VA-002-P Online Practice Questions and Answers

Correct Answer: BD

The Vault configuration file supports either JSON or HCL, which is HashiCorp Configuration Language

Correct Answer: A

Vault supports AWS, Azure, Google Cloud, and Alibaba Cloud out of the box for secrets engines

Correct Answer: A

Everything in Vault is path-based including policies. Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault. Policies are deny by default, so an empty policy grants no permission in the system.

Correct Answer: ABD

The encryption key used to encrypt the plaintext is regarded as a data key. This data key needs to be protected so that your encrypted data cannot be decrypted comfortably by an unauthorized party. In this case, data has been encrypted by specifying the keyring name creditcard.

Correct Answer: AE

Within each datacenter, we have a mixture of clients and servers. It is expected that there be between three to five servers. This strikes a balance between availability in the case of failure and performance, as consensus gets progressively slower as more machines are added. However, there is no limit to the number of clients, and they can easily scale into the thousands or tens of thousands. Server or Leader - It indicates whether the agent is running in server or client mode. Server nodes participate in the consensus quorum, storing cluster state, and handling queries. At any given time, the peer set elects a single node to be the leader. The leader is responsible for ingesting new log entries, replicating to followers, and managing when an entry is considered committed. Client or Follower - Client nodes make up the majority of the cluster, and they are very lightweight as they interface with the server nodes for most operations and maintain a very little state of their own. Reference link:- https://www.consul.io/docs/internals/ architecture.html

Correct Answer: C

In this particular question, a VPC endpoint can provide private connectivity to an AWS service without having to traverse the public internet. This way you hit a private endpoint for the service rather than connecting to the public endpoint. This is more of an AWS-type question, but the underlying premise still holds regardless of where your Vault cluster is deployed. If you use a public cloud KMS solution, such as AWS KMS, Azure Key Vault, GCP Cloud KMS, or AliCloud KMS, your Vault cluster will need the ability to communicate with that service to unseal itself.

Correct Answer: B

If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8, these policies will work for most use-cases, assuming that your service name is vault and the prefix being used is vault/Consul ACLs should always be enabled when using Consul as a storage backend. This policy allows Vault to communicate to the required services hosted on Consul. Reference link:- https://www.vaultproject.io/docs/ configuration/storage/consul

Correct Answer: A

Provisioners are used to execute scripts on a local or remote machine as part of resource creation or destruction. Provisioners can be used to bootstrap a resource, cleanup before destroy, run configuration management, etc. Even if the functionality you need is not available in a provider today, HashiCorp suggests that you consider local-exec usage as a temporary workaround and to open an issue in the relevant provider's repo to discuss adding first-class support.

Correct Answer: C

github is not a supported backend type. https://www.terraform.io/docs/backends/types/index.html

Correct Answer: B

The terraform state command is used for advanced state management. Rather than modify the state directly, the terraform state commands can be used in many cases instead. https://www.terraform.io/docs/ commands/state/index.html