Free VA-002-P Exam Braindumps (page: 22)

Page 22 of 51

True or False:
When using the transit secrets engine, setting the min_decryption_version determines the minimum key length of the data key (e.g., 2048, 4096, etc.).

  A. False
  B. True

Answer(s): A

Explanation:

The Transit engine supports versioning of keys. Key versions earlier than a key's specified min_decryption_version get archived, and the remaining key versions form the working set. This is a performance consideration, keeping key loading fast, as well as a security consideration: by disallowing decryption with old key versions, found ciphertext corresponding to obsolete (but sensitive) data cannot be decrypted by most users, but in an emergency the min_decryption_version can be moved back to allow legitimate decryption.


Reference:

https://www.vaultproject.io/docs/secrets/transit



If a client is currently assigned the following policy, what additional policy can be added to ensure they cannot access the data stored at secret/apps/confidential but can still read all other secrets?

  A. path "secret/apps/confidential/*" {
       capabilities = ["deny"]
     }
  B. path "secret/apps/*" {
       capabilities = ["deny"]
     }
  C. path "secret/apps/confidential" {
       capabilities = ["deny"]
     }
  D. path "secret/apps/*" {
       capabilities = ["create", "read", "update", "delete", "list"]
     }
     path "secret/*" {
       capabilities = ["read", "deny"]
     }

Answer(s): C

Explanation:

The "deny" capability generally takes precedence over any "allow" capability on the same path. Therefore, if you add the correct deny statement, the client will still be able to read all secrets except the data stored at secret/apps/confidential.
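To see why option C blocks exactly that path while leaving everything else readable, here is an added example (not from the page or from Vault itself) that models Vault's ACL evaluation in a few lines of Python: the most specific matching rule wins, and "deny" overrides any other capability. The client's existing policy is not shown on the page, so a read grant on secret/* is assumed; the rule set, the `allowed` function and the request paths are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: str                 # exact path, or a prefix ending in "*" (glob)
    capabilities: frozenset   # e.g. {"read"} or {"deny"}


# Assumed base policy: the question's existing policy is not shown on the page.
BASE_POLICY = [Rule("secret/*", frozenset({"read", "list"}))]

# The two deny rules from the question, options A and C.
OPTION_A = [Rule("secret/apps/confidential/*", frozenset({"deny"}))]
OPTION_C = [Rule("secret/apps/confidential", frozenset({"deny"}))]


def _matches(rule_path: str, request: str) -> bool:
    """A glob rule matches any request that starts with its prefix; an exact
    rule matches only that path. Note 'secret/apps/confidential/*' does NOT
    match 'secret/apps/confidential' itself (no trailing slash in the request)."""
    if rule_path.endswith("*"):
        return request.startswith(rule_path[:-1])
    return request == rule_path


def allowed(policies, request: str, capability: str) -> bool:
    """Vault-style decision for one request path and one capability.

    1. Collect every rule from every attached policy that matches the path.
    2. The most specific rule wins: an exact path beats a glob, and a longer
       prefix beats a shorter one.
    3. Rules from different policies on that same winning path are merged.
    4. If the merged set contains 'deny', access is refused regardless of
       what else was granted; otherwise the capability must be present.
    """
    matching = [r for policy in policies for r in policy if _matches(r.path, request)]
    if not matching:
        return False  # Vault is default-deny: no rule means no access
    best = max(matching, key=lambda r: (not r.path.endswith("*"), len(r.path)))
    merged = set()
    for r in matching:
        if r.path == best.path:
            merged |= r.capabilities
    if "deny" in merged:
        return False
    return capability in merged
```

With the assumed base policy, option C refuses read on secret/apps/confidential while secret/other/db stays readable; option A only covers paths underneath secret/apps/confidential/, not the path itself.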



True or False:
Similar to how Vault works with databases and cloud providers, the Active Directory secrets engine dynamically generates the account and password for the requesting Vault client.

  A. False
  B. True

Answer(s): A

Explanation:

The Active Directory secrets engine rotates Active Directory passwords dynamically. It does not, however, dynamically generate the AD account. The AD account must exist prior to configuring it in Vault. If it does not, the configuration will fail, stating that the account doesn't exist.


Reference:

https://www.vaultproject.io/docs/secrets/ad



You've decided to use AWS KMS to automatically unseal Vault on private EC2 instances. After deploying your Vault cluster and running vault operator init, Vault responds with an error and cannot be unsealed.
You've determined that the subnet you've deployed Vault into doesn't have internet access. What can you do to enable Vault to communicate with AWS KMS in the most secure way?

  A. ask the networking team to provide Vault with inbound access from the internet
  B. deploy Vault in a public subnet and provide the Vault nodes with public IP addresses
  C. add a VPC endpoint
  D. change the permissions on the Internet Gateway to allow the Vault nodes to communicate over the Internet

Answer(s): C

Explanation:

In this particular question, a VPC endpoint provides private connectivity to an AWS service without traversing the public internet. This way, Vault reaches a private endpoint for the service rather than connecting to the public endpoint.
This is more of an AWS-type question, but the underlying premise holds regardless of where your Vault cluster is deployed. If you use a public cloud KMS solution, such as AWS KMS, Azure Key Vault, GCP Cloud KMS, or AliCloud KMS, your Vault cluster needs the ability to communicate with that service to unseal itself.






Post your Comments and Discuss HashiCorp VA-002-P exam with other Community members:

Bruno commented on October 10, 2023
PDF is Vault, EXM is Terraform.