[2023] Use Valid VA-002-P Exam - Actual Exam Question & Answer [Q11-Q33]


Test Engine to Practice VA-002-P Test Questions


HashiCorp VA-002-P Exam Syllabus Topics:

Topic 1
  • Choose a secret method based on use case
  • Describe Vault policy syntax: path
  • Configure authentication methods
Topic 2
  • Explain the value of short-lived, dynamically generated secrets
  • Choose an authentication method based on use case
Topic 3
  • Describe secrets caching
  • Configure Vault policies
  • Explain orphaned tokens
Topic 4
  • Create tokens based on need
  • Explain the purpose of a lease ID
  • Authenticate to Vault via Curl
Topic 5
  • Differentiate between service and batch tokens. Choose one based on use-case
  • Describe authentication methods
Topic 6
  • Be aware of identities and groups
  • Describe root token uses and lifecycle
  • Compare and configure Vault secrets engines


NEW QUESTION 11
You've hit the URL for the Vault UI, but you're presented with this screen. Why doesn't Vault present you with a way to log in?

  • A. a vault policy is preventing you from logging in
  • B. the vault configuration file has an incorrect configuration
  • C. the consul storage backend was not configured correctly
  • D. vault needs to be initialized before it can be used

Answer: D

Explanation:
Before Vault can be used, it must be initialized and unsealed. This screen indicates that Vault has not been initialized yet and is offering you a way to do so.


NEW QUESTION 12
Which statement best describes what the local variable assignment is doing in the following code snippet?

variable "subnet_details" {
  type = list(object({
    cidr             = string
    subnet_name      = string
    route_table_name = string
    aznum            = number
  }))
}

locals {
  route_tables_all = distinct([for s in var.subnet_details : s.route_table_name])
}

  • A. Create a map of route table names from a list of subnet names
  • B. Create a list of route table names eliminating duplicates
  • C. Create a distinct list of route table name objects
  • D. Create a map of route table names to subnet names

Answer: B

Explanation:
The for expression collects the route_table_name attribute from each object in var.subnet_details, and distinct() removes any duplicates, so route_tables_all is assigned a list of unique route table names derived from the list of subnet-detail objects.


NEW QUESTION 13
The userpass auth method has the ability to access external services in order to provide authentication to Vault.

  • A. TRUE
  • B. FALSE

Answer: B

Explanation:
The userpass auth method uses a local database that cannot interact with any services outside of the Vault instance.


NEW QUESTION 14
What happens to child tokens when a parent token is revoked?

  • A. the child tokens are renewed
  • B. the child tokens create their own child tokens to be used
  • C. the child tokens are revoked
  • D. the child tokens are converted to parent tokens

Answer: C

Explanation:
When a parent token is revoked, all of its child tokens and their leases are revoked as well. This ensures that a user cannot escape revocation by simply generating an endless tree of child tokens.


NEW QUESTION 15
True or False: You can migrate the Terraform backend but only if there are no resources currently being managed.

  • A. True
  • B. False

Answer: B

Explanation:
If you are already using Terraform to manage infrastructure, you probably want to transfer to another backend, such as Terraform Cloud, so you can continue managing it. By migrating your Terraform state, you can hand off infrastructure without de-provisioning anything.


NEW QUESTION 16
Which Terraform command will force a marked resource to be destroyed and recreated on the next apply?

  • A. terraform refresh
  • B. terraform fmt
  • C. terraform taint
  • D. terraform destroy

Answer: C

Explanation:
The terraform taint command manually marks a Terraform-managed resource as tainted, forcing it to be destroyed and recreated on the next apply. This command will not modify infrastructure but does modify the state file in order to mark a resource as tainted. Once a resource is marked as tainted, the next plan will show that the resource will be destroyed and recreated. The next terraform apply will implement this change.


NEW QUESTION 17
You want to encrypt a credit card number using the transit secrets engine. You enter the following command and receive an error. What can you do to ensure that the credit card number is properly encrypted and the ciphertext is returned?
$ vault write -format=json transit/encrypt/creditcards plaintext="1234 5678 9101 1121"
Error writing data to transit/encrypt/orders: Error making API request.

URL: PUT http://10.25.16.165:8200/v1/transit/encrypt/creditcards
Code: 400. Errors:

* illegal base64 data at input byte 4

  • A. the plain text data needs to be encoded to base64
  • B. the token used to issue the encryption request does not have the appropriate permissions
  • C. credit card numbers are not supported using the transit secrets engine since it is considered sensitive data
  • D. the credit card number should not include spaces

Answer: A

Explanation:
When you send data to the transit secrets engine for encryption, the plaintext parameter must be base64-encoded so that arbitrary (including binary) data can be transported safely in the API request; the error above is Vault rejecting the raw, unencoded string.


NEW QUESTION 18
After issuing the command to delete a secret, you run a vault kv list command but the secret still exists. What command would permanently delete this secret from Vault?
$ vault kv delete kv/applications/app01
Success! Data deleted (if it existed) at: kv/applications/app01
$ vault kv list kv/applications
Keys
----
app01

  • A. vault kv destroy -versions=1 kv/applications/app01
  • B. vault kv delete -all kv/applications/app01
  • C. vault kv delete -force kv/applications/app01
  • D. vault kv metadata delete kv/applications/app01

Answer: D

Explanation:
The kv metadata command has subcommands for interacting with the metadata and versions for the versioned secrets (K/V Version 2 secrets engine) at the specified path.
The kv metadata delete command deletes all versions and metadata for the provided key.
Reference link:- https://www.vaultproject.io/docs/commands/kv/metadata


NEW QUESTION 19
You've decided to use AWS KMS to automatically unseal Vault on private EC2 instances. After deploying your Vault cluster, and running vault operator init, Vault responds with an error and cannot be unsealed.
You've determined that the subnet you've deployed Vault into doesn't have internet access. What can you do to enable Vault to communicate with AWS KMS in the most secure way?

  • A. ask the networking team to provide Vault with inbound access from the internet
  • B. add a VPC endpoint
  • C. change the permissions on the Internet Gateway to allow the Vault nodes to communicate over the Internet
  • D. deploy Vault in a public subnet and provide the Vault nodes with public IP addresses

Answer: B

Explanation:
In this particular question, a VPC endpoint can provide private connectivity to an AWS service without having to traverse the public internet. This way you hit a private endpoint for the service rather than connecting to the public endpoint.
This is more of an AWS-type question, but the underlying premise still holds regardless of where your Vault cluster is deployed. If you use a public cloud KMS solution, such as AWS KMS, Azure Key Vault, GCP Cloud KMS, or AliCloud KMS, your Vault cluster will need the ability to communicate with that service to unseal itself.


NEW QUESTION 20
True or False: When encrypting data with the transit secrets engine, Vault always stores the ciphertext in a dedicated KV store along with the associated encryption key.

  • A. True
  • B. False

Answer: B

Explanation:
Vault doesn't store the data sent to the secrets engine.
The transit secrets engine handles cryptographic functions on data-in-transit. It can also be viewed as "cryptography as a service" or "encryption as a service". The transit secrets engine can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.
Reference link:- https://www.vaultproject.io/docs/secrets/transit


NEW QUESTION 21
Which flag would be used within a Terraform configuration block to identify the specific version of a provider required?

  • A. required_versions
  • B. required_providers
  • C. required-provider
  • D. required-version

Answer: B

Explanation:
For production use, you should constrain the acceptable provider versions in the configuration file to ensure that new versions with breaking changes will not be automatically installed by terraform init in the future. When terraform init is run without provider version constraints, it prints a suggested version constraint string for each provider. For example:

terraform {
  required_providers {
    aws = ">= 2.7.0"
  }
}


NEW QUESTION 22
Which of the following best describes a token accessor?

  • A. a value that describes which clients have access to the attached token
  • B. a token used for Consul to access Vault auth methods
  • C. describes the value associated with the tokens TTL
  • D. a value that acts as a reference to a token which can be used to perform limited actions against the token

Answer: D

Explanation:
When a token is created, a token accessor is also created and returned. The accessor is a value that acts as a reference to the token and can only be used to perform a limited set of actions:
- Look up the token's properties (not including the actual token ID)
- Look up the token's capabilities on a path
- Renew the token
- Revoke the token
Reference link:- https://www.vaultproject.io/docs/concepts/tokens#token-accessors


NEW QUESTION 23
Which of the following represents a feature of Terraform Cloud that is NOT free to customers?

  • A. private module registry
  • B. VCS integration
  • C. workspace management
  • D. roles and team management

Answer: D


NEW QUESTION 24
Which of the following commands will remove all secrets at a specific path?

  • A. vault revoke -all <path>
  • B. vault lease revoke -prefix <path>
  • C. vault lease revoke -all <path>
  • D. vault delete lease -all <path>

Answer: B

Explanation:
The -prefix flag makes vault lease revoke treat the given ID as a path prefix instead of an exact lease ID, so every lease under that prefix is revoked in a single command.


NEW QUESTION 25
Which of the following Vault features is available only in the Enterprise version? (select three)

  • A. replication
  • B. cloud auto unseal
  • C. MFA
  • D. dynamic credentials
  • E. auto unseal with HSM

Answer: A,C,E

Explanation:
Most of the important features of Vault are available in the open-source version; however, some features generally required by large organizations are only available in the Enterprise version, such as:
- MFA (multi-factor authentication)
- Replication
- Auto unseal with HSM, and many more.
Check the full feature list at the link below.
Reference link:- https://www.hashicorp.com/products/vault/pricing/


NEW QUESTION 26
When Terraform needs to be installed in a location where it does not have internet access to download the installer and upgrades, the installation is generally known as __________.

  • A. a private install
  • B. disconnected
  • C. non-traditional
  • D. air-gapped

Answer: D

Explanation:
A Terraform Enterprise install that is provisioned on a network without Internet access is generally known as an air-gapped install. These installs require you to pull updates, providers, etc. from external sources rather than downloading them directly.


NEW QUESTION 27
Vault's User Interface (UI) needs to be enabled in the command line before it can be used.

  • A. TRUE
  • B. FALSE

Answer: B

Explanation:
The UI is enabled in the Vault configuration file, not in the CLI.


NEW QUESTION 28
In order to make a Terraform configuration file dynamic and/or reusable, static values should be converted to use what?

  • A. module
  • B. regular expressions
  • C. input parameters
  • D. output value

Answer: C

Explanation:
Input variables serve as parameters for a Terraform module, allowing aspects of the module to be customized without altering the module's own source code, and allowing modules to be shared between different configurations.


NEW QUESTION 29
Which of the following is not an activity associated with the Vault transit secrets engine?

  • A. rewrap
  • B. update
  • C. decrypt
  • D. encrypt

Answer: B

Explanation:
Since the transit secrets engine does not store the data it operates on, there is nothing held in Vault to update; "update" is therefore not a transit operation, whereas encrypt, decrypt and rewrap are.


NEW QUESTION 30
When Vault is sealed, which are the only two options available to a Vault administrator? (select two)

  • A. rotate the encryption key
  • B. view the status of Vault
  • C. view data stored in the key/value store
  • D. configure policies
  • E. author security policies
  • F. unseal Vault

Answer: B,F

Explanation:
When Vault is sealed, the only two options available are viewing the Vault status and unsealing Vault. All other actions can be performed only after Vault is unsealed and the user has authenticated.


NEW QUESTION 31
Which auth method is ideal for machine to machine authentication?

  • A. Okta
  • B. AppRole
  • C. UserPass
  • D. GitHub

Answer: B

Explanation:
AppRole is the ideal method for machine-to-machine authentication, although it is not the only one. The other options are typically reserved for human access.
Reference link:- https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle/


NEW QUESTION 32
Which of the following Terraform files should be ignored by Git when committing code to a repo? (select two)

  • A. terraform.tfvars
  • B. terraform.tfstate
  • C. output.tf
  • D. variables.tf

Answer: A,B

Explanation:
The .gitignore file should be configured to ignore Terraform files that either contain sensitive data or don't need to be saved in the repo.
The terraform.tfstate file contains the Terraform state of a specific environment and doesn't need to be preserved in a repo. The terraform.tfvars file may contain sensitive data, such as passwords or IP addresses of an environment, that you may not want to share with others.


NEW QUESTION 33
......
