Back to the course
Test yourself

Ansible for secure automation

Final exam · 18 questions · answers explained as you pick
Secrets & vault
9 questions
01In a typical Ansible repo, plaintext secrets most often hide in…
Correct — Inventory variables are the classic place credentials leak into git.
Incorrect — That is configuration, not a variable store.
Incorrect — Modules ship with Ansible; your secrets are not in them.
Incorrect — That holds host keys, not your secrets.
02ansible-vault protects secrets…
Incorrect — Values are decrypted in memory on the control node during a run.
Correct — Encrypted vars files can live in git; the password is managed elsewhere.
Incorrect — SSH already encrypts the transport — that is not vault’s job.
Incorrect — Vault governs storage at rest, not runtime memory.
03To encrypt one value inside an otherwise-readable vars file, use…
Incorrect — That encrypts everything, losing readability of the rest.
Correct — Keeps the file readable while protecting the single secret.
Incorrect — Encoding is trivially reversible — it is not encryption.
Incorrect — Comments do nothing to protect a value.
04The vault password itself should be…
Incorrect — Shipping the key with the ciphertext defeats the encryption.
Correct — For example a script pulling from a secret manager or CI variable.
Incorrect — That puts the key in the repo — same problem.
Incorrect — Unmanaged distribution is how vault passwords leak.
05To rotate the vault password across encrypted files you…
Incorrect — Error-prone and briefly exposes plaintext.
Correct — rekey swaps the password without ever exposing plaintext.
Incorrect — That loses the encrypted data.
Incorrect — Config changes do not re-encrypt anything.
06To stop a task from printing a secret to stdout and logs, set…
Incorrect — Not a task directive.
Correct — Suppresses the task’s data from output and logs.
Incorrect — That controls privilege, not logging.
Incorrect — That hides failures, not secrets.
07For short-lived, dynamic secrets, Ansible can…
Incorrect — Vault files are static at-rest secrets.
Correct — e.g. community.hashi_vault fetches a fresh secret each run.
Incorrect — Env vars are limited and often just as static.
Incorrect — Lookups make dynamic retrieval straightforward.
08Committing an ansible-vault-encrypted file to git is…
Incorrect — The file is ciphertext at rest — that is the point of vault.
Correct — Guard the key; the encrypted blob itself is safe in the repo.
Incorrect — It is an ordinary file; git stores it fine.
Incorrect — Repo visibility does not change the encryption.
09Pointing vault_password_file at a git-ignored file is…
Incorrect — It is a supported, common configuration.
Correct — Convenient locally while the secret path is git-ignored.
Incorrect — The file is never committed, so it is not the same.
Incorrect — It works locally and in CI alike.
9 questions · explanations appear as you answer
Execution, idempotency & supply chain
9 questions
01Privilege escalation is best applied…
Incorrect — Playbook-wide root turns any template typo into a root action.
Correct — Scope escalation to the few tasks that truly require root.
Incorrect — That escalates everything everywhere — the opposite of least privilege.
Incorrect — Running everything as root removes the control entirely.
02An idempotent playbook…
Incorrect — That is the opposite of idempotency.
Correct — Rerunning is safe and shows changed=0.
Incorrect — Idempotency is precisely about safe repeat runs.
Incorrect — Idempotency is a property of the tasks, not of check mode.
03--check mode…
Incorrect — That is --syntax-check, a different flag.
Correct — A dry run you can attach to a change review.
Incorrect — It still evaluates tasks; it just does not apply them.
Incorrect — Handlers are simply not fired during the dry run.
04Frequently reaching for the shell/command module is a smell because…
Incorrect — Speed is not the concern.
Correct — Prefer a real module; if you must, guard it carefully.
Incorrect — It can escalate like any task.
Incorrect — Python version is unrelated.
05To make a necessary shell task idempotent, use…
Incorrect — That hides failures rather than controlling change.
Correct — Tells Ansible when the command actually changed state.
Incorrect — That hides output, not change reporting.
Incorrect — Escalation has nothing to do with idempotency.
06Running --check against a shell task with no changed_when may…
Incorrect — Ansible cannot predict an opaque command’s effect.
Correct — Annotate changed_when so check mode stays meaningful.
Incorrect — It does not crash; it just guesses.
Incorrect — The play still runs in dry-run form.
07Roles installed from Ansible Galaxy are…
Incorrect — Community content runs as root across your fleet.
Correct — Read what a role does before it touches production.
Incorrect — They execute with full privileges on targets.
Incorrect — They make real changes with your credentials.
08In requirements.yml, roles and collections should be…
Incorrect — Floating versions invite supply-chain surprises.
Correct — Reproducible installs and reviewable upgrades.
Incorrect — Scope and version them per project instead.
Incorrect — Vetted reuse is valuable; blanket avoidance wastes it.
09Before adopting a community collection you should…
Incorrect — Popularity is not a security guarantee.
Correct — It executes with your privileges on your hosts.
Incorrect — Unnecessary overhead for vetted content.
Incorrect — That removes exactly the safety you want.
9 questions · explanations appear as you answer