VA-003 · topic practice

Manage Vault leases practice questions

Practise VA-003 DHCP questions covering DORA flow, scopes, excluded addresses, default gateway options, helper addresses, and troubleshooting clients that receive APIPA or cannot get an IP address.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Manage Vault leases

What the exam tests

What to know about Manage Vault leases

DHCP questions usually test address assignment, scopes, relay agents, excluded addresses and why a client cannot obtain an IP address.

DHCP discovery, offer, request and acknowledgement flow.

DHCP scopes, excluded addresses and default gateway options.

DHCP relay using helper addresses.

Troubleshooting clients that receive APIPA or no address.

Why learners struggle

Why Manage Vault leases questions are commonly missed

DHCP questions are missed when learners overlook the relay agent requirement for cross-subnet assignments, or assume that because a DHCP server exists, a client will always get an address. Routing, relay, scope, and exclusion details all affect the outcome.

  • DHCP relay required — clients on a different subnet cannot broadcast to a remote DHCP server without a helper address
  • Excluded addresses — addresses in an excluded range are never offered, even if they are in the scope
  • Default gateway option — must match the client subnet, not the server's subnet
  • APIPA address (169.254.x.x) — indicates DHCP discovery failed, not a server response
  • DORA flow — Discovery, Offer, Request, Acknowledgement; missing any step breaks assignment
  • Scope exhaustion — a full scope returns no addresses even when the server is reachable

Watch out for

Common Manage Vault leases exam traps

  • A DHCP server on another subnet usually requires a relay/helper address.
  • Excluded addresses are not offered to clients.
  • The default gateway option must match the client subnet.
  • A client can fail even when the server exists if routing or relay is wrong.

Practice set

Manage Vault leases questions

20 questions · select your answer, then reveal the explanation

A DevOps team is using Vault's database secrets engine to generate dynamic credentials for a PostgreSQL database. They notice that the lease duration is set to 24 hours, but security policy requires that credentials expire after 1 hour. What should the team do to enforce the 1-hour expiration without changing the default lease TTL for all secrets?

An organization uses Vault to issue certificates via the PKI secrets engine. They have set the default lease TTL on the PKI mount to 72h, and the role's ttl to 24h. A user requests a certificate with a requested TTL of 48h. What will be the actual TTL of the issued certificate?

Which TWO of the following actions can reduce the number of active leases in Vault? (Select two.)

A developer runs the commands shown in the exhibit. After renewing the lease, the lease_duration remains 1 hour. What is the most likely reason?

Exhibit

Refer to the exhibit.

```
$ vault read database/creds/my-role
Key                Value
---                -----
lease_id           database/creds/my-role/abc123...
lease_duration     1h
lease_renewable    true
password           ...
username           v-token-my-role-...

$ vault lease renew database/creds/my-role/abc123...
Key                Value
---                -----
lease_id           database/creds/my-role/abc123...
lease_duration     1h
lease_renewable    true
```

A company runs a microservices application on Kubernetes. Each service authenticates to Vault using the Kubernetes auth method and obtains a short-lived token with a TTL of 15 minutes. The services use these tokens to read secrets from the KV v2 secrets engine. Recently, the operations team noticed that Vault's lease count has been steadily increasing, and some services are experiencing 'lease not found' errors when trying to renew their tokens. Investigation reveals that the services are not renewing tokens before they expire because the token TTL is too short to complete some long-running tasks. The team wants to fix the issue without compromising security. They are considering the following actions:

A. Increase the default lease TTL for the KV v2 mount to 1 hour.
B. Increase the token TTL for the Kubernetes auth role to 1 hour.
C. Implement a renewal loop in each service to renew tokens every 10 minutes.
D. Use periodic tokens with a period of 1 hour for all services.

A DevOps team uses Vault dynamic secrets for database credentials with a lease of 1 hour. They notice that applications are making excessive calls to renew leases, causing performance issues. The team wants to reduce the renewal frequency while maintaining security. What is the best approach?

A Vault administrator needs to manage leases for dynamic secrets. Which TWO of the following are valid operations related to lease management?

A developer is troubleshooting an application that uses Vault's PostgreSQL secrets engine. The application successfully obtains a database credential from Vault, but after 30 minutes, the application starts receiving authentication errors from the database. The developer checks the Vault audit logs and sees that the lease for the credential was revoked. The lease was originally created with a TTL of 1 hour. The application is not renewing the lease. The developer wants to fix the issue so that the credential works for the full 1 hour. What should the developer do?

A company uses Vault to manage database credentials for its applications. The applications request a one-hour TTL for database secrets, but the database engine's default lease TTL is set to 24 hours. The Vault administrator wants to ensure that leases are revoked promptly after the applications finish using them, to minimize the window of exposure. Which approach best achieves this goal?

An organization uses Vault's AWS secrets engine to generate temporary IAM credentials. The Vault administrator has set the default lease TTL on the AWS mount to 15 minutes. A developer creates a role with role TTL of 30 minutes and explicit max TTL of 1 hour. Which TWO statements are true regarding the lease behavior for credentials generated under this role?

Drag and drop the steps to configure Vault's audit logging to a file into the correct order.


Match each Vault term to its definition.


Encrypted state requiring unseal

Decrypt master key to access data

Encryption layer protecting storage

Key splitting for unseal

Superuser token with full access

An administrator notices that after revoking a specific lease, the underlying database credential is still accessible. What is the most likely cause?

What command is used to view the remaining time on a lease?

A Vault cluster is sealed. An operator attempts to renew a lease but gets an error. What is the most likely error?

A developer wants to ensure that their application automatically renews its secret leases before expiration. Which approach is recommended?

Which of the following best describes a Vault lease?

An operator runs vault lease list and sees many expired leases. Why are expired leases still listed?

What happens when a lease reaches its TTL?

A security policy requires that all leases must be revoked within 1 hour of creation. Which setting should be configured on the secret engine mount?


Frequently asked questions

What does the VA-003 exam test about Manage Vault leases?
DHCP questions usually test address assignment, scopes, relay agents, excluded addresses and why a client cannot obtain an IP address.

How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.

Can I practise just Manage Vault leases questions in a focused session?
Yes — the session launcher on this page draws every question from the Manage Vault leases domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.

Where can I practise other VA-003 topics?
Use the topic links above to move to related areas, or go back to the VA-003 question bank to see all topics.

Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the VA-003 exam covers. They are not copied from any real exam or dump site.