Vault Certification Practice Exam 2025: Latest Questions
Test your readiness for the HashiCorp Certified: Vault Associate certification with our 2025 practice exam. Featuring 25 questions based on the latest exam objectives, this practice exam simulates the real exam experience.
Why Take This 2025 Exam?
Prepare with questions aligned to the latest exam objectives
2025 Updated
Questions based on the latest exam objectives and content
25 Questions
A focused practice exam to test your readiness
Mixed Difficulty
Questions range from easy to advanced levels
Exam Simulation
Experience questions similar to the real exam
Practice Questions
25 practice questions for HashiCorp Certified: Vault Associate
A team wants their applications to retrieve secrets without storing long-lived credentials on disk. The applications run in Kubernetes and can use their service account identity. Which Vault auth method best fits this requirement?
You need to store and retrieve arbitrary key/value secrets (for example, API keys) and want support for secret versioning and soft deletes. Which secrets engine should you use?
Which Vault component is responsible for enforcing policies on a request (for example, ensuring a token has 'read' capability on a path) before the request is processed?
A security engineer wants an immutable record of Vault requests for compliance investigations. Which Vault feature provides this capability?
A policy contains the following stanza: `path "secret/data/payroll" { capabilities = ["read"] }`. A user tries to run `vault kv get secret/payroll` and receives a 403 permission denied. KV v2 is enabled at the mount path `secret/`. What is the MOST likely cause?
A platform team wants database credentials that automatically expire and can be revoked centrally if an application is compromised. Which approach best meets this requirement?
An application authenticates with AppRole and receives a token. The team wants the token to remain valid as long as the app is healthy, but to expire automatically if it stops renewing. What token type/behavior should they use?
You want a token presented to a CI job to be unable to create child tokens that outlive it or remain valid after the parent is revoked. Which is the BEST token approach?
A Vault cluster uses integrated storage (Raft). One node is consistently behind and cannot become a voter due to poor network connectivity. What is the best practice to improve cluster health and availability?
A team writes an ACL policy allowing `create` on `auth/approle/role/my-role/secret-id` but their automation still fails to fetch a SecretID. The error indicates permission denied on `auth/approle/role/my-role/secret-id`. The token is valid. What is the most likely missing capability and why?
You have a Vault cluster with integrated storage and multiple nodes. After a restart, one node is active and the others are standby. What is the primary purpose of standby nodes in this architecture?
An app uses the AppRole auth method. The security team wants to reduce the impact if a SecretID is leaked. Which AppRole setting directly limits the number of times a SecretID can be used to log in?
A team wants to issue short-lived database credentials for PostgreSQL so that users never share a static password. Which Vault secrets engine best fits this requirement?
A Vault policy includes the following stanza: `path "secret/data/payroll" { capabilities = ["read"] }`. A user with this policy tries to read a secret at "secret/data/payroll/2026" and receives a permission denied error. Why?
You need a token for an automated job that must keep access as long as the job is running, without requiring a human to re-authenticate, but you still want it to expire if it stops renewing. What type of token best matches this behavior?
An operator wants to rotate the Vault encryption key used to protect data at rest without re-encrypting all stored data immediately. Which operation should they perform?
A team enables the KV v2 secrets engine at path "kv/" and writes a secret to "kv/app". They then run a policy test by trying to read "kv/app" but get a 404. What is the most likely cause?
An application authenticates with Vault using a token obtained from an auth method. You want to ensure that if the auth method is disabled or its token is revoked, any tokens created by that login are also revoked automatically. Which token behavior provides this revocation linkage?
You are designing policies so that an operator can manage auth methods (enable/disable) but cannot read any application secrets from KV. Which approach best follows Vault best practices?
A security engineer wants to use Vault Agent with auto-auth to provide credentials to an application. The application should never see a long-lived token on disk, and the token should be automatically rotated. Which Vault Agent feature best meets this requirement?
You want a single Vault cluster to securely serve multiple teams. Each team must have its own isolated set of auth methods, policies, and secrets paths, managed independently. What Vault feature best meets this requirement?
A team is troubleshooting why applications cannot read secrets in the KV v2 engine. The policy includes: `path "secret/*" { capabilities = ["read"] }`. The secret is stored at `secret/data/app/config`. The token receives 403 permission denied. What is the most likely fix?
An operator wants to rotate the master key used to encrypt Vault’s storage without changing the unseal keys. Which action should they take?
A security engineer wants to ensure that an application token cannot be used from any network other than the application subnet 10.20.0.0/16. What is the recommended Vault control to enforce this?
An organization uses Vault to issue dynamic database credentials. They want every lease revocation to also immediately disable the database user even if Vault is temporarily unavailable when the application terminates. Which approach best addresses this requirement?
HashiCorp Certified: Vault Associate 2025 Practice Exam FAQs
HashiCorp Certified: Vault Associate is a professional certification from HashiCorp that validates expertise in HashiCorp Vault technologies and concepts. The official exam code is VA-003.
The HashiCorp Certified: Vault Associate Practice Exam 2025 includes updated questions reflecting the current exam format, new topics added in 2025, and the latest question styles used by HashiCorp.
Yes, all questions in our 2025 HashiCorp Certified: Vault Associate practice exam are updated to match the current exam blueprint. We continuously update our question bank based on exam changes.
The 2025 HashiCorp Certified: Vault Associate exam may include updated topics, revised domain weights, and new question formats. Our 2025 practice exam is designed to prepare you for all these changes.