1 remains sealed. What will be the cluster state?

A.Nodes 2 and 3 will each try to become leader, causing a split-brain.
B.Node1 will automatically join the cluster once unsealed.
C.Nodes 2 and 3 will form a quorum and elect a leader; Node1 will be a standby when unsealed.
D.The cluster will be unavailable because Node1 is sealed.
AnswerC

Two nodes constitute a majority and can operate normally.

Why this answer

In a Vault cluster, a quorum requires a majority of nodes to be unsealed and available. With three nodes, the quorum size is 2. Nodes 2 and 3, both unsealed, form a quorum and elect a leader among themselves.

Node1, though sealed, is still a cluster member; once unsealed, it will join as a standby node, not as a leader, because the leader election has already occurred.

Exam trap

HashiCorp often tests the misconception that a sealed node makes the entire cluster unavailable, but the key is that Vault only requires a quorum of unsealed nodes for cluster operation, not all nodes.

How to eliminate wrong answers

Option A is wrong because Vault uses Raft consensus, which prevents split-brain by requiring a majority (quorum) for leader election; two nodes cannot both become leader as they will coordinate via Raft. Option B is wrong because Node1 will not automatically join the cluster once unsealed; it will join as a standby node only after being unsealed, but it does not automatically unseal itself. Option D is wrong because the cluster remains available as long as a quorum of nodes (2 out of 3) is unsealed; Node1 being sealed does not make the cluster unavailable.

66
Multi-Selecteasy

Which TWO are core components of Vault's architecture?

Select 2 answers
A.Seal
B.Storage backend
C.Audit device
D.Auth method
E.Replication
AnswersA, B

Core component that protects the encryption key.

Why this answer

The Seal is a core component of Vault's architecture because it provides the mechanism to encrypt and decrypt the master key, which is used to protect all other keys and data within Vault. When Vault is sealed, the master key is encrypted and cannot be accessed, rendering the Vault unable to decrypt its data. Unsealing requires a threshold of unseal keys to reconstruct the master key, ensuring that no single individual can access the Vault's secrets.

Exam trap

HashiCorp often tests the distinction between core architectural components (Seal and Storage Backend) and optional or pluggable features (audit devices, auth methods, replication), leading candidates to mistakenly select features that are critical for operation but not part of the minimal core architecture.

67
MCQhard

A company uses Vault Enterprise with Performance Replication across two data centers. The primary data center is in us-east-1 and the secondary is in eu-west-1. They have an application that writes secrets to the primary cluster, and those secrets are replicated to the secondary cluster for read access. Recently, they noticed that some secrets written to the primary are not appearing on the secondary even after several minutes. The latency between data centers is typically 50ms. The administrator checks the replication status and sees a 'merkle sync' in progress. What is the most likely reason for the delay?

A.The replication token has expired.
B.The primary cluster is using a different seal type than the secondary.
C.The secondary cluster is experiencing write load that is causing replication to fall behind.
D.Performance Replication only replicates data once per hour by default.
AnswerC

Heavy load can cause replication lag.

Why this answer

Performance Replication in Vault Enterprise uses asynchronous streaming of write-ahead log (WAL) entries to replicate data to secondary clusters. When a 'merkle sync' is in progress, it indicates that the secondary cluster has fallen behind and is performing a full tree comparison to reconcile differences. The most likely cause is that the secondary cluster is under write load, which can cause it to process replication WAL streams more slowly, leading to a backlog and triggering a merkle sync to catch up.

Exam trap

The trap here is that candidates may assume replication is always instant or that a merkle sync indicates a permanent failure, when in fact it is a normal recovery mechanism triggered by transient load or latency issues.

How to eliminate wrong answers

Option A is wrong because a replication token expiration would cause replication to stop entirely with an authentication error, not a merkle sync in progress. Option B is wrong because seal types (e.g., Shamir, Auto Unseal) do not affect replication mechanics; replication operates independently of the seal configuration. Option D is wrong because Performance Replication is near real-time, streaming WAL entries continuously; there is no default one-hour interval.

68
MCQmedium

An organization requires that all Vault secrets be encrypted with a key derived from a hardware security module (HSM) and that the cluster can be unsealed automatically. Which seal type should they use?

A.PKCS11 seal
B.Transit seal
C.Shamir seal
D.Cloud KMS seal
AnswerA

PKCS11 seal supports HSM integration for automatic unsealing and key management.

Why this answer

The PKCS11 seal type is correct because it enables Vault to derive the unseal key from a key stored in a hardware security module (HSM) via the PKCS#11 interface. This allows automatic unsealing of the cluster by leveraging the HSM's key, meeting both the encryption and auto-unseal requirements.

Exam trap

HashiCorp often tests the distinction between 'auto-unseal' and 'HSM-backed key derivation'; the trap here is that candidates may confuse Cloud KMS seal (which also provides auto-unseal) with HSM-based sealing, but Cloud KMS does not use a dedicated hardware security module for key derivation.

How to eliminate wrong answers

Option B (Transit seal) is wrong because the Transit seal uses Vault's Transit secrets engine to encrypt the unseal key, but it does not derive the key from an HSM; it relies on another Vault cluster or a separate encryption service, not a hardware security module. Option C (Shamir seal) is wrong because it uses Shamir's secret sharing to split the unseal key into shards, requiring manual intervention from multiple operators to unseal, and does not involve an HSM or automatic unsealing. Option D (Cloud KMS seal) is wrong because while it provides auto-unseal using a cloud provider's key management service (e.g., AWS KMS, Azure Key Vault, GCP Cloud KMS), it does not derive the key from a hardware security module; the key is managed by the cloud provider's software-based KMS, not a dedicated HSM.

69
MCQmedium

A security team needs to audit all interactions with Vault, including requests that are denied due to policy violations. They want to ensure that even if the audit device is full, Vault does not halt operations. Which audit device configuration should they recommend?

A.Socket audit device with a remote log aggregator
B.File audit device with blocking=true and a separate backup file
C.File audit device with blocking=false and fallback path configured
D.Syslog audit device with local syslog server
AnswerC

Non-blocking with fallback ensures audits continue even if primary fails, without halting Vault.

Why this answer

The file audit device with `blocking=false` ensures that Vault does not block requests when the audit log cannot be written, preventing denial of service. The fallback path provides a secondary location to continue logging if the primary path fails, maintaining audit coverage without halting operations.

Exam trap

The trap here is that candidates assume any remote or syslog-based audit device inherently avoids blocking, but Vault's default audit device behavior is blocking unless explicitly configured otherwise, and only the file audit device supports a fallback path to prevent data loss without halting operations.

How to eliminate wrong answers

Option A is wrong because a socket audit device sends logs over TCP/UDP, and if the remote log aggregator is unreachable or the socket buffer is full, Vault will block requests by default unless `blocking=false` is explicitly set, which is not mentioned. Option B is wrong because `blocking=true` causes Vault to halt operations when the audit device is full, directly contradicting the requirement to not halt operations. Option D is wrong because a syslog audit device with a local syslog server can still block Vault if the syslog server is overwhelmed or the local socket is full, as the default behavior is blocking; additionally, syslog does not natively support a fallback mechanism like the file audit device's fallback path.

70
MCQhard

After a security incident, the Vault administrator needs to change the encryption key used to encrypt data at rest. They have already rekeyed the unseal keys. What additional step is required to ensure new secrets are encrypted with a new key?

A.Reinitialize Vault with new unseal keys.
B.Run 'vault operator rotate' to rotate the encryption key.
C.Migrate all secrets to a new mount and delete the old one.
D.Run 'vault operator rekey' again with different parameters.
AnswerB

Rotates the barrier encryption key used for data at rest.

Why this answer

Option B is correct because the `vault operator rotate` command rotates the encryption key used by Vault's keyring to encrypt data at rest. After rekeying the unseal keys, the administrator must rotate the encryption key so that new secrets written to the storage backend are encrypted with a fresh key, while existing data remains decryptable with the old key until it is rewritten.

Exam trap

HashiCorp often tests the distinction between rekeying unseal keys (which affects how the master key is split) and rotating the encryption key (which changes the key used to encrypt data at rest), and the trap here is that candidates confuse `vault operator rekey` with `vault operator rotate`, assuming both affect data encryption when only the latter does.

How to eliminate wrong answers

Option A is wrong because reinitializing Vault with new unseal keys would destroy all existing secrets and configuration, which is unnecessary and destructive; the goal is to change the encryption key for new data, not to wipe the entire Vault. Option C is wrong because migrating secrets to a new mount and deleting the old one does not change the underlying encryption key used by the storage backend; it only moves data between mounts, and the new mount would still use the same keyring unless the key is rotated. Option D is wrong because `vault operator rekey` changes the unseal keys (shares and threshold), not the encryption key used for data at rest; rekeying with different parameters would only affect how the master key is split, not the encryption of stored data.

71
MCQmedium

A Vault server is configured with the above snippet. After starting, the server remains in a sealed state. Which command should the operator run to complete the initial unseal?

A.vault operator unseal -auto
B.vault operator unseal <key>
C.vault operator generate-root
D.vault operator init
AnswerD

Initialization generates the root token and sets up the seal; unseal happens automatically via GCP KMS.

Why this answer

Option D is correct because the snippet shows a Vault configuration but no `seal` or `unseal` keys have been generated yet. The `vault operator init` command generates the initial root token and unseal keys, which are required before any unseal operation can be performed. Without initialization, the server has no keys to unseal with, so it remains in a sealed state.

Exam trap

The trap here is that candidates confuse the initialization step with the unseal step, assuming a Vault server can be unsealed without first generating the unseal keys via `vault operator init`.

How to eliminate wrong answers

Option A is wrong because `vault operator unseal -auto` is not a valid command; Vault does not support an `-auto` flag for unsealing, and unsealing requires explicit key shares. Option B is wrong because `vault operator unseal <key>` assumes unseal keys already exist, but the server has not been initialized yet, so no keys are available to provide. Option C is wrong because `vault operator generate-root` is used to generate a new root token after initialization, not to unseal the server; it requires an already unsealed Vault to function.

72
MCQeasy

In a Vault HA cluster, which node is responsible for handling all write requests?

A.All nodes
B.The active node only
C.Standby nodes
D.The node that receives the request
AnswerB

The active node is the only node that can accept and process write requests.

Why this answer

In a Vault HA cluster, only the active node can handle write requests. This is because the active node holds the storage backend lock and is the only node that can modify the underlying data store. Standby nodes forward write requests to the active node, ensuring data consistency and preventing split-brain scenarios.

Exam trap

HashiCorp often tests the misconception that all nodes in an HA cluster can handle writes equally, but the key is that only the active node can process writes to maintain data integrity and avoid conflicts.

How to eliminate wrong answers

Option A is wrong because not all nodes handle write requests; only the active node can process writes, while standby nodes are read-only and forward writes to the active node. Option C is wrong because standby nodes do not handle write requests; they only serve read requests and forward writes to the active node. Option D is wrong because the node that receives the request may be a standby node, which cannot process writes locally and must forward the request to the active node.

73
Multi-Selecthard

Which THREE architectural considerations are important when designing a multi-datacenter Vault deployment?

Select 3 answers
A.Use a single storage backend across datacenters
B.Deploy a single Vault cluster spanning datacenters
C.Use separate storage backends per datacenter
D.Enable Performance Replication for local reads
E.Enable Disaster Recovery Replication for failover
AnswersC, D, E

Ensures isolation and reduces latency.

Why this answer

Option C is correct because in a multi-datacenter Vault deployment, each datacenter must have its own independent storage backend to avoid a single point of failure and to ensure that a failure in one datacenter does not corrupt or disrupt the storage layer of another. Vault’s architecture requires that each cluster manages its own storage backend (e.g., Consul, Integrated Storage, or Raft) to maintain data isolation and consistency within that datacenter.

Exam trap

HashiCorp often tests the misconception that a single Vault cluster or storage backend can be stretched across datacenters, but the correct design requires separate clusters and storage backends per datacenter, with replication handling cross-datacenter data flow.

74
MCQhard

A company requires that Vault data be continuously replicated from a primary data center to a secondary data center for disaster recovery. The secondary data center must be able to become writable in the event of a primary failure. Which Vault feature should they use?

A.Performance Replication
B.Consul as storage backend
C.Performance Standby
D.Disaster Recovery Replication
AnswerD

DR replication mirrors all data and allows promotion of the secondary cluster to primary for failover.

Why this answer

Disaster Recovery (DR) Replication is the correct choice because it provides asynchronous replication of Vault data (including configuration, policies, and secrets) from a primary cluster to a secondary cluster. In the event of a primary failure, the secondary cluster can be promoted to become writable, ensuring business continuity. This feature is specifically designed for disaster recovery scenarios where the secondary site must be able to take over write operations.

Exam trap

HashiCorp often tests the distinction between Performance Replication and Disaster Recovery Replication, where candidates mistakenly choose Performance Replication because they confuse read scaling with disaster recovery failover capabilities.

How to eliminate wrong answers

Option A is wrong because Performance Replication is designed for low-latency read scaling across geographically distributed clusters, but the secondary cluster remains read-only and cannot be promoted to writable in a disaster. Option B is wrong because Consul as a storage backend is a storage configuration, not a replication feature; it does not provide built-in continuous replication or failover to a writable secondary. Option C is wrong because Performance Standby nodes are read-only and intended to offload read requests from the active leader, not to serve as a writable disaster recovery target.

75
Multi-Selecthard

Which TWO of the following are valid ways to authenticate to Vault?

Select 2 answers
A.SAML 2.0
B.GitHub personal access token
C.Kubernetes auth
D.LDAP authentication
E.AWS EC2 instance metadata
AnswersC, D

Kubernetes auth is a built-in auth method.

Why this answer

Kubernetes auth is a valid Vault authentication method that allows Kubernetes service accounts to authenticate to Vault using a JSON Web Token (JWT) and a service account token. It is a first-class auth method in Vault, designed for dynamic, short-lived credentials in containerized environments.

Exam trap

HashiCorp often tests the distinction between 'auth methods' and 'login mechanisms' — candidates confuse external identity provider integrations (like SAML) with native Vault auth methods, or assume any cloud metadata can be used directly for authentication.

Page 1 of 2 · 84 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Vault Architecture questions.