26. AWS Security & Encryption: KMS, SSM, Parameter Store, CloudHSM, Shield, WAF Flashcards

1
Q

Encryption in flight (SSL)

A
  • Data is encrypted before sending and decrypted after receiving.
  • SSL certificates help with encryption (HTTPS)
  • Encryption in flight ensures no MITM (man in the middle attack) can happen
2
Q

Server side encryption at rest

A
  • Data is encrypted after being received in the server
  • Data is decrypted before sent
  • It is stored in an encrypted form thanks to a key (usually a data key)
  • The encryption/decryption keys must be managed somewhere and the server must have access to them.
3
Q

Client side encryption

A
  • Data is encrypted by the client and never decrypted by the server
  • Data will be decrypted by a receiving client
  • The server should not be able to decrypt the data
  • Could leverage Envelope Encryption
4
Q

AWS KMS (Key Management Service)

A
  • Anytime you hear “encryption” for an AWS service, it’s most likely KMS.
  • AWS manages encryption keys for us.
  • Fully integrated with IAM for authorization
  • Easy way to control access to your data
  • Able to audit KMS key usage using CloudTrail
  • Seamlessly integrated into most AWS services (EBS, S3, RDS, SSM…)
5
Q

KMS Key Types

A
  • KMS Keys is the new name of KMS Customer Master Key (CMK)
  • Symmetric (AES-256 keys)
    Single encryption key that is used to Encrypt and Decrypt
    AWS services that are integrated with KMS use Symmetric CMKs
    You never get access to the KMS Key unencrypted (must call the KMS API to use it)
  • Asymmetric (RSA & ECC key pairs)
    Public (Encrypt) and Private key (Decrypt) pair
    Used for Encrypt/Decrypt, or Sign/Verify operations
    The public key is downloadable, but you can’t access the Private Key unencrypted
6
Q

Use case of Asymmetric KMS key

A
  • Encryption outside of AWS by users who can’t call the KMS API
7
Q

AWS KMS (Key Management Service)

A
  • Type of KMS Keys
    AWS Owned Key (free): SSE-S3, SSE-SQS, SSE-DDB (default key)
    AWS Managed Key: free (aws/service-name, example: aws/rds or aws/ebs)
    Customer managed keys created in KMS: $1/month
    Customer managed keys imported (must be a symmetric key): $1/month
    + pay for API calls to KMS ($0.03 / 10,000 calls)
8
Q

AWS KMS - Key Rotation

A
  • AWS managed KMS Keys: automatic every 1 year
  • Customer-managed KMS Keys: (must be enabled) automatic every 1 year
  • Imported KMS Key: only manual rotation possible using alias
9
Q

KMS Key Policies

A
  • Control access to KMS keys, “similar” to S3 buckets policies
  • Difference: you cannot control access without them
10
Q

Default KMS Key Policy:

A
  • Created if you don’t provide a specific KMS Key Policy
  • Gives complete access to the key to the root user (= the entire AWS account)
11
Q

Custom KMS Key Policy:

A
  • Define the users and roles that can access the KMS key
  • Define who can administer the key
  • Define cross-account access to your KMS key
12
Q

AMI Sharing Process Encrypted via KMS

A
  1. AMI in Source Account is encrypted with KMS Key from Source Account
  2. Must modify the image attribute to add a Launch Permission which corresponds to the specified target AWS Account
  3. Must share the KMS key used to encrypt the snapshot the AMI references
  4. The IAM Role/User in the target account must have the permissions DescribeKey, ReEncrypt, CreateGrant, Decrypt
  5. When launching an EC2 instance from the AMI, optionally the target account can specify a new KMS key in its own account to re-encrypt the volume
13
Q

S3 Replication

A
  • Unencrypted objects and objects encrypted with SSE-S3 are replicated by default
  • Objects encrypted with SSE-C (customer provided key) are never replicated.
14
Q

SSM Parameter Store

A
  • Secure storage for configuration and secrets
  • Optional Seamless Encryption using KMS
  • Serverless, scalable, durable, easy SDK
  • Version tracking of configuration / secrets
  • Security through IAM
  • Notification with Amazon EventBridge
  • Integration with CloudFormation
15
Q

AWS Secrets Manager

A
  • Meant for storing secrets
  • Capability to force rotation of secrets every X days
  • Automate generation of secrets on rotation (use Lambda)
  • Integration with Amazon RDS (MySQL, PostgreSQL, Aurora)
  • Secrets are encrypted using KMS
16
Q

AWS Secrets Manager - Use cases

A
  • Mostly meant for RDS Integration
17
Q

AWS Secrets Manager - Multi region secret

A
  • Replicate Secrets across multiple AWS Regions
  • Secrets Manager keeps read replicas in sync with the primary Secret
  • Ability to promote a read replica Secret to a standalone Secret
  • Use cases: multi-region apps, disaster recovery strategies, multi-region DB