Question 1

What is the most maintenance-free way to ensure a Conjur host’s access reflects any changes made to accounts in a safe in the CyberArk vault?

Accepted Answer

C

Explanation: The CyberArk Vault Synchronizer is designed to automate the process of making Vault secrets available in Conjur. For each synchronized Safe, the Synchronizer automatically generates a Conjur policy that includes a consumers group (role). This group is granted read and execute permissions on all variables (secrets) synchronized from that Safe. By adding a Conjur host as a member of this consumers group, the host inherits these permissions. The Synchronizer ensures this group's access is perpetually aligned with the Safe's contents, automatically reflecting any additions or removals of accounts without requiring any manual policy changes. This is the intended and most maintenance-free integration pattern.

Question 2

DRAG DROP Match the correct network port to its function in Conjur. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CyberArk_SECRET-SEN/page_22_img_1.jpg

Accepted Answer

Explanation: The Conjur architecture utilizes a specific set of ports to maintain high availability and security across a distributed cluster. Port 443 is the primary interface for all HTTPS-based API calls and UI management. Port 444 is a specialized, unauthenticated port used by load balancers to perform health checks without requiring complex credentials. For internal database synchronization, Conjur relies on Port 5432 , the standard for PostgreSQL, to replicate data from the Leader to Standbys and Followers. To maintain a centralized audit trail, Port 1999 is dedicated to streaming log data from downstream Followers back to the Leader. Finally, Port 22 is the standard port used for administrative SSH access to the server or container.

Question 3

What is the correct command to import the root CA certificate into Conjur?

Accepted Answer

A

Explanation: The evoke utility is the command-line tool used for configuring a CyberArk Conjur instance. To import certificates, the evoke ca import command is used. The question specifically asks to import a root CA certificate. According to the official Conjur documentation, this requires the use of the --root flag to designate the certificate as a trusted root certificate authority. Option A includes the correct command structure (evoke ca import) and the necessary --root flag. The --no-restart flag is a valid option to prevent Conjur services from restarting immediately after the import.

Question 4

What is a possible Conjur node role change?

Accepted Answer

A

Explanation: In a CyberArk Conjur high-availability (HA) cluster, the architecture is designed for resilience using Leader and Standby nodes. The Leader is the single writable node, while Standby nodes are synchronous replicas. The primary function of a Standby is to be available for immediate promotion to the Leader role in the event of a failure of the active Leader. This promotion is the core mechanism of a failover, ensuring the continued availability of the Conjur service for write operations like policy updates. This process can be initiated automatically by a cluster manager or manually by an administrator.

Question 5

You are deploying Kubernetes resources/objects as Conjur identities. In addition to Namespace and Deployment, from which options can you choose? (Choose two.)

Accepted Answer

A, E

Explanation: CyberArk Conjur's Kubernetes Authenticator allows mapping Kubernetes service identities to Conjur host identities. This identity is derived from the pod's metadata. Besides the high-level Deployment controller, Conjur also supports other primary workload controllers like StatefulSet, which is used for stateful applications. Alternatively, the identity can be based on the pod's ServiceAccount. Using a ServiceAccount provides a flexible identity that is independent of the specific controller managing the pod, allowing multiple workloads to share the same Conjur identity and permissions. Both StatefulSet and ServiceAccount are officially supported and commonly used resources for defining Conjur identities.

Question 6

Followers are replications of the Leader configured for which purpose?

Accepted Answer

B

Explanation: In the CyberArk Secrets Manager (Conjur) architecture, Followers are read-only replicas of the Leader node. They are designed specifically for scaling secret retrieval operations. The Leader asynchronously replicates its data to the Followers, which can then serve read requests from applications. This architecture distributes the read load, reduces latency for geographically dispersed applications, and allows the system to handle a massive number of concurrent requests without overwhelming the primary Leader node.

Question 7

You are setting up the Secrets Provider for Kubernetes to support rotation with Push-to-File mode. Which deployment option should be used?

Accepted Answer

C

Explanation: The sidecar deployment model is the correct option for supporting secret rotation with the Push-to-File mode. In this pattern, the CyberArk Secrets Provider runs in a separate container alongside the application container within the same Kubernetes pod. They share a memory volume (emptyDir). The sidecar container is a long-running process that authenticates to the vault, retrieves secrets, and writes them to the shared volume. It periodically checks for updated secret versions and automatically pushes the new value to the file, enabling seamless rotation without requiring an application restart.

Question 8

A customer requires high availability in its AWS cloud infrastructure. What is the minimally viable Conjur deployment architecture to achieve this?

Accepted Answer

A

Explanation: For high availability (HA) in an AWS environment, the architecture must be resilient to the failure of a single Availability Zone (AZ). The minimally viable Conjur deployment to achieve this involves distributing Followers across multiple AZs within a single region. Placing one Follower in each AZ and fronting them with a regional load balancer ensures that if one AZ fails, traffic is automatically redirected to the healthy Followers in the other AZs. This configuration maintains service availability for read operations, which constitutes the majority of client requests, thus meeting the HA requirement with the minimum necessary components.

Question 9

In a 3-node auto-failover cluster, the Leader has been brought down for patching that lasts longer
than the configured TTL. A Standby has been promoted.
Which steps are required to repair the cluster when the old Leader is brought back online?

Accepted Answer

A

Explanation: When an auto-failover occurs and a Standby is promoted to Leader, the old Leader is considered lost by the cluster. To reintroduce it, it must be rebuilt as a Standby. The correct procedure involves generating a new Standby seed file on the current Leader. This seed file contains the necessary configuration and certificates for the old Leader node to securely connect and synchronize with the new Leader. The old Leader node is then re-initialized as a Standby using this seed file, effectively re-enrolling it into the cluster in its new role.

Question 10

What does “Line of business (LOB)” represent?

Accepted Answer

A

Explanation: In the context of the CyberArk Vault Synchronizer, a Line of Business (LOB) is a construct used to delegate the administration of Safe synchronization. It is represented by a user group in the Vault or Privilege Cloud. This LOB group is responsible for managing which of its Safes are synced to Conjur. The LOB administrator grants the Synchronizer user the necessary permissions on their specific Safes, thereby facilitating the syncing of secrets required by that business group's applications without needing full Vault administrative privileges.

Question 11

Which statement is correct about this message? Message: “[number-of-deleted-rows] rows has successfully deleted “CEADBR009D Finished vacuum”?

Accepted Answer

A

Explanation: The message CEADBR009D [number-of-deleted-rows] rows has successfully deleted. Finished vacuum. is an informational message generated by CyberArk Conjur Enterprise. It indicates that the automated audit retention process has run successfully. This process purges old audit records from the Conjur audit database (audit.db) based on the configured retention policy. The "Finished vacuum" part confirms that a database maintenance operation was completed to reclaim storage space freed by the deleted rows. As a successful, routine informational message, it does not require any administrative action.

Question 12

DRAG DROP You want to allow retrieval of a secret with the CCP. The safe and the required secrets already exist. Assuming the CCP is installed, arrange the steps in the correct sequence. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CyberArk_SECRET-SEN/page_25_img_1.jpg

Accepted Answer

Explanation: To enable secret retrieval via the Central Credential Provider (CCP), you must first establish a unique identity for the requesting application within the Vault. This involves creating an Application ID and defining authentication constraints (e.g., IP address, OS user, or Certificate). Once the identity is defined, you must authorize it by adding both the Application ID and the CCP AppProvider user as members of the target Safe , typically granting the "Retrieve accounts" permission. Only after identity creation and permissioning is complete can the application successfully execute a REST API call (typically GetPassword ) to retrieve the credential.

Question 13

DRAG DROP Arrange the steps of a Conjur authentication flow in the correct sequence.

Accepted Answer

Explanation: The process begins with Authentication , where a workload or user provides credentials (API keys, certificates, etc.) to the Conjur authenticator. Once identity is verified, Conjur issues a short-lived access token (typically valid for 8 minutes). This token is then used by the requester for subsequent REST API calls to interact with Conjur resources. Finally, for every request made with that token, Conjur performs an Authorization check. It evaluates the request against the Role-Based Access Control (RBAC) rules defined in the loaded security policies to ensure the requester has the specific permissions (e.g., execute or read ) for the requested resource.

Question 14

DRAG DROP Arrange the steps to configure authenticators in the correct the sequence. https://kxbjsyuhceggsyvxdkof.supabase.co/storage/v1/object/public/file-images/CyberArk_SECRET-SEN/page_27_img_3.jpg

Accepted Answer

Explanation: To enable authenticators in CyberArk Conjur, you must first define the security policy that governs them. Once the policy is loaded , the specific authenticator instances (identified by type and Service ID) must be whitelisted in the conjur.yml configuration file on the Conjur Master/Follower. Finally, to commit these environment-level changes and restart the necessary internal services to recognize the new authenticators, the evoke configuration apply command must be executed. This sequence ensures that the identity provider is both logically defined in the database and physically enabled in the server configuration.

Question 15

When attempting to retrieve a credential managed by the Synchronizer, you receive this error: What is the cause of the issue?

Accepted Answer

B

Explanation: The Conjur API returns an HTTP 404 "Not Found" error for two primary reasons: either the requested secret variable does not exist at the specified path, or the authenticated role (in this case, the host) lacks the necessary permissions to access it. As a security principle to prevent information leakage, Conjur intentionally does not distinguish between these two scenarios for an unauthorized client. Therefore, if the Synchronizer has successfully created the variable in Conjur, the most probable cause for this error is that the host making the API call has not been granted the required read and execute privileges on the secret variable via a Conjur policy.

Free CyberArk SECRET-SEN Actual Exam Questions