Free Access to HashiCorp.HCVA0-003.v2025-10-21.q101 with Valid Practice Test (Page 14)

Question 61

A developer has requested access to manage secrets at the path kv/apps/webapp01. You create the policy below which gives them the proper access:
path "kv/apps/webapp01" {
capabilities = ["read", "create", "update", "list"]
}
However, when the developer logs in to the Vault UI, they see the following screenshot and cannot access the desired secret. Why can't the developer see the secrets they need?

A.The Vault UI isn't enabled for the developer, therefore they will only see the default options
B.The key/value secrets engine isn't available in the Vault UI, therefore the developer should use a different Vault interface instead
C.The policy doesn't permit list access to the paths prior to the secret so the Vault UI doesn't display the mount path
D.The secrets are stored under the cubbyhole secrets engine, so the developer should browse to that secrets engine

Question 62

* A Jenkins server is using the following token to access Vault. Based on the lookup shown below, what type of token is this?$ vault token lookup hvs.FGP1A77Hxa1Sp6Pkp1yURcZB
* Key Value
* --- -----
* accessor RnH8jtgrxBrYanizlyJ7Y8R
* creation_time 1604604512
* creation_ttl 24h
* display_name token
* entity_id n/a
* expire_time 2025-11-06T14:28:32.8891566-05:00
* explicit_max_ttl 0s
* id hvs.FGP1A77Hxa1Sp6KRau5eNB
* issue_time 2025-11-06T14:28:32.8891566-05:00
* meta <nil>
* num_uses 0
* orphan false
* path auth/token/create
* period 24h
* policies [admin default]
* renewable true
* ttl 23h59m50s
* type service

A.Periodic token
B.Batch token
C.Orphaned token
D.Secondary token

Question 63

Which isnota capability that can be used when writing a Vault policy?

A.delete
B.modify
C.create
D.list
E.read
F.update

Question 64

A web application uses Vault's transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit which of the following statements are true? Choose two correct answers.

A.You can rotate the encryption key so that the attacker won't be able to decrypt the data
B.The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted
C.The Vault administrator would need to seal the Vault server immediately
D.Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit)

Correct Answer: B,D

A web application that uses Vault's transit secrets engine to encrypt data in-transit can benefit from the following security features:
* Even if the attacker was able to access the raw data, they would only have encrypted bits (TLS in transit). This means that the attacker would need to obtain the encryption key from Vault in order to decrypt the data, which is protected by Vault's authentication and authorization mechanisms. The transit secrets engine does not store the data sent to it, so the attacker cannot access the data from Vault either.
* The keys can be rotated and min_decryption_version moved forward to ensure this data cannot be decrypted. This means that the web application can periodically change the encryption key used to encrypt the data, and set a minimum decryption version for the key, which prevents older versions of the key from being used to decrypt the data. This way, even if the attacker somehow obtained an old version of the key, they would not be able to decrypt the data that was encrypted with a newer version of the key.
The other statements are not true, because:
* You cannot rotate the encryption key so that the attacker won't be able to decrypt the data. Rotating the key alone does not prevent the attacker from decrypting the data, as they may still have access to the old version of the key that was used to encrypt the data. You need to also move the min_decryption_version forward to invalidate the old version of the key.
* The Vault administrator would not need to seal the Vault server immediately. Sealing the Vault server would make it inaccessible to both the attacker and the legitimate users, and would require unsealing it with the unseal keys or the recovery keys. Sealing the Vault server is a last resort option in case of a severe compromise or emergency, and is not necessary in this scenario, as the attacker does not have access to the encryption key or the data in Vault. References: Transit - Secrets Engines | Vault | HashiCorp Developer, Encryption as a service: transit secrets engine | Vault | HashiCorp Developer

Question 65

Before the following command can be run to encrypt data, what (three) commands must be run to enable and configure the transit secrets engine in Vault? (Select three) text CollapseWrapCopy
$ vault write transit/encrypt/vendor \
plaintext="aGFzaGljb3JwIGNlcnRpZmllZA=="

A.base64 <<< "hashicorp certified"
B.vault write transit/encrypt/vendor
C.vault secrets list
D.vault secrets enable transit
E.vault write -f transit/keys/vendor

Question 61

Question 62

Question 63

Question 64

Question 65

Download PDF File