True or False? Once you authenticate to Vault using the API, subsequent requests will automatically be permitted without further interaction.
Answer : B
Comprehensive and Detailed In-Depth
API authentication requires ongoing use of the token:
B. False: 'Once you authenticate using the API, subsequent requests are not automatically permitted without further interaction. Each request to Vault requires authentication using the token returned by Vault.'
Incorrect Option:
A. True: Incorrect; the token must be provided with every request.
After decrypting data using the Transit secrets engine, the plaintext output does not match the plaintext credit card number that you encrypted. Which of the following answers provides a solution?
$ vault write transit/decrypt/creditcard ciphertext="vault:v1:cZNHVx+sxdMEr......."
Key          Value
---          -----
plaintext    Y3JlZGl0LWNhcmQtbnVtYmVyCg==
Answer : C
Comprehensive and Detailed In-Depth
A: Sealing would prevent decryption, not return encoded data. Incorrect.
B: Permission issues don't return encoded data. Incorrect.
C: Transit returns base64-encoded plaintext; decoding Y3JlZGl0LWNhcmQtbnVtYmVyCg== yields 'credit-card-number' (the trailing Cg== is the newline that was encoded along with it). Correct.
D: No evidence of corruption; it's a format issue. Incorrect.
Overall Explanation from Vault Docs:
'All plaintext data must be base64-encoded... Decode it to reveal the original value.'
From the options below, select the benefits of using a batch token over a service token (select four).
Answer : A, C, E, F
Comprehensive and Detailed In-Depth
Batch tokens are lightweight alternatives to service tokens, with trade-offs. Let's analyze:
A: Designed for short-lived, high-performance tasks. Correct.
B: Cannot be root tokens; root status is service-token-specific. Incorrect.
C: Orphan batch tokens work in replication. Correct.
D: No accessors; unique to service tokens. Incorrect.
E: Minimal overhead makes them scalable. Correct.
F: No disk storage reduces cost. Correct.
Overall Explanation from Vault Docs:
'Batch tokens are encrypted blobs... lightweight, scalable, no storage cost, ideal for ephemeral workloads.'
An Active Directory admin created a service account for an internal application. You want to store these credentials in Vault, allowing a CI/CD pipeline to read and configure the application with them during provisioning. Vault should maintain the last 3 versions of this secret. Which Vault secrets engine should you use?
Answer : D
Comprehensive and Detailed In-Depth
The requirement is to store static credentials (from Active Directory) in Vault with versioning (last 3 versions) for a CI/CD pipeline. The KV v2 secrets engine is designed for this: it stores arbitrary key-value pairs and supports versioning, allowing configuration of a maximum version count (e.g., vault kv metadata put -max-versions=3 kv/path). KV v1 (option A) lacks versioning. The LDAP engine (B) is for dynamic LDAP credentials, not static storage. The Identity engine (C) manages identities, not secrets. KV v2's versioning capability meets all needs, per its documentation.
Below is a list of parent and child tokens and their associated TTL. Which token(s) will be revoked first?
Answer : D
Comprehensive and Detailed In-Depth
Vault tokens have a Time-To-Live (TTL) that determines their expiration time, after which they are revoked. Parent-child relationships mean that revoking a parent token also revokes its children, regardless of their TTLs. Let's analyze:
A: TTL 4 hours - Expires after 4 hours, no children listed.
B: TTL 6 hours - Expires after 6 hours, parent to C.
C: TTL 4 hours (child of B) - Expires after 4 hours or if B is revoked earlier.
D: TTL 3 hours - Expires after 3 hours, parent to E.
E: TTL 5 hours (child of D) - Expires after 5 hours or if D is revoked earlier.
Analysis:
Shortest TTL is D (3 hours), so it expires first unless a parent above it (none listed) is revoked sooner.
E (5 hours) is a child of D. If D is revoked at 3 hours, E is also revoked, despite its longer TTL.
A and C (4 hours) expire after D.
B (6 hours) expires last among parents.
The question asks which token(s) are revoked first based on TTL alone, not on manual revocation. D has the shortest TTL (3 hours) and will be revoked first. E's revocation depends on D, but the question focuses on the initial expiration. Thus, only D is revoked first based on its TTL.
Overall Explanation from Vault Docs:
Tokens form a hierarchy where child tokens inherit revocation from their parents. 'When a parent token is revoked, all of its child tokens, and all of their leases, are revoked as well.' TTL dictates automatic expiration unless overridden by manual revocation or parent revocation. Here, D's 3-hour TTL is the shortest, making it the first to expire naturally.
You have a CI/CD pipeline using Terraform to provision AWS resources with static privileged credentials. Your security team requests that you use Vault to limit AWS access when needed. How can you enhance this process and increase pipeline security?
Answer : D
Comprehensive and Detailed In-Depth
The AWS secrets engine generates dynamic credentials, enhancing security. The Vault documentation states:
'The best bet here is to use the AWS secrets engine to generate dynamic credentials for your AWS account(s) when Terraform is executed. You can use the Vault provider to grab these credentials for Vault and then use the credentials as inputs for your AWS provider. In this scenario, Terraform would generate credentials only when executed, and the credentials would automatically expire when the lease expires.'
- Vault Secrets: AWS
D: Correct. Dynamic, short-lived credentials limit exposure:
'Enabling the aws secrets engine in Vault allows you to dynamically generate short-lived AWS credentials for each terraform apply.'
- Vault Secrets: AWS
A: The SSH engine is unrelated to AWS access.
B: Transit encrypts data; it does not issue credentials.
C: KV stores static credentials, which is less secure than short-lived dynamic ones.
Vault Secrets: AWS
Vault Provider for Terraform