Cloud engineers can use the Vault Operations Professional certification exam from HashiCorp to verify their specialized security automation skills.
HashiCorp Professional Security Automation Certification
HashiCorp Certified: Vault Operations Professional
The Vault Operations Professional exam is for Cloud Engineers focused on deploying, configuring, managing, and monitoring HashiCorp Vault. Well-qualified candidates hold the Vault Associate Certification (or equivalent knowledge), have experience operating Vault in production, and can evaluate Vault Enterprise functionality and use cases. Certification holders have proven they have the skills, knowledge, and competency to perform the Vault operational tasks listed in the objectives.
Prerequisites
We strongly recommend passing the associate-level Vault exam before taking the professional-level exam. Practitioners who are already experienced with Vault operations in a production environment—and understand the concepts covered in the associate exam— may be able to successfully pass the professional-level exam.
- HashiCorp Certified: Vault Associate Certification (recommended)
- Linux skills such as list and edit files via command terminal
- Understanding of IP networking
- Experience with Public Key Infrastructure (PKI), including PGP and TLS
- Information security fundamentals such as network security and RBAC
- Understand the concepts and functionality of infrastructure running in containers including starting and stopping services, and reading logs
Product version tested
Vault 1.13.0 and higher
Renewing your Vault Professional certification
To renew your Vault Professional certification, you will need to take and pass the Vault Professional exam.
If you hold an unexpired Vault Professional certification: You can take the exam again starting 18 months after your previous exam date. When you pass the exam, the expiration date on your credentials will be extended.
If you hold an expired Vault Professional certification: You are eligible to recertify at any time. When you pass the exam again, you will receive a new, separate set of credentials with a new expiration date.
Exam Details
| Assessment Type* | Lab-based and multiple choice |
|---|---|
| Format | Online proctored |
| Duration | 4 hours; 15-minute break included |
| Price | $295 USD plus locally applicable taxes and fees Includes free retake |
| Language | English |
| Expiration | 2 years |
*Assessment Type
This exam is primarily lab-based, in addition to a shorter multiple-choice section. During the lab scenarios, exam-takers will be tested on performing real-world Vault operational tasks on the command line. The Vault UI and API can also be used where applicable, and exam-takers will have access to the Vault and Vault API documentation.
Preparing for the Exam
Visit the Prepare for Vault Operations Pro Exam page on HashiCorp Learn to start your exam prep. There you will find an overview, a study guide, and a review guide. The study guide includes tips and example questions, while the review guide is a direct mapping of where what documentation and tutorials to study each exam objective.
Exam Objectives
| 1 | Create a working Vault server configuration given a scenario |
|---|---|
| 1a | Enable and configure secret engines |
| 1b | Practice production hardening |
| 1c | Auto unseal Vault |
| 1d | Implement integrated storage for open source and Enterprise Vault |
| 1e | Enable and configure authentication methods |
| 1f | Practice secure Vault initialization |
| 1g | Regenerate a root token |
| 1h | Rekey Vault and rotate encryption keys |
| 2 | Monitor a Vault environment |
|---|---|
| 2a | Monitor and understand Vault telemetry |
| 2b | Monitor and understand Vault audit logs |
| 2c | Monitor and understand Vault operational logs |
| 3 | Employ the Vault security model |
|---|---|
| 3a | Describe secure introduction of Vault clients |
| 3b | Describe the security implications of running Vault in Kubernetes |
| 4 | Build fault-tolerant Vault environments |
|---|---|
| 4a | Configure a highly available (HA) cluster |
| 4b | [Vault Enterprise] Enable and configure disaster recovery (DR) replication |
| 4c | [Vault Enterprise] Promote a secondary cluster |
| 5 | Understand the hardware security module (HSM) integration |
|---|---|
| 5a | [Vault Enterprise] Describe the benefits of auto unsealing with HSM |
| 5b | [Vault Enterprise] Describe the benefits and use cases of seal wrap (PKCS#11) |
| 6 | Scale Vault for performance |
|---|---|
| 6a | Use batch tokens |
| 6b | [Vault Enterprise] Describe the use cases of performance standby nodes |
| 6c | [Vault Enterprise] Enable and configure performance replication |
| 6d | [Vault Enterprise] Create a paths filter |
| 7 | Configure access control |
|---|---|
| 7a | Interpret Vault identity entities and groups |
| 7b | Write, deploy, and troubleshoot ACL policies |
| 7c | [Vault Enterprise] Understand Sentinel policies |
| 7d | [Vault Enterprise] Define control groups and describe their basic workflow |
| 7e | [Vault Enterprise] Describe and interpret multi-tenancy with namespaces |
| 8 | Configure Vault Agent |
|---|---|
| 8a | Securely configure auto-auth and token sink |
| 8b | Configure templating |