AWS Security and Encryption: KMS, SSM Parameter Store, Shield, WAF Flashcards
What level of geographic lock do KMS keys exist at?
Regional
How do you use a KMS key without having to write it in plaintext?
You use an API call
What service would be used to audit KMS key usage?
CloudTrail
How do multi-region keys work?
You have a primary key in one region and then replica keys in other regions
Are multi-region KMS keys the same as global KMS keys?
No, global keys don't exist; multi-region keys exist only in the specific regions you specify
What is SSM Parameter store?
Secure storage for configurations and secrets with version tracking
What is AWS Secrets Manager?
A newer service than Parameter Store, specifically designed for storing secrets. It can force rotation every X days and automatically generate a new secret on rotation.
What service would be used to manage TLS certificates for in-flight encryption?
AWS Certificate Manager
Can AWS Certificate Manager automatically renew TLS certificates?
Yes
Where should the TLS certificate live for a global CloudFront or API Gateway setup?
us-east-1
What do you lose if you import a certificate from outside AWS Certificate Manager instead of requesting one through it?
The automatic renewal feature, although you still get alerts before it expires
What is the goal of the WAF service?
To protect against common exploits at layer 7
What service is the primary service to protect against DDoS attacks?
AWS Shield
Why use Shield Advanced?
Protects against more sophisticated attacks, gives access to a 24/7 response team, and provides cost protection against the higher bills that result from DDoS attacks
What is the purpose of the Firewall Manager service?
Set baseline rules across all accounts in an organisation and automatically apply firewall rules to newly created resources