Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Vault Associate 002Free trial

By hashicorp

Verified

25Q per page

Question 1

You are using the Vault userpass auth method mounted at auth/userpass. How do you create a new user named "sally" with password "h0wN0wB4r0wnC0w"? This new user will need the power-users policy.

—

Question 2

What command creates a secret with the key "my-password" and the value "53cr3t" at path "my-secrets" within the KV secrets engine mounted at "secret"?

A: vault kv put secret/my-secrets/my-password 53cr3t
B: vault kv write secret/my-secrets/my-password 53cr3t
C: vault kv write 53cr3t my-secrets/my-password
D: vault kv put secret/my-secrets my-password-53cr3t

—

Question 3

What can be used to limit the scope of a credential breach?

A: Storage of secrets in a distributed ledger
B: Enable audit logging
C: Use of a short-lived dynamic secrets
D: Sharing credentials between applications

—

Question 4

What environment variable overrides the CLI’s default Vault server address?

A: VAULT_ADDR
B: VAULT_HTTP_ADDRESS
C: VAULT_ADDRESS
D: VAULT_HTTPS_ADDRESS

—

Question 5

Which of the following statements describe the CLI command below?
$ vault login -method=ldap username=mitchellh

A: Generates a token which is response wrapped
B: You will be prompted to enter the password
C: By default, the generated token is valid for 24 hours
D: Fails because the password is not provided

—

Question 6

The following three policies exist in Vault What do these policies allow an organization to do? app.hcl

callcenter.hcl

rewrap.hcl

A: Separates permissions allowed on actions associated with the transit secret engine
B: Nothing, as the minimum permissions to perform useful tasks are not present
C: Encrypt decrypt, and rewrap data using the transit engine all in one policy
D: Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data

—

Question 7

Your DevOps team would like to provision VMs in GCP via a CICD pipeline. They would like to integrate Vault to protect the credentials used by the tool. Which secrets engine would you recommend?

A: Google Cloud Secrets Engine
B: Identity secrets engine
C: Key/Value secrets engine version 2
D: SSH secrets engine

—

Question 8

Which of these is not a benefit of dynamic secrets?

A: Supports systems which do not natively provide a method of expiring credentials
B: Minimizes damage of credentials leaking
C: Ensures that administrators can see every password used
D: Replaces cumbersome password rotation tools and practices

—

Question 9

Which of the following cannot define the maximum time-to-live (TTL) for a token?

A: By the authentication method
B: By the client system
C: By the mount endpoint configuration
D: A parent token TTL
E: System max TTL

—

Question 10

What are orphan tokens?

A: Orphan tokens are tokens with a use limit so you can set the number of uses when you create them
B: Orphan tokens are not children of their parent; therefore, orphan tokens do not expire when their parent does
C: Orphan tokens are tokens with no policies attached
D: Orphan tokens do not expire when their own max TTL is reached

—

Question 11

To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?

A: update
B: read
C: sudo
D: list
E: None of the above

—

Question 12

The vault lease renew command increments the lease time from:

A: The current time
B: The end of the lease

—

Question 13

You have been tasked with writing a policy that will allow read permissions for all secrets at path secret/bar. The users that are assigned this policy should also be able to list the secrets. What should this policy look like?

—

Question 14

When using Integrated Storage, which of the following should you do to recover from possible data loss?

A: Failover to a standby node
B: Use snapshot
C: Use audit logs
D: Use server logs

—

Question 15

How many Shamir’s key shares are required to unseal a Vault instance?

A: All key shares
B: A quorum of key shares
C: One or more keys
D: The threshold number of key shares

—

Question 16

Which of these are a benefit of using the Vault Agent?

A: Vault Agent allows for centralized configuration of application secrets engines
B: Vault Agent will auto-discover which authentication mechanism to use
C: Vault Agent will enforce minimum levels of encryption an application can use
D: Vault Agent will manage the lifecycle of cached tokens and leases automatically

—

Question 17

Which of the following describes usage of an identity group?

A: Limit the policies that would otherwise apply to an entity in the group
B: When they want to revoke the credentials for a whole set of entities simultaneously
C: Audit token usage
D: Consistently apply the same set of policies to a collection of entities

—

Question 18

Vault supports which type of configuration for source limited token?

A: Cloud-bound tokens
B: Domain-bound tokens
C: CIDR-bound tokens
D: Certificate-bound tokens

—

Question 19

Where does the Vault Agent store its cache?

A: In a file encrypted using the Vault transit secret engine
B: In the Vault key/value store
C: In an unencrypted file
D: In memory

—

That’s the end of your free questions

You’ve reached the preview limit for Vault Associate 002

Consider upgrading to gain full access!

Page 1 of 4 • Questions 1-25 of 93

1 2 3 4

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!