Summer Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

HashiCorp HCVA0-003 - HashiCorp Certified: Vault Associate (003) Exam

Page: 9 / 10
Total 324 questions

Which of the following is true about the token authentication method in Vault? (Select three)

A.

The token auth method is automatically enabled in Vault and cannot be disabled

B.

External authentication mechanisms, such as GitHub, are used to dynamically create tokens

C.

The token auth method is used as the first method of authentication for Vault for a newly initialized Vault node/cluster

D.

Tokens cannot be used directly; they must be used in conjunction with one of Vault’s many auth methods

Over a few years, you have a lot of data that has been encrypted by older versions of a Transit encryption key. Due to compliance regulations, you have to re-encrypt the data using the newest version of the encryption key. What is the easiest way to complete this task without putting the data at risk?

A.

Rotate the encryption key used to encrypt the data

B.

Decrypt the data manually and encrypt it with the latest version

C.

Use the transit rewrap feature

D.

Create a new master key used by Vault

Your team uses the Transit secrets engine to encrypt all data before writing it to a MySQL database server. During testing, you manually retrieve ciphertext from the database and decrypt it to ensure the data can be read. After decrypting the data, you are worried something is wrong because the plaintext data isn’t legible. Why can you not read the original plaintext data after decrypting the ciphertext?

    $ vault write transit/decrypt/krausen-key ciphertext=vault:v1:8SDd3WHDOjf7mq69C.....

    Key Value

    --- -----

    plaintext Zml2ZSBzdGFyIHByYWN0aWNlIGV4YW1zIGJ5IGJyeWFuIGtyYXVzZW4=

A.

The incorrect key was selected when decrypting the ciphertext. Use the correct key to successfully read the data

B.

The incorrect key version was used to decrypt the data. Update the ciphertext and change the v1 to v3 to use the latest key version

C.

The plaintext is Base64 encoded. Decode the plaintext to see the original data

D.

The data was also encrypted on the database. Therefore Vault cannot decrypt the original data

You have a CI/CD pipeline using Terraform to provision AWS resources with static privileged credentials. Your security team requests that you use Vault to limit AWS access when needed. How can you enhance this process and increase pipeline security?

A.

Enable the SSH secrets engine and have Terraform generate dynamic credentials when deploying resources in AWS

B.

Enable the Transit secrets engine to encrypt the AWS credentials and have Terraform retrieve these credentials when needed

C.

Store the AWS credentials in the Vault KV store and use the Vault provider to obtain these credentials on each terraform apply

D.

Enable the aws secrets engine and configure Terraform to dynamically generate a short-lived AWS credential on each terraform apply

You have multiple Vault clusters in your environment, one for test and one for production. You have the CLI installed on your local machine and need to target the production cluster to make configuration changes. What environment variable can you set to target the production cluster?

A.

VAULT_REDIRECT_ADDR

B.

VAULT_CLUSTER_ADDR

C.

VAULT_ADDR

D.

VAULT_CAPATH

Your organization is integrating its legacy application with Vault to improve its security. However, you have discovered that the application has issues when the token changes for authentication during testing. What type of token could be used to help alleviate this issue without compromising security?

A.

Periodic Service Token

B.

Root Token

C.

Orphan Service Token

D.

Batch Token

To secure your applications, your organization uses certificates generated by a public CA. However, this strategy has proven expensive and you have to revoke certificates even though they have additional time left. What Vault plugin can be used to quickly generate X.509 certificates to secure your internal applications?

A.

Identity secrets engine

B.

PKI secrets engine

C.

SSH secrets engine

D.

Transit secrets engine

Sara uses the Vault CLI for administrative tasks on the production cluster. However, she encounters permission-denied errors when making changes and needs to check which policies are attached to her token to view and adjust permissions. What command can she run on the Vault node to see the attached policies?

A.

vault operator diagnose

B.

vault policy list

C.

vault token capabilities

D.

vault token lookup

What of the following features are true about batch tokens in Vault? (Select two)

A.

Batch tokens are not persisted (written) to storage

B.

Batch tokens can be renewed

C.

Batch tokens are valid across all clusters when using Vault Enterprise replication

D.

Batch tokens can create child tokens

By default, what methods of authentication does Vault support? (Select four)

A.

SSH

B.

Kubernetes

C.

VMware

D.

LDAP

E.

AppRole

F.

JWT