Most UptoDate HashiCorp VA-002-P Exam Dumps PDF 2022 [Q98-Q117]



HashiCorp VA-002-P Exam Syllabus Topics:

Topic | Details
Topic 1
  • Choose a secret method based on use case
  • Describe Vault policy syntax: path
  • Configure authentication methods
Topic 2
  • Be aware of identities and groups
  • Describe root token uses and lifecycle
  • Compare and configure Vault secrets engines
Topic 3
  • Explain the value of short-lived, dynamically generated secrets
  • Choose an authentication method based on use case
Topic 4
  • Create tokens based on need
  • Explain the purpose of a lease ID
  • Authenticate to Vault via Curl
Topic 5
  • Describe the encryption of data stored by Vault
  • Contrast dynamic secrets vs. static secrets and their use cases
Topic 6
  • Configure transit secret engine
  • Compare authentication methods
  • Illustrate the value of Vault policy
Topic 7
  • Describe Shamir secret sharing and unsealing
  • Craft a Vault policy based on requirements
  • Describe Vault policy syntax: capabilities
Topic 8
  • Describe secrets caching
  • Configure Vault policies
  • Explain orphaned tokens
Topic 9
  • Explain encryption as a service
  • Explain response wrapping
  • Explain Vault architecture
  • Authenticate to Vault
Topic 10
  • Access Vault secrets via Curl
  • Manage Vault leases
  • Define token accessors
  • Create Vault policies

 

NEW QUESTION 98
True or False? Each Terraform workspace uses its own state file to manage the infrastructure associated with that particular workspace.

  • A. True
  • B. False

Answer: A

Explanation:
The persistent data stored in the backend belongs to a workspace. Initially, the backend has only one workspace, called "default", and thus there is only one Terraform state associated with that configuration.

 

NEW QUESTION 99
From the options below, select the benefits of using the PKI (certificates) secrets engine: (select three)

  • A. Vault can act as an intermediate CA
  • B. reduces time to get a certificate by eliminating the need to generate a private key and CSR
  • C. TTLs on Vault certs are longer to ensure certificates are valid for a longer period of time
  • D. reducing, or eliminating certificate revocations

Answer: A,B,D

Explanation:
Reference link: https://www.vaultproject.io/docs/secrets/pki

 

NEW QUESTION 100
Vault secrets engines are used to do what with data? (select three)

  • A. store
  • B. encrypt
  • C. generate
  • D. copy
  • E. transmit

Answer: A,B,C

Explanation:
Vault secrets engines are used to store, generate, or encrypt data.
The KV secrets engine can store data, AWS can generate credentials, and the transit secret engine can encrypt data.

 

NEW QUESTION 101
Which Terraform command will check and report errors within modules, attribute names, and value types to make sure they are syntactically valid and internally consistent?

  • A. terraform validate
  • B. terraform fmt
  • C. terraform show
  • D. terraform format

Answer: A

Explanation:
The terraform validate command validates the configuration files in a directory, referring only to the configuration and not accessing any remote services such as remote state, provider APIs, etc.
Validate runs checks that verify whether a configuration is syntactically valid and internally consistent, regardless of any provided variables or existing state. It is thus primarily useful for general verification of reusable modules, including the correctness of attribute names and value types.

 

NEW QUESTION 102
Given the following screenshot, how many secrets engines have been enabled?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: D

Explanation:
The Cubbyhole secrets engine is a default secrets engine that is enabled for each Vault user.

 

NEW QUESTION 103
Which commands are available only after Vault has been unsealed? (select two)

  • A. vault kv get kv/apps/app01
  • B. vault login -method=ldap -username=vault
  • C. vault operator unseal
  • D. vault status

Answer: A,B

Explanation:
Once Vault is unsealed, you can run vault login -method=ldap -username=vault and vault kv get kv/apps/app01. The second command assumes that you have authenticated, but it cannot be run unless Vault is unsealed. vault status can be run regardless of whether Vault is sealed or unsealed, and vault operator unseal can only be run when Vault is sealed.

 

NEW QUESTION 104
In the example below, where is the value of the DNS record's IP address originating from?
    resource "aws_route53_record" "www" {
      zone_id = aws_route53_zone.primary.zone_id
      name    = "www.helloworld.com"
      type    = "A"
      ttl     = "300"
      records = [module.web_server.instance_ip_addr]
    }

  • A. by querying the AWS EC2 API to retrieve the IP address
  • B. the regular expression named module.web_server
  • C. value of the web_server parameter from the variables.tf file
  • D. the output of a module named web_server

Answer: D

Explanation:
In a parent module, outputs of child modules are available in expressions as module.<MODULE NAME>.<OUTPUT NAME>. For example, if a child module named web_server declared an output named instance_ip_addr, you could access that value as module.web_server.instance_ip_addr.

 

NEW QUESTION 105
In order to reduce the time it takes to provision resources, Terraform uses parallelism. By default, how many resources will Terraform provision concurrently?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Answer: D

Explanation:
Terraform can limit the number of concurrent operations as Terraform walks the graph using the -parallelism=n argument. The default value for this setting is 10. This setting might be helpful if you're running into API rate limits.

 

NEW QUESTION 106
From the answers below, select the advantages of using Infrastructure as Code. (select four)

  • A. Easily integrate with application workflows (GitLab Actions, Azure DevOps, CI/CD tools)
  • B. Safely test modifications using a "dry run" before applying any actual changes
  • C. Easily change and update existing infrastructure
  • D. Provide reusable modules for easy sharing and collaboration
  • E. Provide a codified workflow to develop customer-facing applications

Answer: A,B,C,D

Explanation:
Infrastructure as Code is not used to develop applications, but it can be used to help deploy or provision those applications to a public cloud provider or on-premises infrastructure.
All of the others are benefits of using Infrastructure as Code over the traditional way of managing infrastructure, regardless of whether it's public cloud or on-premises.

 

NEW QUESTION 107
Which of the following secrets engines can generate dynamic credentials? (select three)

  • A. database
  • B. key/value
  • C. Transit
  • D. Azure
  • E. AWS

Answer: A,D,E

Explanation:
Vault has many secrets engines that can generate dynamic credentials, including AWS, Azure, and database secrets engines. The key/value secret engine is used to store data, and the transit secret engine is used to encrypt data.

 

NEW QUESTION 108
What does the following API request return?
    $ curl \
        --header "X-Vault-Token: ..." \
        --request POST \
        --data @payload.json \
        http://127.0.0.1:8200/v1/sys/tools/random/164

  • A. None
  • B. a random string of 164 characters
  • C. a random token valid for 164 uses
  • D. a secured secret based on 164 bytes of data

Answer: B

Explanation:
This endpoint returns high-quality random bytes of the specified length.

 

NEW QUESTION 109
To prepare for day-to-day operations, the root token should be safely saved outside of Vault in order to administer Vault.

  • A. False
  • B. True

Answer: A

Explanation:
It is generally considered a best practice to not persist root tokens. Instead, a root token should be generated using Vault's operator generate-root command only when absolutely necessary.
For day-to-day operations, the root token should be deleted after configuring other auth methods which will be used by admins and Vault clients.

 

NEW QUESTION 110
Vault's User Interface (UI) needs to be enabled in the command line before it can be used.

  • A. FALSE
  • B. TRUE

Answer: A

Explanation:
The UI is enabled in the Vault configuration file, not in the CLI.

 

NEW QUESTION 111
Beyond encryption and decryption of data, which of the following is not a function of the Vault transit secrets engine?

  • A. act as a source of random bytes
  • B. generate hashes and HMACs of data
  • C. sign and verify data
  • D. store the encrypted data securely in Vault for retrieval

Answer: D

Explanation:
Vault doesn't store the data sent to the secrets engine.
The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.

 

NEW QUESTION 112
From the code below, identify the implicit dependency:
    resource "aws_eip" "public_ip" {
      vpc      = true
      instance = aws_instance.web_server.id
    }
    resource "aws_instance" "web_server" {
      ami           = "ami-2757f631"
      instance_type = "t2.micro"
      depends_on    = [aws_s3_bucket.company_data]
    }

  • A. The S3 bucket labeled company_data
  • B. The EC2 instance labeled web_server
  • C. The EIP with an id of ami-2757f631
  • D. The AMI used for the EC2 instance

Answer: B

Explanation:
The EC2 instance labeled web_server is the implicit dependency as the aws_eip cannot be created until the aws_instance labeled web_server has been provisioned and the id is available.
Note that aws_s3_bucket.example is an explicit dependency.

 

NEW QUESTION 113
What type of token does not have a TTL (time to live)?

  • A. child tokens
  • B. parent tokens
  • C. root tokens
  • D. expired tokens
  • E. default tokens
  • F. user tokens

Answer: C

Explanation:
Non-root tokens are associated with a TTL, which determines how long a token is valid. Root tokens are not associated with a TTL, and therefore, do not expire.
Root tokens are tokens that have the root policy attached to them. They are the only type of token within Vault that is not associated with a TTL, and therefore they do not expire.

 

NEW QUESTION 114
When creating a dynamic secret in Vault, Vault returns what value that can be used to renew or revoke the lease?

  • A. token_revocation_id
  • B. revocation_access
  • C. vault_accessor
  • D. lease_id

Answer: D

Explanation:
When reading a dynamic secret, such as via vault read, Vault always returns a lease_id. This is the ID used with commands such as vault lease renew and vault lease revoke to manage the lease of the secret.
vault lease lookup
Usage: vault lease <subcommand> [options] [args]
This command groups subcommands for interacting with leases. Users can revoke or renew leases.
Renew a lease:
    $ vault lease renew database/creds/readonly/2f6a614c...
Revoke a lease:
    $ vault lease revoke database/creds/readonly/2f6a614c...
Subcommands:
    renew     Renews the lease of a secret
    revoke    Revokes leases and secrets
Reference link: https://www.vaultproject.io/docs/concepts/lease

 

NEW QUESTION 115
Which of the following variable declarations is going to result in an error?

  • A. variable "example" {
    type = object({})
    }
  • B. variable "example" {
    description = "This is a variable description"
    type = list(string)
    default = {}
    }
  • C. variable "example" {
    description = "This is a test"
    type = map
    default = {"one" = 1, "two" = 2, "Three" = "3"}
    }
  • D. variable "example" {}

Answer: D

Explanation:
Lists are defined with [ ], maps are defined with { }.
https://www.terraform.io/docs/configuration/types.html#structural-types

 

NEW QUESTION 116
True or False:
Once you create a KV v1 secrets engine and place data in it, there is no way to modify the mount to include the features of a KV v2 secrets engine.

  • A. False
  • B. True

Answer: A

Explanation:
The kv enable-versioning command turns on versioning for an existing non-versioned key/value secrets engine (K/V Version 1) at its path.
Reference link: https://www.vaultproject.io/docs/commands/kv/enable-versioning

 

NEW QUESTION 117
......
