30. Security & Encryption **IMPORTANT**

Question 1

What is encryption in flight?

Answer 1

SSL/TLS (HTTPS)

Question 2

What is server-side encryption at rest

Answer 2

Data is encrypted after being received by the server and is decrypted before being sent (KMS)

Question 3

What is client-side encryption?

Answer 3

Data is encrypted by client and never decrypted by server

Question 4

What standard does KMS use for symmetric encryption?

Answer 4

AES-256

Question 5

What standard does KMS use for asymmetric encryption?

Answer 5

RSA & ECC key pairs

Question 6

What is the KMS data per call maximum?

Answer 6

4KB of data per call

Question 7

What should you use if your KMS data is greater than the maximum?

Answer 7

If data > 4KB, use envelope encryption

Question 8

What should you do in KMS to authorize cross-account access?

Answer 8

Attach a KMS Key Policy to authorize cross-account access

Question 9

True or False: KMS keys have a global view.

Answer 9

False. KMS keys are bound to the region they are in.

Question 10

What is the API used for envelope encryption?

Answer 10

GenerateDataKey

Question 11

What is the API for data key caching?

Answer 11

LocalCryptoMaterialsCache

Question 12

What is the API for creating a unique symmetric data key (DEK)?

Answer 12

GenerateDataKey

Question 13

What is the API for encrypting data 4KB or less?

Answer 13

Encrypt

Question 14

What is the API for generating a DEK for later use (not immediately)?

Answer 14

GenerateDataKeyWithoutPlaintext

Question 15

When you exceed a KMS request quota, what happens?

Answer 15

You get a ThrottlingException

Question 16

What are the possible solutions for resolving a KMS ThrottlingException?

Answer 16

1. exponential backoff
2. For GenerateDataKey, use DEK caching from the Encryption SDK
3. you can request a quota increase through API or AWS support

Question 17

True or False: Shared KMS request quotas vary with the AWS Region and the type of CMK used in the request.

Answer 17

True

Question 18

What are the 4 methods of encrypting objects in S3?

Answer 18

1. SSE-S3
2. SSE-KMS
3. SSE-C
4. Client-side Encryption

Question 19

What is SSE-S3?

Answer 19

SSE-S3 encrypts S3 objects using keys handled and managed by AWS

Question 20

What is SSE-KMS?

Answer 20

SSE-KMS leverages KMS to manage encryption keys

Question 21

What is SSE-C?

Answer 21

SSE-C is when you want to manage your own encryption keys

Question 22

What are the advantages of SSE-KMS?

Answer 22

user control and audit trail

Question 23

What header must be set for SSE-KMS?

Answer 23

“x-amz-server-side-encryption”: “aws:kms”

Question 24

What API calls does SSE-KMS leverage?

Answer 24

GenerateDataKey and DecryptKMS

these KMS API calls will show up in CloudTrail

Question 25

What do you need to perform SSE-KMS?

Answer 25

1. A KMS Key Policy that authorizes the user / role
2. An IAM policy that authorizes access to KMS
   (otherwise you’ll get an access denied error)

Question 26

True or False: S3 calls to KMS for SSE-KMS do not count against your KMS limits.

Answer 26

False.

S3 calls to KMS for SSE-KMS do count against your KMS limits.

Question 27

How can you enforce SSL on an S3 bucket?

Answer 27

Create an S3 bucket policy with a DENY on the condition aws:SecureTransport = false

Question 28

What is SSM Parameter Store?

Answer 28

AWS Systems Manager Parameter Store

• secure, hierarchical storage for configuration data management and secrets management
• simple API
• KMS encryption is optional
• can integrate with CloudFormation
• can track versions
• 2 tiers: Standard (free) and Advanced ($)

Question 29

What is AWS Secrets Manager?

Answer 29

• protect secrets needed to access your applications and services
• Capability to force rotation of secrets
• automatic creation of secrets on rotation (using Lambda)
• KMS encryption is mandatory
• integration with RDS and CloudFormation

Question 30

How does KMS encryption work?

Answer 30

KMS stores the CMK, and receives data from the clients, which it encrypts and sends back

Question 31

Which AWS entities can be used to deploy SSL/TLS server certificates?

Answer 31

AWS Certificate Manager and IAM

Question 32

Which is less expensive: SSM Parameter Store or Secrets Manager?

Answer 32

SSM Parameter Store

Question 33

What would you suggest for someone who wants to rotate their keys?

Answer 33

Secrets Manager

Question 34

How should you store secrets in CodeBuild?

Answer 34

DO NOT STORE THEM AS PLAINTEXT IN ENVIRONMENT VARIABLES

Use environment variables to reference parameter store parameters or secrets manager secrets.

Question 35

Are CloudTrail event log files encrypted by default?

Answer 35

Yes, with S3 Server-Side Encryption (SSE)

Question 36

KMS stores what types of keys?

Answer 36

Master keys (not data keys)

Question 37

KMS can be used with what AWS service to audit keys access history?

Answer 37

CloudTrail

Question 38

What are the primary resources in KMS?

Answer 38

Customer Master Keys (CMKs)

Question 39

What level of compliance does KMS have?

Answer 39

FIPS 140-2 Level 2 compliant

Question 40

What is the KMS command to turn on automatic key rotation?

Answer 40

> aws kms enable-key-rotation

only for symmetric keys

Question 41

What should you use to store database credentials?

Answer 41

Secrets Manager

It will store and automatically rotate your database credentials

Question 42

What should you use to block a single IP address?

Answer 42

NACL

Question 43

Are NACLs stateful or stateless?

Answer 43

Stateless (incoming rule will not be applied to outgoing)

Question 44

Are Security Groups stateful or stateless?

Answer 44

STATEFUL (if traffic is allowed inbound, it is also allowed outbound)

Question 45

Can a Security Group block a single IP address?

Answer 45

No. You cannot block specific IP addresses with Security Groups, for this you would need a Network Access Control List (NACL)