AWS KMS

Question 1

Is AWS KMS Free to use?

Answer 1

No, You pay for each key you store and each API call.

Question 2

How can I control who accesses AWS KMS?

Answer 2

AWS KMS service has the same IAM access control as other services in AWS.

Question 3

How can I control who can use the CMK keys created by AWS KMS?

Answer 3

A CMK can have an access control policy attached to it, this access control policy enables restriction to happen.

Question 4

what is a symmetric data key?

Answer 4

It is used to encrypt large blocks of data and is the same key for encryption and decryption, AES 256 is symetricencryption.

Question 5

What is asymmetric encryption?

Answer 5

It is public and private key encryption where the a public key is share with people to encrypt data. Good for small amounts of data.

Question 6

What is envelope encryption?

Answer 6

This is where you encrypt plane text data with a key and ten encrypt the key

Question 7

What is a CMK

Answer 7

Is is a customer master key, used to encrypt and decrypt unto 4k of data.

Question 8

Is KMS a global or regional service?

Answer 8

It is a regional service.

Question 9

Is the CMK a logical or real key?

Answer 9

It is a logical key, the reason for this is keys can be rotated and old keys kept until data is deleted.

Question 10

What is a data key?

Answer 10

Is a key generated by HSM under CMK, returned as plane and encrypted

Question 11

What is a permission?

Answer 11

A permission is a policy attached to a CMK and defines who/what can access the CMK.

Question 12

What is the hierarchy of the keys for KMS?

Answer 12

Domain Key 
HBK
Domain encrypts HBK and produced EKT
EKT is stord in CMK
CMK is stored in external durable storage form HSM

Question 13

What is a HBK?

Answer 13

It is a HSM backed keys, it is a key generated in the HSM and never leaves the HSM unencrypted.

Question 14

What is the EKT?

Answer 14

Is the HBK thet gets encrypted under the domain key and and is exported from the HSM into the CMK, CMK is resident in durable storage outside the hSM.

Question 15

What is CDK

Answer 15

It is a customer data keys, encrypted under CMK.

Question 16

I have an on-prem application that I want to use envelope encryption with, I need this to be highly secure and FIPS complaint, what are my options?

Answer 16

You could used AWS KMS and the KMS SKD to encrypt you key using the CMK.

Question 17

What dose the CMK consist of?

Answer 17

EKS which are encrypted HBK thet were generated in the HSM and encrypted under the domain key.

Question 18

Can I used my own Key with KMS and how dose this work?

Answer 18

Yes you can use your own key, you import they material into KMS and this key materiel is used for HBK, HBK gets encrypted under domain key and stored in logical CMK.

Question 19

I need a key to encrypt some data, what should I used?

Answer 19

Call GenerateDataKey API, this will create a data key they is encrypted under the CMK, you can get back bot encrypted and plane text versions of this key.

Question 20

I need to encrypt large amounts of data in my application, what options do I have?

Answer 20

You can used the AWS KMS SDK, it can be used to encrypt large amounts of data, it used KMS,

Question 21

I would like to have a more hand off approach to key management, what options do i have?

Answer 21

You can use KMS and have it automatically rotate the keys for you. This will involve KMS creating new HBK under the domain key to be come new EKS and stored in the logical CMK. These new keys will be used after creation and onl EKS will still be kept in the CMK to decrypt the data thet was encrypted.

Question 22

As part of corporate policy, I need to have KMS keep audit logs, what options do i have?

Answer 22

KMS is looked with CloudTrail, CloudTrail tracks all access to the KMS API.

Question 23

What are the 3 use cases KMS used for encrypting data?

Answer 23

• Use API to encrypt data (Key)
• Use AWS service that use KMS to encrypt data.
  Use The AWS SDK to encrypt data.

Question 24

What is envelope encryption?

Answer 24

Is is when you used another key (master) to encrypt a key.

Question 25

What is a customer key store?

Answer 25

You can create a CloudHSM and have KMS use it. Master keys created in the CloudHSM never leave it in plane text.

Question 26

When should I use KMS with CloudHSM?

Answer 26

When I want to manage the fife cycle of Master Keys.

If keys have to ve on a valid FIPS 140-2 level 3 device.

Question 27

What do you pay for with KMS?

Answer 27

You pay for each CMK and the number of API calls. You also pay as new keys are created from key rotation. Keys are charged at $1 a Key and for API calls 0.03 per 10K API calls.

Question 28

Whet regions are keys stored in?

Answer 28

They are stored only in the region they are created in.

Question 29

Do KMS keys get an ARN?

Answer 29

Yes each CMK in KMS get sits own ARN, this cna be used to refer to the key.

Question 30

When you create a CMK, is key rotation automatically turned on?

Answer 30

No, you have to enable this on a per key basis.

Question 31

Can I delete a key immediately?

Answer 31

No you have to wait between 7 - 30 days for key to be deleted, this is a safe guard.

Question 32

When we look at KMS what are the types of access control available?

Answer 32

We have IAM to control access to the KMS service, we also have Key (MMK) policies to control access to the CMK’s.

Question 33

Is KMS a regional or global service?

Answer 33

Regional.

Question 34

How does KMS create a data key?

Answer 34

KMS creates a data key by first generating a hardware baked key, encrypting this key and storing it in the CMK . The HBK is encrypted under the domain key and stored in the CMK as EKT.

Question 35

Will KMS manage your data keys?

Answer 35

No, one the data keys are handed over you have to manage them on your own, you have both the plain text and encrypted key, normally we encrypt some data and discard the plain text key and keep the encrypted key. Letser when we want to unencrypt the data we ask KMS to unencrypt the encrypted key using the KMS stored CMK, we then use this key to unencrypt the data.,

Question 36

What are the two types of CMK’s?

Answer 36

Customer-managed and AWS Managed CMKs.

Question 37

How often are customer-managed keys rotated by default?

Answer 37

Once every 3 years, but you can select to have this done every year.

Question 38

What is the difference between a customer and was managed CMK’s

Answer 38

When AWS creates a key as part of an AWS service like e S3, it is an AWS managed key. When you create a key through the portal or CLI then it is a customer managed key.

Question 39

Why would I use a customer-managed key?

Answer 39

Many AWSservices allow you to select a key to use for encryption, you can generate and manage your own KMS key and have the AWS service use it.

Question 40

What happens when CMK key rotation takes place?

Answer 40

A new HBK is created and encrypted using the domain key and placed in the CMK, the existing key is still stores as it will be used for old data decryption.

Question 41

I have a requirement for audit logs for KMS, what are my options?

Answer 41

Use CloudTrail.

Question 42

What are the FIPS that KMS supports?

Answer 42

FIPS 140-2

Question 43

I require an industry standards API interface for HSM, what are my options?

Answer 43

KMS does not support industry standards API interface, HSM would be a better option.

Question 44

Can CMKS leave the KMS service?

Answer 44

No they never leave the KMS service.

Question 45

What is the size of the data I can pass to KMS to have encrypted using the CMK?

Answer 45

4K

Question 46

How can I ensure only the users I want can use the CML?

Answer 46

CMKs have access control policies you can use to restrict who has access.

Question 47

How do I reference a CMK?

Answer 47

Each CMK get an ARN

Question 48

Can I use the KMS service globally?

Answer 48

No, each KMS is in a region as it is a regional service.