What command can be used to update a Vault policy named web-app-1 using the command line?
Correct Answer: D
Comprehensive and Detailed In-Depth Explanation: To update an existing Vault policy via the CLI, the correct command is vault policy write.
* D. vault policy write web-app-1 web.hcl: This command updates (or creates, if it does not exist) the policy named "web-app-1" with the contents of "web.hcl". The documentation states: "The write keyword is used to update an existing policy with the contents of the specified file."
* Incorrect Options:
  * A. vault policy create: No such subcommand exists; create is invalid. "The create keyword is not a valid subcommand."
  * B. vault policy fmt: Formats the HCL file but does not update Vault. "It is used to format a policy file."
  * C. vault policy update: Incorrect syntax; Vault uses write, not update. "There is no update command, only write."
The write command's dual purpose (create or update) simplifies policy management.
Reference: https://developer.hashicorp.com/vault/docs/commands/policy/write
Question 97
Which of the following secrets engines does NOT issue a lease upon a read request?
Correct Answer: A
Comprehensive and Detailed In-Depth Explanation: Leases are tied to dynamic secrets with TTLs. Checking each option:
* A. KV: Static secrets; no lease is issued on read. Correct.
* B. Consul: Dynamic credentials with leases. Incorrect.
* C. Database: Dynamic credentials with leases. Incorrect.
* D. AWS: Dynamic credentials with leases. Incorrect.
Overall Explanation from Vault Docs: "The Key/Value Backend... does not issue leases although it may return a lease duration."
Reference: https://developer.hashicorp.com/vault/docs/concepts/lease#lease-renew-and-revoke
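The distinction above is visible in the read response itself: a KV read comes back with an empty lease_id (even though lease_duration is populated), while database, AWS and Consul credentials carry a lease_id that the client must renew or revoke. The following added example (not from the page or from HashiCorp) classifies constructed read responses by that rule; the sample responses are made up, the envelope fields follow the shape of Vault's HTTP read API, and the "renew at two thirds of the TTL" heuristic is an assumption rather than a Vault rule.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample read responses (not captured from a real server). The envelope
# fields (lease_id, renewable, lease_duration, data) follow the shape of Vault's
# HTTP read API; all values are illustrative.
SAMPLE_RESPONSES: Dict[str, str] = {
    # KV v1: static secret, no lease_id, but a lease_duration (the default TTL) is still reported
    "kv/app/config": json.dumps({
        "request_id": "constructed-1", "lease_id": "", "renewable": False,
        "lease_duration": 2764800, "data": {"db_host": "db.internal"}}),
    "database/creds/readonly": json.dumps({
        "request_id": "constructed-2",
        "lease_id": "database/creds/readonly/constructed-lease-id", "renewable": True,
        "lease_duration": 3600, "data": {"username": "v-readonly-x", "password": "constructed"}}),
    "aws/creds/deploy": json.dumps({
        "request_id": "constructed-3",
        "lease_id": "aws/creds/deploy/constructed-lease-id", "renewable": True,
        "lease_duration": 1800, "data": {"access_key": "CONSTRUCTED", "secret_key": "CONSTRUCTED"}}),
    "consul/creds/web": json.dumps({
        "request_id": "constructed-4",
        "lease_id": "consul/creds/web/constructed-lease-id", "renewable": True,
        "lease_duration": 7200, "data": {"token": "constructed"}}),
}


@dataclass
class LeaseInfo:
    path: str
    leased: bool          # True only when Vault returned a non-empty lease_id
    renewable: bool
    ttl_seconds: int      # lease_duration; reported even for KV, where it is only advisory
    lease_id: str


def classify_lease(path: str, raw_json: str) -> LeaseInfo:
    """Decide from a read response whether the secret is under lease management."""
    body = json.loads(raw_json)
    lease_id = body.get("lease_id") or ""
    return LeaseInfo(
        path=path,
        leased=bool(lease_id),
        renewable=bool(body.get("renewable", False)),
        ttl_seconds=int(body.get("lease_duration", 0)),
        lease_id=lease_id,
    )


def leased_paths(responses: Dict[str, str]) -> List[str]:
    """Paths whose reads produced a lease that must be renewed or revoked."""
    return sorted(p for p, raw in responses.items() if classify_lease(p, raw).leased)


def renewal_due_in(info: LeaseInfo, fraction: float = 2 / 3) -> Optional[int]:
    """Seconds until a client should renew; None for unleased (KV) or non-renewable secrets.
    Renewing at two thirds of the TTL is a common client heuristic (an assumption, not a Vault rule)."""
    if not info.leased or not info.renewable:
        return None
    return int(info.ttl_seconds * fraction)


if __name__ == "__main__":
    for path, raw in SAMPLE_RESPONSES.items():
        info = classify_lease(path, raw)
        print(f"{path:28} leased={info.leased!s:5} renewable={info.renewable!s:5} "
              f"ttl={info.ttl_seconds:>8} renew_in={renewalDue if (renewalDue := renewal_due_in(info)) is not None else 'n/a'}")
```

The point to take from the output is that the KV entry reports a 32-day lease_duration yet gets no renewal schedule, because without a lease_id there is nothing for sys/leases/renew to act on; the three dynamic backends each get one.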
Question 98
From the unseal options listed below, select the options you can use if you're deploying Vault on-premises (select four).
Correct Answer: B,C,D,E
Comprehensive and Detailed In-Depth Explanation: Vault requires unsealing to access encrypted data, and on-premises deployments support various unseal mechanisms. Assessing each option:
* A. Certificates: Certificates secure communication (e.g., TLS), not unsealing. Vault's seal/unseal process uses cryptographic keys, not certificates. Incorrect.
* B. Transit: The Transit secrets engine can auto-unseal Vault by managing encryption keys internally. Ideal for on-premises setups avoiding external services. Correct.
* C. AWS KMS: AWS KMS can auto-unseal Vault if the on-premises cluster has internet access to AWS APIs. Common in hybrid setups. Correct.
* D. HSM PKCS11: Hardware Security Modules (HSM) with PKCS11 support secure key storage and auto-unsealing on-premises. Correct.
* E. Key shards: Shamir's Secret Sharing splits the master key into shards, the default manual unseal method for all Vault clusters. Correct.
Overall Explanation from Vault Docs: "Vault supports multiple seal types... Key shards (Shamir) is the default... Auto-unseal options like Transit, AWS KMS, and HSM (PKCS11) are viable for on-premises if configured with access to required services." Certificates are not an unseal mechanism.
Reference: https://developer.hashicorp.com/vault/docs/configuration/seal
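Each of the valid mechanisms above corresponds to a seal stanza in the server configuration (or, for Shamir, to the absence of one). The following added example (not from the page or from HashiCorp) parses constructed config fragments, reports which unseal method each selects, what external dependency it introduces, and rejects a stanza that names something that is not a seal type, such as "certificates". The stanza names and keys follow the documented seal types; the addresses, key id and PIN are placeholders, and the set of required keys per type is an assumption drawn from the seal docs (transit address/token and awskms region may also come from environment variables, so they are not treated as required). Only the first seal stanza in a file is examined.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed server-config fragments (not from the page or HashiCorp). Values are
# placeholders; the stanza names and keys follow Vault's documented seal types.
CONFIGS: Dict[str, str] = {
    # No seal stanza at all: Vault falls back to Shamir key shards (manual unseal).
    "shamir": '''
storage "raft" { path = "/opt/vault/data" node_id = "vault-1" }
listener "tcp" { address = "0.0.0.0:8200" tls_cert_file = "/etc/vault/tls.crt" tls_key_file = "/etc/vault/tls.key" }
''',
    "transit": '''
seal "transit" {
  address    = "https://unsealer.internal:8200"
  key_name   = "autounseal"
  mount_path = "transit/"
}
''',
    "awskms": '''
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "PLACEHOLDER-KMS-KEY-ID"
}
''',
    "pkcs11": '''
seal "pkcs11" {
  lib       = "/usr/lib/softhsm/libsofthsm2.so"
  slot      = "0"
  pin       = "PLACEHOLDER-PIN"
  key_label = "vault-unseal"
}
''',
    # Not a seal type: certificates protect transport, not the root key.
    "certificates": 'seal "certificates" { cert_file = "/etc/vault/tls.crt" }',
}

# Minimum keys per seal type (assumption drawn from the seal docs; keys that can also
# come from environment variables, such as transit address/token or awskms region, are omitted).
REQUIRED_KEYS: Dict[str, set] = {
    "transit": {"key_name", "mount_path"},
    "awskms": {"kms_key_id"},
    "pkcs11": {"lib", "pin", "key_label"},
}
DEPENDS_ON: Dict[str, str] = {
    "transit": "a separate Vault cluster reachable over the network",
    "awskms": "AWS KMS API endpoints (egress from the on-premises network)",
    "pkcs11": "a local HSM reached through the PKCS#11 library",
}

SEAL_RE = re.compile(r'seal\s+"([^"]+)"\s*\{([^}]*)\}', re.S)
KV_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_seal(config_text: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (seal_type, attributes) for the first seal stanza, or None if there is none."""
    m = SEAL_RE.search(config_text)
    if m is None:
        return None
    return m.group(1), dict(KV_RE.findall(m.group(2)))


def assess_unseal(config_text: str) -> Dict[str, object]:
    """Classify the unseal mechanism a config selects and flag obvious misconfiguration."""
    parsed = parse_seal(config_text)
    if parsed is None:
        return {"method": "shamir", "auto_unseal": False, "valid": True,
                "missing": [], "depends_on": "operators presenting key shards"}
    seal_type, attrs = parsed
    if seal_type not in REQUIRED_KEYS:
        return {"method": seal_type, "auto_unseal": False, "valid": False,
                "missing": [], "depends_on": None,
                "error": f"{seal_type!r} is not a Vault seal type"}
    missing: List[str] = sorted(REQUIRED_KEYS[seal_type] - attrs.keys())
    return {"method": seal_type, "auto_unseal": True, "valid": not missing,
            "missing": missing, "depends_on": DEPENDS_ON[seal_type]}


if __name__ == "__main__":
    for name, text in CONFIGS.items():
        print(f"{name:13} -> {assess_unseal(text)}")
```

The depends_on field is the operational reason the question matters: Transit and AWS KMS both move the unseal dependency onto something outside the cluster, so an on-premises deployment must plan for that endpoint being reachable at boot time, whereas PKCS11 keeps it on local hardware and Shamir keeps it with the operators.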
Question 99
Your supervisor has requested that you log into Vault and update a policy for one of the development teams. You successfully authenticated to Vault via OIDC but do not see a way to manage the Vault policies. Why are you unable to manage policies in the Vault UI?
Correct Answer: D
Comprehensive and Detailed In-Depth Explanation: In the Vault UI, the "Policies" tab is visible only if your token's policy grants access to the policy management endpoints (e.g., sys/policy in Vault OSS or sys/policies/acl in Enterprise). If the tab is missing after OIDC authentication, it is because your policy lacks permissions such as read and list on these paths, preventing UI navigation to policy management. For example, a minimal policy to view policies in OSS is path "sys/policy/*" { capabilities = ["read", "list"] }. Without this, the UI hides the tab, in line with Vault's least-privilege model. Option A is false; policies exist in both OSS and Enterprise, with UI support in both. Option B is incorrect; a sealed Vault prevents login entirely, not just policy access. Option C is wrong; the UI does support policy management when permitted. Vault's policy docs confirm that UI visibility depends on policy permissions.
References: Policy Management (OSS); Policy Management (Enterprise)
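Both Question 96 (what "vault policy write web-app-1 web.hcl" loads) and this question (why a token with only an application policy cannot see the Policies tab) come down to which path rules a token carries. The following added example (not from the page or from HashiCorp) parses two constructed policy files, resolves the capabilities a token would have on a request path using Vault's documented matching rules (a trailing "*" is a prefix glob, "+" matches one path segment, the most specific rule wins, deny overrides everything), and then asks whether the token can list policies and read one on the Enterprise sys/policies/acl path. WEB_HCL and POLICY_ADMIN_HCL are constructed stand-ins for web.hcl and an admin policy; only the path "..." { capabilities = [...] } form is parsed, not the legacy policy = "..." form; and treating "list on sys/policies/acl plus read on a named policy" as the UI's requirement is an assumption that follows the explanation above rather than a documented UI contract.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed policy files (not from the page or HashiCorp). WEB_HCL stands in for the
# "web.hcl" that "vault policy write web-app-1 web.hcl" would load; POLICY_ADMIN_HCL adds
# the permissions the UI needs on the policy endpoints.
WEB_HCL = '''
path "secret/data/web-app-1/*" {
  capabilities = ["read", "list"]
}
path "secret/data/+/config" {
  capabilities = ["read"]
}
path "secret/data/web-app-1/private/*" {
  capabilities = ["deny"]
}
'''

POLICY_ADMIN_HCL = '''
path "sys/policies/acl" {
  capabilities = ["list"]
}
path "sys/policies/acl/*" {
  capabilities = ["read", "list", "create", "update"]
}
'''

Rule = Tuple[str, Set[str]]
# Only the path "..." { capabilities = [...] } form is parsed (assumption: no legacy policy = "..." rules).
PATH_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl: str) -> List[Rule]:
    """Extract (path, capabilities) rules from a policy document."""
    rules: List[Rule] = []
    for path, caps in PATH_RE.findall(hcl):
        rules.append((path, {c.strip().strip('"') for c in caps.split(",") if c.strip()}))
    return rules


def rule_regex(rule_path: str) -> "re.Pattern[str]":
    """Translate a policy path to a regex: a trailing '*' is a prefix glob, '+' is one segment."""
    pattern = re.escape(rule_path)
    if pattern.endswith(r"\*"):
        pattern = pattern[:-2] + ".*"
    pattern = pattern.replace(r"\+", "[^/]+")
    return re.compile("^" + pattern + "$")


def capabilities_for(policies: List[List[Rule]], request_path: str) -> Set[str]:
    """Merge all attached policies and return the capabilities of the most specific matching rule.
    Exact matches beat globs, longer paths beat shorter ones, and deny wins outright."""
    merged: Dict[str, Set[str]] = {}
    for rules in policies:
        for rule_path, caps in rules:
            merged.setdefault(rule_path, set()).update(caps)
    best_key = None
    best_caps: Set[str] = set()
    for rule_path, caps in merged.items():
        if rule_regex(rule_path).match(request_path):
            key = (rule_path == request_path, len(rule_path))
            if best_key is None or key > best_key:
                best_key, best_caps = key, caps
    return {"deny"} if "deny" in best_caps else best_caps


def can_manage_policies_in_ui(policies: List[List[Rule]], name: str = "web-app-1") -> bool:
    """Assumed UI requirement: list on the ACL policy collection and read on a named policy."""
    return ("list" in capabilities_for(policies, "sys/policies/acl")
            and "read" in capabilities_for(policies, f"sys/policies/acl/{name}"))


if __name__ == "__main__":
    web_only = [parse_policy(WEB_HCL)]
    with_admin = web_only + [parse_policy(POLICY_ADMIN_HCL)]
    print("web-app-1 token sees Policies tab:", can_manage_policies_in_ui(web_only))
    print("with policy-admin attached:       ", can_manage_policies_in_ui(with_admin))
    print("caps on secret/data/web-app-1/db: ", capabilities_for(web_only, "secret/data/web-app-1/db"))
    print("caps on secret/data/web-app-1/private/key:", capabilities_for(web_only, "secret/data/web-app-1/private/key"))
```

Running it with only WEB_HCL attached reproduces the situation in the question: the token reads its own secrets but has no rule touching sys/policies/acl, so the UI has nothing to show; attaching POLICY_ADMIN_HCL flips the answer without changing anything on the application paths.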
Question 100
During a service outage, you must ensure all current tokens and leases are copied to another Vault cluster for failover so applications don't need to authenticate. How can you accomplish this?
Correct Answer: C
Comprehensive and Detailed In-Depth Explanation:
* A: Insecure and manual; not a Vault feature. Incorrect.
* B: Auto-auth does not replicate tokens or leases. Incorrect.
* C: DR replication mirrors tokens and leases; promotion enables failover. Correct.
* D: Performance replication does not fully replicate tokens. Incorrect.
Overall Explanation from Vault Docs: "Disaster Recovery replication mirrors tokens and leases... Promote the secondary during an outage."
Reference: https://developer.hashicorp.com/vault/docs/enterprise/replication#replicated-data