A Vault operator wants to see all active leases for a specific secrets engine without revoking them. What are the best ways to achieve this visibility?
Querying the storage backend directly (e.g., Consul KV) to see the stored lease entries.
Inspecting the Vault audit logs for recent lease generation events that haven't had a corresponding revocation.
Running vault status -leases to get a summary count of all active leases in the system.
Using the vault list sys/leases/lookup/path/ command to browse the hierarchy of active leases.
Using the Vault UI to navigate to the "Leases" tab and filtering by the engine's path.
Explanation: The correct options are: using the vault list sys/leases/lookup/path/ command to browse the hierarchy of active leases; querying the storage backend directly (e.g., Consul KV) to see the stored lease entries; using the Vault UI to navigate to the "Leases" tab and filtering by the engine's path; and inspecting the Vault audit logs for recent lease generation events that haven't had a corresponding revocation.
A Vault operator observes that after enabling mlock in the configuration, the process crashes on startup with permission errors when running as a non-root user. The environment must support mlock for key protection in memory. Which environment variable adjustment combined with OS configuration allows mlock without root privileges?
Use VAULT_LOG_LEVEL=trace to debug.
Export VAULT_DISABLE_MLOCK=true temporarily.
Set cap_ipc_lock capability on the Vault binary and run with VAULT_MLOCK=true implicitly via config.
VAULT_ENABLE_FILE_PERMISSIONS_CHECK=false.
Explanation: VAULT_ENABLE_FILE_PERMISSIONS_CHECK=false. This server environment variable disables the strict file permission checks that conflict with mlock capabilities granted via Linux capabilities (cap_ipc_lock), allowing the non-root Vault process to lock the root key and keyring pages in memory as intended by the mlock configuration.
For disaster recovery scripting, create a service token role with period=30d renewable=true to issue tokens that auto-renew monthly without explicit max TTL limits.
True
False
Explanation: Periodic tokens renew to their period but are capped by the system/mount max TTL (default 32d); no unlimited non-root periods exist.
For a Transit key created as type=chacha20-poly1305, the encrypt API requires associated_data (AAD) parameter for all calls, authenticating it alongside ciphertext without encryption.
True
False
Explanation: AEAD ciphers like chacha20-poly1305 mandate associated_data (base64) for authentication; omitting it errors during encrypt/decrypt/verify. AAD protects metadata integrity without confidentiality, computed into GCM/Poly1305 tags for tamper detection.
Which of the following describes the behavior of policy path matching when multiple paths overlap, such as `secret/data/foo` and `secret/data/foo/bar`? (Select 3)
Vault ignores wildcards if an exact string match exists
Vault combines all capabilities from all matching paths
Wildcards (`+` or `*`) are evaluated if no exact match is found
The most specific (longest) path match wins
The "deny" capability always takes precedence regardless of path length
Explanation: Vault policy evaluation follows a "most specific match" rule where the longest matching path string determines the permissions. However, if a "deny" capability exists on any matching path that would apply, it overrides other permissions. Wildcards allow for flexible matching but are secondary to an exact string match for a specific path.
At Hotel Retail, the operations team must decide between userpass for temporary contractors (human) and AppRole for long-running batch jobs (system). Contractors log in daily via UI with passwords that expire after 24h and trigger lockout after 3 failures, while jobs use role_id fetched once and secret_id wrapped for 60s. The chosen methods must differ in token renewability: contractors get renewable service tokens, jobs get non-renewable batch tokens. Which key distinction in token lifecycle and credential management must guide the selection?
Userpass disables batch token type
Both enforce secret_id_num_uses=1
Human methods rely on interactive secrets that expire per login; system methods use static role_id with ephemeral secret_id
System methods always use renewable tokens with max_ttl
Explanation: The distinction that must guide the selection is that human methods rely on interactive secrets that expire per login while system methods use a static role_id with an ephemeral secret_id, because userpass requires fresh password entry each session with per-user TTL and lockout, producing renewable tokens, whereas AppRole provides a fixed role_id combined with short-lived wrapped secret_ids for one-time use in batch jobs, producing non-renewable tokens suited to unattended machine execution.
A security team wants to allow an application to encrypt data but strictly forbid it from decrypting any data. How should the Vault policy be structured to enforce this "write-only" encryption requirement?
Grant `read` capability on the path `transit/keys/app-key` to allow key discovery
Grant `sudo` capability on the `transit/encrypt/app-key` path
Explicitly deny the `update` capability on the path `transit/decrypt/app-key`
Grant `list` capability on the `transit/keys/` path
Grant `create` and `update` capabilities on the path `transit/encrypt/app-key`
Explanation: In Vault's Transit engine, encryption is an `update` (or `create`) operation on the `encrypt` sub-path. By granting this and explicitly denying or simply not granting access to the `decrypt` sub-path, you create a one-way encryption service. Listing keys is often helpful for administrative or discovery purposes but doesn't grant decryption rights.
A DevOps engineer is configuring a CI/CD pipeline to interact with a Vault instance over TLS with a self-signed certificate and custom namespace. The pipeline script must use environment variables to set the server address, authentication token, and skip TLS verification without using CLI flags. Which combination of environment variables ensures secure yet automated access while avoiding certificate validation errors and specifying the namespace for all commands?
Exporting only VAULT_ADDR and VAULT_TOKEN, as namespace and skip verify default to production settings.
Using VAULT_FORMAT=json and VAULT_LOG_LEVEL=debug for debugging.
Setting VAULT_ADDR, VAULT_TOKEN, VAULT_NAMESPACE, and VAULT_SKIP_VERIFY to true.
Setting VAULT_CACERT and VAULT_CLIENT_CERT for full TLS chain.
Explanation: Setting VAULT_ADDR, VAULT_TOKEN, VAULT_NAMESPACE, and VAULT_SKIP_VERIFY to true. These variables configure the CLI globally for the target server, authentication, namespace scoping, and TLS bypass in non-production pipelines, enabling all subsequent vault commands to operate without flags or certificate errors while isolating operations to the specified namespace.
Response wrapping for API: POST to /sys/wrapping/wrap with target path returns token; unwrap extracts. Provides origin verification as token metadata shows wrapping path, preventing spoofed secret requests.
True
False
Explanation: True. Wrapping tokens include metadata like creation path, allowing pre-unwrap validation.
In a Vault environment utilizing Shamir's Secret Sharing, the security team wants to perform a "Rekey" operation. What are the specific outcomes and requirements of this process?
The operation requires a quorum of the existing unseal keys to be provided to start the process
A new set of unseal keys is generated and distributed to the key holders
A new master key is generated and used to re-encrypt the keyring
The Vault cluster must be sealed during the entire duration of the rekey operation
The existing data in the storage backend is decrypted and re-encrypted with the new keys
Explanation: A rekey operation changes the unseal keys (the Shamir shards) and the underlying master key that protects the keyring. It requires a threshold of current unseal key holders to authorize the change. The cluster remains unsealed and online during this process; it does not require a full data re-encryption of the storage backend.
A production Vault instance using AWS KMS auto-unseal experiences a region outage. The administrator has recovery keys stored offline. To restore access to the keyring without waiting for KMS recovery or migrating seals, what is the precise sequence involving the recovery keys and a specific flag on the unseal command?
vault operator rekey -target=recovery using the recovery keys to authorize.
vault operator rotate followed by recovery key entry.
vault operator unseal -migrate followed by recovery key entry.
vault operator unseal with the recovery keys directly.
Explanation: vault operator rekey -target=recovery using the recovery keys to authorize. Recovery keys authorize rekeying or root token generation in auto-unseal failures; they are entered with the -target=recovery flag to perform administrative recovery actions without decrypting the root key themselves until KMS returns.
A microservice authenticates via AppRole, receiving a token with lease_id "auth/approle/login/xyz789-..." and renewable=true. The service uses Vault Agent's lifetime watcher with increment=3600 on this lease_id. When renewal fails due to backend downtime, Vault automatically revokes all child leases created by this token before the watcher can request a new auth lease.
False
True
Explanation: Token revocation cascades to revoke all associated child leases, but a failed renewal on the auth lease does not trigger automatic token revocation; the service must handle renewal failure.
Short-lived secrets from vault write aws/staging/creds/lease ttl=900 limit blast radius in supply-chain attacks, as compromised creds auto-expire post-15m, forcing re-fetch and enabling detection via lease audit logs over static creds valid 365d.
True
False
Explanation: False because dynamic TTL enforces expiry, shrinking exposure vs. long-lived statics, with audit trails on creation/revoke aiding incident response in real-time threat models.
A user is assigned two policies. Policy A grants `read` on `secret/data/app`. Policy B grants `update` on `secret/data/app`. What is the resulting effective permission for the user on that path? (Select 3)
Capabilities are additive
The user can perform a "patch" operation
The user can update the secret
The user can read the secret
The user can't do anything because of a conflict
Explanation: Vault policies are additive. When multiple policies are attached to a token, the capabilities are combined (the union of all permissions). Therefore, the user receives both read and update permissions. Note that "patch" is a separate capability and is not automatically granted by "update" in all contexts, though update often covers standard write-like behaviors.
During a scheduled maintenance window on Vault 1.18, an operator needs to safely revoke all dynamic database credentials issued under the role `finance` (lease IDs prefixed `database/creds/finance/`) while ensuring backend cleanup (DELETE statements) executes even if some database connections are temporarily unavailable. Which CLI command with flags guarantees revocation proceeds despite backend errors?
vault lease revoke database/creds/finance/
vault lease lookup database/creds/finance/
vault lease renew -increment=0 database/creds/finance/
vault lease revoke -force database/creds/finance/
Explanation: vault lease revoke -force database/creds/finance/ is the correct command because the -force flag instructs Vault to ignore backend errors during revocation, ensuring all leases under the prefix are marked revoked and cleanup proceeds where possible using the lease ID prefix mechanism.
An organization wants to implement Vault in a highly regulated environment and requires FIPS 140-2 compliance. Which architectural choices support this requirement?
Deploying Vault on FIPS-validated operating systems and hardware
Enabling the "Entropy Augmentation" feature to use external high-quality entropy sources
Using only the Shamir Secret Sharing method with at least 5 shards
Using Vault Enterprise with the HSM integration enabled
Configuring the Transit engine to use only FIPS-approved ciphers for all operations
Explanation: FIPS compliance involves using validated cryptographic modules (HSMs), running on validated infrastructure, and ensuring the quality of entropy (randomness) used for key generation. Enterprise features like HSM integration and entropy augmentation are specifically designed to meet these rigorous standards.
Vault Secrets Operator is configured to sync dynamic database credentials. To prevent credential leakage after lease expiry, which operator feature combined with VaultSecret CR lifetime setting automatically revokes and refreshes the Kubernetes Secret?
secretTransformation with lease management enabled in the CR
Static secret only
No lifetime setting
Vault Agent only
Explanation: secretTransformation with lease management enabled in the CR leverages the operator's built-in dynamic secret handling to revoke expired leases and update the Kubernetes Secret automatically.
An engineer configures Vault’s built‑in PKI secrets engine to issue client certificates with a short ttl of 86400 and a max_ttl of 172800. Applications read the certificate and receive a lease_id such as pki/issue/client/... with lease_duration: 86400 and lease_renewable: true. The engineer writes a script that calls vault lease renew -increment=86400 ... every 12 hours and observes that after 48 hours the lease becomes non‑renewable and the certificate is revoked. The engineer concludes that the lease_renewable flag flips from true to false once the second renewal is processed.
True
False
Explanation: True. The lease_renewable flag is fixed at lease creation and does not change dynamically; what changes is the lease's state, not the flag. In this case, the PKI-engine max_ttl of 172800 seconds (48 hours) sets an absolute upper bound on the lease lifetime. If the original issuance occurs at t=0 and each renewal extends the lease toward that maximum, the lease will reach its max-TTL at 48 hours and then be marked as non-renewable because no further extensions are allowed. The API response reflecting renewable: false after that point indicates post-expiration state, not a runtime flip of the flag. The engineer's conclusion that the flag itself flips during renewal is therefore incorrect.
An organization is using the AppRole method. They want to ensure that if a secret_id is stolen, it cannot be used from outside their data center. Which parameters in the AppRole configuration can help enforce this?
secret_id_bound_cidrs: Restricts the use of the secret_id to specific IP ranges.
secret_id_num_uses: Limits how many times a single secret_id can be used to log in.
role_id_bound_cidrs: A parameter that prevents the role_id from being retrieved from unauthorized IPs.
token_bound_cidrs: Restricts the resulting Vault token to specific IP ranges.
bind_secret_id: A boolean that requires a secret_id for login (true by default).
Explanation: Vault provides several "defense in depth" settings for AppRole. `secret_id_bound_cidrs` ensures that the login attempt itself must come from a trusted network. `token_bound_cidrs` goes a step further by ensuring that even after a token is issued, it can only be used from those same trusted IPs. `secret_id_num_uses` is a great way to limit the "blast radius" of a credential, making it a one-time-use secret if desired.
A security architect at Beta Finance is designing identity unification across LDAP for human admins and AppRole for CI/CD pipelines. After successful logins, the architect needs to manually create an internal group named "finance-auditors" that includes entities from both auth methods, attach a read-only policy to the group so all members inherit it at evaluation time, and ensure external LDAP group membership is not auto-synced but requires explicit alias mapping on the group. The CLI command sequence must start with identity/group creation using type=internal followed by member_entity_ids assignment. Which approach correctly achieves unified policy inheritance without relying on external group aliases?
Rely solely on token policies attached during AppRole role creation
Create internal groups via the identity secrets engine and assign member entities manually
Enable external groups with alias to LDAP DN and use automatic membership on token renewal
Use JWT groups_claim mapping directly on token metadata
Explanation: Create internal groups via the identity secrets engine and assign member entities manually correctly achieves unified policy inheritance without relying on external group aliases because internal groups allow explicit addition of entity IDs from any auth method (including LDAP aliases and AppRole role-ids), policies attached to the group are evaluated alongside token policies at request time, and membership is fully managed by the operator rather than depending on external sync during renewals.