An application requires a specific key/value pair to be updated in order to process a batch job. The value should be either "true" or "false." However, when developers have been updating the value, sometimes they mistype the value or capitalize it, causing the batch job not to run. What feature of a Vault policy can be used to restrict entry to the required values?
Correct Answer: B
Comprehensive and Detailed In-Depth Explanation: To restrict the value of a key/value pair to exactly "true" or "false" and prevent mistyping or capitalization errors, the allowed_parameters feature of a Vault policy is the right tool. The HashiCorp Vault documentation explains that allowed_parameters can be used to "permit a list of keys and values that are permitted on the given path." By listing the key with the values "true" and "false" in allowed_parameters, the policy ensures that only these two values are accepted on a write and rejects any deviation (e.g., "True," "TRUE," or "flase"). The check is enforced by Vault at the policy layer, so it no longer depends on the operator typing correctly. Adding a deny statement for all possible misspellings is impractical and error-prone, because it requires anticipating every potential mistake and does not scale. The list capability only permits listing keys (it does not even grant reading values) and places no restriction on what can be written, so it fails to address the problem. A wildcard (*) at the end of a policy path broadens which paths are permitted, and "*" as a parameter value permits any value; either way it is the opposite of limiting entries to "true" or "false." Thus, allowed_parameters is the precise tool for this use case. One practical caveat: the constraint is applied to the top-level keys of the request body. With the KV version 1 secrets engine the secret's keys are the request body, so the constraint applies directly to the value; with the KV version 2 secrets engine the secret's keys are nested under "data" in the write request, so allowed_parameters cannot constrain the individual secret values in this way. Reference: HashiCorp Vault Documentation - Policies: Fine-Grained Control
Question 87
You need to write a Vault operator policy and give the users access to perform administrative actions in Vault. What path is used for Vault backend functions?
Correct Answer: E
Comprehensive and Detailed In-Depth Explanation: The path for Vault's backend system functions, which include administrative actions, is /sys. The HashiCorp Vault documentation confirms: "All backend system functions live in the /sys backend. Policies should take /sys into account when users need to administer Vault configurations." This path hosts endpoints for system-level operations such as mounting secrets engines, managing policies, and sealing/unsealing Vault. An operator policy therefore grants capabilities on paths under sys (policy paths are written without the leading slash, e.g. "sys/*" or, more narrowly, "sys/policies/acl/*"). Paths like /security, /admin, /vault, /system, and /backend are not standard for Vault's system backend. Only /sys provides the necessary administrative capabilities, making E the correct answer. Reference: HashiCorp Vault Documentation - System Backend
Question 88
Select the two paths below that would be permitted for read access based on the following Vault policy:
path "secret/+/training/*" { capabilities = ["create", "read"] }
A. secret/business/training
B. secret/cloud/training/test/exam
C. secret/departments/certification/api
D. secret/departments/training/vault
Correct Answer: B,D
Comprehensive and Detailed In-Depth Explanation: Vault policies use path-based syntax with two wildcards: + matches exactly one path segment, and * (permitted only at the end of a path) matches whatever remains, including nothing. The policy path "secret/+/training/*" { capabilities = ["create", "read"] } grants "create" and "read" on every path matching this pattern.
Path analysis:
* The + wildcard matches exactly one segment after "secret/".
* The literal "training/" (including the trailing slash) must follow that segment.
* The * wildcard then matches any remainder, which may be empty or span several segments.
Correct paths:
* B. secret/cloud/training/test/exam: Matches, as "cloud" fits +, "training/" follows, and "test/exam" fits *. "Permitted since + allows for cloud and * allows for test/exam."
* D. secret/departments/training/vault: Matches, with "departments" as +, "training/", and "vault" as *. "Permitted since + allows for departments and vault is in place of *."
Incorrect paths:
* A. secret/business/training: Not permitted because the policy requires the literal "training/" with a trailing slash before the * glob; this path ends at "training" with no slash, so the prefix does not match. "Not permitted since the wildcard is AFTER training."
* C. secret/departments/certification/api: Not permitted because "certification" appears where the literal "training" is required. "Not permitted since certification does not equal training."
When more than one path in a policy matches a request, Vault applies the most specific one (an exact path over a wildcard path), so a narrower rule elsewhere in the same policy can still change the outcome for a given request. Reference: https://developer.hashicorp.com/vault/docs/concepts/policies#policy-syntax
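The matching rules above, as an added example that is not Vault's own code: a small matcher that follows the documented semantics of + and *, run over the four answer options. It generalizes slightly beyond the question by rejecting a * glob that is not at the end of the path, which Vault also does not allow.

```python
"""Vault policy path matching with the '+' and '*' wildcards.

Added example, not Vault source: a matcher that follows the documented
rules. '+' stands for exactly one path segment, '*' is only allowed at the
end of a path and matches whatever remains (possibly nothing). The four
candidate paths are the answer options of the question above.
"""
from __future__ import annotations

import re


def policy_path_regex(policy_path: str) -> re.Pattern[str]:
    """Translate a policy path into an anchored regular expression."""
    if "*" in policy_path[:-1]:
        raise ValueError("Vault permits the '*' glob only at the end of a path")
    glob = policy_path.endswith("*")
    literal = policy_path[:-1] if glob else policy_path
    # Each '+' segment becomes one non-empty segment; everything else is literal.
    segments = ["[^/]+" if seg == "+" else re.escape(seg) for seg in literal.split("/")]
    body = "/".join(segments) + (".*" if glob else "")
    return re.compile(f"^{body}$")


def path_permitted(policy_path: str, request_path: str) -> bool:
    """True when the request path is covered by the policy path."""
    return policy_path_regex(policy_path).match(request_path) is not None


# The answer options of the question (taken from the explanation).
EXAM_OPTIONS: dict[str, str] = {
    "A": "secret/business/training",
    "B": "secret/cloud/training/test/exam",
    "C": "secret/departments/certification/api",
    "D": "secret/departments/training/vault",
}


def permitted_options(policy_path: str = "secret/+/training/*",
                      options: dict[str, str] = EXAM_OPTIONS) -> list[str]:
    """Letters of the options the policy path covers, in option order."""
    rx = policy_path_regex(policy_path)
    return [letter for letter, path in options.items() if rx.match(path)]
```

permitted_options() returns B and D. The same matcher shows the edge case behind option A: "secret/business/training" is not covered, while "secret/business/training/" (trailing slash, empty remainder) is, because the glob only ever extends the literal prefix in front of it. Note that this matcher decides whether a single policy path covers a request; it does not model Vault's priority rules for choosing among several matching paths.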
Question 89
Which of the following are supported auth methods for Vault? (Select six)
Correct Answer: A,B,C,D,E,G
Comprehensive and Detailed In-Depth Explanation: Supported auth methods:
* A, B, C, D, E, G: "All of the options are valid auth methods except for Cubbyhole." Each is detailed in the Vault docs.
Incorrect option:
* F: "Cubbyhole is a secrets engine," not an auth method; it is the per-token scratch space mounted at cubbyhole/.
Reference: https://developer.hashicorp.com/vault/docs/auth
Question 90
Vault enables the generation of dynamic credentials against many different platforms. When generating these credentials, what Vault feature is used to track the credentials?
Correct Answer: D
Comprehensive and Detailed In-Depth Explanation: Dynamic credentials are tracked via leases. The Vault documentation states: "With every dynamic secret and service type authentication token, Vault creates a lease. A lease is metadata containing information such as time duration, renewability, and more. Vault promises that the data will be valid for the given period, or Time To Live (TTL)." The lease_id is the unique identifier Vault assigns to each dynamically generated credential, and it is the handle a client or operator passes to the renew and revoke endpoints. (Vault Concepts: Leases)
* D: Correct. The lease_id tracks the lifecycle of the credential, including its creation, renewal, and revocation.
* A: Namespaces partition Vault into isolated tenants; they organize, not track.
* B: Roles define how credentials are generated, not how they are tracked.
* C: Tokens authenticate a client; service tokens carry a lease of their own, but a token does not track other credentials.
Reference: Vault Concepts: Leases
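How a client keeps track of the leases it has been issued, as an added example that is not Vault's own code: a table keyed on lease_id that records expiry from lease_duration, reports which leases to renew before they lapse, and drops leases after revocation. SAMPLE_RESPONSE is a constructed stand-in for the JSON returned by a dynamic-credential read; the lease_id, username and password values are made up.

```python
"""Client-side tracking of dynamic credentials by lease_id.

Added example, not Vault code: a table keyed on lease_id that records when
each dynamic credential expires, which leases to renew before expiry, and
which to discard. SAMPLE_RESPONSE is a constructed stand-in for the JSON a
read of a dynamic-credential endpoint returns; the lease_id, username and
password values are made up.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

SAMPLE_RESPONSE = json.dumps({
    "request_id": "5f8b2e9c-0000-4000-8000-000000000000",
    "lease_id": "database/creds/readonly/3Ab8Q7vY1k2Lm9P0",
    "renewable": True,
    "lease_duration": 3600,
    "data": {"username": "v-token-readonly-x1", "password": "A1b2C3d4"},
})


@dataclass
class Lease:
    lease_id: str
    issued_at: int  # epoch seconds when Vault handed out the credential
    ttl: int        # lease_duration in seconds, as reported by Vault
    renewable: bool

    @property
    def expires_at(self) -> int:
        return self.issued_at + self.ttl


class LeaseTracker:
    """Every dynamic credential is remembered under its lease_id."""

    def __init__(self) -> None:
        self._leases: dict[str, Lease] = {}

    def record(self, response_json: str, now: int) -> Lease:
        """Store the lease metadata from a credential response."""
        resp = json.loads(response_json)
        lease = Lease(resp["lease_id"], now, int(resp["lease_duration"]), bool(resp["renewable"]))
        self._leases[lease.lease_id] = lease
        return lease

    def due_for_renewal(self, now: int, margin: int) -> list[str]:
        """Renewable leases expiring within `margin` seconds (renew via sys/leases/renew)."""
        return sorted(l.lease_id for l in self._leases.values()
                      if l.renewable and 0 < l.expires_at - now <= margin)

    def expired(self, now: int) -> list[str]:
        """Leases whose TTL has elapsed; the credential must be replaced, not reused."""
        return sorted(l.lease_id for l in self._leases.values() if l.expires_at <= now)

    def apply_renewal(self, lease_id: str, now: int, new_duration: int) -> None:
        """Record the lease_duration a renew call returned: the TTL restarts from now,
        and Vault may return less than requested as the lease approaches its max TTL."""
        lease = self._leases[lease_id]
        lease.issued_at, lease.ttl = now, new_duration

    def revoke(self, lease_id: str) -> None:
        """Forget a lease after sys/leases/revoke (or once it has expired)."""
        self._leases.pop(lease_id, None)
```

The point of keying on lease_id rather than on the username is that renewal and revocation in Vault are addressed by lease, not by credential content; a non-renewable lease is never reported by due_for_renewal and simply shows up in expired, at which point the application must fetch a fresh credential.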