Vault policies Questions
Practice questions for the Vault policies topic in HashiCorp Certified: Vault Associate (003). 24 questions covering this domain.
A team needs a token that can enumerate keys beneath a path without reading the secret values themselves. Which capability should the policy grant?
An administrator must manage auth method mounts under sys/auth. Which additional policy capability is required beyond ordinary path access?
A token receives one policy granting read access to a path and another policy applying deny to the same path. Which result is correct?
Which two built-in Vault policies cannot be modified or removed?
A new token is created without any policy granting access to a secret path. What is the default access result in Vault?
A policy author needs a wildcard that matches exactly one path segment in a Vault policy path. Which symbol should be used?
A security team wants every request to auth/approle/role/web/secret-id to use response wrapping. Which policy setting achieves that most directly?
Two policy paths could match a request: secret/* and secret/apps/*. A client reads secret/apps/payroll. Which rule wins?
A team uses list capability on a path where key names contain customer IDs. Why is this risky even if the policy does not allow read?
A policy author plans to use allowed_parameters and denied_parameters to constrain writes through a KV v2 path. What limitation applies?
An administrator updates the contents of a policy named app-read. What happens to tokens that already have app-read attached?
A policy should let users list keys in a KV v2 mount at secret/. Which path should receive the list capability?
A platform engineer intentionally wants a token without the built-in default policy. Which CLI option creates that token most directly?
A policy on a write endpoint denies no_store=false but does not require the no_store parameter. What happens if a client omits no_store entirely?
Two attached policies both define the exact path secret/data/app. One grants read and the other grants list. What capabilities does Vault apply for th...
A policy should allow applications to generate database credentials from a database secrets engine role. Which capability is typically required on tha...
Which policy path uses Vault's supported asterisk glob behavior correctly?
When templating a policy with identity values, why does HashiCorp recommend using IDs instead of names where possible?
Which statement correctly describes Vault's two built-in ACL policies?
Which formats does Vault support for authoring ACL policies?