[HSA] HashiCorp Security Automation Certification Review Guide
**Question 1. Which Vault component is primarily responsible for encrypting data before it is
written to any storage backend?**
A) Seal/Unseal process
B) Transit secrets engine
C) Integrated storage (Raft)
D) Audit device
Answer: B
Explanation: The Transit secrets engine performs encryption and decryption operations without
persisting the data, acting as “encryption as a service” for applications.
**Question 2. In Vault’s Shamir’s Secret Sharing scheme, how many key shares are required to
successfully unseal the Vault if the configuration is set to 5-of‑7?**
A) 3
B) 5
C) 7
D) 2
Answer: B
Explanation: A 5‑of‑7 configuration means any 5 of the 7 total key shares can reconstruct the
master key to unseal Vault.
**Question 3. Which storage backend provides built-in high‑availability using the Raft consensus
algorithm?**
A) Consul
B) Integrated storage
C) MySQL
D) DynamoDB
Answer: B
Explanation: Integrated storage (Raft) is Vault’s native HA storage backend that uses the Raft
consensus protocol for leader election and data replication.
**Question 4. When configuring a Kubernetes auth method, which Kubernetes resource is used
to map a service account to a Vault role?**
A) ConfigMap
B) Secret
C) ServiceAccount
D) RoleBinding
Answer: C
Explanation: The ServiceAccount token is presented to Vault; the auth method maps the service
account name/namespace to a Vault role.
**Question 5. Which Vault policy capability allows a client to list the keys under a given path
without reading their values?**
A) read
B) list
C) sudo
D) delete
Answer: B
Explanation: The `list` capability permits enumeration of keys (e.g., `kv/metadata/`) without
exposing the secret values.
**Question 6. What is the default lease duration for dynamic AWS credentials generated by the
AWS secrets engine?**
A) 1 hour
B) 12 hours
C) 24 hours
D) 30 minutes
Answer: A
Explanation: By default, the AWS secrets engine issues credentials with a 1‑hour lease unless
overridden in the role definition.
**Question 7. Which token type is intended for short‑lived, high‑performance use cases and
does not persist to storage?**
A) Service token
B) Batch token
C) Orphan token
D) Periodic token
Answer: B
Explanation: Batch tokens are non‑persistent, stored only in memory, and are ideal for
high‑throughput scenarios.
**Question 8. In Vault Agent, what feature automatically renews a token before it expires?**
A) Auto‑unseal
B) Token helper
C) Auto‑auth
D) Auto‑renew
Answer: D
Explanation: The `auto_renew` block in the Agent configuration periodically renews the token to
keep it valid.
**Question 9. Which audit device writes audit logs to a syslog server?**
A) file
B) socket
C) syslog
D) stdout
Answer: C
Explanation: The `syslog` audit device forwards audit events to a remote syslog daemon for
centralized logging.
**Question 10. When using Consul as a storage backend, which Consul feature ensures that
Vault data is replicated across multiple datacenters?**
A) Service mesh
B) Gossip protocol
C) Consul Connect
D) Consul federation
Answer: D
Explanation: Consul federation replicates KV data across datacenters, enabling Vault data
redundancy when Consul is the backend.
**Question 11. Which of the following is NOT a valid capability in an HCL‑based Vault policy?**
A) read
B) write
C) sudo
D) execute
Answer: D
Explanation: Vault policies support `read`, `create`, `update`, `delete`, `list`, and `sudo`; there is
no `execute` capability.