Reliable HashiCorp Security Automation VA-002-P Dumps PDF Jul 04, 2023 Recently Updated Questions [Q107-Q127]

Pass Your HashiCorp VA-002-P Exam with Correct 202 Questions and Answers


HashiCorp VA-002-P Exam Syllabus Topics:

Topic | Details
Topic 1
  • Describe the encryption of data stored by Vault
  • Contrast dynamic secrets vs. static secrets and their use cases
Topic 2
  • Access Vault secrets via Curl
  • Manage Vault leases
  • Define token accessors
  • Create Vault policies
Topic 3
  • Choose a secret method based on use case
  • Describe Vault policy syntax: path
  • Configure authentication methods
Topic 4
  • Explain encryption as a service
  • Explain response wrapping
  • Explain Vault architecture
  • Authenticate to Vault
Topic 5
  • Describe secrets caching
  • Configure Vault policies
  • Explain orphaned tokens
  • Configure Vault policies
Topic 6
  • Explain the value of short-lived, dynamically generated secrets
  • Choose an authentication method based on use case
Topic 7
  • Describe Shamir secret sharing and unsealing
  • Craft a Vault policy based on requirements
  • Describe Vault policy syntax: capabilities

 

NEW QUESTION # 107
By default, where does Terraform store its state file?

  • A. remotely using Terraform Cloud
  • B. Amazon S3 bucket
  • C. shared directory
  • D. current working directory

Answer: D

Explanation:
By default, the state file is stored in a local file named "terraform.tfstate", but it can also be stored remotely, which works better in a team environment.


NEW QUESTION # 108
What is the best and easiest way for Terraform to read and write secrets from HashiCorp Vault?

  • A. API access using the AppRole auth method
  • B. Vault provider
  • C. Integration with a tool like Jenkins
  • D. CLI access from the same machine running Terraform

Answer: B

Explanation:
The Vault provider allows Terraform to read from, write to, and configure HashiCorp Vault.


NEW QUESTION # 109
What is the result of the following terraform function call?
lookup({a="hello", b="goodbye"}, "c", "what?")

  • A. what?
  • B. goodbye
  • C. c
  • D. hello

Answer: A

Explanation:
lookup retrieves the value of a single element from a map, given its key. If the given key does not exist, the given default value is returned instead. In this case, the function call is searching for the key "c". But since there is no key "c", the default value "what?" is returned.
https://www.terraform.io/docs/configuration/functions/lookup.html


NEW QUESTION # 110
A user has logged into the Vault user interface but cannot browse to a secret located at kv/applications/app3; however, the policy the user is bound by permits read permission to the secret.
Because of the read permission, the user should be able to read the secret in the Vault UI.

  • A. True
  • B. False

Answer: B

Explanation:
To browse Vault paths in the UI, the user must have list permissions on the mount and the paths leading up to the secret.


NEW QUESTION # 111
A Vault client who has read access to the path secrets/apps/app1 is having trouble viewing the secret in the user interface (UI) but can access it via the API. What can be done to resolve this issue?

  • A. add LIST to the policy so the user can browse the paths leading up to the key/value's path
  • B. remove the deny policy blocking access to the secrets/apps/app1 path
  • C. add read permissions to the path secrets/apps
  • D. modify the policy to allow the create permission

Answer: A

Explanation:
To view the paths leading up to the secrets/apps/app1 path in the user interface, the user must have at least LIST permissions; otherwise the UI returns a permission denied error.


NEW QUESTION # 112
When architecting a Vault replication configuration, why should you never terminate TLS on a front-end load balancer?

  • A. Vault generates self-signed mutual TLS for replication. If the LB is performing TLS termination, this will break the mutual TLS between nodes.
  • B. If Vault detects that the traffic has been unencrypted and re-encrypted, due to the load balancer, it will automatically drop the traffic as it is no longer trusted.
  • C. Vault requires that only Consul service discovery can be used to direct traffic to an active Vault node.
  • D. Vault replication won't work with the type of certificates that a traditional load balancer uses.

Answer: A

Explanation:
For replication (port 8201), Vault generates a mutual TLS connection between nodes using self-generated certs/keys (this is different than the TLS you configure in the listener, which is particular to client requests)... server-to-server always uses this mutual TLS, even if you have TLS disabled on the listener.
Reference links:
https://www.vaultproject.io/docs/configuration/listener/tcp
https://www.vaultproject.io/docs/concepts/ha


NEW QUESTION # 113
True or False:
Workspaces provide identical functionality in the open-source, Terraform Cloud, and Enterprise versions of Terraform.

  • A. True
  • B. False

Answer: B

Explanation:
Workspaces, managed with the terraform workspace command, aren't the same thing as Terraform Cloud workspaces.
Terraform Cloud workspaces act more like completely separate working directories.
CLI workspaces (OSS) are just alternate state files.


NEW QUESTION # 114
Which of the following policies would permit a user to generate dynamic credentials on a database?

  • A. path "database/creds/read_only_role" {
    capabilities = ["sudo"]
    }
  • B. path "database/creds/read_only_role" {
    capabilities = ["read"]
    }
  • C. path "database/creds/read_only_role" {
    capabilities = ["list"]
    }
  • D. path "database/creds/read_only_role" {
    capabilities = ["generate"]
    }

Answer: B

Explanation:
The HTTP request is a GET which corresponds to a read capability. Thus, to grant access to generate database credentials, the policy would grant read access on the appropriate path.


NEW QUESTION # 115
You've logged into the Vault CLI and attempted to enable an auth method, but received this error message. What can be done to resolve the error and configure Vault?
Error enabling userpass auth: Post https://127.0.0.1:8200/v1/sys/auth/userpass: http: server gave HTTP response to HTTPS client

  • A. ask an admin to grant you permission to enable the userpass auth method
  • B. change 'userpass' to 'username and password'
  • C. set the VAULT_ADDR environment variable to HTTP
  • D. restart the Vault service on this node

Answer: C

Explanation:
If you're running Vault in a non-prod environment, you can configure Vault to disable TLS.
In this case, TLS has been disabled but the default value for VAULT_ADDR is https://127.0.0.1:8200, so the Vault CLI sends the request over HTTPS while the Vault server responds using HTTP, since TLS is disabled.
To handle this error, set the VAULT_ADDR environment variable to "http://127.0.0.1:8200".


NEW QUESTION # 116
True or False? When using the Terraform provider for Vault, the tight integration between these HashiCorp tools provides the ability to mask secrets in the terraform plan and state files.

  • A. True
  • B. False

Answer: B

Explanation:
Currently, Terraform has no mechanism to redact or protect secrets that are returned via data sources, so secrets read via this provider will be persisted into the Terraform state, into any plan files, and in some cases in the console output produced while planning and applying. These artifacts must, therefore, all be protected accordingly.


NEW QUESTION # 117
Select the feature below that best completes the sentence:
The following list represents the different types of __________ available in Terraform.
1. max
2. min
3. join
4. replace
5. list
6. length
7. range

  • A. data sources
  • B. named values
  • C. backends
  • D. functions

Answer: D

Explanation:
The Terraform language includes a number of built-in functions that you can call from within expressions to transform and combine values. The Terraform language does not support user-defined functions, and only the functions built into the language are available for use.


NEW QUESTION # 118
How can Vault be used to programmatically obtain a generated code for MFA, somewhat similar to Google Authenticator?

  • A. the identity secrets engine
  • B. the random byte generator
  • C. TOTP secrets engine
  • D. cubbyhole

Answer: C

Explanation:
The TOTP secrets engine generates time-based credentials according to the TOTP standard. The secrets engine can also be used to generate a new key and validate passwords generated by that key.
The TOTP secrets engine can act as both a generator (like Google Authenticator) and a provider (like the Google.com sign-in service).
As a Generator
The TOTP secrets engine can act as a TOTP code generator. In this mode, it can replace traditional TOTP generators like Google Authenticator. It provides an added layer of security since the ability to generate codes is guarded by policies and the entire process is audited.
Reference link: https://www.vaultproject.io/docs/secrets/totp


NEW QUESTION # 119
Which of the following secrets engines can generate dynamic credentials? (select three)

  • A. key/value
  • B. Transit
  • C. database
  • D. Azure
  • E. AWS

Answer: C,D,E

Explanation:
Vault has many secrets engines that can generate dynamic credentials, including AWS, Azure, and database secrets engines. The key/value secret engine is used to store data, and the transit secret engine is used to encrypt data.


NEW QUESTION # 120
Select the two default policies created in Vault. (select two)

  • A. base
  • B. default
  • C. vault
  • D. admin
  • E. root
  • F. user

Answer: B,E

Explanation:
Vault creates two default policies: root and default.
The root policy cannot be deleted or modified.
The default policy is attached to all tokens by default; however, this action can be modified if needed.


NEW QUESTION # 121
You want to use terraform import to start managing infrastructure that was not originally provisioned through infrastructure as code. Before you can import the resource's current state, what must you do in order to prepare to manage these resources using Terraform?

  • A. shut down or stop using the resources being imported so no changes are inadvertently missed
  • B. run terraform refresh to ensure that the state file has the latest information for existing resources.
  • C. update the configuration file to include the new resources
  • D. modify the Terraform state file to add the new resources

Answer: C

Explanation:
The current implementation of Terraform import can only import resources into the state. It does not generate a configuration. Because of this, and prior to running terraform import, it is necessary to manually write a resource configuration block for the resource to which the imported object will be mapped.
First, add the resources to the configuration file:
resource "aws_instance" "example" {
# ...instance configuration...
}
Then run the following command:
$ terraform import aws_instance.example i-abcd1234


NEW QUESTION # 122
The Vault Agent provides which of the following benefits? (select three)

  • A. client-side caching of responses
  • B. token renewal
  • C. automatically creates secrets in the desired storage backend
  • D. authentication to Vault

Answer: A,B,D

Explanation:
Vault Agent is a client daemon that provides the following features:
- Auto-Auth
- Caching
- Templating
Reference link: https://www.vaultproject.io/docs/agent


NEW QUESTION # 123
In order to extend a Consul storage backend, Consul nodes should be provisioned across multiple data centers or cloud regions.

  • A. True
  • B. False

Answer: B

Explanation:
Consul nodes in the same cluster should not be provisioned across multiple data centers or cloud regions due to the low-latency requirements.


NEW QUESTION # 124
True or False:
A list(...) may contain a number of values of the same type while an object(...) can contain a number of values of different types.

  • A. False
  • B. True

Answer: B

Explanation:
A collection type allows multiple values of one other type to be grouped together as a single value. This includes a list, map, and set.
A structural type allows multiple values of several distinct types to be grouped together as a single value. This includes object and tuple.


NEW QUESTION # 125
Using the Vault CLI, what command is used to authenticate to Vault?

  • A. vault user
  • B. vault login
  • C. vault creds
  • D. vault auth

Answer: B

Explanation:
The vault login command is issued to log in to Vault via the CLI, followed by the type of login.
For example, an LDAP login would use vault login -method=ldap username=<user>


NEW QUESTION # 126
By default, how long does the transit secrets engine store the resulting ciphertext?

  • A. transit does not store data
  • B. 30 days
  • C. 24 hours
  • D. 32 days

Answer: A

Explanation:
Vault does NOT store any data encrypted via the transit/encrypt endpoint. The output you received is the ciphertext. You can store this ciphertext at the desired location (e.g. MySQL database) or pass it to another application.


NEW QUESTION # 127
......


The exam is appropriate for IT professionals and developers seeking to boost their qualifications and career prospects. The individuals who pass the HashiCorp VA-002-P exam earn the title of HashiCorp Certified: Vault Associate, which is recognized globally as proof of expertise in Vault management. Applicants who pass the exam also have exclusive access to HashiCorp's Certified Community, which provides networking and mentorship opportunities.

 

Latest 2023 Realistic Verified VA-002-P Dumps: https://www.guidetorrent.com/VA-002-P-pdf-free-download.html