EMT Practice Test

1. Question Content...


Question List

Question1: When creating a policy, an error was thrown:

Which statement describes the fix for this issue?

Question2: You are using Vault CLI and enable the database secrets engine on the default path of database/. However, the DevOps team wants to enable another database secrets engine for testing but receives an error stating the path is already in use. How can you enable a second database secrets engine using the CLI?

Question3: An organization would like to use a scheduler to track & revoke access granted to a job (by Vault) at completion. What auth-associated Vault object should be tracked to enable this behavior?

Question4: True or False? Once you authenticate to Vault using the API, subsequent requests will automatically be permitted without further interaction.

Question5: What command would have created the token displayed below?
$ vault token lookup hvs.nNeZ2I64ALCxuO7dqQEJGPrO
Key: policies Value: [default dev], num_uses: 5, ttl: 767h59m49s
* Key Value
* --- -----
* accessor mfvaVMFgOcXHIeqlRasroSOn
* creation_time 1604610457
* creation_ttl 768h
* display_name token
* entity_id n/a
* expire_time 2024-12-07T16:07:37.7540672-05:00
* explicit_max_ttl 0s
* id hvs.nNeZ2I64ALCxuO7dqQEJGPrO
* issue_time 2024-11-05T16:07:37.7540672-05:00
* meta <nil>
* num_uses 5
* orphan false
* path auth/token/create
* policies [default dev]
* renewable true
* ttl 767h59m49s
* type service

Question6: What is the default maximum time-to-live (TTL) for a token, measured in days?

Question7: Which statement best explains the role and usage of storage backends in HashiCorp Vault?

Question8: Suzy is a Vault user that needs to create and replace values at the path secrets/automation/apps/chef. Does the following policy permit her the permissions to do so?
text
CollapseWrapCopy
path "secrets/automation/apps/chef" {
capabilities = ["create", "read", "list"]
}

Question9: You have enabled the Transit secrets engine and want to start encrypting data to store in Azure Blob storage.
What is the next step that needs to be completed before you can encrypt data? (Select two)

Question10: The following three policies exist in Vault. What do these policies allow an organization to do?

Question11: Which of the following describes the Vault's auth method component?

Question12: Below is a list of parent and child tokens and their associated TTL. Which token(s) will be revoked first?

Question13: When using the Vault Secrets Operator, where is the secret written to after being retrieved from Vault?

Question14: A Fintech company is using Vault to store its static long-lived credentials so automated processes can quickly retrieve secrets. A user needs to add a new static secret for a new automated job. What CLI commands can be used to store a new static credential? (Select two)

Question15: You are deploying Vault in a local data center, but want to be sure you have a secondary Vault cluster in the event the primary cluster goes offline. In the secondary data center, you have applications that are running, as they are architected to run active/active. Which type of replication would be best in this scenario?

Question16: An application is trying to use a dynamic secret in which the lease has expired. What can be done in order for the application to successfully request data from Vault?

Question17: Where does the Vault Agent store its cache?

Question18: Tommy has written an AWS Lambda function that will perform certain tasks for the organization when data has been uploaded to an S3 bucket. Security policies for the organization do not allow Tommy to hardcode any type of credential within the Lambda code or environment variables. However, Tommy needs to retrieve a credential from Vault to write data to an on-premises database. What auth method should Tommy use in Vault to meet the requirements while not violating security policies?

Question19: After encrypting data using the Transit secrets engine, you've received the following output. Which of the following is true based on the output displayed below?
Key: ciphertext Value: vault:v2:
45f9zW6cglbrzCjI0yCyC6DBYtSBSxnMgUn9B5aHcGEit71xefPEmmjMbrk3

Question20: What features are offered by the Vault Agent? (Select three)

Question21: Your supervisor has requested that you log into Vault and update a policy for one of the development teams.
You successfully authenticated to Vault via OIDC but do not see a way to manage the Vault policies. Why are you unable to manage policies in the Vault UI?

Question22: What is the Vault CLI command to query information about the token the client is currently using?

Question23: You've hit the URL for the Vault UI, but you're presented with this screen. Why doesn't Vault present you with a way to log in?

Question24: You have a CI/CD pipeline using Terraform to provision AWS resources with static privileged credentials.
Your security team requests that you use Vault to limit AWS access when needed. How can you enhance this process and increase pipeline security?

Question25: True or False? To encrypt existing encrypted data with the latest version of the encryption key, you need to first decrypt it and then request Vault to re-encrypt it with the latest version of the encryption key.

Question26: You have successfully authenticated using the Kubernetes auth method, and Vault has provided a token. What HTTP header can be used to specify your token when you request dynamic credentials? (Select two)

Question27: True or False? Once you create a KV v1 secrets engine and place data in it, there is no way to modify the mount to include the features of a KV v2 secrets engine.

Question28: The vault lease renew command increments the lease time from:

Question29: Your team uses the Transit secrets engine to encrypt all data before writing it to a MySQL database server.
During testing, you manually retrieve ciphertext from the database and decrypt it to ensure the data can be read. After decrypting the data, you are worried something is wrong because the plaintext data isn't legible.
Why can you not read the original plaintext data after decrypting the ciphertext?
* $ vault write transit/decrypt/krausen-key ciphertext=vault:v1:8SDd3WHDOjf7mq69C.....
* Key Value
* --- -----
* plaintext Zml2ZSBzdGFyIHByYWN0aWNlIGV4YW1zIGJ5IGJyeWFuIGtyYXVzZW4=

Question30: You have logged into the Vault UI and see this screen. What Vault component is being enabled in the screenshot below?

Question31: Which of the following secrets engines can store static secrets in Vault for future retrieval?

Question32: Which of these is not a benefit of dynamic secrets?

Question33: In Vault, there are two main types of tokens, batch and service. Which of the following is true about the renewable capabilities of each?

Question34: You are the primary Vault operator. During a routine audit, an auditor requested the ability to display all secrets under a specific path in Vault without seeing the actual stored data. Which policy permits the auditor to display the stored secrets without revealing their contents?

Question35: * A Jenkins server is using the following token to access Vault. Based on the lookup shown below, what type of token is this?$ vault token lookup hvs.FGP1A77Hxa1Sp6Pkp1yURcZB
* Key Value
* --- -----
* accessor RnH8jtgrxBrYanizlyJ7Y8R
* creation_time 1604604512
* creation_ttl 24h
* display_name token
* entity_id n/a
* expire_time 2025-11-06T14:28:32.8891566-05:00
* explicit_max_ttl 0s
* id hvs.FGP1A77Hxa1Sp6KRau5eNB
* issue_time 2025-11-06T14:28:32.8891566-05:00
* meta <nil>
* num_uses 0
* orphan false
* path auth/token/create
* period 24h
* policies [admin default]
* renewable true
* ttl 23h59m50s
* type service

Question36: Which of the following is true about the token authentication method in Vault? (Select three)

Question37: You have a long-running app that cannot handle a regeneration of a token or secret. What type of token should be created for this application in order to authenticate and interact with Vault?

Question38: Which of the following statements best describes the difference between static and dynamic credentials in a secrets management system?

Question39: An organization wants to authenticate an AWS EC2 virtual machine with Vault to access a dynamic database secret. The only authentication method which they can use in this case is AWS.

Question40: True or False? The following policy permits a user to read secrets contained in the path secrets/cloud/apps
/jenkins?
text
CollapseWrapCopy
path "secrets/cloud/apps/jenkins/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}

Question41: Which of the following are benefits of using the Vault Secrets Operator (VSO)? (Select three)

Question42: Assuming default configurations, which of the following operations require a threshold of key shares to perform? (Select three)

Question43: You need to create a limited-privileged token that isn't impacted by the TTL of its parent. What type of token should you create?

Question44: Which of the following Vault policies will allow a Vault client to read a secret stored at secrets/applications
/app01/api_key?

Question45: Your organization recently suffered a security breach on a specific application, and the security response team believes that MySQL database credentials were likely obtained during the event. The application generated the credentials using the database secrets engine in Vault mounted at the path database/. How can you quickly revoke all of the secrets generated by this secrets engine?

Question46: By default, what TCP port does Vault replication use?

Question47: When an auth method is disabled all users authenticated via that method lose access.

Question48: What does the following policy do?

Question49: When configuring Vault replication and monitoring its status, you keep seeing something called 'WALs'.
What are WALs?

Question50: You want to integrate a third-party application to retrieve credentials from the HashiCorp Vault API. How can you accomplish this without having direct access to the source code?

Question51: Your organization runs workloads on both AWS and Azure for production applications. The security team has requested that a single Vault authentication mechanism be enabled to support applications on both public cloud platforms. Which of the following would be a valid auth method you can use?

Question52: Which of the following token attributes can be used to renew a token in Vault (select two)?

Question53: Before the following command can be run to encrypt data, what (three) commands must be run to enable and configure the transit secrets engine in Vault? (Select three) text CollapseWrapCopy
$ vault write transit/encrypt/vendor \
plaintext="aGFzaGljb3JwIGNlcnRpZmllZA=="

Question54: True or False? Performing a rekey operation using the vault operator rekey command creates new unseal
/recovery keys as well as a new root key?

Question55: Your organization is integrating its legacy application with Vault to improve its security. However, you have discovered that the application has issues when the token changes for authentication during testing. What type of token could be used to help alleviate this issue without compromising security?

Question56: What is the result of the following Vault command?
$ vault auth enable kubernetes

Question57: True or False? Although AppRole is designed for machines, humans can use it to authenticate to Vault if you wish.

Question58: True or False? Once the lease for a dynamic secret has expired, Vault revokes the credentials on the backend platform for which they were created (i.e., database, AWS, Kubernetes).

Question59: When using Integrated Storage, which of the following should you do to recover from possible data loss?

Question60: In regards to the Transit secrets engine, which of the following is true given the following command and output (select three):
$ vault write encryption/encrypt/creditcard plaintext=$(base64 <<< "1234 5678 9101 1121") Key: ciphertext Value: vault:v3:cZNHVx+sxdMErXRSuDa1q
/pz49fXTn1PScKfhf+PIZPvy8xKfkytpwKcbC0fF2U=

Question61: You are configuring your application to retrieve a new PKI certificate upon provisioning. The Vault admins have given you an AppRole role-id and secret-id to inject into the CI/CD pipeline job that provisions your app. The application uses the credentials to successfully authenticate to Vault using the API. Which of the following is true about the step next required after authenticating to Vault?

Question62: When a lease is created, what actions can be performed by using only the lease ID? (Choose two)

Question63: True or False? You can create and update Vault policies using the UI.

Question64: A developer has requested access to manage secrets at the path kv/apps/webapp01. You create the policy below which gives them the proper access:
path "kv/apps/webapp01" {
capabilities = ["read", "create", "update", "list"]
}
However, when the developer logs in to the Vault UI, they see the following screenshot and cannot access the desired secret. Why can't the developer see the secrets they need?

Question65: Christy has created a token and needs to use that token to access Vault. What command can she use to authenticate and access secrets stored in Vault?
$ vault token create -policy=christy
Key Value
--- -----
token hvs.hxDIPd8RPVtxu4AzSGS1lArP
token_accessor AxwxpDs6LbdFQbWGmBDnwIK3
token_duration 24h
token_renewable true
token_policies ["christy" "default"]
identity_policies []
policies ["christy" "default"]

Question66: From the options below, select the benefits of using the PKI (x.509 certificates) secrets engine (select three):

Question67: You have ciphertext stored in an Amazon S3 bucket encrypted by the key named prod-customer. Will Vault decrypt this data with the command vault write transit/decrypt/prod-customer ciphertext="vault:v4:
Xa1f9FIJtn13em/Wb7QCsXsU/kCOn7..." given this output?
* $ vault read transit/keys/prod-customer
* Key Value
* --- -----
* ...
* keys map[4:1549347108 5:1549347109 6:1549347110]
* latest_version 6
* min_available_version 0
* min_decryption_version 4
* min_encryption_version 0
Will Vault decrypt this data for you by running the following command?
* $ vault write transit/decrypt/prod-customer ciphertext="vault:v4:Xa1f9FIJtn13em/Wb7QCsXsU
/kCOn7..."

Question68: An Active Directory admin created a service account for an internal application. You want to store these credentials in Vault, allowing a CI/CD pipeline to read and configure the application with them during provisioning. Vault should maintain the last 3 versions of this secret. Which Vault secrets engine should you use?

Question69: Hanna is working with Vault and has been assigned a namespace called integration, where she stores all her secrets. Hanna configured her application to use the following API request, but the request is failing. What changes below will help Hanna correctly retrieve the secret? (Select two)
$ curl \
--header "X-Vault-Token:hvs.lzrmRe5Y3LMcDRmOttEjWoag" \
--request GET \
https://vault.example.com:8200/v1/secret/data/my-secret

Question70: You are using Azure Key Vault for the auto-unseal configuration on your cluster. After the Vault service restarts, what command must you run to unseal Vault?

Question71: Vault enables the generation of dynamic credentials against many different platforms. When generating these credentials, what Vault feature is used to track the credentials?

Question72: The key/value v2 secrets engine is enabled at secret/ See the following policy:

Which of the following operations are permitted by this policy? Choose two correct answers.

Question73: You have TBs of data encrypted by Vault stored in a database and are worried about Vault becoming unavailable and not being able to decrypt the data. Is it possible to export the encryption key to store it somewhere else in the event Vault becomes unavailable?

Question74: You've set up multiple Vault clusters, one on-premises intended to be the primary cluster, and the second cluster in AWS, which was deployed for performance replication. After enabling replication, developers complain that all the data they've stored in the AWS Vault cluster is missing. What happened?

Question75: You can build a high availability Vault cluster with any storage backend.

Question76: Which of the following statements describe the CLI command below?
S vault login -method-1dap username-mitche11h

Question77: Short-lived, dynamically generated secrets provide organizations with many benefits. Select the benefits from the options below. (Select four)

Question78: Your organization has an initiative to reduce and ultimately remove the use of long lived X.509 certificates.
Which secrets engine will best support this use case?

Question79: Which of the following is a machine-oriented Vault authentication backend?

Question80: During a service outage, you must ensure all current tokens and leases are copied to another Vault cluster for failover so applications don't need to authenticate. How can you accomplish this?

Question81: Why are short-lived, dynamic secrets in Vault more secure than long-lived, static credentials?

Question82: Running the second command in the GUI CLI will succeed.

Question83: Select the policies below that permit you to create a new entry of environment=prod at the path /secrets/apps
/my_secret (select three).

Question84: What command is used to extend the TTL of a token, if permitted?

Question85: You are planning the deployment of your first Vault cluster and have decided to use Integrated Storage as the storage backend. Where do you configure the storage backend to be used by Vault?

Question86: You are trying to create a new orphan token but receiving a Permission Denied error. What capabilities are required to create this token without using a root token?

Question87: You are using an orchestrator to deploy a new application. Even though the orchestrator creates anew AppRole secret ID, security requires that only the new application has the combination of the role ID and secret ID. What feature can you use to meet these requirements?

Question88: A new application is being provisioned in your environment. The application requires the generation of dynamic credentials against the Oracle database in order to read reporting data. Which is the best auth method to use to permit the application to authenticate to Vault?

Question89: To give a role the ability to display or output all of the end points under the /secrets/apps/* end point it would need to have which capability set?

Question90: What environment variable overrides the CLI's default Vault server address?

Question91: All Vault instances, or clusters, include two built-in policies that are created automatically. Choose the two policies below and the correct information regarding each policy. (Select two)

Question92: After decrypting data using the Transit secrets engine, the plaintext output does not match the plaintext credit card number that you encrypted. Which of the following answers provides a solution?
$ vault write transit/decrypt/creditcard ciphertext="vault:v1:cZNHVx+sxdMEr......." Key: plaintext Value: Y3JlZGl0LWNhcmQtbnVtYmVyCg==

Question93: You need to decrypt customer data to provide it to an application. When you run the decryption command, you get the output below. Why does the response not directly reveal the cleartext data?
$ vault write transit/decrypt/phone_number ciphertext="vault:v1:tgx2vsxtlQRfyLSKvem..." Key Value
--- -----
plaintext aGFzaGljb3JwIGNlcnRpZmllZDogdmF1bHQgYXNzb2NpYXRl

Question94: You have a legacy application that requires secrets from Vault that must be written to a local configuration file. However, you cannot refactor the application to communicate directly with Vault.What solution should you implement to satisfy the requirements?

Question95: Your organization operates active/active applications across multiple data centers for high availability. Which Vault feature should be used in the secondary data centers to provide local access to secrets?

Question96: A user issues the following cURL command to encrypt data using the transit engine and the Vault AP:

Which payload.json file has the correct contents?

Question97: Tom needs to set the proper environment variable so he doesn't need to first authenticate to Vault toretrieve dynamically generated credentials for a database server. What environment variable does Tom need to set first before running commands?

Question98: You are performing a high number of authentications in a short amount of time. You're experiencing slow throughput for token generation. How would you solve this problem?

Question99: True or False? To prepare for day-to-day operations, the root token should be safely saved outside of Vault in order to administer Vault.

Question100: Which scenario most strongly indicates a need to run a self-hosted Vault cluster instead of using HCP Vault Dedicated?

Question101: Your Azure Subscription ID is stored in Vault and you need to retrieve it via Vault API for an automated job.
The Subscription ID is stored at secret/cloud/azure/subscription. The secret is stored on a KV Version 2 secrets engine. What curl command below would successfully retrieve the latest version of the secret?

Question102: How long does the Transit secrets engine store the resulting ciphertext by default?

Question103: When unsealing Vault, each Shamir unseal key should be entered:

Question104: An authentication method should be selected for a use case based on:

Question105: What command can be used to revoke all leases associated with a database role named prod-mysql?

Question106: How many Shamir's key shares are required to unseal a Vault instance?

Question107: Where do you define the Namespace to log into using the Vault Ul?
To answer this question
Use your mouse to click on the screenshot in the location described above. An arrow indicator will mark where you have clicked. Click the "Answer" button once you have positioned the arrow to answer the question. You may need to scroll down to see the entire screenshot.

Question108: Which of the following is NOT a valid way in which a lease can be revoked in Vault?

Question109: Use this screenshot to answer the question below:

When are you shown these options in the GUI?

Question110: Which of the following statements describe the secrets engine in Vault? Choose three correct answers.

Question111: What occurs when a Vault cluster cannot maintain a quorum while using the Integrated Storage backend?

Question112: From the options below, select the benefits of using the PKI (x.509 certificates) secrets engine (select three):

Question113: Julie is a developer who needs to ensure an application can properly renew its lease for AWS credentials it uses to access data in an S3 bucket. Although the application would generally use the API, what is the equivalent CLI command to perform this action?

Question114: Given the following screenshot, how many secrets engines have been enabled by a Vault user?

Question115: You are using Vault CLI and enable the database secrets engine on the default path of database/. However, the DevOps team wants to enable another database secrets engine for testing but receives an error stating the path is already in use. How can you enable a second database secrets engine using the CLI?

Question116: Based on the screenshot below, how many auth methods have been enabled on this Vault instance?

Question117: If Bobby is currently assigned the following policy, what additional policy can be added to ensure Bobby cannot access the data stored at secret/apps/confidential but still read all other secrets?
path "secret/apps/*" { capabilities = ["create", "read", "update", "delete", "list"] }

Question118: A web application uses Vault's transit secrets engine to encrypt data in-transit. If an attacker intercepts the data in transit which of the following statements are true? Choose two correct answers.

Question119: A security architect is designing a solution to address the "Secret Zero" problem for a Kubernetes-based application that needs to authenticate to HashiCorp Vault. Which approach correctly leverages Vault features to solve this challenge?

Question120: Which auth method is ideal for machine-to-machine authentication?

Question121: When looking at Vault token details, which key helps you find the paths the token is able to access?

Question122: What is a benefit of response wrapping?

Question123: The Vault encryption key is stored in Vault's backend storage.

Question124: Which of the following tokens are representative of a batch token? (Select two)

Question125: Mike's Cereal Shack uses Vault to encrypt customer data to ensure it is always stored securely. They are developing a new application integration to send new customer data to be encrypted using the following API request:
text
CollapseWrapCopy
$ curl \
--header "X-Vault-Token: hvs.sf4vj1rFV5PvQSV3M9dcv832brxQFsfbXA" \
--request POST \
--data @data.json \
https://vault.mcshack.com:8200/v1/transit/encrypt/customer-data
What would be contained within the data.json file?

Question126: To protect the sensitive data stored in Vault, what key is used to encrypt the data before it is written to the storage backend?

Question127: True or False? The userpass auth method has the ability to access external services in order to provide authentication to Vault.

Question128: What is the correct order that Vault uses to protect data?

Question129: Thomas has authenticated to Vault using the API and has received the following response. What data must Thomas parse from the response in order to continue making requests to Vault?
text
CollapseWrapCopy
{
"request_id": "65897160-fd8b-1f87-c24e-fdba14c9728e",
"lease_id": "",
"renewable": false,
"lease_duration": 0,
"data": null,
"wrap_info": null,
"warnings": null,
"auth": {
"client_token": "hvss.lzrmRe5Y3LMcDRmOttEjWoagd92fD29fxakwej_38djs",
"accessor": "EMX0nv4nr0Y1wXoaN7i0WDW1",
"policies": ["bryan", "default"],
"token_policies": ["bryan", "default"],
"metadata": {"username": "bryan"},
"lease_duration": 2764800,
"renewable": true,
"entity_id": "40e203e8-818e-b6ad-4cb3-0befdbf9b598",
"token_type": "service",
"orphan": true
}
}

Question130: How would you describe the value of using the Vault transit secrets engine?

Question131: Elijah manages a legacy application that requires strict control over when its service account credentials change. Which type of credential should be used for this legacy application?

Question132: There are a few ways in Vault that can be used to obtain a root token. Select the valid methods from the answers below. (Select three)

Question133: What command creates a secret with the key "my-password" and the value "53cr3t" at path "my-secrets" within the KV secrets engine mounted at "secret"?

Question134: Which Vault secret engine may be used to build your own internal certificate authority?

Question135: What can be used to limit the scope of a credential breach?