Sample Questions - Vault Associate Certification

The exam mainly consists of multiple choice and true/false questions. In addition, there are UI area selection questions. Some of the multiple choice questions are scenario-based questions to test your understanding of Vault usages.

Below are some examples so you can familiarize yourself with the exam format.

»True/false questions

»Q1: When Vault is sealed, it can access the physical storage but cannot read the data because it does not know how to decrypt them.

🔘 True
🔘 False

»Q2: Batch tokens can be renewed indefinitely.

🔘 True
🔘 False

»Q3: To seal a Vault, the client token must have the sudo capability on the sys/seal path.

🔘 True
🔘 False

»Multiple choice questions

When there is more than one correct answer, the question explicitly states so. For example, "Choose TWO correct answers."

»Q4: Which statement is true about an orphan token?

🔘 It does not expire when its parent does
🔘 It is not persisted
🔘 It does not have a max time-to-live (TTL)
🔘 It has a use limit

»Q5: Which path will this policy allow?

path "kv/+/team_*" {
    capabilities = [ "read" ]
}

path "kv/+/team_*" {    capabilities = [ "read" ]}

🔘 kv/team_edu
🔘 kv/us-west/team
🔘 kv/us-west/team_edu
🔘 kv/us-west/ca/team_edu

»Q6: What is true of Vault tokens? Choose TWO correct answers.

• Vault tokens are generated by every authentication method login
• Vault tokens are also known as unseal keys
• Vault tokens are required for every Vault call
• Vault token IDs always begin with "s." such as s.E7rOurS2n7m2Dt5409jWxR87
• Vault tokens are the core method for authentication in Vault

»Q7: Which statements correctly describe the command below. Choose TWO correct answers.

vault write transit/decrypt/password \
  ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==

vault write transit/decrypt/password \  ciphertext=vault:v1:8SDd3WHDOjf7mq69CyCqYjBXAiQQAVZRkFM13ok481zoCmHnSeDX9vyf7w==

• Returns an error due to missing encryption key name
• Returns base64-encoded plaintext
• Decrypts the ciphertext if the token permits
• Returns the ciphertext
• Requires sudo capability on the transit/decrypt/password path

»Q8: An organization needs to protect sensitive application data currently stored in a database as plaintext. Which secrets engine provides a solution?

🔘 Key/Value v2 secrets engine
🔘 Cubbyhole secrets engine
🔘 Transit secrets engine
🔘 Database secrets engine

»Q9: Which of the following statements explains the benefit of response wrapping? Choose TWO correct answers.

• Limits the time of secret exposure by having a short-lived wrapping token
• Allow versioning of the secrets
• It protects Vault's master key
• Only the reference to the secrets is transmitted over the public network
• Limits the size of secrets to be transmitted over the network

»Vault UI questions

»Q10: You need to edit a policy, but the UI appears as shown. What is the problem?

🔘 This is an UI error. Contact support.
🔘 You don't have a permission to manage policies.
🔘 Vault UI does not support policy creation and management.
🔘 Use the command shell in UI to manage policies.

»Q11: Where on the page would you click to display the list of available Vault-created encryption keys.

To answer this question: Use your mouse to click on the screenshot in the location described above. An arrow indicator will mark where you have clicked. Click the "Answer" button once you have positioned the arrow to answer the question. You may need to scroll down to see the entire screenshot.

»Next steps

The Review Guide lists a table of exam objectives with its corresponding documentation and the learn tutorial link. Use the table as your check-list to prepare for the exam.