Test yourself
Vault from dev to production
Final exam · 12 questions · answers explained as you pick
Cluster & auth
6 questions
01Integrated raft storage removes the need for…
Incorrect — You still unseal; raft only changes where data lives.
Correct — Raft makes Vault its own replicated store — fewer moving parts.
Incorrect — Transport security is still required.
Incorrect — Audit devices remain essential.
02Auto-unseal with a cloud KMS changes the trust model by…
Incorrect — Unrelated to transport security.
Incorrect — Vault is still stateful; only the unseal step changes.
Correct — You trade a manual Shamir ceremony for a dependency on the KMS key policy.
Incorrect — Auto-unseal is about the seal barrier, not logs.
03When one node of a 3-node raft cluster dies…
Incorrect — A quorum of 2 of 3 remains, so it keeps serving.
Correct — Raft tolerates the loss of a minority.
Incorrect — Data is replicated across nodes.
Incorrect — Existing tokens remain valid.
04The Kubernetes auth method verifies…
Incorrect — It checks identity, not image contents.
Correct — Workloads authenticate with the identity they already have.
Incorrect — It is service-account based.
Incorrect — Labels are not an authentication signal.
05OIDC auth is the right fit for…
Correct — People authenticate through the identity provider they already use.
Incorrect — Workloads use the Kubernetes or AppRole methods.
Incorrect — That is the PKI engine, not auth.
Incorrect — Auth is about who, not encryption.
06Binding an auth role to a specific policy matters because…
Incorrect — Performance is not the point.
Correct — Authentication says who; the policy says what they may touch.
Incorrect — Roles do not affect the root token.
Incorrect — That is TLS’s job.
6 questions · explanations appear as you answer
Dynamic secrets, PKI & rotation
6 questions
01Dynamic database credentials reduce risk because they are…
Incorrect — Length is not the main lever.
Correct — A leaked credential that already expired is a non-event.
Incorrect — Caching would increase exposure.
Incorrect — Per-consumer is the whole point.
02Revoking a Vault lease…
Incorrect — It actively invalidates the issued credential.
Correct — Lease revocation is how you contain a compromise fast.
Incorrect — Vault revokes at the backend without a restart.
Incorrect — It removes the dynamically created user, as designed.
03Short-lived (e.g. 24-hour) leaf certificates from Vault PKI…
Correct — Certs expire before a slow CRL would even matter.
Incorrect — Validation cost is unchanged.
Incorrect — cert-manager and agents automate issuance and renewal.
Incorrect — You still run root/intermediate CAs.
04A sensible PKI hierarchy in Vault is…
Incorrect — Exposing the root to routine signing is risky.
Correct — The root stays cold; the intermediate does day-to-day work.
Incorrect — That defeats chain-of-trust.
Incorrect — Unmanageable and pointless.
05Root credential rotation should be…
Incorrect — Never rotating is the bigger risk.
Correct — You must be able to prove rotation to an auditor.
Incorrect — Reactive-only rotation leaves long exposure windows.
Incorrect — Root operations need tight control.
06A break-glass drill tests…
Incorrect — That is load testing.
Correct — The first real unseal ceremony should never be during an outage.
Incorrect — Drills rehearse recovery, not feature rollout.
Incorrect — Size is not what the drill validates.
6 questions · explanations appear as you answer