What is the default method of authentication after first initializing Vault?
Correct Answer: D
Comprehensive and Detailed in Depth Explanation: After initializing Vault, the default authentication method isTokens, specifically the root token. The HashiCorp Vault documentation states: "After initializing, Vault provides the user the root token, which is the only way to log in to Vault in order to configure additional auth methods." This root token is generated during initialization and serves as the initial means of authentication until other methods are configured. The documentation further explains under the "Token Authentication" section: "Tokens are the core method for authentication within Vault. Upon initialization, a root token is created which can be used to configure Vault further."TLS certificates,GitHub,AppRole, andUserpassrequire additional setup, and there's no defaultAdmin accountmethod. Thus, D (Tokens) is correct. Reference: HashiCorp Vault Documentation - Token Authentication
Question 97
You are performing a high number of authentications in a short amount of time. You're experiencing slow throughput for token generation. How would you solve this problem?
Correct Answer: B
Batch tokens are a type of tokens that are not persisted in Vault's storage backend, but are encrypted blobs that carry enough information to perform Vault actions. Batch tokens are extremely lightweight and scalable, and can improve the throughput for token generation. Batch tokens are suitable for high-volume and ephemeral workloads, such as containers or serverless functions, that require short-lived and non-renewable tokens. Batch tokens canbe created by using the -type=batch flag in the vault token create command, or by configuring the token_type parameter in the auth method's role or mount options. Batch tokens have some limitations compared to service tokens, such as the lack of renewal, revocation, listing, accessor, and cubbyhole features. Therefore, batch tokens should be used with caution and only when the trade-offs are acceptable. References: https://developer.hashicorp.com/vault/tutorials/tokens/batch-tokens1, https://developer.hashicorp.com/vault/docs/commands/token/create2, https://developer.hashicorp.com/vault /docs/concepts/tokens#token-types3
Question 98
Which of the following statements describe the secrets engine in Vault? Choose three correct answers.
Correct Answer: A,C,D
Secrets engines are components that store, generate, or encrypt data in Vault. They are enabled at a specific path in Vault and have their own API and configuration. Some of the statements that describe the secrets engines in Vault are: * Some secrets engines simply store and read data, such as the key/value secrets engine, which acts like an encrypted Redis or Memcached. Other secrets engines perform more complex operations, such as generating dynamic credentials, encrypting data, issuing certificates, etc1. * You can build your own custom secrets engine by using the plugin system, which allows you to write and run your own secrets engine as a separate process that communicates with Vault over gRPC. You can also use the SDK to create your own secrets engine in Go and compile it into Vault2. * Each secrets engine is isolated to its path, which means that the secrets engine cannot access or interact with other secrets engines or data outside its path. The path where the secrets engine is enabled can be customized and can have multiple segments. For example, you can enable the AWS secrets engine at aws/ or aws/prod/ or aws/dev/3. The statements that are not true about the secrets engines in Vault are: * You can disable an existing secrets engine by using the vault secrets disable command or the sys /mounts API endpoint. When a secrets engine is disabled, all of its secrets are revoked and all of its data is deleted from the storage backend4. * A secrets engine can be enabled at multiple paths, with a few exceptions, such as the system and identity secrets engines. Each secrets engine enabled at a different path is independent and isolated from others. For example, you can enable the KV secrets engine at kv/ and secret/ and they will not share any data3. 1 (https://developer.hashicorp.com/vault/docs/secrets), 2 (https://developer.hashicorp.com/vault/docs/secrets), 3 (https://developer.hashicorp.com/vault/docs/secrets), 4 (https://developer.hashicorp.com/vault/docs/secrets)
