{"aws_account_id":"123"} conflicts. Which entity/group interpretation resolves federated access in hybrid cloud?
Metadata filtering excludes stale aliases post-merge
Group alias resolution cascades from entity parents
Entity ID alias iteration debugs inheritance chains
Alias merge policy prioritizes external ID for group lookup
Answer: A,B,C
Explanation: Groups resolve aliases recursively from child entities, propagating federated memberships
correctly. Metadata tags filter relevant aliases, ignoring conflicts from legacy logins. ID-based iteration
traces full alias graphs, pinpointing inheritance breaks in hybrid setups.
A logistics firm promotes Vault Enterprise DR secondary to primary after primary ransomware attack. Post-promotion, clients can't auth due to lease desync. What resolves this? (Choose TWO)
Execute vault lease revoke -prefix for stale leases from old primary
Restart replication to new secondary from promoted cluster
Run vault operator rekey -init -key-bits=256 to rotate master key
Promote namespaces individually: sys/replication/dr/secondary/promote -namespace=app
Answer: A,D
Explanation: lease revoke -prefix clears orphaned leases preventing client auth post-promotion.
Namespace-specific promotion ensures isolated failover without global downtime.
Scenario Title: Performance Secondary Namespace Isolation
Environment Description: A company has a Performance Secondary cluster in a "Finance" VPC and a
Primary in a "Core" VPC. They want to ensure that the Finance team can create their own namespaces on
the Secondary without those namespaces appearing on the Primary. Inspection Instructions: 1. Check the replication mode using `vault read sys/replication/performance/status`.
Attempt to create a namespace on the Performance Secondary.
Review the error message: "can't write to secondary cluster".
Check the `allow_multiregion` flag in the namespace configuration.
Why can't the administrator create a namespace directly on the Performance Secondary?
The administrator lacks the `sudo` capability on the `sys/namespaces` path.
The Secondary cluster has not been granted "Namespace Admin" rights by the Primary.
C. Namespaces must be created with the `-local` flag on the Secondary to bypass replication.
Performance Secondaries are read-only for all metadata including namespaces.
Answer: D
Explanation: In Performance Replication, the Primary cluster is the source of truth for all configuration,
including namespaces, mount points, and policies. Secondaries are read-only for these control-plane
objects. Any namespace must be created on the Primary, and it will then be replicated to all Secondaries.
There is no concept of a "Secondary-only" namespace.
Scenario Title: Monitoring Vault Memory Consumption with `runtime` Metrics
Environment Description: You notice that a Vault node's resident set size (RSS) memory is steadily
increasing. You are looking at the `vault.runtime.sys_bytes` and `vault.runtime.heap_objects` metrics.
Inspection Instructions:
Compare `vault.runtime.heap_inuse_bytes` with `vault.runtime.heap_released_bytes`.
Check the number of active leases using `vault.expire.num_leases`.
Review the operational logs for "Go runtime: scavenge" messages.
Any changes you make will NOT affect grading — only your answer selection is scored.
If `vault.runtime.heap_inuse_bytes` is stable but `vault.runtime.sys_bytes` continues to grow, what does this indicate?
The Vault audit device buffer is overflowing into swap space.
The operating system is not reclaiming memory that the Go runtime has returned to it.
There is a high volume of identity entities being created in the memory cache.
Vault is experiencing a Go-level memory leak in the Raft FSM.
Answer: B
Explanation: `heap_inuse_bytes` tracks memory currently being used by Vault's Go objects. `sys_bytes`
tracks the total memory obtained from the OS. If `inuse` is stable but `sys` is high or growing, it often
means the Go garbage collector has freed the memory (making it available for reuse by Vault), but it hasn't
been released back to the OS, or the OS hasn't yet reclaimed those pages. This is common behavior for the Go runtime and is often managed by the `GOMEMLIMIT` environment variable in newer versions.
During deployment of a Vault Enterprise HA cluster with integrated storage on Kubernetes using Helm chart v0.25.0, pods in different namespaces fail to form quorum due to mismatched storage class and TLS certs. Which steps correctly configure HA? (Choose TWO)
Configure injector.externalVaultAddr pointing to LoadBalancer service for client access during leader changes
Set server.ha.enabled = true and server.integratedStorage.enabled = true in values.yaml with raft.nodeSecret for TLS
Deploy StatefulSet with volumeClaimTemplates using ReadWriteOnce storage class provisioned across multiple AZs
Enable server.standby = true on all replicas to force performance standby mode immediately
Answer: B,C
Explanation: Enabling ha and integratedStorage in Helm values with raft.nodeSecret provisions TLS-
secured Raft communication essential for Kubernetes HA clusters. Using StatefulSet with ReadWriteOnce
storage class ensures persistent Raft data volumes survive pod restarts and maintain quorum across AZs.
Multi-tenancy namespaces in Vault Enterprise PaaS: root enables secret/ engine, ns-beta tunes max_ttl=7d. Cross-ns read denied despite root policy. Which interpretations fix tenant isolation?
Token namespaces param lists allowed children only
Tuning inheritance requires explicit ns path override
Audit log prefixing enables per-tenant forensics
Sub-ns creation cascades policies recursively
Answer: A,C,D
Explanation: Tokens restrict via allowed_namespaces=["ns-beta"], blocking root-to-child leaks. Logs prefix
ns-beta/, segregating audits natively. Sub-namespaces inherit cascadingly unless tuned, scaling tenant
hierarchies.
For Vault clients in serverless functions, secure introduction requires which zero-trust validations?
Inject via orchestrator with secret zeroing post cold-start completion
Verify platform metadata endpoints before token issuance
Use function-specific policies with dynamic TTL matching invocation
Audit function ARN bindings in auth role configurations strictly
Answer: B,C
Explanation: Platform metadata verification establishes trusted identity without static creds. Dynamic TTL
matching invocation limits ephemeral access duration.
Scenario Title: Secure Introduction of RoleID and SecretID
Environment Description: You are setting up AppRole authentication for a microservice. You have created
the role but need to distribute the `role_id` and `secret_id` securely.
Inspection Instructions:
`vault read auth/approle/role/my-app/role-id`
`vault write -f auth/approle/role/my-app/secret-id`
To implement the "Pull" design pattern for the SecretID, what constraint should be applied to the token used by the application to fetch its SecretID?
The token must be tied to the `default` policy only.
The token should be a root token.
The token should be response-wrapped and have a short TTL with a limited number of uses.
The token must have the `sudo` capability on the `auth/approle/role/+/secret-id` path.
Answer: C
Explanation: In a secure "Pull" pattern, a trusted orchestrator (like Terraform or a CI tool) generates a
response-wrapped SecretID or a short-lived token that can only perform the `write` operation on the
`secret-id` generation path. By wrapping this or limiting its use, you ensure that even if the delivery
mechanism is compromised, the "SecretID" (which is the sensitive part of the AppRole) is protected and
its theft is detectable.
For Vault DR replication in Kubernetes across data centers, which security model practices ensure operation integrity?
Configure namespace-specific DR ops to prevent cross-tenant leaks
Promote secondary only after verifying primary health via automated job
Use TLS-encrypted replication traffic with node mutual auth
Distribute DR operation tokens with short TTL via Kubernetes secrets
Answer: A,C
Explanation: TLS with mutual auth secures replication traffic between clusters, protecting against
eavesdropping or tampering per security barrier design. Namespace-specific configs during DR promotion
maintain multi-tenant isolation, avoiding leaks in failover scenarios.
Scenario Title: Secure Introduction via AppRole and Response Wrapping
Environment Description: A CI/CD pipeline needs to provision a `role_id` and `secret_id` to a fleeting
Jenkins agent. The security team mandates that the `secret_id` must never exist in plain text within the
CI/CD logs or the orchestrator's environment variables.
Inspection Instructions:
`vault write -f auth/approle/role/jenkins/secret-id`
`vault read sys/wrapping/lookup/`
`vault policy read jenkins-policy`
Which workflow ensures the "Secure Introduction" principle is maintained for the Jenkins agent?
Deliver the `role_id` via environment variable and the `secret_id` via a 30-second TTL wrapped token
Use a response-wrapped `role_id` while keeping the `secret_id` as a permanent static credential
Provide a CIDR-restricted `secret_id` that is hardcoded into the Jenkins agent's Docker image
Generate a `secret_id` with a usage limit of 0 and send it via an encrypted SSH tunnel
Answer: A
Explanation: The correct option states to deliver the role\_id via environment variable and the secret\_id
via a 30-second TTL wrapped token. Response wrapping is a core component of the Vault security model
for secure introduction, ensuring that only the intended recipient can unwrap the secret and providing an
audit trail if the wrap is intercepted (as it would fail to unwrap).
Scenario Title: Monitoring Vault's Entropy Augmentation
Environment Description: A Vault Enterprise cluster is running on a virtualized environment with low
hardware entropy. The team has enabled the "Entropy Augmentation" feature using a supported PKCS#11
HSM.
Inspection Instructions:
`vault read sys/entropy/status`
`vault read sys/metrics`
`ls -l /dev/random`
Any changes you make will NOT affect grading — only your answer selection is scored.
Which metric would best allow an operator to monitor if Vault is successfully utilizing the HSM for entropy augmentation during cryptographic operations?
`vault.entropy.external.count`
`vault.core.external_entropy.upsert`
`vault.hsm.entropy.pulls`
`vault.core.entropy_source`
Answer: A
Explanation: When Entropy Augmentation is enabled in Vault Enterprise, Vault can pull high-quality
entropy from an external source (like an HSM) for its internal operations. The metric
`vault.entropy.external.count` tracks the number of times Vault successfully retrieved entropy from the
configured external source. Monitoring this ensures that the HSM integration is functional and that Vault
isn't falling back to the system's potentially depleted entropy pool.
When deploying Vault Enterprise in Kubernetes with Istio service mesh, which security implications must be addressed for mTLS enforcement?
Use SPIFFE auth method for workload identity verification without JWT tokens
Configure NetworkPolicies to isolate Vault namespace from application pods
Enable Vault PKI engine as internal CA for automated certificate lifecycle
Deploy Vault Secrets Operator with CSI driver for direct pod secret mounting
Answer: B,C
Explanation: NetworkPolicies isolate the Vault namespace, preventing lateral movement if applications are
compromised while allowing only trusted ingress. Vault's PKI engine automates mTLS certificate issuance
and rotation for service-to-service encryption in Istio, eliminating manual PKI management.
Scenario Title: Vault Agent Auto-Auth with AppRole
Environment Description: A Kubernetes sidecar is running Vault Agent to provide secrets to a legacy
application. The Agent is configured with the AppRole auth method. The `role_id` is baked into the image,
and the `secret_id` is provided via a local file.
Inspection Instructions:
`cat /etc/vault/agent-config.hcl`
`vault agent -config=/etc/vault/agent-config.hcl`
`cat /tmp/vault-token`
`ls -l /var/run/secrets/vault/`
The Vault Agent successfully authenticates and writes a token to the sink. However, when the application attempts to use the token 2 hours later, the token is invalid, even though the AppRole token TTL is set to 24 hours. What is the most likely cause?
The Vault Agent process exited after the initial login, so it stopped renewing the token.
The sink file permissions prevented the Agent from updating the token on disk.
The Agent configuration lacks an `auto_auth` method for token renewal.
The `secret_id` file was deleted by the Agent, causing immediate token revocation.
Answer: A
Explanation: Vault Agent's `auto_auth` functionality includes an active manager that handles the lifecycle
of the acquired token. If the Agent is not running as a long-lived daemon (for example, if it was run with a
one-shot command or crashed), it cannot perform the necessary background renewals. Even if the TTL is
24 hours, the token may expire or be revoked if it is not explicitly maintained by a running Agent.
Scenario Title: Verifying Entropy Augmentation through Metrics
Environment Description: A Vault Enterprise cluster is running on a Linux VM with hardware-based
entropy augmentation enabled. You need to verify that Vault is successfully utilizing the `entropy`
augmentation feature for cryptographic operations.
Inspection Instructions:
Look for `vault.entropy.external.success` in the Prometheus output.
Check the Vault configuration file for the `entropy "device"` block.
Review operational logs for "entropy: source successfully initialized".
Any changes you make will NOT affect grading — only your answer selection is scored.
Which telemetry metric provides the most direct evidence that Vault is using an external entropy source for secret generation?
`vault.core.check_entropy`
`vault.audit.log.request`
`vault.token.creation.entropy`
`vault.entropy.source.count`
Answer: D
Explanation: Vault Enterprise supports entropy augmentation to ensure high-quality randomness. The
metric `vault.entropy.source.count` (or similar depending on the specific provider) tracks the interaction
with the external entropy source. Monitoring this value ensures that the cluster is not falling back to
standard pseudo-random number generators due to a failure in the hardware or external entropy module.
A security team is reviewing Vault Enterprise deployment in Kubernetes, where Vault is running as a deployment with multiple replicas. They want to ensure that no Vault‑specific vulnerabilities arise from the Kubernetes orchestration model. Which two points should they validate?
Allow the Vault deployment to run in the default namespace alongside other workloads.
Confirm that Vault’s storage backend (e.g., Consul) is isolated from other tenants in the cluster and not
shared.
Store all Vault‑related secrets in Kubernetes Secrets without encryption.
Verify that Vault’s unseal‑key and auto‑unseal providers are not exposed via Kubernetes Secrets in
plaintext.
Answer: B,D
Explanation: Ensuring Vault’s storage backend is isolated from other tenants prevents cross‑tenant
exposure and maintains Vault’s security model, since Consul‑based backends can be accessed by other
pods if not properly segmented. Protecting unseal keys and auto‑unseal configuration (for example via
transit‑encrypted storage or external KMS) prevents attackers who compromise the Kubernetes control
plane from obtaining the ability to re‑seal or re‑configure Vault. Running Vault in default namespaces
alongside other workloads or storing unseal‑related secrets in plain Kubernetes Secrets increases the risk of
misconfiguration and lateral‑movement‑based attacks.
Scenario Title: Monitoring Batch Token Usage for Performance Tuning
Environment Description: To reduce pressure on the Raft storage, your team has migrated several high-
frequency applications to use Batch Tokens. You need to monitor the impact of this change on the
cluster's performance.
Inspection Instructions:
Monitor `vault.token.creation` and filter by type.
Check `vault.storage.raft.replication.appendEntries` frequency.
Observe the `vault.expire.num_leases` metric.
Any changes you make will NOT affect grading — only your answer selection is scored.
Which trend in telemetry would confirm that Batch Tokens are successfully reducing storage overhead?
An increase in `vault.core.check_token` latency.
A decrease in `vault.storage.put` and `vault.storage.delete` operations relative to the number of
authentications.
A spike in `vault.runtime.num_goroutines` during peak authentication periods.
A reduction in the size of the `vault.identity.entity.count` metric.
Answer: B
Explanation: Batch tokens are not persisted to the storage backend. Therefore, unlike Service tokens—
which require a `put` operation on creation and a `delete` operation on expiration/revocation—Batch
tokens should result in a significant decrease in total storage write operations (`vault.storage.put`) even as
the number of authentication events stays the same or increases.
An organization is designing a Vault‑backed secrets‑injection pattern for Kubernetes workloads that must comply with strict data‑residency and encryption‑at‑rest requirements. Which two configurations should be implemented?
Deploy Vault instances in each region and enforce region‑scoped policies that restrict cross‑region secret access.
Use a single global Vault cluster for all regions to simplify operations.
Use Vault‑transit‑backed encryption for Kubernetes‑managed secrets before storing them in etcd.
Store all secrets in plain‑text Kubernetes Secrets without Vault involvement.
Answer: A,C
Explanation: Using Vault‑transit‑backed encryption means secrets are encrypted before being written to
etcd, satisfying encryption‑at‑rest and data‑residency controls even if etcd is compromised. Deploying
region‑scoped Vault clusters with region‑bound policies ensures that secrets are not inadvertently replicated
or accessed across regions, aligning with data‑sovereignty and residency requirements. Storing secrets in
plain‑text Kubernetes Secrets or centralizing all regions under a single cluster without strict region‑scoping
can violate data‑residency and increase cross‑region exposure.
Scenario Title: Detecting Token Exhaustion via Metrics
Environment Description: A high-velocity CI/CD pipeline is causing Vault to generate thousands of short-
lived tokens. The monitoring team wants to set an alert to prevent the `auth/token` store from becoming a
performance bottleneck.
Inspection Instructions:
Examine the `vault.token.creation` metric.
Examine the `vault.token.count` metric.
Check the `vault.expire.num_leases` metric.
Any changes you make will NOT affect grading — only your answer selection is scored.
Which metric is the most critical to monitor for identifying a potential "Lease Explosion" where the number of active tokens might impact Vault's ability to perform revocation and expiration tasks?
`vault.token.creation_rate`
`vault.core.active_tokens`
`vault.token.count.by_policy`
`vault.expire.num_leases`
Answer: D
Explanation: In Vault, tokens and secrets are managed as leases. The `vault.expire.num_leases` metric
tracks the total number of active leases in the system. When this number grows excessively high (a "Lease
Explosion"), the expiration manager (which runs on the leader) must work harder to track and revoke
them, which can consume significant CPU and slow down the cluster.
access.
Instructions / Tasks:
Create group in root namespace.
Add entities from different namespaces.
Attach policy to group.
Verify cross-namespace access via group.
Success Criteria:
Group membership grants policy in child namespaces.
Isolation preserved for non-group paths. Time estimate for this lab: 19 minutes
Environment Description: Critical application using Vault Agent templating. Exit if secret unavailable.
Instructions / Tasks:
Set exit_on_retry_failure = true in template_config.
Configure template with required secret.
Simulate Vault outage.
Verify Agent exits on persistent failure.
Success Criteria:
Agent exits when template cannot render after retries.
Prevents app start with stale/missing secrets. Time estimate for this lab: 18 minutes
increasing lag in replication status.
Instructions / Tasks:
Check sys/replication/status on secondary.
Inspect logs for replication errors.
Verify network connectivity and license.
Adjust replication settings if needed.
Confirm sync recovery.
Success Criteria:
Lag reduced to near zero.
Replication status "stream-wal".
Reads consistent across clusters. Time estimate for this lab: 24 minutes
Instructions / Tasks:
Create control group policy requiring MFA entity.
Combine with Sentinel for additional checks.
Test access with/without second factor.
Verify combined enforcement.
Success Criteria:
Access denied without control group approval.
Sentinel adds further restrictions. Time estimate for this lab: 23 minutes
tokens under load.
Instructions / Tasks:
Create AppRoles for batch and service.
Run auth load test.
Measure latency and storage growth.
Confirm batch superiority.
Success Criteria:
Batch tokens show lower latency.
No token storage growth for batch.
Standbys handle increased auth load. Time estimate for this lab: 25 minutes
Enterprise binary in PATH. No Vault running. TLS certificates and keys available at
/etc/vault/tls/ (ca.pem, node1.pem, node1-key.pem etc., with SANs matching node IPs). Minimal config.hcl at /etc/vault/config.hcl on each node. Private network allows inter-node communication on ports 8200/8201.
Instructions / Tasks:
Update config.hcl on all three nodes to use Raft storage with unique node_id, cluster_addr, retry_join blocks using TLS leader_* settings, listener with TLS, and disable_mlock=true (per integrated storage best practices).
Start Vault server on each node in background.
On node1, initialize with default shares/threshold.
Unseal node1 using generated keys.
Join node2 and node3 to the cluster.
Verify Raft status and promote to healthy HA cluster.
Success Criteria:
vault status on all nodes shows "Sealed: false", "HA Enabled: true", "Leader: true" (one node) or "Leader: false".
vault operator raft list-peers shows three healthy voters with matching node_ids.
All nodes can read/write to sys/health without errors.
Raft logs in storage path confirm quorum formation.
vault operator raft autopilot state shows "Healthy" and "Redundancy zones" compliant.
No seal errors in logs; TLS handshake successful between nodes. Time Estimate: 20 minutes
# On all nodes: edit /etc/vault/config.hcl storage "raft" {
path = "/opt/vault/data"
node_id = "node1" # unique per node: node1/node2/node3 cluster_addr = "https://<node-ip>:8201"
retry_join {
leader_api_addr = "https://node1-ip:8200" leader_ca_cert_file = "/etc/vault/tls/ca.pem" leader_client_cert_file = "/etc/vault/tls/nodeX.pem" leader_client_key_file = "/etc/vault/tls/nodeX-key.pem"
}
}
listener "tcp" {
address = "0.0.0.0:8200"
cluster_address = "0.0.0.0:8201" tls_cert_file = "/etc/vault/tls/nodeX.pem" tls_key_file = "/etc/vault/tls/nodeX-key.pem"
}
disable_mlock = true
# Start on each: vault server -config=/etc/vault/config.hcl &
# On node1:
vault operator init -key-shares=5 -key-threshold=3
# Unseal node1 with 3 keys vault operator unseal <key1> vault operator unseal <key2> vault operator unseal <key3>
# On node2/node3:
vault operator raft join https://node1-ip:8200
vault operator unseal <key1> # repeat for threshold