AWS Security

Question 1

client side encryption

Answer 1

• envelop encryption - encrypt something greater than 4KB
  
  • encrypt your file client-side using key generated by KMS and bundle with encrypted data key to send to AWS
  • GenerateDataKey API in KMS
  • use the encryption SDK to have AWS do this for you
    
    • feature - data key caching - reuse the data key so you have less calls to KMS

Question 2

AWS KMS

Answer 2

• key management service
  
  • 4KB limit for the secret (lambda ENV vars also have a 4 kb limit)
  • integrated with IAM
  • able to audit KMS key usage through cloudTrail
• Keys are REGION specific

Question 3

KMS scoped per…

Answer 3

• scoped per REGION!
  
  • Symmetric (AES-256) - single encryption key
  • Asymmetric (RSA & ECC key pairs) - public and private
    
    • can download public key but private key is hidden
    • use case: encryption outside of aws cloud by users who can’t call the KMS API

Question 4

KMS symmetric

Answer 4

Question 5

KMS keys

Answer 5

• AWS managed key - free (aws/service-name, example aws/rds)
• AWS customer managed key (CMK) - 1$ / month
• AWS managed keys imported 1$ / month
• • pay for API calls to KMS
• key policies - similar to S3 bucket policies
  
  • default - allow everyone in your account to access the key
  • custom KMS key policy - define users, roles for access (helpful for cross-account access)
    
    • use to copy snapshot across account

Question 6

KMS quotas

Answer 6

• depends on region
  
  • exceed quota - get throttling exception
  • quota is shared for cryptographic API operations
    
    • to fix, cache DEK key
    • generate request quota increase through API or AWS support

Question 7

SSM Parameter store

Answer 7

• securely store secrets and configuration
  
  • simple systems manager
  • optional seamless encryption using KMS
  • hierarchy based
  • GetParameters API
  • tiers
    
    • standard - 10k parametesr of 4kb max size each
    • advanced - 100k

Question 8

AWS Secrets Manager

Answer 8

• usually username / password pairs for DB access
• came after SSM parameter store
• capability to force rotation of secrets every X days
• integration with RDS
• more expensive
• CodeBuild Secrets
  
  • ENv variables that reference SSM parameter store or secrets manager secrets

Question 9

how to share ssh key pairs across regions

Answer 9

Here is the correct way of reusing SSH keys in your AWS Regions:

Generate a public SSH key (.pub) file from the private SSH key (.pem) file.

Set the AWS Region you wish to import to.

Import the public SSH key into the new Region.

Question 10

AWS trusted advisor

Answer 10

Trusted Advisor inspects your AWS environment and makes recommendations for saving money, improving system performance, or closing security gaps

Question 11

generatedatakey api

Answer 11

To encrypt data outside of AWS KMS:

Use the GenerateDataKey operation to get a data key.

Use the plaintext data key (in the Plaintext field of the response) to encrypt your data outside of AWS KMS. Then erase the plaintext data key from memory.

Store the encrypted data key (in the CiphertextBlob field of the response) with the encrypted data.

To decrypt data outside of AWS KMS:

Use the Decrypt operation to decrypt the encrypted data key. The operation returns a plaintext copy of the data key.

Use the plaintext data key to decrypt data outside of AWS KMS, then erase the plaintext data key from memory.

Question 12

gateway endpoints

Answer 12

s3 and dynamo