HCVA0-003 Free Practice Test

- (Topic 4)
You have a new team member on the Vault operations team. Their first task is to rotate the encryption key in Vault as part of the organization??s security policy. However, when they log in, they get an access denied error when attempting to rotate the key. The policy being used is below. Why can??t the user rotate the encryption key?
path "auth/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "sys/rotate" {
capabilities = ["read", "update"]
}

1. A. The policy requires sudo privileges since it is a root-protected path
2. B. The policy doesn??t include create privileges so a new encryption key can??t be created
3. C. The policy should include sys/rotate/ as part of the path
4. D. The encryption key has a minimum TTL, therefore the key cannot be rotated until that time expires

Correct Answer: A

- (Topic 5)
Which of the following statements describe the secrets engine in Vault? Choose three correct answers.

1. A. Some secrets engines simply store and read data
2. B. Once enabled, you cannot disable the secrets engine
3. C. You can build your own custom secrets engine
4. D. Each secrets engine is isolated to its path
5. E. A secrets engine cannot be enabled at multiple paths

Correct Answer: ACD

- (Topic 3)
What API endpoint is used to enable and configure a secrets engine?

1. A. /v1/sys/init
2. B. /v1/sys/mounts
3. C. /v1/sys/config
4. D. /v1/sys/plugins/catalog

Correct Answer: B

- (Topic 4)
A new application is being provisioned in your environment. The application requires the generation of dynamic credentials against the Oracle database in order to read reporting data. Which is the best auth method to use to permit the application to authenticate to Vault?

1. A. OIDC
2. B. GitHub
3. C. Userpass
4. D. AppRole

Correct Answer: D

- (Topic 4)
You have enabled the Transit secrets engine and want to start encrypting data to store in Azure Blob storage. What is the next step that needs to be completed before you can encrypt data? (Select two)

1. A. Export the encryption key and upload it to the application server
2. B. Enable the Transit secrets engine API
3. C. Create an encryption key for the application to use
4. D. Write a policy that permits the application to use the encryption key

Correct Answer: CD