HashiCorp Certified: Vault Associate VA-002-P Exam Questions

HashiCorp Certified Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with open source HashiCorp Vault. PassQuestion has developed HashiCorp Certified: Vault Associate VA-002-P Exam Questions that will get you through your VA-002-P exam in a 100% sure shot way. Use our ultimate online HashiCorp Certified: Vault Associate VA-002-P Exam Questions and secure your certification.

HashiCorp Certified: Vault Associate VA-002-P Free Questions

1. True or False: You can migrate the Terraform backend but only if there are no resources currently being managed.

False

True

2. When multiple engineers start deploying infrastructure using the same state file, what is a feature of remote state storage that is critical to ensure the state does not become corrupt?

state locking

object storage

encryption

workspaces

3. Vault secrets engines are used to do what with data? (select three)

copy

generate

store

transmit

encrypt

4. What is the purpose of using the local-exec provisioner? (select two)

ensures that the resource is only executed in the local infrastructure where Terraform is deployed

to execute one or more commands on the machine running Terraform

to invoke a local executable

executes a command on the resource to invoke an update to the Terraform state

5. Which command is used to initialize Vault after first starting the Vault service?

vault create key

vault operator init

vault operator initialize keys

vault start

vault operator unseal

6. True or False:

Once you create a KV v1 secrets engine and place data in it, there is no way to modify the mount to include the features of a KV v2 secrets engine.

True

False

7. Which of the following Terraform files should be ignored by Git when committing code to a repo? (select two)

output.tf

terraform.tfstate

terraform.tfvars

variables.tf

8. Vault has failed to start. You inspect the log and find the error below.

What needs to be changed in order to successfully start Vault? "Error parsing config.hcl: At 1:12: illegal char"

the " character cannot be used in the config file

fix the syntax error in the Vault configuration file

you must use single quotes vs double quotes in the config file

line 1 on the config file is blank

9. When using providers that require the retrieval of data, such as the HashiCorp Vault provider, in what phase does Terraform actually retrieve the data required?

terraform apply

terraform plan

terraform init

terraform delete

10. The Terraform language supports a number of different syntaxes for comments. Select all that are supported. (select three)

/* and */

<* and *>

11. What is the result of the following terraform function call? index(["a", "b", "c"], "c")

true

12. True or False: When encrypting data with the transit secrets engine, Vault always stores the ciphertext in a dedicated KV store along with the associated encryption key.

False

True

13. Which three interfaces can be used to access Vault? (select three)

JSON

CLI

RPC

API

Consul

14. Select the answer below that completes the following statement:

Terraform Cloud can be managed from the CLI but requires __________?

a TOTP token

a username and password

authentication using MFA

an API token

15. Using multi-cloud and provider-agnostic tools provides which of the following benefits? (select two)

operations teams only need to learn and manage a single tool to manage infrastructure, regardless of where the infrastructure is deployed

slower provisioning speed allows the operations team to catch mistakes before they are applied

can be used across major cloud providers and VM hypervisors

increased risk due to all infrastructure relying on a single tool for management

16. If a client is currently assigned the following policy, what additional policy can be added to ensure they cannot access the data stored at secret/apps/confidential but still, read all other secrets?

path "secret/apps/confidential/*" {
capabilities = ["deny"]
}

path "secret/apps/*" {
capabilities = ["deny"]
}

path "secret/apps/confidential" {
capabilities = ["deny"]
}

path "secret/apps/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/*" {
capabilities = ["read", "deny"]
}

17. True or False:

Multiple providers can be declared within a single Terraform configuration file.

False

True

18. }

anything they want to within Vault

ability to enable a secret engine at the path *

only make changes to policies

nothing, since the policy doesn’t specify any specific paths

19. }

Create a distinct list of route table name objects

Create a map of route table names to subnet names

Create a map of route table names from a list of subnet names

Create a list of route table names eliminating duplicates

20. When administering Vault on a day-to-day basis, why is logging in with the root token, as shown below, a bad idea? (select two).

the root token isn’t a secure way of logging into Vault

the root token is attached to the root policy, which likely provides too many privileges to a user

the root token should be revoked and not used on a day-to-day basis

It’s easier to just use the root token than to configure additional auth methods

21. When Vault is sealed, which are the only two options available to a Vault administrator? (select two)

rotate the encryption key

unseal Vault

view the status of Vault

configure policies

author security policies

view data stored in the key/value store

22. What happens when a terraform plan is executed?

the backend is initialized and the working directory is prepped

creates an execution plan and determines what changes are required to achieve the desired state in the configuration files.

applies the changes required in the target infrastructure in order to reach the desired configuration

reconciles the state Terraform knows about with the real-world infrastructure

23. While Vault provides businesses tons of functionality out of the box, what feature allows you to extend its functionality with solutions written by third-party providers?

vault agent

namespaces

plugin backend

control groups

24. Choose the correct answer which fixes the syntax of the following Terraform code:

resource "aws_security_group" "vault_elb" {
name = "${var.name_prefix}-vault-elb"
description = var_Vault ELB
vpc_id = var.vpc_id
}

resource "aws_security_group" "vault_elb" {
name = "${var.name_prefix}-vault-elb"
description = Vault ELB
vpc_id = var.vpc_id
}

resource "aws_security_group" "vault_elb" {
name = "${var.name_prefix}-vault-elb"
description = "${Vault ELB}"
vpc_id = var.vpc_id
}

resource "aws_security_group" "vault_elb" {
name = "${var.name_prefix}-vault-elb"
description = [Vault ELB]
vpc_id = var.vpc_id
}

resource "aws_security_group" "vault_elb" {
name = "${var.name_prefix}-vault-elb"
description = "Vault ELB"
vpc_id = var.vpc_id
}

25. You want to use terraform import to start managing infrastructure that was not originally provisioned through infrastructure as code.

Before you can import the resource’s current state, what must you do in order to prepare to manage these resources using Terraform?

run terraform refresh to ensure that the state file has the latest information for existing resources.

update the configuration file to include the new resources

modify the Terraform state file to add the new resources

shut down or stop using the resources being imported so no changes are inadvertently missed

26. Which auth method is ideal for machine to machine authentication?

GitHub

UserPass

AppRole

Okta

27. In order to reduce the time it takes to provision resources, Terraform uses parallelism. By default, how many resources will Terraform provision concurrently?

28. Which of the following is an invalid variable name?

instance_name

web

var1

count

29. What are the primary benefits of running Vault in a production deployment over dev server mode? (select two)

ability to enable auth methods

persistent storage

encryption via TLS

faster deployment

access to all of the secret engines

30. Which type of Vault replication copies all data from Vault, including K/V data, policies, and client tokens?

DR replication

performance replication

failover replication

online replication

31. Vault configuration files can be written in what languages? (select two)

XML

JSON

YAML

HCL

32. True or False:

When using the transit secrets engine, setting the min_decryption_version will determine the minimum key length of the data key (i.e., 2048, 4096, etc.)

False

True

33. A Vault client who has read access to the path secrets/apps/app1 is having trouble viewing the secret in the user interface (UI) but can access via the API.

What can be done to resolve this issue?

add read permissions to the path secrets/apps

modify the policy to allow the create permission

remove the deny policy blocking access to the secrets/apps/app1 path

add LIST to the policy so the user can browse the paths leading up to the key/value’s path

34. Select all features which are exclusive to Terraform Enterprise. (select three)

Audit Logs

Cost Estimation

Sentinel

Clustering

SAML/SSO

35. }

"db"

resource

"aws_instance"

instance_type

36. Given the following screenshot, how many secrets engines have been enabled?

37. Your organization has moved to AWS and has manually deployed infrastructure using the console. Recently, a decision has been made to standardize on Terraform for all deployments moving forward.

What can you do to ensure that all existing is managed by Terraform moving forward without interruption to existing services?

resources that are manually deployed in the AWS console cannot be imported by Terraform

using terraform import, import the existing infrastructure into your Terraform state

delete the existing resources and recreate them using new a Terraform configuration so Terraform can manage them moving forward

submit a ticket to AWS and ask them to export the state of all existing resources and use terraform import to import them into the state file

38. Which of the following commands will remove all secrets at a specific path?

vault lease revoke -prefix <path>

vault delete lease -all <path>

vault lease revoke -all <path>

vault revoke -all <path>

39. What is the best and easiest way for Terraform to read and write secrets from HashiCorp Vault?

CLI access from the same machine running Terraform

API access using the AppRole auth method

Vault provider

Integration with a tool like Jenkins

40. What is the result of the following terraform function call?

zipmap(["a", "b"], [1, 2])

{
"a",
"b",
"1",
"2",
}

[
"a",
"b",
"1",
"2",
]

{
"a" = 1
"b" = 2
}

[
"a" = 1
"b" = 2
]

41. When using parent/child modules to deploy infrastructure, how would you export value from one module to import into another module?

For example, a module dynamically deploys an application instance or virtual machine, and you need the IP address in another module to configure a related DNS record in order to reach the newly deployed application.

configure an output value in the application module in order to use that value for the DNS module

preconfigure the IP address as a parameter in the DNS module

configure the pertinent provider’s configuration with a list of possible IP addresses to use

export the value using terraform export and input the value using terraform input

42. Provider dependencies are created in several different ways. Select the valid provider dependencies from the following list: (select three)

Use of any resource belonging to a particular provider in a resource or data block in the configuration.

Existence of any provider plugins found locally in the working directory.

Explicit use of a provider block in configuration, optionally including a version constraint.

Existence of any resource instance belonging to a particular provider in the current state.

43. After executing a terraform apply, you notice that a resource has a tilde (~) next to it.

What does this infer?

the resource will be destroyed and recreated

the resource will be created

Terraform can’t determine how to proceed due to a problem with the state file

the resource will be updated in place

44. range

named values

backends

functions

data sources

45. Which of the following allows Terraform users to apply policy as code to enforce standardized configurations for resources being deployed via infrastructure as code?

functions

workspaces

module registry

sentinel

46. Which commands are available only after Vault has been unsealed? (select two)

vault login -method=ldap -username=vault

vault operator unseal

vault kv get kv/apps/app01

vault status

47. Which of the following is not a valid Terraform string function?

tostring

replace

format

join

48. Select the policies below that permit you to create a new entry of foo=bar at the path /secrets/apps/my_secret (select three)

path "secrets/apps/my_secret" {
capabilities = ["create"]
allowed_parameters = {
"foo" = []
}
}

path "secrets/+/my_secret" {
capabilities = ["create"]
allowed_parameters = {
"*" = ["bar"]
}
}

path "secrets/apps/my_secret" {
capabilities = ["update"]
}

path "secrets/apps/*" {
capabilities = ["create"]
allowed_parameters = {
"foo" = ["bar", "zip"]
}
}

49. Which is not a capability that can be used when writing a Vault policy?

read

list

delete

create

modify

update

50. Terraform Enterprise (also referred to as pTFE) requires what type of backend database for a clustered deployment?

Cassandra

MSSQL

PostgreSQL

MySQL

51. In order to extend a Consul storage backend, Consul nodes should be provisioned across multiple data centers or cloud regions.

True

False

52. The security barrier protects all of the following Vault components except ___.

secret engine

auth method

storage backend

audit devices

token store

53. What happens when a terraform apply command is executed?

applies the changes required in the target infrastructure in order to reach the desired configuration

creates the execution plan for the deployment of resources

reconciles the state Terraform knows about with the real-world infrastructure

the backend is initialized and the working directory is prepped

54. Which TCP port does Vault use, by default, for its API and UI?

8600

8201

8500

8301

8300

8200

55. You’ve set up multiple Vault clusters, one on-premises which is intended to be the primary cluster, and the second cluster in AWS, which was deployed to be used for performance replication. After enabling replication, developers complain that all the data they’ve stored in the AWS Vault cluster is missing.

What happened?

the data was moved to a recovery path after replication was enabled. Use the vault secrets move command to move the data back to its intended location

there is a certificate mismatch after replication was enabled since Vault replication generates its own TLS certificates to ensure nodes are trusted entities

the data was automatically copied to the primary cluster after replication was enabled since all writes are always forwarded to the primary cluster

all of the data on the secondary cluster was deleted after replication was enabled

56. }

The EC2 instance labeled web_server

The EIP with an id of ami-2757f631

The AMI used for the EC2 instance

The S3 bucket labeled company_data

57. }

data source

dynamic block

local values

conditional expression

58. Select two answers to complete the following sentence:

Before a new provider can be used, it must be ______ and _______.

approved by HashiCorp

declared in the configuration

initialized

uploaded to source control

59. Which of the following policies would permit a user to generate dynamic credentials on a database?

path "database/creds/read_only_role" {
capabilities = ["read"]
}

path "database/creds/read_only_role" {
capabilities = ["generate"]
}

path "database/creds/read_only_role" {
capabilities = ["list"]
}

path "database/creds/read_only_role" {
capabilities = ["sudo"]
}

60. True or False:

The terraform refresh command is used to reconcile the state Terraform knows about (via its state file) with the real-world infrastructure. If the drift is detected between the real-world infrastructure and the last known-state, it will modify the infrastructure to correct the drift.

False

True

61. True or False? By default, Terraform destroy will prompt for confirmation before proceeding.

True

False

62. In regards to using a K/V v2 secrets engine, select the three correct statements below: (select three)

issuing a vault kv destroy statement permanently deletes a single version of a secret

issuing a vault kv destroy statement deletes all versions of a secret

issuing a vault kv delete statement permanently deletes the secret

issuing a vault kv metadata delete statement permanently deletes the secret

issuing a vault kv delete statement performs a soft delete

63. In terraform, most resource dependencies are handled automatically.

Which of the following statements describes best how terraform resource dependencies are handled?

The terraform binary contains a built-in reference map of all defined Terraform resource dependencies. Updates to this dependency map are reflected in terraform versions. To ensure you are working with the latest resource dependency map you much be running the latest version of Terraform.

Terraform analyses any expressions within a resource block to find references to other objects and treats those references as implicit ordering requirements when creating, updating, or destroying resources.

Resource dependencies are identified and maintained in a file called resource. dependencies. Each terraform provider is required to maintain a list of all resource dependencies for the provider and it’s included with the plugin during initialization when terraform init is executed. The file is located in the terraform.d folder.

Resource dependencies are handled automatically by the depends_on meta_argument, which is set to true by default.

64. An administrator wants to create a new KV mount for individual users to maintain their own secrets but needs a way to simplify the policy so they don’t need to write a new one for each new user?

With the requirements listed below, what would such a policy look like?

Requirement: Each user can perform all operations on their allocated key/value secret path

path "user-kv/data/{{identity.entity.name}}/*" { capabilities = [ "create", "update", "read", "delete", "list" ] }

path "user-kv/data/{{identity.entity.id.name}}/*" { capabilities = [ "create", "update", "read", "delete", "list" ] }

path "user-kv/data/{{identity.entity.aliases.<<mount accessor>>.id}}/*" { capabilities = [ "create", "update", "read", "delete", "list" ] }

path "user-kv/data/{{user}}/*" {
capabilities = [ "create", "update", "read", "delete", "list" ]
}

65. }

this ensures that all Terraform providers are above a certain version to match the application being deployed

the user wants to ensure that the application being deployed is a minimum version of 0.12

versions before Terraform 0.12 were not approved by HashiCorp to be used in production

Terraform 0.12 introduced substantial changes to the syntax used to write Terraform configuration

66. When configuring Vault replication and monitoring its status, you keep seeing something called ‘WALs’.

What are WALs?

wake after lan

warning of allocated logs

write-ahead log

write along logging

67. In order to extend Vault beyond a data center or cloud regional boundary, what feature should be used?

plugins

secrets engine

replication

seal/unseal

snapshots

68. You have been given requirements to create a security group for a new application. Since your organization standardizes on Terraform, you want to add this new security group with the fewest number of lines of code.

What feature could you use to iterate over a list of required tcp ports to add to the new security group?

terraform import

splat expression

dynamic block

dynamic backend

69. http://127.0.0.1:8200/v1/sys/tools/random/164

a random string of 164 characters

a random token valid for 164 uses

None

a secured secret based on 164 bytes of data

70. plaintext Y3JlZGl0LWNhcmQtbnVtYmVyCg==

The resulting plaintext data is base64-encoded. To reveal the original plaintext, use the base64 –decode command.

The data is corrupted. Execute the encryption command again using a different data key

the user doesn’t have permission to decrypt the data, therefore Vault returns false data so as not to reveal if the data was actually encrypted by Vault

Vault is sealed, therefore the data cannot be decrypted. Unseal Vault to properly decrypt the data

71. Unsealing Vault creates the encryption keys, which is used to unencrypt the data on the storage backend.

FALSE

TRUE

72. An application requires a specific key/value to be updated in order to process a batch job. The value should be either "true" or "false". However, when developers have been updating the value, sometimes they mistype the value or capitalize on the value, causing the batch job not to run.

What feature of a Vault policy can be used in order to restrict the entry to the required values?

added an allowed_parameters value to the policy

use a * wildcard at the end of the policy

change the policy to include the list capability

add a deny statement for all possible misspellings of the value

73. You are deploying Vault in a local data center, but want to be sure you have a secondary cluster in the event the primary cluster goes offline. In the secondary data center, you have applications that are running, as they are architected to run active/active.

Which type of replication would be best in this scenario?

disaster recovery replication

single-node replication

performance replication

end-to-end replication

74. The command vault lease revoke -prefix aws/ will revoke all leases associated with the secret engine mounted at aws/

False

True

75. What happens to child tokens when a parent token is revoked?

the child tokens are renewed

the child tokens are converted to parent tokens

the child tokens create their own child tokens to be used

the child tokens are revoked

76. After logging into the Vault UI, a user complains that they cannot enable Replication.

Why would the replication configuration be missing?

replication wasn’t configured in the Vault configuration file

replication hasn’t been enabled

Vault is running an open-source version

replication configuration isn’t available in the UI

77. True or False?

terraform init cannot automatically download Community providers.

False

True

78. Which of the following unseal options can automatically unseal Vault upon the start of the Vault service? (select four)

Transit

HSM

AWS KMS

Key Shards

Azure KMS

79. You’ve logged into the Vault CLI and attempted to enable an auth method, but received this error message.

What can be done to resolve the error and configure Vault?

Error enabling userpass auth: Post https://127.0.0.1:8200/v1/sys/auth/userpass: http: server gave HTTP response to HTTPS client

change ‘userpass’ to ‘username and password’

restart the Vault service on this node

set the VAULT_ADDR environment variable to HTTP

ask an admin to grant you permission to enable the userpass auth method

80. Which of the following secrets engine can generate dynamic credentials? (select three)

Azure

database

key/value

Transit

AWS

Question 1 of 80

HashiCorp Certified: Vault Associate VA-002-P Exam Questions

HashiCorp Certified: Vault Associate VA-002-P Free Questions

Leave a Reply Cancel reply