2024年最新のVault-Associate試験問題集で最近更新された57問題 [Q14-Q37]

Share

2024年最新のVault-Associate試験問題集で最近更新された57問題

HashiCorp Vault-Associateリアル2024年最新のブレーン問題集で模擬試験問題集


HashiCorp Vault-Associate 認定試験の出題範囲:

トピック出題範囲
トピック 1
  • Differentiate human vs. system auth methods
  • Choose an authentication method based on use case
トピック 2
  • Describe authentication methods
  • Illustrate the value of Vault policy
トピック 3
  • Configure authentication methods
  • Describe Vault policy syntax: capabilities
トピック 4
  • Describe root token uses and lifecycle
  • Craft a Vault policy based on requirements
トピック 5
  • Configure Vault policies
  • Access Vault secrets via Curl
  • Explain Vault architecture
トピック 6
  • Compare and configure Vault secrets engines
  • Contrast dynamic secrets vs. static secrets and their use cases
トピック 7
  • Choose a secret method based on use case
  • Explain the purpose of a lease ID
トピック 8
  • Be aware of identities and groups
  • Explain the value of short-lived, dynamically generated secrets
トピック 9
  • Describe Shamir secret sharing and unsealing
  • Differentiate between service and batch tokens. Choose one based on use-case

 

質問 # 14
Which of the following vault lease operations uses a lease _ id as an argument? Choose two correct answers.

  • A. describe
  • B. revoke -prefix
  • C. revoke
  • D. renew
  • E. create

正解:C、D

解説:
The vault lease operations that use a lease_id as an argument are renew and revoke. The renew operation allows a client to extend the validity of a lease associated with a secret or a token. The revoke operation allows a client to terminate a lease immediately and invalidate the secret or the token. Both operations require a lease_id as an argument to identify the lease to be renewed or revoked. The lease_id can be obtained from the response of reading a secret or creating a token, or from the vault lease list command. The other operations, revoke-prefix, create, and describe, do not use a lease_id as an argument. The revoke-prefix operation allows a client to revoke all secrets or tokens generated under a given prefix. The create operation allows a client to create a new lease for a secret. The describe operation allows a client to view information about a lease, such as its TTL, policies, and metadata. Reference: Lease, Renew, and Revoke | Vault | HashiCorp Developer, vault lease - Command | Vault | HashiCorp Developer


質問 # 15
A developer mistakenly committed code that contained AWS S3 credentials into a public repository. You have been tasked with revoking the AWS S3 credential that was in the code. This credential was created using Vault's AWS secrets engine and the developer received the following output when requesting a credential from Vault.

Which Vault command will revoke the lease and remove the credential from AWS?

  • A. vault lease revoke access_key-AKIAI0WQXTLW36DV7IEA
  • B. vault lease revoke f3e92392-7d9c-O9c8-c921-575d62fe80d8
  • C. vault lease revoke AKIAI0WQXTLW36DV7IEA
  • D. vault lease revoke aws/creds/s3-access/f3e92392-7d9c-99c8-c921-57Sd62fe89d8

正解:D

解説:
The correct answer is A because the lease ID is the unique identifier for the credential. The lease ID is used to revoke the credential using the vault lease revoke command. This command will invalidate the credential immediately and prevent any further renewals. It will also delete the access key and secret key from AWS, rendering them useless1. The access key and secret key are not sufficient to revoke the credential, as they are not recognized by Vault. The lease ID is composed of the path of the secrets engine, the role name, and a random UUID. In this case, the path is aws/creds, the role name is s3-access, and the UUID is f3e92392-7d9c-99c8-c921-57Sd62fe89d8.
Reference:
lease revoke - Command | Vault | HashiCorp Developer


質問 # 16
When creating a policy, an error was thrown:

Which statement describes the fix for this issue?

  • A. Replace write with create in the capabilities list
  • B. sudo is not a capability
  • C. You cannot have a wildcard (" * ") in the path

正解:A

解説:
The error was thrown because the policy code contains an invalid capability, "write". The valid capabilities for a policy are "create", "read", "update", "delete", "list", and "sudo". The "write" capability is not recognized by Vault and should be replaced with "create", which allows creating new secrets or overwriting existing ones. The other statements are not correct, because the wildcard (*) and the sudo capability are both valid in a policy. The wildcard matches any number of characters within a path segment, and the sudo capability allows performing certain operations that require root privileges.
Reference:
[Policy Syntax | Vault | HashiCorp Developer]
[Policy Syntax | Vault | HashiCorp Developer]


質問 # 17
You are using the Vault userpass auth method mounted at auth/userpass. How do you create a new user named "sally" with password "h0wN0wB4r0wnC0w"? This new user will need the power-users policy.

  • A.
  • B.
  • C.
  • D.

正解:D

解説:
To create a new user named "sally" with password "h0wN0wB4r0wnC0w" and the power-users policy, you would use the Vault userpass auth method mounted at auth/userpass. You would use the following command: "vault write auth/userpass/users/sally password=h0wN0wB4r0wnC0w policies=power-users". This command would create a new user named "sally" with the specified password and policy. Reference:
[Userpass Auth Method | Vault | HashiCorp Developer]
[Create Vault policies | Vault | HashiCorp Developer]


質問 # 18
The following three policies exist in Vault. What do these policies allow an organization to do?

  • A. Nothing, as the minimum permissions to perform useful tasks are not present
  • B. Create a transit encryption key for encrypting, decrypting, and rewrapping encrypted data
  • C. Separates permissions allowed on actions associated with the transit secret engine
  • D. Encrypt, decrypt, and rewrap data using the transit engine all in one policy

正解:D

解説:
The three policies that exist in Vault are:
admins: This policy grants full access to all secrets and operations in Vault. It can be used by administrators or operators who need to manage all aspects of Vault.
default: This policy grants access to all secrets and operations in Vault except for those that require specific policies. It can be used as a fallback policy when no other policy matches.
transit: This policy grants access only to the transit secrets engine, which handles cryptographic functions on data in-transit. It can be used by applications or services that need to encrypt or decrypt data using Vault.
These policies allow an organization to perform useful tasks such as:
Encrypting, decrypting, and rewrapping data using the transit engine all in one policy: This policy grants access to both the transit secrets engine and the default policy, which allows performing any operation on any secret in Vault.
Creating a transit encryption key for encrypting, decrypting, and rewrapping encrypted data: This policy grants access only to the transit secrets engine and its associated keys, which are used for encrypting and decrypting data in transit using AES-GCM with a 256-bit AES key or other supported key types.
Separating permissions allowed on actions associated with the transit secret engine: This policy grants access only to specific actions related to the transit secrets engine, such as creating keys or wrapping requests. It does not grant access to other operations or secrets in Vault.


質問 # 19
Use this screenshot to answer the question below:

When are you shown these options in the GUI?

  • A. Enabling secret engines
  • B. Enabling policies
  • C. Enabling authentication engines
  • D. Enabling authentication methods

正解:D

解説:
This screenshot is shown when you are enabling authentication methods in the GUI. Authentication methods are the ways users and applications authenticate with Vault. Vault supports many different authentication methods, including username and password, GitHub, and more. You can enable one or more authentication methods from the grid of options, which are divided into three categories: Generic, Cloud, and Infra. Each option has a name, a description, and a logo. You can also enable authentication methods using the Vault CLI or API.
Enabling policies, authentication engines, and secret engines are different tasks that are not related to this screenshot. Policies are rules that govern the access to Vault resources, such as secrets, authentication methods, and audit devices. Authentication engines are components of Vault that perform authentication and assign policies to authenticated entities. Secret engines are components of Vault that store, generate, or encrypt data. These tasks have different GUI pages and options than the screenshot.
Reference:
[Authentication | Vault | HashiCorp Developer]
[Policies | Vault | HashiCorp Developer]
[Authentication | Vault | HashiCorp Developer]
[Secrets Engines | Vault | HashiCorp Developer]


質問 # 20
Where does the Vault Agent store its cache?

  • A. In an unencrypted file
  • B. In the Vault key/value store
  • C. In a file encrypted using the Vault transit secret engine
  • D. In memory

正解:D

解説:
The Vault Agent stores its cache in memory, which means that it does not persist the cached tokens and secrets to disk or any other storage backend. This makes the cache more secure and performant, as it avoids exposing the sensitive data to potential attackers or unauthorized access. However, this also means that the cache is volatile and will be lost if the agent process is terminated or restarted. To mitigate this, the agent can optionally use a persistent cache file to restore the tokens and leases from a previous agent process. The persistent cache file is encrypted using a key derived from the agent's auto-auth token and a nonce, and it is stored in a user-specified location on disk. Reference: Caching - Vault Agent | Vault | HashiCorp Developer, Vault Agent Persistent Caching | Vault | HashiCorp Developer


質問 # 21
What does the following policy do?

  • A. Allows a user to read data about the secret endpoint identity
  • B. Grants access to a special system entity folder
  • C. Nothing, this is not a valid policy
  • D. Grants access for each user to a KV folder which shares their id

正解:A

解説:
This policy allows a user to read data about the secret endpoint identity. The policy grants the user the ability to create, update, read, and delete data in the "secret/data/{identity.entity.id}" path. Additionally, the user is allowed to list data in the "secret/metadata/{identity.entity.id}" path. This policy is useful for users who need to access information about the secret endpoint identity.
The secret endpoint identity is a feature of the Identity Secrets Engine, which allows Vault to generate identity tokens that can be used to access other Vault secrets engines or namespaces. The identity tokens are based on the entity and group information of the user or machine that authenticates with Vault. The entity is a unique identifier for the user or machine, and the group is a collection of entities that share some common attributes. The identity tokens can carry metadata and policies that are associated with the entity and group.
The "secret/data/{identity.entity.id}" path is where the user can store and retrieve data that is related to the secret endpoint identity. For example, the user can store some configuration or preferences for the secret endpoint identity in this path. The "secret/metadata/{identity.entity.id}" path is where the user can list the metadata of the data stored in the "secret/data/{identity.entity.id}" path. For example, the user can list the version, creation time, deletion time, and destroy time of the data in this path.
Reference:
[Identity - Secrets Engines | Vault | HashiCorp Developer]
[KV - Secrets Engines | Vault | HashiCorp Developer]


質問 # 22
As a best practice, the root token should be stored in which of the following ways?

  • A. Should be stored in another password safe
  • B. Should be stored in configuration automation tooling
  • C. Should be revoked and never stored after initial setup
  • D. Should be stored in Vault

正解:C

解説:
The root token is the initial token created when initializing Vault. It has unlimited privileges and can perform any operation in Vault. As a best practice, the root token should be revoked and never stored after initial setup. This is because the root token is a single point of failure and a potential security risk if it is compromised or leaked. Instead of using the root token, Vault operators should create other tokens with appropriate policies and roles that allow them to perform their tasks. If a new root token is needed in an emergency, the vault operator generate-root command can be used to create one on-the-fly with the consent of a quorum of unseal key holders. Reference: Tokens | Vault | HashiCorp Developer, Generate root tokens using unseal keys | Vault | HashiCorp Developer


質問 # 23
What command creates a secret with the key "my-password" and the value "53cr3t" at path "my-secrets" within the KV secrets engine mounted at "secret"?

  • A. vault kv write secret/my-secrets/my-password 53cr3t
  • B. vault kv put secret/my-secrets/my-password-53cr3t
  • C. vault kv put secret/my-secrets/my-password 53cr3t
  • D. vault kv write 53cr3t my-secrets/my-password

正解:C

解説:
The vault kv put command writes the data to the given path in the K/V secrets engine. The command requires the mount path of the K/V secrets engine, the secret path, and the key-value pair to store. The mount path can be specified with the -mount flag or as part of the secret path. The key-value pair can be given as an argument or read from a file or stdin. The correct syntax for the command is:
vault kv put -mount=secret my-secrets/my-password 53cr3t
or
vault kv put secret/my-secrets my-password=53cr3t
The other options are incorrect because they use the deprecated vault kv write command, or they have the wrong order or format of the arguments. Reference: https://developer.hashicorp.com/vault/docs/commands/kv/put3, https://developer.hashicorp.com/vault/docs/commands/kv4


質問 # 24
What is a benefit of response wrapping?

  • A. Load balanc secret generation across a Vault cluster
  • B. Log every use of a secret
  • C. Ensure that only a single party can ever unwrap the token and see what's inside
  • D. Provide error recovery to a secret so it is not corrupted in transit

正解:C

解説:
Response wrapping is a feature that allows Vault to take the response it would have sent to a client and instead insert it into the cubbyhole of a single-use token, returning that token instead. The client can then unwrap the token and retrieve the original response. Response wrapping has several benefits, such as providing cover, malfeasance detection, and lifetime limitation for the secret data. One of the benefits is to ensure that only a single party can ever unwrap the token and see what's inside, as the token can be used only once and cannot be unwrapped by anyone else, even the root user or the creator of the token. This provides a way to securely distribute secrets to the intended recipients and detect any tampering or interception along the way5.
The other options are not benefits of response wrapping:
Log every use of a secret: Response wrapping does not log every use of a secret, as the secret is not directly exposed to the client or the network. However, Vault does log the creation and deletion of the response-wrapping token, and the client can use the audit device to log the unwrapping operation6.
Load balance secret generation across a Vault cluster: Response wrapping does not load balance secret generation across a Vault cluster, as the secret is generated by the Vault server that receives the request and the response-wrapping token is bound to that server. However, Vault does support high availability and replication modes that can distribute the load and improve the performance of the cluster7.
Provide error recovery to a secret so it is not corrupted in transit: Response wrapping does not provide error recovery to a secret so it is not corrupted in transit, as the secret is encrypted and stored in the cubbyhole of the token and cannot be modified or corrupted by anyone. However, if the token is lost or expired, the secret cannot be recovered either, so the client should have a backup or retry mechanism to handle such cases.


質問 # 25
When using Integrated Storage, which of the following should you do to recover from possible data loss?

  • A. Failover to a standby node
  • B. Use server logs
  • C. Use snapshot
  • D. Use audit logs

正解:C

解説:
Integrated Storage is a Raft-based storage backend that allows Vault to store its data internally without relying on an external storage system. It also enables Vault to run in high availability mode with automatic leader election and failover. However, Integrated Storage is not immune to data loss or corruption due to hardware failures, network partitions, or human errors. Therefore, it is recommended to use the snapshot feature to backup and restore the Vault data periodically or on demand. A snapshot is a point-in-time capture of the entire Vault data, including the encrypted secrets, the configuration, and the metadata. Snapshots can be taken and restored using the vault operator raft snapshot command or the sys/storage/raft/snapshot API endpoint. Snapshots are encrypted and can only be restored with a quorum of unseal keys or recovery keys. Snapshots are also portable and can be used to migrate data between different Vault clusters or storage backends. Reference: https://developer.hashicorp.com/vault/docs/concepts/integrated-storage1, https://developer.hashicorp.com/vault/docs/commands/operator/raft/snapshot2, https://developer.hashicorp.com/vault/api-docs/system/storage/raft/snapshot3


質問 # 26
The key/value v2 secrets engine is enabled at secret/ See the following policy:

Which of the following operations are permitted by this policy? Choose two correct answers.

  • A. vault kv put secret/webapp1 apikey-"ABCDEFGHI] K123M"
  • B. vault kv delete secret/super-secret
  • C. vault kv get secret/webapp1
  • D. vault kv list secret/super-secret
  • E. vault kv metadata get secret/webapp1

正解:C、E

解説:
The policy shown in the image is:
path "secret/data/webapp1" { capabilities = ["create", "read", "update", "delete", "list"] } path "secret/data/super-secret" { capabilities = ["deny"] } This policy grants or denies access to the key/value v2 secrets engine mounted at secret/ according to the following rules:
The path "secret/data/webapp1" has the capabilities of "create", "read", "update", "delete", and "list". This means that the policy allows performing any of these operations on the secrets stored under this path. The data/ prefix is used to access the actual secret data in the key/value v2 secrets engine5. Therefore, the policy permits the operation of vault kv get secret/webapp1, which reads the secret data at secret/data/webapp16.
The path "secret/data/super-secret" has the capability of "deny". This means that the policy denies performing any operation on the secrets stored under this path. The policy overrides any other policy that might grant access to this path. Therefore, the policy does not permit the operations of vault kv delete secret/super-secret and vault kv list secret/super-secret, which delete and list the secret data at secret/data/super-secret respectively6.
The policy does not explicitly define any rules for the path "secret/metadata". The metadata/ prefix is used to access the metadata of the secrets in the key/value v2 secrets engine, such as the number of versions, the deletion status, the creation time, etc5. By default, if the policy grants any of the capabilities of "create", "read", "update", or "delete" on the data/ path, it also grants the same capabilities on the corresponding metadata/ path7. Therefore, the policy permits the operation of vault kv metadata get secret/webapp1, which reads the metadata of the secret at secret/metadata/webapp18.


質問 # 27
What is the Vault CLI command to query information about the token the client is currently using?

  • A. vault lookup token
  • B. vault self-lookup
  • C. vault lookup self
  • D. vault token lookup

正解:D

解説:
The Vault CLI command to query information about the token the client is currently using is vault token lookup. This command displays information about the token or accessor provided as an argument, or the locally authenticated token if no argument is given. The information includes the token ID, accessor, policies, TTL, creation time, and metadata. This command can be useful for debugging and auditing purposes, as well as for renewing or revoking tokens. Reference: token lookup - Command | Vault | HashiCorp Developer, Tokens | Vault | HashiCorp Developer


質問 # 28
To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?

  • A. sudo
  • B. update
  • C. None of the above
  • D. read
  • E. list

正解:A

解説:
To give a role the ability to display or output all of the end points under the /secrets/apps/* end point, it would need to have the list capability set. The list capability allows a role to perform any operation on any path in Vault, including reading, writing, deleting, and listing. The list capability is required for roles that need to access sensitive data or perform administrative tasks in Vault. The other capabilities are not relevant for this scenario, as they only allow specific operations on specific paths or secrets engines. Reference: Policies | Vault | HashiCorp Developer, token capabilities - Command | Vault | HashiCorp Developer


質問 # 29
To make an authenticated request via the Vault HTTP API, which header would you use?

  • A. The X-Vault-Namespace HTTP Header
  • B. The x-Vault-Request HTTP Header
  • C. The X-Vault-Token HTTP Header
  • D. The Content-Type HTTP Header

正解:C

解説:
To make an authenticated request via the Vault HTTP API, you need to use the X-Vault-Token HTTP Header or the Authorization HTTP Header using the Bearer <token> scheme. The token is a string that represents your identity and permissions in Vault. You can obtain a token by using an authentication method, such as userpass, approle, aws, etc. The token can also be a root token, which has unlimited access to Vault, or a wrapped token, which is a response-wrapping token that can be used to unwrap the actual token. The token must be sent with every request to Vault that requires authentication, except for the unauthenticated endpoints, such as sys/init, sys/seal-status, sys/unseal, etc. The token is used by Vault to verify your identity and enforce the policies that grant or deny access to various paths and operations. Reference: https://developer.hashicorp.com/vault/api-docs3, https://developer.hashicorp.com/vault/docs/concepts/tokens4, https://developer.hashicorp.com/vault/docs/concepts/auth5


質問 # 30
When looking at Vault token details, which key helps you find the paths the token is able to access?

  • A. Path
  • B. Accessor
  • C. Meta
  • D. Policies

正解:D

解説:
When looking at Vault token details, the policies key helps you find the paths the token is able to access. Policies are a declarative way to grant or forbid access to certain paths and operations in Vault. Policies are written in HCL or JSON and are attached to tokens by name. Policies are deny by default, so an empty policy grants no permission in the system. A token can have one or more policies associated with it, and the effective policy is the union of all the individual policies. You can view the token details by using the vault token lookup command or the auth/token/lookup API endpoint. The output will show the policies key with a list of policy names that are attached to the token. You can also view the contents of a policy by using the vault policy read command or the sys/policy API endpoint. The output will show the rules key with the HCL or JSON representation of the policy. The rules will specify the paths and the capabilities (such as create, read, update, delete, list, etc.) that the policy allows or denies. Reference: https://developer.hashicorp.com/vault/docs/concepts/policies4, https://developer.hashicorp.com/vault/docs/commands/token/lookup5, https://developer.hashicorp.com/vault/api-docs/auth/token#lookup-a-token6, https://developer.hashicorp.com/vault/docs/commands/policy/read7, https://developer.hashicorp.com/vault/api-docs/system/policy8


質問 # 31
Which of the following describes the Vault's auth method component?

  • A. It is responsible for durable storage of client tokens
  • B. It dynamically generates a unique set of secrets with appropriate permissions attached
  • C. It verifies a client against an internal or external system, and generates a token with the appropriate policies attached
  • D. It verifies a client against an internal or external system, and generates a token with root policy

正解:C

解説:
The Vault's auth method component is the component that performs authentication and assigns identity and policies to a client. It verifies a client against an internal or external system, and generates a token with the appropriate policies attached. The token can then be used to access the secrets and resources that are authorized by the policies. Vault supports various auth methods, such as userpass, ldap, aws, kubernetes, etc., that can integrate with different identity providers and systems. The auth method component can also handle token renewal and revocation, as well as identity grouping and aliasing. Reference: Auth Methods | Vault | HashiCorp Developer, Authentication - Concepts | Vault | HashiCorp Developer


質問 # 32
Use this screenshot to answer the question below:

Where on this page would you click to view a secret located at secret/my-secret?

  • A. C
  • B. A
  • C. B
  • D. E
  • E. D

正解:A

解説:
In the HashiCorp Vault UI, secrets are organized in a tree-like structure. To view a secret located at secret/my-secret, you would click on the "secret/" folder in the tree, then click on the "my-secret" file. In this screenshot, the "secret/" folder is located at option C. This folder contains the secrets that are stored in the key/value secrets engine, which is the default secrets engine in Vault. The key/value secrets engine allows you to store arbitrary secrets as key/value pairs. The key is the path of the secret, and the value is the data of the secret. For example, the secret located at secret/my-secret has a key of "my-secret" and a value of whatever data you stored there.
Reference:
[KV - Secrets Engines | Vault | HashiCorp Developer]


質問 # 33
You are using Vault's Transit secrets engine to encrypt your dat
a. You want to reduce the amount of content encrypted with a single key in case the key gets compromised. How would you do this?

  • A. Periodically re-key the Vault's unseal keys
  • B. Use 4096-bit RSA key to encrypt the data
  • C. Periodically rotate the encryption key
  • D. Upgrade to Vault Enterprise and integrate with HSM

正解:C

解説:
The Transit secrets engine supports the rotation of encryption keys, which allows you to change the key that is used to encrypt new data without affecting the ability to decrypt data that was already encrypted. This reduces the amount of content encrypted with a single key in case the key gets compromised, and also helps you comply with the NIST guidelines for key rotation. You can rotate the encryption key manually by invoking the /transit/keys/<name>/rotate endpoint, or you can configure the key to automatically rotate based on a time interval or a number of encryption operations. When you rotate a key, Vault generates a new key version and increments the key's latest_version metadata. The new key version becomes the encryption key used for encrypting any new data. The previous key versions are still available for decrypting the existing data, unless you specify a minimum decryption version to archive the old key versions. You can also delete or disable old key versions if you want to revoke access to the data encrypted with those versions. Reference: https://developer.hashicorp.com/vault/docs/secrets/transit1, https://developer.hashicorp.com/vault/api-docs/secret/transit2


質問 # 34
Examine the command below. Output has been trimmed.

Which of the following statements describe the command and its output?

  • A. Generated token's TTL is 60 hours
  • B. Missing a default token policy
  • C. Configures the AppRole auth method with user specified role ID and secret ID
  • D. Generated token is an orphan token which can be renewed indefinitely

正解:A、D

解説:
The command shown in the image is:
vault token create -policy=approle -orphan -period=60h
This command creates a new token with the following characteristics:
It has the policy "approle" attached to it, which grants or denies access to certain paths and operations in Vault according to the policy rules. The policy can be defined by using the vault policy write command or the sys/policy API endpoint12.
It is an orphan token, which means it has no parent token and it will not be revoked when its parent token is revoked. Orphan tokens can be useful for creating long-lived tokens that are not affected by the token hierarchy3.
It has a period of 60 hours, which means it has a renewable TTL of 60 hours. This means that the token can be renewed indefinitely as long as it does not go past the 60-hour mark from the last renewal time. The token's TTL will be reset to 60 hours upon each renewal. Periodic tokens are useful for creating tokens that have a fixed lifetime and can be easily revoked4.


質問 # 35
A web application uses Vault's transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit which of the following statements are true? Choose two correct answers.

  • A. Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)
  • B. The Vault administrator would need to seal the Vault server immediately
  • C. You can rotate the encryption key so that the attacker won't be able to decrypt the data
  • D. The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted

正解:A、D

解説:
A web application that uses Vault's transit secrets engine to encrypt data in-transit can benefit from the following security features:
Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit). This means that the attacker would need to obtain the encryption key from Vault in order to decrypt the data, which is protected by Vault's authentication and authorization mechanisms. The transit secrets engine does not store the data sent to it, so the attacker cannot access the data from Vault either.
The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted. This means that the web application can periodically change the encryption key used to encrypt the data, and set a minimum decryption version for the key, which prevents older versions of the key from being used to decrypt the data. This way, even if the attacker somehow obtained an old version of the key, they would not be able to decrypt the data that was encrypted with a newer version of the key.
The other statements are not true, because:
You cannot rotate the encryption key so that the attacker won't be able to decrypt the data. Rotating the key alone does not prevent the attacker from decrypting the data, as they may still have access to the old version of the key that was used to encrypt the data. You need to also move the min_decryption_version forward to invalidate the old version of the key.
The Vault administrator would not need to seal the Vault server immediately. Sealing the Vault server would make it inaccessible to both the attacker and the legitimate users, and would require unsealing it with the unseal keys or the recovery keys. Sealing the Vault server is a last resort option in case of a severe compromise or emergency, and is not necessary in this scenario, as the attacker does not have access to the encryption key or the data in Vault. Reference: Transit - Secrets Engines | Vault | HashiCorp Developer, Encryption as a service: transit secrets engine | Vault | HashiCorp Developer


質問 # 36
Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates. Which secrets engine will best support this use case?

  • A. Key/Value secrets engine version 2, with TTL defined
  • B. Cloud KMS
  • C. PKI
  • D. Transit

正解:C

解説:
The PKI secrets engine is designed to support the use case of reducing and ultimately removing the use of long lived X.509 certificates. The PKI secrets engine can generate dynamic X.509 certificates on demand, with short time-to-live (TTL) and automatic revocation. This eliminates the need for manual processes of generating, signing, and rotating certificates, and reduces the risk of certificate compromise or misuse. The PKI secrets engine can also act as a certificate authority (CA) or an intermediate CA, and can integrate with external CAs or CRLs. The PKI secrets engine can issue certificates for various purposes, such as TLS, SSH, code signing, email encryption, etc. Reference: https://developer.hashicorp.com/vault/docs/secrets/pki1, https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets


質問 # 37
......

厳密検証されたVault-Associate試験問題集と解答で無料提供のVault-Associate問題と正解付き:https://jp.fast2test.com/Vault-Associate-premium-file.html


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어