Chapter 5 Encryption on AWS

Question 1

Three ways to create keys with KMS

Answer 1

1. KMS
2. AWS CloudHSM
3. importing your own key material

Question 2

Default key rotation

Answer 2

Once a year without having to re-encrypt what was already encrypted

Question 3

CMK

Answer 3

Customer Master Key. Used to control access to your data encryption keys (data keys) and to encrypt and decrypt your data.

Question 4

Where are CMKs stored?

Answer 4

Within a CloudHSM in a single region. The CloudHSM is configured for multi tenancy by default, but you can use single tenant if necessary.

Question 5

KMI

Answer 5

Key Management Infrastructure. Can be hosted by you or AWS.

Question 6

Caveat of encrypting at block-level or file level

Answer 6

Cannot encrypt an EBS boot volume.

Question 7

How to encrypt RDS data via client side technology?

Answer 7

Encrypt data before writing to the DB. You can also add HMAC field to DB so that you query against that value instead of exposing plaintext values in queries.

Question 8

S3 server side encryption mechanism (managed)

Answer 8

S3 can encrypt data written to disk in S3. Each object has its own data key. This is offered at no additional charge

Question 9

Explain S3 server side encryption via customer provided key

Answer 9

You provide key during upload, and S3 uses it to encrypt objects. Then it deletes the provided key. When you download from S3, you provide your key again, and S3 will decrypt object and send it. (no additional cost)

Question 10

Explain S3 server side encryption via KMS

Answer 10

When you upload object, request sent to KMS for object key. KMS responds with object key in two forms (1. encrypted from master key and 2. plaintext version). Then, S3 encrypts object via plaintext key and deletes the plaintext key. Now S3 holds both the encrypted object and encrypted object key.

When it needs to retrieve an object, S3 sends KMS the encrypted object key. KMS decrypts the object key and returns it. Then S3 can decrypt the object itself.

Question 11

KMI anatomy

Answer 11

1. Storage layer that protects plaintext keys

2. Management layer that authorizes use of stored keys

Question 12

Options for encryption via KMI

Answer 12

1. You control encryption method in addition to the entire KMI
2. You control the encryption method and the management layer of the KMI, and AWS handles storage layer
3. AWS controls the encryption method and both components of the KMI

Question 13

Which AWS service provides asymmetric and symmetric encryption capabilities?

Answer 13

CloudHSM

Question 14

Which feature of AWS Key Management Service (AWS KMS) enables you to use an AWS CloudHSM cluster for the storage of your encryption keys?

Answer 14

Custom Key Stores

Question 15

Difference b/t SSE-S3 and SSE-KMS

Answer 15

SSE-S3 does not use KMS (no CMK). SSE-S3 manages encryption keys and performs rotations periodically for you. SSE-S3 is less hands on.

Question 16

What are key features of KMS (5 attributes)

Answer 16

1. Centralized key management
2. Integration with other AWS services
3. Audit capabilities and high availability
4. Custom Key Store (within CloudHSM, allows single tenant)
5. Compliance