VAULT-ASSOCIATE-002 Question #21: Real Exam Question with Answer & Explanation
Question
A developer mistakenly committed code that contained AWS S3 credentials into a public repository. You have been tasked with revoking the AWS S3 credential that was in the code. This credential was created using Vault's AWS secrets engine and the developer received the following output when requesting a credential from Vault. Which Vault command will revoke the lease and remove the credential from AWS?
Options
- A. vault lease revoke aws/creds/s3-access/f3e92392-7d9c-09c8-c921-575d62fe80d8
- B. vault lease revoke AKIAIOMQXTLW36DV7IEA
- C. vault lease revoke f3e92392-7d9c-09c8-c921-575d62fe80d8
- D. vault lease revoke access_key=AKIAIOWQXTLW36DV7IEA
Explanation
To revoke a dynamically generated AWS S3 credential from Vault, the vault lease revoke command must be used with the full lease ID provided in the output from Vault.
Common mistakes.
- B. This command attempts to revoke using the AWS access key ID, which is not the lease ID Vault uses for revocation.
- C. This command is missing the secrets engine mount path (aws/creds/s3-access/) required to correctly identify the lease within Vault.
- D. This command tries to revoke using a key-value pair for the access key, which is not the correct syntax for vault lease revoke.
Concept tested. Vault lease revocation for dynamic secrets
Reference. https://developer.hashicorp.com/vault/docs/commands/lease/revoke