Deck 1 Flashcards

(74 cards)

1
Q

The vault lease renew command increments the lease time from:

A. The current time
B. The end of the lease

A

A. The current time

2
Q

You have a 2GB Base64 binary large object (blob) that needs to be encrypted. Which of the following best describes the transit secrets engine?

A. A data key encrypts the blob locally, and the same key decrypts the blob locally.

B. To process such a large blob, Vault will temporarily store it in the storage backend.

C. Vault will store the blob permanently. Be sure to run Vault on a compute optimized machine.

D. The transit engine is not a good solution for binaries of this size.

A

A. A data key encrypts the blob locally, and the same key decrypts the blob locally.

3
Q

How would you describe the value of using the Vault transit secrets engine?

A. Vault has an API that can be programmatically consumed by applications

B. The transit secrets engine ensures encryption in transit and at rest is enforced enterprise-wide

C. Encryption for application data is best handled by a storage system or database engine, while storing encryption keys in Vault

D. The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault

A

D. The transit secrets engine relieves the burden of proper encryption/decryption from application developers and pushes the burden onto the operators of Vault

4
Q

What is the Vault CLI command to query information about the token the client is currently using?

A. vault lookup token

B. vault token lookup

C. vault lookup self

D. vault self lookup

A

B. vault token lookup

5
Q

Which of the following is a machine-oriented Vault authentication backend?

A. Okta

B. AppRole

C. Transit

D. GitHub

A

B. AppRole

6
Q

Security requirements demand that no secrets appear in the shell history. Which command does not meet this requirement?

A. generate-password | vault kv put secret/password value=

B. vault kv put secret/password value=itsasecret

C. vault kv put secret/password value=@data.txt

D. vault kv put secret/password value=$SECRET_VALUE

A

B. vault kv put secret/password value=itsasecret

7
Q

You can build a high availability Vault cluster with any storage backend.

A. True

B. False

A

B. False

8
Q

What command creates a secret with the key “my-password” and the value “53cr3t” at path “my-secrets” within the KV secrets engine mounted at “secret”?

A. vault kv put secret/my-secrets/my-password 53cr3t

B. vault kv write secret/my-secrets/my-password 53cr3t

C. vault kv write 53cr3t my-secrets/my-password

D. vault kv put secret/my-secrets my-password=53cr3t

A

D. vault kv put secret/my-secrets my-password=53cr3t

9
Q

What can be used to limit the scope of a credential breach?

A. Storage of secrets in a distributed ledger

B. Enable audit logging

C. Use of short-lived dynamic secrets

D. Sharing credentials between applications

A

C. Use of short-lived dynamic secrets

10
Q

What environment variable overrides the CLI’s default Vault server address?

A. VAULT_ADDR

B. VAULT_HTTP_ADDRESS

C. VAULT_ADDRESS

D. VAULT_HTTPS_ADDRESS

A

A. VAULT_ADDR

11
Q

Which of the following statements describes the CLI command below?

$ vault login -method=ldap username=mitchellh

A. Generates a token which is response wrapped

B. You will be prompted to enter the password

C. By default, the generated token is valid for 24 hours

D. Fails because the password is not provided

A

B. You will be prompted to enter the password

12
Q

Your DevOps team would like to provision VMs in GCP via a CI/CD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

A. Google Cloud Secrets Engine

B. Identity secrets engine

C. Key/Value secrets engine version 2

D. SSH secrets engine

A

A. Google Cloud Secrets Engine

13
Q

Which of these is not a benefit of dynamic secrets?

A. Supports systems which do not natively provide a method of expiring credentials

B. Minimizes damage of credentials leaking

C. Ensures that administrators can see every password used

D. Replaces cumbersome password rotation tools and practices

A

C. Ensures that administrators can see every password used

14
Q

Which of the following cannot define the maximum time-to-live (TTL) for a token?

A. By the authentication method

B. By the client system

C. By the mount endpoint configuration

D. A parent token TTL

E. System max TTL

A

B. By the client system

15
Q

What are orphan tokens?

A. Orphan tokens are tokens with a use limit so you can set the number of uses when you create them

B. Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does

C. Orphan tokens are tokens with no policies attached

D. Orphan tokens do not expire when their own max TTL is reached

A

B. Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does

16
Q

To give a role the ability to display or output all of the endpoints under the /secrets/apps/* endpoint, it would need to have which capability set?

A. update
B. read
C. sudo
D. list
E. None of the above

A

D. list

17
Q

When using Integrated Storage, which of the following should you do to recover from possible data loss?

A. Failover to a standby node

B. Use snapshot

C. Use audit logs

D. Use server logs

A

B. Use snapshot

18
Q

Which of these is a benefit of using the Vault Agent?

A. Vault Agent allows for centralized configuration of application secrets engines

B. Vault Agent will auto-discover which authentication mechanism to use

C. Vault Agent will enforce minimum levels of encryption an application can use

D. Vault Agent will manage the lifecycle of cached tokens and leases automatically

A

D. Vault Agent will manage the lifecycle of cached tokens and leases automatically

18
Q

How many Shamir’s key shares are required to unseal a Vault instance?

A. All key shares
B. A quorum of key shares
C. One or more keys
D. The threshold number of key shares

A

D. The threshold number of key shares

19
Q

Which of the following describes usage of an identity group?

A. Limit the policies that would otherwise apply to an entity in the group

B. When they want to revoke the credentials for a whole set of entities simultaneously

C. Audit token usage

D. Consistently apply the same set of policies to a collection of entities

A

D. Consistently apply the same set of policies to a collection of entities

20
Q

Vault supports which type of configuration for source-limited tokens?

A. Cloud-bound tokens
B. Domain-bound tokens
C. CIDR-bound tokens
D. Certificate-bound tokens

A

C. CIDR-bound tokens

21
Q

Where does the Vault Agent store its cache?

A. In a file encrypted using the Vault transit secret engine

B. In the Vault key/value store

C. In an unencrypted file

D. In memory

A

D. In memory

22
Q

Your organization has an initiative to reduce and ultimately remove the use of long-lived X.509 certificates. Which secrets engine will best support this use case?

A. PKI

B. Key/Value secrets engine version 2, with TTL defined

C. Cloud KMS

D. Transit

A

A. PKI

23
Q

As a best practice, the root token should be stored in which of the following ways?

A. Should be revoked and never stored after initial setup

B. Should be stored in configuration automation tooling

C. Should be stored in another password safe

D. Should be stored in Vault

A

A. Should be revoked and never stored after initial setup

24
Q

An organization wants to authenticate an AWS EC2 virtual machine with Vault to access a dynamic database secret. The only authentication method which they can use in this case is AWS.

A. True

B. False

A

B. False
24
Q

When unsealing Vault, each Shamir unseal key should be entered:

A. Sequentially from one system that all of the administrators are in front of

B. By different administrators each connecting from different computers

C. While encrypted with each administrator's PGP key

D. At the command line in one single command

A

B. By different administrators each connecting from different computers
25
Q

Where can you set the Vault seal configuration? (Choose two.)

A. Cloud Provider KMS

B. Vault CLI

C. Vault configuration file

D. Environment variables

E. Vault API

A

C. Vault configuration file

D. Environment variables
25
Q

To make an authenticated request via the Vault HTTP API, which header would you use?

A. The X-Vault-Token HTTP Header

B. The X-Vault-Request HTTP Header

C. The Content-Type HTTP Header

D. The X-Vault-Namespace HTTP Header

A

A. The X-Vault-Token HTTP Header
26
Q

Which of the following vault lease operations uses a lease_id as an argument? (Choose two.)

A. renew

B. revoke -prefix

C. create

D. describe

E. revoke

A

A. renew

E. revoke
27
Q

Which of the following are replication methods available in Vault Enterprise? (Choose two.)

A. Cluster sharding

B. Namespaces

C. Performance Replication

D. Disaster Recovery Replication

A

C. Performance Replication

D. Disaster Recovery Replication
27
Q

You are using Vault's Transit secrets engine to encrypt your data. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?

A. Use a 4096-bit RSA key to encrypt the data

B. Upgrade to Vault Enterprise and integrate with an HSM

C. Periodically re-key the Vault's unseal keys

D. Periodically rotate the encryption key

A

D. Periodically rotate the encryption key
27
Q

You are performing a high number of authentications in a short amount of time. You're experiencing slow throughput for token generation. How would you solve this problem?

A. Increase the time-to-live on service tokens

B. Implement batch tokens

C. Establish a rate limit quota

D. Reduce the number of policies attached to the tokens

A

B. Implement batch tokens
28
Q

When looking at Vault token details, which key helps you find the paths the token is able to access?

A. Meta

B. Path

C. Policies

D. Accessor

A

C. Policies
28
Q

When an auth method is disabled, all users authenticated via that method lose access.

A. True

B. False

A

A. True
28
Q

An authentication method should be selected for a use case based on:

A. The auth method that best establishes the identity of the client

B. The cloud provider on which the client is located

C. The strongest available cryptographic hash for the use case

D. Compatibility with the secrets engine which is to be used

A

A. The auth method that best establishes the identity of the client
29
Q

The Vault encryption key is stored in Vault's backend storage.

A. True

B. False

A

A. True
30
Q

Which of the following statements describes the secrets engine in Vault? (Choose three.)

A. Some secrets engines simply store and read data

B. Once enabled, you cannot disable the secrets engine

C. You can build your own custom secrets engine

D. Each secrets engine is isolated to its path

E. A secrets engine cannot be enabled at multiple paths

A

A. Some secrets engines simply store and read data

C. You can build your own custom secrets engine

D. Each secrets engine is isolated to its path
30
Q

What is a benefit of response wrapping?

A. Log every use of a secret

B. Load balance secret generation across a Vault cluster

C. Provide error recovery to a secret so it is not corrupted in transit

D. Ensure that only a single party can ever unwrap the token and see what's inside

A

D. Ensure that only a single party can ever unwrap the token and see what's inside

"It provides malfeasance detection by ensuring that only a single party can ever unwrap the token and see what's inside. A client receiving a token that cannot be unwrapped can trigger an immediate security incident. In addition, a client can inspect a given token before unwrapping to ensure that its origin is from the expected location in Vault."
31
Q

Which of the following describes Vault's auth method component?

A. It verifies a client against an internal or external system, and generates a token with the appropriate policies attached

B. It verifies a client against an internal or external system, and generates a token with root policy

C. It is responsible for durable storage of client tokens

D. It dynamically generates a unique set of secrets with appropriate permissions attached

A

A. It verifies a client against an internal or external system, and generates a token with the appropriate policies attached
32
Q

Which Vault secrets engine may be used to build your own internal certificate authority?

A. Transit

B. PKI

C. PostgreSQL

D. Generic

A

B. PKI
33
Q

Which of the following statements are true about Vault policies? (Choose two.)

A. The default policy cannot be modified

B. You must use YAML to define policies

C. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault

D. Vault must be restarted in order for a policy change to take effect

E. Policies deny by default (an empty policy grants no permission)

A

C. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault

E. Policies deny by default (an empty policy grants no permission)
34
Q

An organization would like to use a scheduler to track and revoke access granted to a job (by Vault) at completion. What auth-associated Vault object should be tracked to enable this behavior?

A. Token accessor

B. Token ID

C. Lease ID

D. Authentication method

A

A. Token accessor
35
Q

Which statement describes the results of this command?

$ vault secrets enable transit

A. Enables the transit secrets engine at the transit path

B. Requires a root token to execute the command successfully

C. Enables the transit secrets engine at the secret path

D. Fails due to missing -path parameter

E. Fails because the transit secrets engine is enabled by default

A

A. Enables the transit secrets engine at the transit path
36
Q

Which of these options does not allow the creation of a root token?

A. By using batch tokens

B. By using another root token

C. The initial root token generated at vault operator init time

D. By using vault operator generate-root with the permission of a quorum of unseal key holders

A

A. By using batch tokens
37
Q

You manage two Vault clusters: "vaultcluster1.acme.corp" and "vaultcluster2.acme.corp". You want to write a secret to the first Vault cluster, vaultcluster1.acme.corp, and run vault kv put secret/foo value='bar'. The command times out and the error references the Vault cluster "vaultcluster2.acme.corp". You run the command again with the following address flag:

vault kv put -address='https://vaultcluster1.acme.corp' secret/foo value='bar'

The command completes successfully. You find that the terminal session defines the environment variable VAULT_ADDR='https://vaultcluster2.acme.corp:8200'. Why was the second attempt successful?

A. Environment variables take precedence over flags

B. VAULT_CLUSTER_ADDR needs to be provided

C. Flags take precedence over environment variables

D. Vault listener is misconfigured

A

C. Flags take precedence over environment variables
38
Q

Which statement describes the results of this command?

vault kv list secret/test

A. Check the status of a specific key/value secrets engine

B. List the existing key names at the "secret/test" path

C. Output all key/value secrets engines

D. Output all key names from all key/value secrets engines

A

B. List the existing key names at the "secret/test" path
39
Q

To encrypt your secret with the transit secrets engine, you must send the Base32-encoded plaintext to Vault.

A. True

B. False

A

B. False
40
Q

Vault Agent supports which of the following? (Choose two.)

A. Secrets Caching

B. Local key/value store

C. Local replica of transit encryption key

D. Auto-unseal Vault

E. Auto authentication

A

A. Secrets Caching

E. Auto authentication
41
Q

Which is not true of Vault tokens?

A. Vault tokens are the core method for authentication in Vault

B. Vault tokens are generated by every authentication method login

C. Vault tokens map to information including policies the token holder has, TTL and max usage, metadata, creation and last renewal time, and more

D. Vault tokens are required for every Vault call

A

D. Vault tokens are required for every Vault call
42
Q

When using Integrated Storage, which of the following should you do to recover from possible data loss?

A. Use local storage

B. Enable audit device

C. Use snapshot

D. Use external storage

A

C. Use snapshot
43
Q

What is a secret in the context of Vault?

A. HTTP session token that provides authorization to Vault

B. Threshold of keys required to unseal the Vault

C. Anything stored or returned that contains confidential material

D. Engine responsible for logging all requests and responses

A

C. Anything stored or returned that contains confidential material
44
Q

What information is required to revoke a Vault lease?

A. Secret ID

B. User ID

C. Lease ID

D. Token ID

A

C. Lease ID
45
Q

What methods of authentication does Vault support? (Choose four.)

A. JWT/OIDC

B. AppRole

C. GitHub

D. MSSQL

E. PostgreSQL

F. Nomad

G. LDAP

A

A. JWT/OIDC

B. AppRole

C. GitHub

G. LDAP
46
Q

Vault Agent allows client-side caching of tokens and leases. If the agent is shut down, those cached tokens and leases will be revoked.

A. True

B. False

A

B. False
46
Q

Which kind of token can be renewed indefinitely?

A. Periodic token

B. Orphan token

C. Use-limit token

D. Root token

E. All of the above

A

A. Periodic token
47
Q

What attributes are unique to batch tokens? (Choose three.)

A. Cannot be renewed

B. Are not persisted

C. Can be periodic

D. Have a set time-to-live (TTL)

E. Are persisted

A

A. Cannot be renewed

B. Are not persisted

D. Have a set time-to-live (TTL)
47
Q

You can use a response-wrapping token more than once for as long as it has not expired.

A. True

B. False

A

B. False
48
Q

Which statements describe the results of this command? (Choose two.)

$ vault secrets enable -version=2 kv

A. Enables the secrets engine at path kv2/

B. The -version is an invalid flag

C. Enables the secrets engine at path kv/

D. Enables the K/V v1 secrets engine

E. Enables the K/V v2 secrets engine

A

C. Enables the secrets engine at path kv/

E. Enables the K/V v2 secrets engine
49
Q

Which of these are names of the replication methods available in Vault Enterprise? (Choose two.)

A. Disaster Recovery

B. Cluster sharding

C. Namespaces

D. Seal-Wrap

E. Performance

A

A. Disaster Recovery

E. Performance
50
Q

A user successfully logs into Vault with the following cURL command:

curl --request POST --data @payload.json http://127.0.0.1:8200/v1/auth/ldap/login/mitchellh

The response will include what information?

A. client_token and policies

B. access_key and policies

C. access_key and secrets available

D. client_token and secrets available

A

A. client_token and policies
50
Q

You have manually created some usernames and passwords for a Microsoft SQL database on Azure, and need to store these credentials in Vault. What secrets engine should you use for this?

A. MSSQL database secrets engine

B. Key/Value secrets engine version 2

C. Azure secrets engine

D. Transit engine

A

B. Key/Value secrets engine version 2
51
Q

To create a non-root token with time-to-live (TTL) set to 30 minutes but with no max TTL, which flag would you use?

A. -ttl=30m

B. -explicit-max-ttl=0

C. -orphan

D. None of the above

A

A. -ttl=30m
52
Q

Which of the following statements are true about the default policy? (Choose two.)

A. It is one of the built-in policies

B. Provides a common set of permissions and is included on all tokens by default

C. Cannot be modified or deleted

D. Gives super admin permissions, similar to a root user on a Linux machine

E. A Vault upgrade will overwrite any update you made to the default policy

A

A. It is one of the built-in policies

B. Provides a common set of permissions and is included on all tokens by default
53
Q

Why might an application be mapped to an identity entity?

A. To prohibit Vault administrators from revoking tokens associated with that application

B. To get around cloud license limitations

C. To allow an application deployed with multiple authentication methods to have a consistent set of policies

D. To allow the same application in one cloud to access already provisioned Vault tokens for that application in another cloud

A

C. To allow an application deployed with multiple authentication methods to have a consistent set of policies
54
Q

Unsealing a single Vault server in a cluster unseals all Vault servers in that cluster.

A. True

B. False

A

B. False
55
Q

Which endpoint can be used to list all tokens?

A. /kv/secrets

B. /auth/token/list

C. /secrets/kv

D. /auth/token/accessors

A

D. /auth/token/accessors
56
Q

The mechanism to associate an authentication method with access to specific secrets is by specifying a/an:

A. Accessor

B. Token

C. Policy

D. Secret

A

C. Policy
57
Q

One of the benefits of using the Vault transit secrets engine is its ability to easily rotate encryption keys. Which of these is true regarding key rotation?

A. Vault automatically rotates the encryption key based on a set period

B. Vault can rotate encryption keys, but cannot enforce restrictions about the minimum encryption key version

C. Vault does not maintain the versioned keyring

D. Encryption keys can be rotated manually by a user, or by an automated process which invokes the key rotation API

A

D. Encryption keys can be rotated manually by a user, or by an automated process which invokes the key rotation API
58
Q

What is not a function provided by Vault's transit secrets engine?

A. Generating random bytes

B. Encrypting data

C. Storing ciphertext data

D. Verifying signed data

E. None of the above

A

C. Storing ciphertext data
59
Q

Which of the following storage backends supports high availability?

A. Azure Storage Container

B. Manta

C. Amazon S3

D. Consul

A

D. Consul
60
Q

Which command will generate a new transit key?

A. vault put transit/keys/my-key

B. vault create -f transit/keys/my-key

C. vault write -f transit/keys/my-key

D. vault create transit/keys/my-key

A

C. vault write -f transit/keys/my-key
61
Q

Which of the following is the correct option to authenticate to Vault using a token via the CLI?

A. A token can be used to authenticate to Vault through the API, not the CLI or the UI

B. vault login

C. vault

D. A token cannot be used to authenticate to Vault

A

B. vault login
62
Q

A child token must be assigned the same policies as, or a subset of, the parent token's policies.

A. True

B. False

A

A. True