Free HashiCorp HCVA0-003 Exam Questions (page: 4)

Which of the following statements are true regarding Vault seal and unseal (select three)?

  A. By default, Vault uses the Shamir Sharing algorithm to create unseal keys during the initialization process
  B. When using Vault Auto Unseal feature, Vault returns unseal keys to the user when it is initialized
  C. Vault can use a third-party KMS solution to automatically unseal during a service restart
  D. Vault supports high availability for the Auto Unseal feature, allowing you to point to multiple keys

Answer(s): A,C,D

Explanation:

Comprehensive and Detailed in Depth
A: Vault uses Shamir's Secret Sharing by default for unseal keys. Correct.
B: Auto Unseal uses KMS or similar; it returns recovery keys, not unseal keys. Incorrect.
C: Third-party KMS (e.g., AWS KMS) can auto-unseal Vault. Correct.
D: Auto Unseal supports HA with multiple keys for redundancy. Correct.
Overall Explanation from Vault Docs:
"Vault uses Shamir's algorithm by default... Auto Unseal with KMS supports HA and does not return unseal keys but recovery keys."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/seal#seal-unseal



If Bobby is currently assigned the following policy, what additional policy can be added to ensure Bobby cannot access the data stored at secret/apps/confidential but still read all other secrets?

path "secret/apps/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

  A. path "secret/apps/confidential" { capabilities = ["deny"] }
  B. path "secret/*" { capabilities = ["read", "deny"] }
  C. path "secret/apps/*" { capabilities = ["deny"] }
  D. path "secret/apps/confidential/*" { capabilities = ["deny"] }

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: Denies all access to secret/apps/confidential; the exact path is more specific than the secret/apps/* glob, so it overrides the original policy's permissions. Correct.
B: Applies to all of secret/*, and mixing read with deny is contradictory because deny cancels every other capability in the rule; it is overly restrictive and unclear. Incorrect.
C: Denies all of secret/apps/*, blocking more than required. Incorrect.
D: Denies only subpaths under secret/apps/confidential/, not the secret/apps/confidential path itself. Incorrect.
Overall Explanation from Vault Docs:
"A deny capability takes precedence over any allow... Use it to restrict specific paths."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/policies#capabilities
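As an added illustration (example code written for this page, not from HashiCorp or the Vault docs), the following Python models the policy-evaluation rules the explanation relies on and checks options A, C and D against Bobby's existing rule. The matching logic is a simplification of Vault's priority rules, assumed here as: an exact path beats a glob, the longest glob wins, and deny overrides everything.

```python
from typing import Dict, List, Set

Policy = Dict[str, List[str]]

# Policies quoted on the page: Bobby's current policy and three candidate answers.
BOBBY_POLICY: Policy = {"secret/apps/*": ["create", "read", "update", "delete", "list"]}
OPTION_A: Policy = {"secret/apps/confidential": ["deny"]}
OPTION_C: Policy = {"secret/apps/*": ["deny"]}
OPTION_D: Policy = {"secret/apps/confidential/*": ["deny"]}


def rule_matches(rule_path: str, request_path: str) -> bool:
    """A rule matches exactly, or as a prefix when it ends in a '*' glob."""
    if rule_path.endswith("*"):
        return request_path.startswith(rule_path[:-1])
    return rule_path == request_path


def capabilities(policies: List[Policy], request_path: str) -> Set[str]:
    """Effective capability set for request_path under the attached policies.

    Simplified priority model (assumption, see lead-in): rules for the same path
    in different policies are merged; an exact-path rule beats any glob rule;
    among globs the longest prefix wins; 'deny' in the winning rule cancels
    every other capability.
    """
    merged: Dict[str, Set[str]] = {}
    for policy in policies:
        for rule_path, caps in policy.items():
            if rule_matches(rule_path, request_path):
                merged.setdefault(rule_path, set()).update(caps)
    if not merged:
        return set()  # no matching rule: Vault denies by default
    winner = max(merged, key=lambda p: (not p.endswith("*"), len(p)))
    caps = merged[winner]
    return {"deny"} if "deny" in caps else caps


def allowed(policies: List[Policy], request_path: str, capability: str) -> bool:
    """True when the request would pass the policy check."""
    return capability in capabilities(policies, request_path)


if __name__ == "__main__":
    for name, option in (("A", OPTION_A), ("C", OPTION_C), ("D", OPTION_D)):
        pols = [BOBBY_POLICY, option]
        print(name, "confidential blocked:", not allowed(pols, "secret/apps/confidential", "read"),
              "| other secrets still readable:", allowed(pols, "secret/apps/other", "read"))
```

Only option A both blocks secret/apps/confidential and leaves secret/apps/other readable; C blocks everything under secret/apps/ and D leaves the confidential path itself open.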



Tommy has written an AWS Lambda function that will perform certain tasks for the organization when data has been uploaded to an S3 bucket. Security policies for the organization do not allow Tommy to hardcode any type of credential within the Lambda code or environment variables. However, Tommy needs to retrieve a credential from Vault to write data to an on-premises database.
What auth method should Tommy use in Vault to meet the requirements while not violating security policies?

  A. AWS
  B. Userpass
  C. Token
  D. AppRole

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: AWS auth uses IAM roles, avoiding hardcoded credentials. Correct for Lambda.
B: Userpass requires username/password, violating policy. Incorrect.
C: Token requires a pre-generated token, often hardcoded. Incorrect.
D: AppRole needs RoleID/SecretID, typically hardcoded. Incorrect.
Overall Explanation from Vault Docs:
"The AWS auth method provides an automated mechanism to retrieve a Vault token for IAM principals... no manual credential provisioning required."


Reference:

https://developer.hashicorp.com/vault/docs/auth/aws#aws-auth-method



What command would have created the token displayed below?

$ vault token lookup hvs.nNeZ2I64ALCxuO7dqQEJGPrO

Key                 Value
---                 -----
accessor            mfvaVMFgOcXHIeqlRasroSOn
creation_time       1604610457
creation_ttl        768h
display_name        token
entity_id           n/a
expire_time         2024-12-07T16:07:37.7540672-05:00
explicit_max_ttl    0s
id                  hvs.nNeZ2I64ALCxuO7dqQEJGPrO
issue_time          2024-11-05T16:07:37.7540672-05:00
meta                <nil>
num_uses            5
orphan              false
path                auth/token/create
policies            [default dev]
renewable           true
ttl                 767h59m49s
type                service

  A. vault token create -policy=dev -use-limit=5
  B. vault token create -policy=dev -ttl=768h
  C. vault token create -policy=dev -policy=default -ttl=768h
  D. vault token create -policy=dev

Answer(s): A

Explanation:

Comprehensive and Detailed in Depth
A: Matches the dev policy and num_uses=5; the TTL is the system default (768h), so no -ttl flag is needed. Correct.
B: Missing the use limit (num_uses). Incorrect.
C: Adds the default policy explicitly, which is not needed as it is attached implicitly, and also omits the use limit. Incorrect.
D: Missing the use limit (num_uses). Incorrect.
Overall Explanation from Vault Docs:
"vault token create with -policy and -use-limit sets specific attributes... default policy is included implicitly."


Reference:

https://developer.hashicorp.com/vault/docs/commands/token/create#command-options


