Which of these is not a benefit of dynamic secrets?

Which of these is not a benefit of dynamic secrets?
A . Supports systems which do not natively provide a method of expiring credentials
B . Minimizes damage of credentials leaking
C . Ensures that administrators can see every password used
D . Replaces cumbersome password rotation tools and practices

View Answer

Answer: C

Explanation:

Dynamic secrets are generated on-demand by Vault and have a limited time-to-live (TTL). They do not ensure that administrators can see every password used, as they are often encrypted and ephemeral.

The benefits of dynamic secrets are:

They support systems that do not natively provide a method of expiring credentials, such as databases, cloud providers, SSH, etc. Vault can revoke the credentials when they are no longer needed or when the lease expires.

They minimize the damage of credentials leaking, as they are short-lived and can be easily rotated or revoked. If a credential is compromised, the attacker has a limited window of opportunity to use it before it becomes invalid.

They replace cumbersome password rotation tools and practices, as Vault can handle the generation and revocation of credentials automatically and securely. This reduces the operational overhead and complexity of managing secrets.

Reference:

https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-dynamic-secrets1, https://developer.hashicorp.com/vault/docs/concepts/lease2