AWS Key Management Service | Security Flashcards
Do your prices include taxes?
Security
AWS Key Management Service | Security, Identity & Compliance
Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including VAT and applicable sales tax. For customers with a Japanese billing address, use of AWS services is subject to Japanese Consumption Tax. You can learn more here.
Who can use and manage my keys in AWS KMS?
AWS KMS enforces usage and management policies that you define. You choose to allow AWS Identity and Access Management (IAM) users and roles from your account or other accounts to use and manage your keys.
Can AWS employees access my keys in AWS KMS?
AWS KMS is designed so that no one has access to your master keys. The service is built on systems that are designed to protect your master keys with extensive hardening techniques such as never storing plaintext master keys on disk, not persisting them in memory, and limiting which systems can connect to the device. All access to update software on the service is controlled by a multi-level approval process that is audited and reviewed by an independent group within Amazon.
More details about these security controls can be found in the AWS KMS Cryptographic Details whitepaper. In addition, you can request a copy of the Service Organization Controls (SOC) report available from AWS Compliance to learn more about security controls AWS uses to protect your data and master keys.
Can I use KMS to help me comply with the encryption and key management requirements in the Payment Card Industry Data Security Standard (PCI DSS 3.1)?
Yes. KMS has been validated as having the functionality and security controls to help you meet the encryption and key management requirements (primarily referenced in sections 3.5 and 3.6 of the PCI DSS 3.1).
For more details on PCI DSS compliant services in AWS, you can read the PCI DSS FAQs.
How does AWS KMS secure the data keys I export and use in my application?
You can request that AWS KMS generate data keys that can be returned for use in your own application. The data keys are encrypted under a master key you define in AWS KMS so that you can safely store the encrypted data key along with your encrypted data. Your encrypted data key (and therefore your source data) can only be decrypted by users with permissions to use the original master key used in encrypting the data key.
What length of keys does AWS KMS generate?
Master keys in AWS KMS are 256 bits in length. Data keys can be generated at 128-bit or 256-bit lengths and encrypted under a master key you define. AWS KMS also provides the ability to generate random data of any length you define, suitable for cryptographic use.
Can I export a master key from AWS KMS and use it in my own applications?
No. Master keys are created and used only within AWS KMS to help ensure their security, enable your policies to be consistently enforced, and provide a centralized log of their use.
What geographic region are my keys stored in?
Keys are only stored and used in the region in which they are created. They cannot be transferred to another region. For example, keys created in the EU-Central (Frankfurt) region are only stored and used within the EU-Central (Frankfurt) region.
How can I tell who used or changed the configuration of my keys in AWS KMS?
Logs in AWS CloudTrail will show requests on your master keys, including both management requests (e.g. create, rotate, disable, policy edits) and cryptographic requests (e.g. encrypt/decrypt). Turn on AWS CloudTrail in your account to view these logs.