VA-002-P 시험 - HashiCorp실제시험문제와 답 - 200문항

Question No : 1

Which of the following secrets engine can generate dynamic credentials? (select three)

A.Azure
B.database
C.key/value
D.Transit
E.AWS

정답:
Explanation:
Vault has many secrets engines that can generate dynamic credentials, including AWS, Azure, and database secrets engines. The key/value secret engine is used to store data, and the transit secret engine is used to encrypt data.

Question No : 2

You've logged into the Vault CLI and attempted to enable an auth method, but received this error message.
What can be done to resolve the error and configure Vault?
Error enabling userpass auth: Post https://127.0.0.1:8200/v1/sys/auth/userpass: http: server gave HTTP response to HTTPS client

A.change 'userpass' to 'username and password'
B.restart the Vault service on this node
C.set the VAULT_ADDR environment variable to HTTP
D.ask an admin to grant you permission to enable the userpass auth method

정답:
Explanation:
If you're running Vault in a non-prod environment, you can configure Vault to disable TLS. In this case, TLS has been disabled but the default value for VAULT_ADDR is https://127.0.0.1:8200, therefore Vault is sending the request over HTTPS but Vault is responding using HTTP since TLS is disabled.
To handle this error, set the VAULT_ADDR environment variable to "http://127.0.0.1:8200".

Question No : 3

Which of the following unseal options can automatically unseal Vault upon the start of the Vault service? (select four)

A.Transit
B.HSM
C.AWS KMS
D.Key Shards
E.Azure KMS

정답:
Explanation:
When a Vault server is started, it starts in a sealed state and it does not know how to decrypt data. Before any operation can be performed on the Vault, it must be unsealed. Unsealing is the process of constructing the master key necessary to decrypt the data encryption key.
Below are links covering details of each option: -https://www.vaultproject.io/docs/concepts/seal
AWS KMS
https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms
Auto-unseal using Transit Secrets Engine
https://learn.hashicorp.com/vault/operations/autounseal-transit
Auto-unseal using Azure Key Vault
https://learn.hashicorp.com/vault/day-one/autounseal-azure-keyvault
Auto-unseal using HSM
https://learn.hashicorp.com/vault/operations/ops-seal-wrap
Key shards don't support auto unseal instead key shards require the user to provide unseal
keys to reconstruct the master key
https://www.vaultproject.io/docs/concepts/seal

Question No : 4

True or False?
terraform init cannot automatically download Community providers.

A.False
B.True

정답:
Explanation:
Anyone can develop and distribute their own Terraform providers. (See Writing Custom Providers for more about provider development.) These third-party providers must be manually installed, since terraform init cannot automatically download them. https://www.terraform.io/docs/configuration/providers.html#third-party-plugins

Question No : 5

After logging into the Vault UI, a user complains that they cannot enable Replication.
Why would the replication configuration be missing?

A.replication wasn't configured in the Vault configuration file
B.replication hasn't been enabled
C.Vault is running an open-source version
D.replication configuration isn't available in the UI

정답:
Explanation:
Replication is not available in open-source versions of Vault. It is an enterprise feature.

Question No : 6

What happens to child tokens when a parent token is revoked?

A.the child tokens are renewed
B.the child tokens are converted to parent tokens
C.the child tokens create their own child tokens to be used
D.the child tokens are revoked

정답:
Explanation:
When a parent token is revoked, all of its child tokens and leases are revoked as well. This ensures that a user cannot skip revocation by simply making a timeless tree of child tokens.

Question No : 7

The command vault lease revoke -prefix aws/ will revoke all leases associated with the secret engine mounted at aws/

A.False
B.True

정답:
Explanation:
The lease command groups subcommands for interacting with leases attached to secrets.
Subcommands:
renew Renews the lease of a secret
revoke Revokes leases and secrets
Using the '-prefix' flag allows you to revoke the entire tree of secrets.

Question No : 8

You are deploying Vault in a local data center, but want to be sure you have a secondary cluster in the event the primary cluster goes offline. In the secondary data center, you have applications that are running, as they are architected to run active/active.
Which type of replication would be best in this scenario?

A.disaster recovery replication
B.single-node replication
C.performance replication
D.end-to-end replication

정답:
Explanation:
In this scenario, the key to answering is that there are applications actively running the secondary data center. Because of this, you can deploy Performance Replication and the applications can now use the Vault cluster in their respective data center. This reduces network latency for your applications and provides you with a secondary cluster for redundancy.

Question No : 9

An application requires a specific key/value to be updated in order to process a batch job. The value should be either "true" or "false". However, when developers have been updating the value, sometimes they mistype the value or capitalize on the value, causing the batch job not to run.
What feature of a Vault policy can be used in order to restrict the entry to the required values?

A.added an allowed_parameters value to the policy
B.use a * wildcard at the end of the policy
C.change the policy to include the list capability
D.add a deny statement for all possible misspellings of the value

정답:
Explanation:
allowed_parameters - Whitelists a list of keys and values that are permitted on the given path.
Setting a parameter with a value of the empty list allows the parameter to contain any value.
Reference link: - https://www.vaultproject.io/docs/concepts/policies

Question No : 10

Unsealing Vault creates the encryption keys, which is used to unencrypt the data on the storage backend.

A.FALSE
B.TRUE

정답:
Explanation:
Unsealing is the process of obtaining the plaintext master key necessary to read the decryption key to decrypt the data, allowing access to the Vault. The master key is used to decrypt the encryption key which can unencrypt the data on the storage backend.

Question No : 11

plaintext Y3JlZGl0LWNhcmQtbnVtYmVyCg==

A.The resulting plaintext data is base64-encoded. To reveal the original plaintext, use the base64 --decode command.
B.The data is corrupted. Execute the encryption command again using a different data key
C.the user doesn't have permission to decrypt the data, therefore Vault returns false data so as not to reveal if the data was actually encrypted by Vault
D.Vault is sealed, therefore the data cannot be decrypted. Unseal Vault to properly decrypt the data

정답:
Explanation:
All plaintext data must be base64-encoded. The reason for this requirement is that Vault does not require that the plaintext is "text". It could be a binary file such as a PDF or image. The easiest safe transport mechanism for this data as part of a JSON payload is to base64-encode it.
Reference link: - https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit

Question No : 12

http://127.0.0.1:8200/v1/sys/tools/random/164

A.a random string of 164 characters
B.a random token valid for 164 uses
C.None
D.a secured secret based on 164 bytes of data

정답:
Explanation:
This endpoint returns high-quality random bytes of the specified length.

Question No : 13

You have been given requirements to create a security group for a new application. Since your organization standardizes on Terraform, you want to add this new security group with the fewest number of lines of code.
What feature could you use to iterate over a list of required tcp ports to add to the new security group?

A.terraform import
B.splat expression
C.dynamic block
D.dynamic backend

정답:
Explanation:
A dynamic block acts much like a for expression but produces nested blocks instead of a complex typed value. It iterates over a given complex value and generates a nested block for each element of that complex value.

Question No : 14

In order to extend Vault beyond a data center or cloud regional boundary, what feature should be used?

A.plugins
B.secrets engine
C.replication
D.seal/unseal
E.snapshots

정답:
Explanation:
To extend Vault beyond a data center or cloud regional boundary, replication can be used. Vault supports both DR replication and Performance replication to copy data from the primary cluster to a secondary cluster safely.

Question No : 15

When configuring Vault replication and monitoring its status, you keep seeing something called 'WALs'.
What are WALs?

A.wake after lan
B.warning of allocated logs
C.write-ahead log
D.write along logging

정답:
Explanation:
Reference links:
https://learn.hashicorp.com/vault/day-one/monitor-replication
https://www.vaultproject.io/docs/internals/replication

HashiCorp VA-002-P 시험