Quiz: Secrets and Machine Identity

A 25-question self-check covering secrets management, machine and workload identity, certificate lifecycle, and secret scanning. Questions tagged [Sec+] map to CompTIA Security+ and [CISSP] to the (ISC)² CISSP. Answers and one-line explanations are at the end; try the whole quiz before checking.


Section 1 — Multiple choice (1 pt each)

1. [Sec+] Any confidential value (password, API key, token, private key, certificate) that grants access or proves identity to a system is best called a: A. control B. secret C. role D. credential vault

2. The proliferation of secrets across an environment without central control, inventory, or rotation is called: A. secret leak B. secret sprawl C. key escrow D. certificate transparency

3. [Sec+] A credential generated by a vault on demand, scoped to the caller, with a short time-to-live after which it is automatically revoked, is a: A. static secret B. dynamic secret C. pre-shared key D. certificate signing request

4. The single most effective response to a secret that has been confirmed leaked is to: A. delete the commit containing it B. rewrite the git history C. rotate (invalidate and reissue) it D. add it to a deny-list

5. [CISSP] Granting a workload access based on what it provably is and where it runs (attested by the platform) rather than a stored secret it carries is called: A. password vaulting B. workload identity C. role-based access control D. federation

6. The most preventable catastrophic failure in operations, because its trigger is a knowable date, is the: A. SQL injection B. expired-certificate outage C. ransomware encryption event D. DDoS flood

7. [Sec+] Which of these is an exploit path against workload identity rather than a defense? A. requiring a session token to reach the instance metadata service B. least-privilege role scoping C. SSRF tricking an app into fetching its own instance credentials D. short-lived credentials

8. Which of these is NOT a typical weakness of a badly managed service account? A. a static password that never rotates B. excessive privilege C. phishing-resistant MFA enforced D. interactive-logon capability it never needs

9. [CISSP] A secrets vault typically encrypts the secrets it stores under a master key held in a(n): A. environment variable B. configuration file C. hardware security module (HSM) D. public CRL

10. Why is "no interactive login" good news for a defender of machine identities? A. it removes the need for any monitoring B. machine behavior should be regular, so any deviation is a stark, high-confidence anomaly C. it means the secret cannot be stolen D. it satisfies compliance automatically

11. [Sec+] Certificate revocation via CRL/OCSP is unreliable mainly because clients often: A. cache certificates forever B. fail open (trust the cert) when they cannot reach the revocation endpoint C. ignore the notAfter date D. require mTLS

12. A regular expression beginning \bAKIA[0-9A-Z]{16}\b is designed to detect: A. a GitHub token B. an AWS access key ID C. a Slack token D. a private key block


Section 2 — True / False with justification (1 pt each)

For each, mark T or F and give a one-sentence reason.

13. "Storing secrets in environment variables is equivalent to using a secrets vault."

14. [Sec+] "Because secrets pushed to public repositories are often abused within minutes, scanning only after the fact is a sufficient defense."

15. "A short-lived certificate barely needs revocation, because it effectively revokes itself by expiring."

16. "Deleting the file that contained a leaked API key and pushing a new commit removes the secret from exposure."

17. "Workload identity is more secure than a stored API key partly because it eliminates the long-lived secret entirely."


Section 3 — Fill in the blank (1 pt each)

18. The discipline of securely storing, distributing, rotating, and auditing secrets across their lifecycle is called __ __.

19. [Sec+] The end-to-end process of issuing, deploying, monitoring, renewing, and revoking digital certificates is called certificate __ management.

20. Two workloads that authenticate each other, each presenting and verifying a certificate, are using __ __ (mTLS).

21. Credentials deliberately given a brief validity window so a stolen one is quickly useless are called __ credentials.

22. A machine-identity account left behind when the team that created it disbands, with no owner and no one willing to disable it, is an __ service account.
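The "calendar and a script" behind questions 6, 15 and 19, as an added illustration that is not part of the original quiz: an expiry watch that turns each certificate's known notAfter date into a ranked list of work. The inventory, host names and the fixed clock are constructed for the example; `fetch_not_after()` only shows where real notAfter strings come from (the Python standard library's `getpeercert()`) and is not called in the offline run.

```python
"""Certificate expiry watch, as an added example for questions 6, 15 and 19
(not the quiz's own code). The inventory and the fixed 'now' below are
constructed; fetch_not_after() shows where real notAfter values come from."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple


class CertStatus(NamedTuple):
    name: str
    days_left: int
    action: str   # "ok", "renew" or "EXPIRED"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the leaf certificate's notAfter exactly as getpeercert() reports it,
    e.g. 'Jun 15 00:00:00 2025 GMT'. Makes a network connection; not used below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def classify(inventory: Dict[str, str], now: datetime,
             renew_within_days: int = 30) -> List[CertStatus]:
    """Rank every certificate by days remaining. Inside the renewal window it is
    scheduled work; negative means the outage from question 6 has already begun.
    Short-lived certificates (question 15) simply shrink the window and make
    this run more often."""
    now_s = now.timestamp()
    statuses = []
    for name, not_after in inventory.items():
        exp_s = ssl.cert_time_to_seconds(not_after)   # GMT string -> epoch seconds
        days_left = int((exp_s - now_s) // 86400)
        if days_left < 0:
            action = "EXPIRED"
        elif days_left <= renew_within_days:
            action = "renew"
        else:
            action = "ok"
        statuses.append(CertStatus(name, days_left, action))
    return sorted(statuses, key=lambda s: s.days_left)


# ---- constructed inventory (placeholder names, not real hosts) -------------
INVENTORY = {
    "api.example.com": "Sep 30 00:00:00 2025 GMT",
    "backup.example.internal": "Jun 15 00:00:00 2025 GMT",
    "legacy.example.internal": "May 20 00:00:00 2025 GMT",
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed clock so the run is reproducible


def report(inventory: Dict[str, str] = INVENTORY, now: datetime = NOW) -> List[CertStatus]:
    """Classification of the constructed inventory at the fixed clock."""
    return classify(inventory, now)


if __name__ == "__main__":
    for s in report():
        print(f"{s.action:8} {s.days_left:5d} days  {s.name}")
```

Run it directly and the expired legacy certificate sorts to the top, the backup job's certificate lands inside the 30-day renewal window, and the public API certificate is left alone. In a real deployment the inventory would be filled from `fetch_not_after()` or from the issuing CA's records, and the "renew" rows would feed a ticket or an automated renewal rather than a print statement.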


Section 4 — Short answer (2 pts each)

23. [CISSP] Explain in two or three sentences why a leaked machine secret is often more dangerous than a leaked human password, referencing second factors, rotation, and privilege.

24. Describe the three placements where a secret scanner should run and what each one catches that the others may miss.


Section 5 — Applied scenario (5 pts)

25. [Sec+] Meridian discovers an AWS access key for a nightly backup job hard-coded in a Git repository that was cloned to an unmanaged contractor laptop. (a) Identify the secret, the machine identity, the sprawl, and the leak. (b) State the immediate response and why deleting the commit is not enough. (c) Recommend two controls from this chapter that would prevent recurrence, and name the residual risk that remains after them.


Answer Key

1. **B** — a secret is any confidential value that grants access or proves identity.
2. **B** — sprawl is the uncontrolled proliferation; a leak is the specific exposure event.
3. **B** — generated on demand, scoped, short TTL, auto-revoked = dynamic secret.
4. **C** — only rotation actually closes the exposure; the others leave the value valid.
5. **B** — workload identity attests what a workload is rather than a secret it holds.
6. **B** — the expiry date is knowable in advance, so it is preventable with a calendar and a script.
7. **C** — SSRF against the metadata service steals temporary credentials; the others are defenses.
8. **C** — service accounts notoriously *lack* MFA; the secret is usually the only factor.
9. **C** — the vault's master key lives in an HSM (root of trust).
10. **B** — boring, regular machine behavior makes deviations stark and high-confidence.
11. **B** — fail-open on an unreachable CRL/OCSP endpoint means revocation may not stop a determined attacker.
12. **B** — `AKIA` followed by 16 uppercase alphanumerics is an AWS access key ID.
13. **F** — env vars leak into logs and child processes and lack per-access audit, rotation, and expiry; they are a step, not a vault.
14. **F** — after-the-fact scanning loses the race; pre-commit and pipeline scanning catch secrets before they go public.
15. **T** — its short lifetime bounds exposure without depending on unreliable revocation.
16. **F** — the secret remains in git history (and in clones and caches) and may already have been scraped; it must be rotated.
17. **T** — no long-lived, hard-codeable key exists to leak, and the credentials auto-rotate and expire.
18. secrets management.
19. lifecycle.
20. mutual TLS (mutual Transport Layer Security).
21. short-lived (short-lived credentials).
22. orphaned.
23. A machine secret usually has no second factor (the secret is the only proof of identity), is rarely rotated so it stays valid for years, and is frequently over-privileged, whereas a human password may be protected by MFA and will eventually expire, limiting the damage.
24. Pre-commit (developer machine) catches a secret before it enters history but is bypassable. Pipeline/CI on every push is enforceable because it runs on infrastructure the developer does not control, and catches what slipped past pre-commit. History and runtime scanning catches secrets committed before scanning existed (still in history forever) and secrets printed into logs at runtime.
25. (a) Secret = the AWS access key; machine identity = the nightly backup job; sprawl = the key copied into committed source (and from there into every clone and CI cache); leak = the moment the repository reached the unmanaged laptop. (b) Immediate response: rotate the key (invalidate and reissue) and review CloudTrail for misuse; deleting the commit is insufficient because the key remains in git history and in clones and may already have been scraped and used. (c) Two of: move the job to workload identity (an IAM role, so there is no key to hard-code); store any unavoidable secret in a vault and fetch it at runtime; enable pre-commit plus pipeline secret scanning; enforce least privilege on the backup identity. Residual risk: other undiscovered secrets may already have leaked, the key may have been used before rotation, and SSRF/metadata-service theft remains possible against workload identity, which motivates a full discovery scan and behavioral detection.

**Topics to review by question:** 1–3, 13, 18 → §20.1–20.2; 4, 14, 16, 24 → §20.5; 5, 7, 8, 17, 22 → §20.3; 6, 11, 15, 19 → §20.4; 9 → §20.2 (and Ch.4–5); 10, 21, 23 → §20.1–20.2; 25 → §20.5–20.6.
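A minimal scanner, added here as an illustration of questions 12 and 24 and not part of the original quiz. It runs the question-12 regex (plus two companion rules that are assumptions, not from the quiz) over constructed sample inputs in the three placements from answer 24: a staged diff for the pre-commit hook, full lines for the pipeline or history scan, and runtime log lines. The only real-world value in it is AWS's documented example key ID, used to show why a scanner needs a reviewed allowlist; every other key, path and log line is made up.

```python
"""Minimal secret scanner, as an added example for questions 12 and 24
(not the quiz's own code). Rule names, the allowlist and the sample inputs
below are constructed for this illustration; only the AKIA pattern comes
from the quiz itself."""
import re
from typing import Iterable, Iterator, List, NamedTuple


class Finding(NamedTuple):
    source: str    # file path, commit, or log stream the line came from
    line_no: int
    rule: str
    preview: str   # redacted match: enough to triage, never enough to reuse


# Detection rules. The AWS access-key-ID regex is the one from question 12;
# the other two are common companion patterns (assumed, not from the quiz).
RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # NAME = "value": catches secret/token/password assignments of 20+ chars
    "generic_assigned_secret": re.compile(
        r"(?i)(?:secret|token|password)[A-Za-z_]*\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{20,})"
    ),
}

# Documented placeholder values that must not page anyone. Keep it short and reviewed.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE"}   # AWS's own example access key ID from its docs


def redact(value: str) -> str:
    """Keep the ends for triage, drop the middle so the finding itself is not a leak."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "****"


def scan_lines(source: str, lines: Iterable[str]) -> Iterator[Finding]:
    """Full-content scan: what the pipeline runs over files and history,
    and what a log pipeline runs over stdout/stderr at runtime."""
    for n, line in enumerate(lines, start=1):
        for rule, rx in RULES.items():
            for m in rx.finditer(line):
                value = m.group(m.lastindex or 0)   # captured value if the rule has one
                if value in ALLOWLIST:
                    continue
                yield Finding(source, n, rule, redact(value))


def added_lines_of_diff(diff: str) -> Iterator[str]:
    """Only the '+' lines of a unified diff: the pre-commit hook cares about
    what is being introduced now, not about what is already in history."""
    for line in diff.splitlines():
        if line.startswith("+") and not line.startswith("+++"):
            yield line[1:]


def scan_staged_diff(diff: str) -> List[Finding]:
    """Pre-commit placement. Bypassable with git's --no-verify, so the
    pipeline scan must run too (the point of question 24)."""
    return list(scan_lines("staged-diff", added_lines_of_diff(diff)))


# ---- constructed sample inputs --------------------------------------------
STAGED_DIFF = """\
--- a/backup/config.py
+++ b/backup/config.py
@@ -1,3 +1,5 @@
 BUCKET = "nightly-backups"
+AWS_ACCESS_KEY_ID = "AKIAABCDEFGHIJKLMNOP"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 REGION = "eu-west-1"
"""

RUNTIME_LOG = [   # the backup job printing its environment in DEBUG mode
    "2024-05-01T02:00:01Z backup INFO starting nightly run",
    "2024-05-01T02:00:02Z backup DEBUG env AWS_ACCESS_KEY_ID=AKIAQRSTUVWXYZ012345",
    "2024-05-01T02:00:09Z backup INFO uploaded 4 objects",
]

DOCS = ["Example: export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"]  # placeholder, allowlisted


if __name__ == "__main__":
    for f in scan_staged_diff(STAGED_DIFF) + list(scan_lines("backup.log", RUNTIME_LOG)):
        print(f"{f.source}:{f.line_no} {f.rule} {f.preview}")
    print("docs findings:", list(scan_lines("README.md", DOCS)))
```

Run directly, the staged diff yields the hard-coded key ID and its secret, the log scan yields the key printed at runtime (which no commit-time scan could see), and the documentation line yields nothing because the placeholder is allowlisted. The pre-commit path deliberately inspects only added lines, which is why a key that has sat in history for years never surfaces there and a separate full-content pass over history is still required.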