Free HashiCorp HCVA0-003 Exam Questions (page: 5)

You've set up multiple Vault clusters, one on-premises intended to be the primary cluster, and the second cluster in AWS, which was deployed for performance replication. After enabling replication, developers complain that all the data they've stored in the AWS Vault cluster is missing.
What happened?

  A. There is a certificate mismatch after replication was enabled since Vault replication generates its own TLS certificates to ensure nodes are trusted entities
  B. All of the data on the secondary cluster was deleted after replication was enabled
  C. The data was automatically copied to the primary cluster after replication was enabled since all writes are always forwarded to the primary cluster
  D. The data was moved to a recovery path after replication was enabled. Use the vault secrets move command to move the data back to its intended location

Answer(s): B

Explanation:

Comprehensive and Detailed in Depth
A: Certificate issues don't delete data. Incorrect.
B: Performance replication wipes the secondary's data to sync with the primary. Correct.
C: Data isn't copied to the primary; replication is one-way. Incorrect.
D: No recovery path exists; data is wiped. Incorrect.
Overall Explanation from Vault Docs:
"When replication is enabled, all of the secondary's existing storage will be wiped... This is irrevocable."


Reference:

https://developer.hashicorp.com/vault/tutorials/enterprise/performance-replication



Based on the screenshot below, how many auth methods have been enabled on this Vault instance?

  A. 1
  B. 2
  C. 4
  D. 3

Answer(s): B

Explanation:

Token is enabled by default and cannot be disabled.
Userpass is explicitly enabled.
Total: 2 auth methods.
Overall Explanation from Vault Docs:
"Tokens are the default auth method... Additional methods like userpass increase the count."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/tokens



Given the following policy, which command below would not result in a permission denied error (select two)?
path "secret/*" {
  capabilities = ["create", "update"]
  allowed_parameters = {
    "student" = ["steve", "frank", "jamie", "susan", "gerry", "damien"]
  }
}
path "secret/apps/*" {
  capabilities = ["read"]
}
path "secret/apps/results" {
  capabilities = ["deny"]
}

  A. vault kv put secret/apps/results student03=practice
  B. vault kv put secret/apps/app01 student=bryan
  C. vault kv put secret/common/results student=frank
  D. vault kv get secret/apps/api_key

Answer(s): C,D

Explanation:

A: Denied by secret/apps/results deny policy. Incorrect.
B: secret/apps/app01 only allows read, not create. Incorrect.
C: secret/common/results allows create with student=frank (allowed value). Correct.
D: secret/apps/api_key allows read. Correct.
Overall Explanation from Vault Docs:
"deny overrides any allow... allowed_parameters restricts values."


Reference:

https://developer.hashicorp.com/vault/docs/concepts/policies#parameter-constraints



Which of the following Vault policies will allow a Vault client to read a secret stored at secrets/applications/app01/api_key?

  A. path "secrets/applications/" { capabilities = ["read"] allowed_parameters = { "certificate" = [] } }
  B. path "secrets/*" { capabilities = ["list"] }
  C. path "secrets/applications/+/api_*" { capabilities = ["read"] }
  D. path "secrets/applications/app01/api_key/*" { capabilities = ["update", "list", "read"] }

Answer(s): C

Explanation:

This question requires identifying a policy that permits reading the secret at secrets/applications/app01/api_key. Vault policies use paths and capabilities to control access. Let's evaluate:
A: path "secrets/applications/" { capabilities = ["read"] allowed_parameters = { "certificate" = [] } } This policy allows reading at secrets/applications/, but not deeper paths like secrets/applications/app01/api_key. The allowed_parameters restriction is irrelevant for reading secrets. Incorrect.
B: path "secrets/*" { capabilities = ["list"] } The list capability allows listing secrets under secrets/, but not reading their contents. Reading requires the read capability. Incorrect.
C: path "secrets/applications/+/api_*" { capabilities = ["read"] } The + wildcard matches one segment (e.g., app01), and api_* matches api_key. This policy grants read access to secrets/applications/app01/api_key. Correct.
D: path "secrets/applications/app01/api_key/*" { capabilities = ["update", "list", "read"] } This policy applies to subpaths under api_key/, not the exact path api_key. It includes read, but the path mismatch makes it incorrect for this specific secret.
Overall Explanation from Vault Docs:
"Wildcards (*, +) allow flexible path matching... read capability is required to retrieve secret data." Option C uses globbing to precisely target the required path.


Reference:

https://developer.hashicorp.com/vault/tutorials/policies/policies
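As an added example (not from the exam page or from HashiCorp), a small Python evaluator that applies the path-matching and parameter rules discussed in the two policy questions above: it checks the four commands from the first question against that policy, and the four candidate policies from the second question against a read of secrets/applications/app01/api_key. It assumes Vault's exact-match, `+` single-segment and trailing-`*` glob semantics, uses a simplified priority rule (exact path first, then longest literal prefix) in place of Vault's full ordering, and treats `vault kv put` as a `create` on the policy path as written.

```python
import re

# Constructed from the three-stanza policy in the question above.
POLICY = [
    ("secret/*", {"create", "update"},
     {"student": ["steve", "frank", "jamie", "susan", "gerry", "damien"]}),
    ("secret/apps/*", {"read"}, None),
    ("secret/apps/results", {"deny"}, None),
]

def pattern_to_regex(pattern):
    """A '+' segment matches exactly one path segment; a trailing '*' matches any suffix."""
    suffix = ""
    if pattern.endswith("*"):
        pattern, suffix = pattern[:-1], ".*"
    parts = ["[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + suffix + "$")

def specificity(pattern):
    """Exact paths beat wildcard paths; among wildcard paths the longer literal
    prefix wins. Assumption: a simplification of Vault's full priority rules."""
    first_wild = min((i for i, c in enumerate(pattern) if c in "*+"), default=len(pattern))
    return (first_wild == len(pattern), first_wild)

def is_allowed(policy, path, capability, params=None):
    """Return True if `capability` on `path` (with written `params`) is permitted."""
    matches = [rule for rule in policy if pattern_to_regex(rule[0]).match(path)]
    if not matches:
        return False                      # no matching stanza: implicit deny
    _, caps, allowed = max(matches, key=lambda rule: specificity(rule[0]))
    if "deny" in caps or capability not in caps:
        return False                      # deny wins over any allow
    if allowed is not None and capability in ("create", "update"):
        for key, value in (params or {}).items():
            # only listed keys may be written; a non-empty list limits the values
            if key not in allowed or (allowed[key] and value not in allowed[key]):
                return False
    return True

# The four commands from the question, treating `vault kv put` as a create.
COMMANDS = {
    "A": ("secret/apps/results", "create", {"student03": "practice"}),
    "B": ("secret/apps/app01", "create", {"student": "bryan"}),
    "C": ("secret/common/results", "create", {"student": "frank"}),
    "D": ("secret/apps/api_key", "read", None),
}

def commands_allowed():
    return sorted(k for k, args in COMMANDS.items() if is_allowed(POLICY, *args))  # ['C', 'D']
```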


