CertGrid

HashiCorp Vault Associate (002) Practice Exam

Validates secrets management fundamentals with Vault — auth methods, secrets engines, policies, tokens, and encryption as a service.

Practice 298 exam-style HashiCorp Vault Associate (002) questions with full answer explanations, then take timed mock exams that score like the real thing.

298 practice questions
57 questions on the real exam
700 passing score
60 min exam length

What the HashiCorp Vault Associate (002) exam covers

Free HashiCorp Vault Associate (002) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 298.

  1. Question 1: Vault Architecture

    What is HashiCorp Vault primarily used for?

    • A. Securely storing, accessing, and dynamically generating secrets, plus encryption as a service (Correct)
    • B. Load balancing
    • C. Resolving DNS
    • D. Running containers
    ✓ Correct answer: A

    HashiCorp Vault is a centralized secrets management platform for storing, accessing, and dynamically generating credentials. It also offers encryption as a service (the transit secrets engine) and policy-based access control, and every request is written to an audit device. Organizations use Vault to reduce standing secrets, automate credential rotation, and keep a complete audit trail of secret access.

    Why the other options are wrong
    • B. Load balancing: Vault is not a load balancer; it is a secrets management system.
    • C. Resolving DNS: DNS resolution is not a feature of HashiCorp Vault.
    • D. Running containers: Vault does not run containers; it manages secrets for the applications that run in them.
  2. Question 2: Policies

    Why is auditing important in Vault?

    • A. To increase bandwidth
    • B. To resolve DNS
    • C. To assign IPs
    • D. Audit devices log every request and response (with sensitive values hashed) for accountability and investigation (Correct)
    ✓ Correct answer: D

    Audit devices (file, syslog, socket) record every authenticated request and its response as a JSON line: who made it (hashed token and accessor, display name, policies), which path and operation, and what came back. Secrets, tokens, and other sensitive values are replaced by their HMAC-SHA256, so the log can be shipped to a SIEM yet still be searched for a known value. Once an audit device is enabled, Vault refuses to service any request it cannot write to at least one device, so the log is a complete record rather than a best-effort one; enable at least two devices so that a full disk on one of them does not take Vault down.

    Why the other options are wrong
    • A. To increase bandwidth: auditing adds I/O; it has nothing to do with bandwidth.
    • B. To resolve DNS: DNS resolution is not related to Vault's functionality.
    • C. To assign IPs: Vault does not allocate IP addresses.
  3. Question 3: Tokens and Leases

    A dynamic database role issues credentials with a 30-day TTL but apps only need them for minutes, causing thousands of active leases to accumulate. What is the most effective tuning to control lease tracking overhead?

    • A. Disable the audit device to save space
    • B. Lower the role's TTL (and max TTL) so leases expire and are purged quickly, reducing the number of tracked leases (Correct)
    • C. Switch the role to a static KV secret
    • D. Increase the TTL to 90 days so renewals happen less often
    ✓ Correct answer: B

    Every credential the database secrets engine issues carries a lease, and Vault's expiration manager tracks each lease in memory and in storage until it expires or is revoked, at which point it drops the database user. With a 30-day TTL and minutes of actual use, nearly every lease issued in the last month is still being tracked. Set `default_ttl` and `max_ttl` when writing the role at `database/roles/<role>` close to real usage, or cap them for the whole mount with `vault secrets tune -default-lease-ttl=1h -max-lease-ttl=24h database/`, and have applications run `vault lease revoke <lease_id>` on exit so the lease does not linger at all.

    Why the other options are wrong
    • A. Disable the audit device to save space: audit devices do not track leases, and disabling them discards the accountability record.
    • C. Switch the role to a static KV secret: this reintroduces a shared, long-lived password with no automatic rotation or revocation.
    • D. Increase the TTL to 90 days so renewals happen less often: longer-lived leases stay tracked longer, so the backlog triples; renewals were never the problem.
  4. Question 4: Vault Architecture

    Which command initializes a new Vault with 5 key shares and a threshold of 3?

    • A. vault operator generate-root -shares=5
    • B. vault init -keys=5 -quorum=3
    • C. vault operator init -key-shares=5 -key-threshold=3 (Correct)
    • D. vault operator unseal -shares=5 -threshold=3
    ✓ Correct answer: C

    `vault operator init` runs exactly once against an empty storage backend. It generates the root key (formerly called the master key) that protects the keyring, Shamir-splits the unseal key that encrypts the root key into `-key-shares` pieces of which `-key-threshold` are needed to unseal, and prints those shares together with the initial root token. Hand the shares to different people, store them out of band, and revoke the initial root token once real auth methods and policies are in place. The defaults are 5 shares and a threshold of 3, so a bare `vault operator init` gives the same result.

    Why the other options are wrong
    • A. vault operator generate-root -shares=5: generate-root creates a new root token on an already initialized Vault by collecting existing unseal shares; it does not initialize anything and has no -shares flag.
    • B. vault init -keys=5 -quorum=3: the pre-0.9.2 `vault init` command took `-key-shares` and `-key-threshold` as well; `-keys` and `-quorum` are not Vault flags.
    • D. vault operator unseal -shares=5 -threshold=3: unseal accepts one share per invocation and is run repeatedly until the threshold is met; it takes no share or threshold counts.
  5. Question 5: Vault Architecture

    In a Vault HA cluster, how do standby nodes handle client requests by default?

    • A. They forward (or redirect) requests to the active node, which alone processes writes (Correct)
    • B. Standbys serve writes while the active node serves only reads
    • C. Standbys reject all client traffic until promoted
    • D. Every standby independently writes to storage in parallel
    ✓ Correct answer: A

    Only one node, the active node, holds the HA lock and talks to the storage backend; the standbys are warm spares waiting to win that lock. By default a standby forwards each request to the active node over the cluster port (8201) and relays the response, so clients can point at any node or at a load balancer. With request forwarding disabled (the `disable_clustering` HA setting), a standby instead answers with a 307 redirect to the active node's `api_addr`. Vault Enterprise performance standbys can additionally serve read-only requests locally.

    Why the other options are wrong
    • B. Standbys serve writes while the active node serves only reads: this inverts the design; writes only ever go through the active node.
    • C. Standbys reject all client traffic until promoted: an unsealed standby accepts connections and forwards or redirects them; it is a sealed node that answers 503.
    • D. Every standby independently writes to storage in parallel: the HA lock exists precisely to guarantee a single writer.
  6. Question 6: Vault Architecture

    When using auto-unseal with a cloud KMS, what is the recovery key threshold used for (since the master key is no longer split by Shamir)?

    • A. Unsealing Vault after every restart
    • B. Encrypting the audit log
    • C. Rotating TLS certificates automatically
    • D. Authorizing privileged operations like generating a new root token or rekeying, not unsealing (Correct)
    ✓ Correct answer: D

    With auto-unseal, the root key (formerly master key) is encrypted by a key held in an external KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS, an HSM via PKCS#11, or another Vault's transit engine). At startup Vault asks the KMS to decrypt it and unseals itself, so nobody types in shares and a restart or an autoscaled replacement node recovers without an operator. Because there are no unseal shares any more, `vault operator init` instead generates recovery keys (`-recovery-shares` and `-recovery-threshold`), Shamir-split the same way. They gate operations that previously demanded a quorum of unseal-key holders, such as `vault operator generate-root` and `vault operator rekey`, and they deliberately cannot unseal Vault: if the KMS key is lost, recovery keys do not bring the data back. Protect the KMS key (IAM policy, deletion protection, backups) as carefully as you would protect unseal shares.

    Why the other options are wrong
    • A. Unsealing Vault after every restart: that is the KMS's job; recovery keys cannot unseal.
    • B. Encrypting the audit log: Vault does not encrypt audit logs; sensitive fields in them are HMAC hashed.
    • C. Rotating TLS certificates automatically: listener TLS is configured by the operator (or issued by the PKI engine); the seal is unrelated.
  7. Question 7: Vault Architecture

    How are sensitive values such as tokens represented in Vault audit logs by default?

    • A. They are HMAC hashed using a per-device salt so they are not stored in plaintext (Correct)
    • B. They are encrypted with the requester's public key
    • C. They are stored in plaintext for easy debugging
    • D. They are omitted entirely so the log has no value field
    ✓ Correct answer: A

    Each audit device has its own randomly generated salt, and every sensitive string (tokens, accessors, secret values in request and response data) is written as `hmac-sha256:<hex>` computed with that salt. The same input produces the same hash within one device, so an investigator can trace a token's activity, but the log does not reveal the token, and the same token hashes differently in a second device. To look for a known value, ask Vault for its hash with `vault write sys/audit-hash/<device-path> input=<value>` and grep for the result. Enabling a device with `log_raw=true` turns the hashing off and must not be done in production.

    Why the other options are wrong
    • B. They are encrypted with the requester's public key: Vault does not encrypt audit logs at all, and there is no per-requester key material.
    • C. They are stored in plaintext for easy debugging: the audit line is plain JSON, but sensitive fields are replaced by their HMAC; only `log_raw=true` writes them in the clear. Because Vault does not encrypt the files, protect them with filesystem permissions.
    • D. They are omitted entirely so the log has no value field: the field is present as its HMAC, which is what makes correlation across entries possible.
  8. Question 8: Secrets Engines

    When migrating an application from static database passwords in a config file to Vault's database secrets engine, what changes about how the app obtains credentials?

    • A. The app requests credentials from Vault at runtime and receives unique, leased credentials that Vault revokes when the lease ends (Correct)
    • B. Vault emails the DBA a new password each morning
    • C. The app continues reading the same static password, now copied into KV permanently
    • D. The database disables authentication entirely
    ✓ Correct answer: A

    The application first authenticates to Vault with an identity it already has (a Kubernetes service account, an AWS IAM role, an AppRole) and then reads `database/creds/<role>`. Vault connects to the database with a privileged account it holds, runs the role's creation statements to create a fresh user with the role's grants, and returns that username and password together with a `lease_id` and `lease_duration`. The app renews the lease while it runs (up to the role's max TTL) or fetches new credentials, and when the lease expires or is revoked Vault runs the revocation statements and the database user disappears. No password sits in a config file, every instance has its own identity in the database logs, and a leaked credential is only useful for as long as its lease.

    Why the other options are wrong
    • B. Vault emails the DBA a new password each morning: Vault hands credentials to the requesting client over the API, not to a person by email.
    • C. The app continues reading the same static password, now copied into KV permanently: a password in KV is still a static, shared, never-rotated secret; that defeats the migration.
    • D. The database disables authentication entirely: the database still authenticates every connection; what changes is that the accounts are short-lived and Vault-managed.
  9. Question 9: Vault Architecture

    After a power outage, your single Vault node restarts but clients get 503 errors and 'vault status' shows Sealed: true with no auto-unseal configured. What must you do to restore service?

    • A. Submit the threshold number of unseal key shares with 'vault operator unseal' until the seal is removed (Correct)
    • B. Delete the storage backend so Vault starts fresh
    • C. Restart the process repeatedly until it unseals itself
    • D. Run 'vault operator init' again to regenerate the cluster
    ✓ Correct answer: A

    A Shamir-sealed Vault always starts sealed: the data in storage is intact but encrypted, and the root key needed to read it existed only in memory, which the outage wiped. A sealed node answers most API calls with HTTP 503 (only the seal-status, init, health and unseal endpoints work). Each holder of a share runs `vault operator unseal`, entering the share at the prompt rather than on the command line so it stays out of shell history; `vault status` shows the unseal progress, and once the threshold is reached (3 of 5 by default) the node unseals and serves traffic again. This is also why a single node is a fragile production setup: use an HA cluster, auto-unseal, or both.

    Why the other options are wrong
    • B. Delete the storage backend so Vault starts fresh: this destroys every secret, policy and auth configuration; the data was never damaged, only sealed.
    • C. Restart the process repeatedly until it unseals itself: without auto-unseal nothing supplies the key material, so the node comes up sealed every time.
    • D. Run 'vault operator init' again to regenerate the cluster: init refuses to run against initialized storage ("Vault is already initialized"); wiping storage to make it run would lose all data, exactly as in B.
  10. Question 10: Authentication

    To enforce multi-factor authentication for human logins in Vault Enterprise, where is an MFA method (e.g., TOTP or Duo) typically applied?

    • A. By encrypting every secret a second time with the transit engine
    • B. As a login MFA method enforced on an auth mount or via a policy/identity configuration so the second factor is required during authentication (Correct)
    • C. By increasing the Shamir key-share threshold for unsealing
    • D. By disabling all non-token auth methods
    ✓ Correct answer: B

    MFA in Vault is attached to the act of logging in, not to the secrets. With Login MFA (Vault 1.10 and later, in both Community and Enterprise editions) you create a method under `sys/mfa/method/<type>` (totp, duo, okta, pingid) and a login enforcement under `sys/mfa/login-enforcement/<name>` that names the method and its targets: auth mounts by accessor, auth method types such as `userpass` or `ldap`, or identity entities and groups. Any login through a targeted mount must then present the second factor before a token is issued. The older Enterprise-only step-up MFA instead listed `mfa_methods` in an ACL policy path stanza so the factor was demanded on specific paths. Either way the control lives in the authentication and identity layer, which is why B is the answer.

    Why the other options are wrong
    • A. By encrypting every secret a second time with the transit engine: transit is encryption as a service for application data; it does not authenticate anyone.
    • C. By increasing the Shamir key-share threshold for unsealing: unseal shares govern bringing the server up, not user logins.
    • D. By disabling all non-token auth methods: that removes ways to log in but adds no second factor to the ones that remain.
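Questions 4 and 9 both turn on what `vault operator init -key-shares=5 -key-threshold=3` and the later `vault operator unseal` calls actually do. The Python below is an added example, not HashiCorp's code: a Shamir split plus a toy seal state machine. It departs from Vault in two labelled ways: Vault splits the key byte by byte over GF(2^8), while this uses one large prime field, and Vault checks a candidate key by decrypting the keyring, while this compares a SHA-256 fingerprint. The `Barrier` class and function names are mine.

```python
"""Shamir secret sharing and a toy seal state machine, modelled on
`vault operator init -key-shares=5 -key-threshold=3` followed by repeated
`vault operator unseal`. Added example, not HashiCorp code."""
import hashlib
import secrets

# Vault splits over GF(2^8) byte by byte; one large prime field keeps the
# example short. 2**521 - 1 is prime and comfortably holds a 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner's rule over GF(PRIME); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, shares: int, threshold: int):
    """Return `shares` points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the key. Any `threshold` of them
    recover it; fewer reveal nothing about it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(shares, key_len: int) -> bytes:
    """Lagrange interpolation at x = 0. With fewer than `threshold` distinct
    shares this still returns *a* value, just not the key."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    length = max(key_len, (secret.bit_length() + 7) // 8)
    return secret.to_bytes(length, "big")


class Barrier:
    """Sealed until `threshold` distinct shares have been submitted.
    Vault verifies a candidate key by decrypting the keyring; this toy
    compares a SHA-256 fingerprint instead (a simplification)."""

    def __init__(self, key: bytes, shares: int, threshold: int):
        self.threshold = threshold
        self.key_len = len(key)
        self._fingerprint = hashlib.sha256(key).digest()
        self.unseal_keys = split_key(key, shares, threshold)  # printed once at init
        self._progress = {}
        self.sealed = True
        self.root_key = None

    def unseal(self, share):
        """One `vault operator unseal` call. Returns (sealed, progress)."""
        if not self.sealed:
            return False, 0
        x, y = share
        self._progress[x] = y                 # resubmitting the same share adds nothing
        if len(self._progress) < self.threshold:
            return True, len(self._progress)
        candidate = combine_shares(list(self._progress.items()), self.key_len)
        self._progress.clear()                # Vault also resets progress here
        if hashlib.sha256(candidate).digest() != self._fingerprint:
            return True, 0                    # a bad share among them: stay sealed
        self.root_key = candidate
        self.sealed = False
        return False, 0


if __name__ == "__main__":
    vault = Barrier(secrets.token_bytes(32), shares=5, threshold=3)
    for holder in (4, 1, 2):                  # any three of the five holders
        print("sealed=%s progress=%s" % vault.unseal(vault.unseal_keys[holder]))
```

The order in which holders submit shares does not matter, a duplicate share does not advance the count, and a forged share silently spoils the round: the node stays sealed and progress resets, which is exactly the behaviour you see from `vault status` when someone pastes the wrong key.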
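Questions 3 and 8 are about the lease that comes with every dynamic credential. The Python below is an added example, not Vault's code: a minimal model of the expiration manager with Vault's renewal rule (a renewal extends the lease by the requested increment but never past issue time plus max TTL) and a small simulation of how many leases remain tracked under the settings the question contrasts. The traffic figures (100 credentials an hour, each used for five minutes) and the lease IDs are constructed.

```python
"""Lease lifecycle as Vault's expiration manager handles it, reduced to the
rules that matter here: TTL, max TTL, renewal, revocation and tidy.
Added example, not HashiCorp code; the traffic numbers are constructed."""
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class Lease:
    lease_id: str
    issue_time: float
    ttl: float
    max_ttl: float
    expire_time: float = field(init=False)

    def __post_init__(self):
        # The role's default TTL applies, but never beyond the max TTL.
        self.expire_time = self.issue_time + min(self.ttl, self.max_ttl)

    def renew(self, now: float, increment: float) -> float:
        """`vault lease renew -increment=<s> <id>`: extend by `increment`,
        capped at issue_time + max_ttl. Returns the new lease_duration."""
        if now >= self.expire_time:
            raise ValueError("lease has expired and cannot be renewed")
        self.expire_time = min(now + increment, self.issue_time + self.max_ttl)
        return self.expire_time - now


class LeaseTable:
    """Every issued lease is tracked (in memory and in storage) until it
    expires or is revoked; the size of this table is the overhead."""

    def __init__(self):
        self.leases = {}

    def issue(self, lease_id, now, ttl, max_ttl) -> Lease:
        self.leases[lease_id] = Lease(lease_id, now, ttl, max_ttl)
        return self.leases[lease_id]

    def revoke(self, lease_id):
        """`vault lease revoke <id>`: the credential is dropped immediately."""
        self.leases.pop(lease_id, None)

    def tidy(self, now) -> int:
        """Purge expired leases (Vault does this on its own schedule)."""
        expired = [k for k, l in self.leases.items() if l.expire_time <= now]
        for k in expired:
            del self.leases[k]
        return len(expired)

    def tracked(self, now) -> int:
        self.tidy(now)
        return len(self.leases)


def simulate(ttl, max_ttl, revoke_on_exit, creds_per_hour=100, use_seconds=300, days=1):
    """Leases still tracked after `days` of steady traffic, where each app
    instance fetches one credential, uses it for `use_seconds`, and either
    revokes it on exit or just walks away."""
    table = LeaseTable()
    gap = 3600 / creds_per_hour
    horizon = days * DAY
    for i in range(int(creds_per_hour * 24 * days)):
        issued_at = i * gap
        lease = table.issue(f"database/creds/app/{i}", issued_at, ttl, max_ttl)
        if revoke_on_exit and issued_at + use_seconds <= horizon:
            table.revoke(lease.lease_id)
    return table.tracked(horizon)


if __name__ == "__main__":
    print("30-day TTL, no revoke:", simulate(30 * DAY, 30 * DAY, False))   # 2400
    print("1h TTL, 24h max, no revoke:", simulate(3600, DAY, False))      # 99
    print("1h TTL, revoke on exit:", simulate(3600, DAY, True))           # 8
```

After one day of traffic the 30-day role is tracking every credential it ever issued, the one-hour role is tracking roughly the last hour's worth, and an application that revokes on exit leaves only the handful still in use. The TTL is the lever the question asks for; revocation on exit is the cheaper habit that makes the TTL almost irrelevant.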

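Questions 2 and 7 describe how audit devices hash sensitive fields. The Python below is an added example, not HashiCorp's code: it builds a few constructed audit-log lines in the shape the file device writes, computes the `hmac-sha256:<hex>` form of a token under a constructed device salt (in practice you never see the salt; you ask Vault for the hash through `sys/audit-hash/<device>`), then searches the log for everything that token did and flags any line in which a token appears unhashed, as it would under `log_raw=true`. The token strings, salt, paths and timestamps are made up, and the keying (HMAC-SHA256 with the salt as the key) is my reading of how Vault's audit salt works.

```python
"""Searching a Vault file-audit-device log for one token's activity and
spotting unhashed tokens. Added example, not HashiCorp code; the salt,
tokens and log lines are constructed for the demo."""
import hashlib
import hmac
import json

DEMO_SALT = b"constructed-device-salt"        # hypothetical; the real salt stays inside Vault
APP_TOKEN = "hvs.CAESIconstructedAppToken"     # constructed token values
CI_TOKEN = "hvs.CAESIconstructedCIToken"


def audit_hash(salt: bytes, value: str) -> str:
    """HMAC-SHA256 keyed by the device salt, in the audit log's string form.
    Same value + same device => same string, which is what makes tracing work."""
    return "hmac-sha256:" + hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()


def _entry(ts, token, op, path, hashed=True):
    """One request-type audit line, trimmed to the fields used below."""
    t = audit_hash(DEMO_SALT, token) if hashed else token
    return json.dumps({
        "time": ts, "type": "request",
        "auth": {"client_token": t, "display_name": "approle"},
        "request": {"operation": op, "path": path, "client_token": t},
    })


SAMPLE_LOG = [
    _entry("2024-05-01T10:00:00Z", APP_TOKEN, "read", "secret/data/app/config"),
    _entry("2024-05-01T10:00:05Z", CI_TOKEN, "update", "secret/data/app/config"),
    _entry("2024-05-01T10:01:00Z", APP_TOKEN, "read", "database/creds/app-ro"),
    # A raw token in the log means the device was enabled with log_raw=true.
    _entry("2024-05-01T10:02:00Z", CI_TOKEN, "delete", "secret/data/app/old", hashed=False),
]


def parse_audit(lines):
    return [json.loads(line) for line in lines if line.strip()]


def accesses_by_token(entries, hashed_token):
    """(time, operation, path) for every request made with this hashed token."""
    return [(e["time"], e["request"]["operation"], e["request"]["path"])
            for e in entries
            if e.get("type") == "request"
            and e["request"].get("client_token") == hashed_token]


def unhashed_tokens(entries):
    """Timestamps of entries whose client_token is not an HMAC string."""
    return [e["time"] for e in entries
            if not str(e["request"].get("client_token", "")).startswith("hmac-sha256:")]


if __name__ == "__main__":
    entries = parse_audit(SAMPLE_LOG)
    # In real life: vault write sys/audit-hash/file input=<token> -> this value
    target = audit_hash(DEMO_SALT, APP_TOKEN)
    for row in accesses_by_token(entries, target):
        print(row)
    print("unhashed tokens at:", unhashed_tokens(entries))
```

The same token hashed under a different salt gives a different string, so a hash taken from one device's log cannot be used to search another device's log; always request the hash from the device whose log you are reading.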
HashiCorp Vault Associate (002) practice exam FAQ

How many questions are in the HashiCorp Vault Associate (002) practice exam on CertGrid?

CertGrid has 298 practice questions for HashiCorp Vault Associate (002), covering 5 exam domains. The real HashiCorp Vault Associate (002) exam has about 57 questions.

What is the passing score for HashiCorp Vault Associate (002)?

The HashiCorp Vault Associate (002) exam passing score is 700, and you have about 60 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official HashiCorp Vault Associate (002) exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of HashiCorp Vault Associate (002), with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice HashiCorp Vault Associate (002) for free?

Yes. You can start practicing HashiCorp Vault Associate (002) for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.