HashiCorp Exam Vault-Associate Topic 3 Question 5 Discussion

Actual exam question for HashiCorp's HashiCorp Certified: Vault Associate (002) exam
Question #: 5
Topic #: 3

Which of the following statements are true about Vault policies? Choose two correct answers.

Suggested Answer: C, E

Vault policies are written in HCL or JSON format and are attached to tokens or roles by name. Policies define the permissions and restrictions for accessing and performing operations on certain paths and secrets in Vault. Policies are deny by default, which means that an empty policy grants no permission in the system, and any request that is not explicitly allowed by a policy is implicitly denied. Some of the features and benefits of Vault policies are:

Policies are path-based, which means that they match the request path to a set of rules that specify the allowed or denied capabilities, such as create, read, update, delete, list, sudo, etc.

Policies are additive, which means that if a token or a role has multiple policies attached, the effective policy is the union of all the individual policies. The most permissive capability is granted if there is a conflict.

Policies can use glob patterns, such as * and +, to match multiple paths or segments with a single rule. For example, path "secret/*" matches any path starting with secret/, and path "secret/+/config" matches any path with two segments after secret/ and ending with config.

Policies can use templating to interpolate certain values into the rules, such as identity information, time, randomness, etc. For example, path "secret/{{identity.entity.id}}/*" matches any path starting with secret/ followed by the entity ID of the requester.

Policies can be managed by using the vault policy commands or the sys/policy API endpoints. You can write, read, list, and delete policies by using these interfaces.

The default policy is a built-in policy that is attached to all tokens by default and cannot be deleted. However, the default policy can be modified by using the vault policy write command or the sys/policy API endpoint. The default policy provides common permissions for tokens, such as renewing themselves, looking up their own information, creating and managing response-wrapping tokens, etc.

You do not have to use YAML to define policies, as Vault supports both HCL and JSON formats. HCL is a human-friendly configuration language that is also JSON compatible, which means that JSON can be used as a valid input for policies as well.

Vault does not need to be restarted in order for a policy change to take effect, as policies are stored and evaluated in memory. Any change to a policy is immediately reflected in the system, and any token or role that has that policy attached will be affected by the change.
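To make the rules above concrete, here is a small added Python model (not Vault's code, and not the exact precedence logic Vault uses) of how a policy set is evaluated: deny by default, union across attached policies, a trailing `*` as a prefix glob, `+` as a single-segment wildcard, and `{{identity.entity.id}}` templating. The policy names, paths and entity ID are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample policies (hypothetical names). Each maps a path rule to the
# capabilities a `path "..." { capabilities = [...] }` HCL stanza would declare.
POLICIES: Dict[str, Dict[str, Set[str]]] = {
    "app-reader":     {"secret/data/app/*": {"read", "list"}},
    "config-updater": {"secret/data/+/config": {"update"}},
    "self-service":   {"secret/data/{{identity.entity.id}}/*": {"create", "read", "update", "delete"}},
}

def render_template(rule: str, identity: Dict[str, str]) -> str:
    """Interpolate the {{identity.entity.id}} template parameter into a path rule."""
    return rule.replace("{{identity.entity.id}}", identity["entity_id"])

def rule_to_regex(rule: str) -> "re.Pattern[str]":
    """Compile a Vault-style path rule: '+' matches exactly one segment, a trailing '*' any suffix."""
    star = rule.find("*")
    if star != -1 and star != len(rule) - 1:
        raise ValueError("'*' is only valid at the end of a path rule")
    parts: List[str] = []
    for seg in rule.split("/"):
        if seg == "+":
            parts.append("[^/]+")
        elif seg.endswith("*"):
            parts.append(re.escape(seg[:-1]) + ".*")
        else:
            parts.append(re.escape(seg))
    return re.compile("^" + "/".join(parts) + "$")

def effective_capabilities(attached: List[str], request_path: str, identity: Dict[str, str]) -> Set[str]:
    """Union of the capabilities of every attached policy whose rule matches the request path."""
    caps: Set[str] = set()
    for name in attached:
        for rule, rule_caps in POLICIES[name].items():
            if rule_to_regex(render_template(rule, identity)).match(request_path):
                caps |= rule_caps
    return caps

def is_allowed(attached: List[str], request_path: str, capability: str, identity: Dict[str, str]) -> bool:
    """Deny by default: no attached policy, or no matching rule, yields no capability at all."""
    caps = effective_capabilities(attached, request_path, identity)
    if "deny" in caps:  # an explicit deny capability always wins over any grant
        return False
    return capability in caps

if __name__ == "__main__":
    who = {"entity_id": "e-1234"}  # constructed requester identity
    print(is_allowed([], "secret/data/app/db", "read", who))  # False: empty policy set
    print(is_allowed(["app-reader", "config-updater"], "secret/data/app/config", "update", who))  # True: union
```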


Contribute your Thoughts:

Farrah
4 days ago
Alright, let's see here. I'm going with C and E as well. Policies are all about controlling access, and the default is to deny everything unless you explicitly allow it. As for the other options, I'm leaning towards A being false - you can definitely modify the default policy. And D is just plain wrong, no need to restart Vault for policy changes.
upvoted 0 times
Allene
5 days ago
Haha, yeah, Vault exams are always a fun ride. I think B is a trick question - you can use either YAML or JSON to define policies. And I'm with you guys on C and E being the correct answers. As for the default policy, I'm pretty sure you can modify it, you just have to be careful.
upvoted 0 times
Garry
6 days ago
I agree with C and E, those seem pretty straightforward. But I'm not sure about modifying the default policy - I thought that was actually possible. And I'm pretty sure you don't need to restart Vault for policy changes to take effect. This exam loves to throw in trick questions, doesn't it?
upvoted 0 times
Abel
7 days ago
Hmm, this is a tricky one. I think the correct answers are C and E - policies provide a declarative way to grant or forbid access, and they deny by default if no permissions are specified. But I'm not totally sure about B, using YAML to define policies. Isn't it also possible to use JSON?
upvoted 0 times
