Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

HashiCorp Vault-Associate Exam - Topic 4 Question 42 Discussion

Which of the following statements are true about Vault policies? Choose two correct answers.
C) Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault and E) Policies deny by default (empty policy grants no permission)
A) The default policy can not be modified
B) You must use YAML to define policies
D) Vault must be restarted in order for a policy change to take an effect

HashiCorp Vault-Associate Exam - Topic 4 Question 42 Discussion

Actual exam question for HashiCorp's Vault-Associate exam
Question #: 42
Topic #: 4
[All Vault-Associate Questions]

Which of the following statements are true about Vault policies? Choose two correct answers.

Show Suggested Answer Hide Answer
Suggested Answer: C, E

Vault policies are written in HCL or JSON format and are attached to tokens or roles by name. Policies define the permissions and restrictions for accessing and performing operations on certain paths and secrets in Vault.Policies are deny by default, which means that an empty policy grants no permission in the system, and any request that is not explicitly allowed by a policy is implicitly denied1. Some of the features and benefits of Vault policies are:

Policies are path-based, which means that they match the request path to a set of rules that specify the allowed or denied capabilities, such as create, read, update, delete, list, sudo, etc2.

Policies are additive, which means that if a token or a role has multiple policies attached, the effective policy is the union of all the individual policies.The most permissive capability is granted if there is a conflict3.

Policies can use glob patterns, such as * and +, to match multiple paths or segments with a single rule.For example, path ''secret/*'' matches any path starting with secret/, and path ''secret/+/config'' matches any path with two segments after secret/ and ending with config4.

Policies can use templating to interpolate certain values into the rules, such as identity information, time, randomness, etc.For example, path ''secret/{{identity.entity.id}}/*'' matches any path starting with secret/ followed by the entity ID of the requester5.

Policies can be managed by using the vault policy commands or the sys/policy API endpoints.You can write, read, list, and delete policies by using these interfaces6.

The default policy is a built-in policy that is attached to all tokens by default and cannot be deleted. However, the default policy can be modified by using the vault policy write command or the sys/policy API endpoint.The default policy provides common permissions for tokens, such as renewing themselves, looking up their own information, creating and managing response-wrapping tokens, etc7.

You do not have to use YAML to define policies, as Vault supports both HCL and JSON formats.HCL is a human-friendly configuration language that is also JSON compatible, which means that JSON can be used as a valid input for policies as well8.

Vault does not need to be restarted in order for a policy change to take effect, as policies are stored and evaluated in memory. Any change to a policy is immediately reflected in the system, and any token or role that has that policy attached will be affected by the change.


by Dominga at Jul 08, 2025, 02:54 AM

Limited Time Offer

25%

Off

Get Premium Vault-Associate Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Carrol
5 months ago
You can define policies in YAML, but it's not the only way!
upvoted 0 times
...
Stefania
6 months ago
Wait, can the default policy actually be modified?
upvoted 0 times
...
Denna
6 months ago
Totally agree, C is definitely true!
upvoted 0 times
...
Hildred
6 months ago
Policies provide a declarative way to grant or forbid access.
upvoted 0 times
...
Vernell
6 months ago
D is false, no need to restart Vault for policy changes.
upvoted 0 times
...
Haydee
6 months ago
I believe policies deny by default, which makes sense for security, so E seems like a safe choice.
upvoted 0 times
...
Lorriane
7 months ago
I'm a bit confused about whether you need YAML for policies. I feel like I saw examples in JSON too, but I can't recall clearly.
upvoted 0 times
...
Daniel
7 months ago
I remember practicing a question about how policies work, and I think they do provide a way to manage access, so maybe C is correct.
upvoted 0 times
...
Sol
7 months ago
I think the default policy can be modified, but I'm not entirely sure. It feels like I read something about that.
upvoted 0 times
...
Leota
7 months ago
I've got a good handle on Vault policies. I know they use YAML and that they deny access by default. I'll select those two options and move on to the next question.
upvoted 0 times
...
Becky
8 months ago
I'm a little confused about the default policy. Can it really not be modified? That doesn't seem right to me. I'll select the declarative access and deny by default options, but I'm not 100% sure about the default policy.
upvoted 0 times
...
Wilbert
8 months ago
Okay, let's see here. I remember that Vault policies are used to control access, but I can't recall if you have to restart Vault for changes to take effect. I'll go with the declarative access and deny by default options for now.
upvoted 0 times
...
Tamie
8 months ago
Hmm, I'm a bit unsure about the default policy and whether it can be modified. I'll need to double-check that one. The YAML part seems straightforward, though.
upvoted 0 times
...
Emiko
8 months ago
I'm pretty confident about this one. I know that Vault policies provide a declarative way to grant or forbid access, and that they deny by default. I'll select those two options.
upvoted 0 times
...
Wilford
10 months ago
I believe A and D are false, as you can modify the default policy without restarting Vault.
upvoted 0 times
...
Temeka
10 months ago
I agree with Eric, policies in Vault do provide a way to control access and they deny by default.
upvoted 0 times
...
Murray
11 months ago
Wait, the default policy can't be modified? That's a bit restrictive. Oh well, C and E it is.
upvoted 0 times
...
Olga
11 months ago
Ha, I bet the Vault developers have a policy that they can't restart the service every time someone wants to change a policy. C and E seem like the way to go.
upvoted 0 times
Truman
10 months ago
Yeah, it would be a hassle if they had to restart the service every time a policy change is made.
upvoted 0 times
...
Maddie
10 months ago
I agree, C and E are the correct statements about Vault policies.
upvoted 0 times
...
...
Andra
11 months ago
Hmm, I thought you had to use JSON for policies. Good to know YAML works too. And C and E sound right to me.
upvoted 0 times
Patrick
10 months ago
Yes, policies provide a way to control access and deny by default.
upvoted 0 times
...
Elke
10 months ago
YAML is an option for defining policies.
upvoted 0 times
...
...
Eric
11 months ago
I think C and E are true.
upvoted 0 times
...
Karol
11 months ago
C and E are definitely true. Vault policies are all about controlling access, and the default is to deny everything unless explicitly granted.
upvoted 0 times
Kerry
10 months ago
Yes, the default policy can not be modified and policies deny by default. So, C and E are the correct statements.
upvoted 0 times
...
Tricia
10 months ago
That's correct! Policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.
upvoted 0 times
...
Dorathy
11 months ago
C and E are definitely true. Vault policies are all about controlling access, and the default is to deny everything unless explicitly granted.
upvoted 0 times
...
...

Save Cancel