CloudAcademy: Knowledge Check: Encryption (SAA-C03) Flashcards
Which Amazon S3 data encryption mechanism offers the highest level of control to the customer, but also requires the highest level of customer responsibility?
A. SSE-C
B. SSE-S3
C. CSE-KMS
D. CSE-C
D. CSE-C
Explanation:
Using CSE-C, AWS assists in creating the keys and storing the encrypted objects. Key storage, rotation, encryption and decryption are entirely performed on the client’s side.
When an AWS CloudHSM device is initialized, what happens to the existing keys stored on the device?
A. The existing keys are destroyed.
B. The existing keys are unchanged.
C. The existing keys are updated.
D. The existing keys are backed up to Amazon S3.
Which of the following statements about AWS Secrets Manager is false?
A. You can let Secrets Manager create a new Lambda function for you to enable a secret rotation.
B. By default, automatic secret rotation is enabled.
C. If automatic secret rotation is enabled, when you first store a secret, it performs a rotation immediately.
D. You can use an existing Lambda function to enable a secret rotation.
B. By default, automatic secret rotation is enabled.
Explanation:
Here we can decide if we want to configure automatic rotation. By default, it’s disabled. Now you can let Secrets Manager create a new Lambda function for you to enable this rotation, or you can use an existing Lambda function. And when you first store your secret, it performs a rotation immediately.
You are in charge of choosing an encryption option for a set of newly acquired storage objects containing personal data. You have recently noticed a potential access issue with some of the other encryption keys using AWS server-side encryption with managed keys (SSE-S3).
Which of the following is the best scenario for choosing an encryption option to prevent key access issues?
A. Choosing server-side encryption with Key Management Service (KMS) because the the KMS monitors the encryption and decryption of objects.
B. Choosing server-side encryption with Key Management Service (KMS) because it allows you to define policies that define how keys are used.
C. Choosing server-side encryption with managed keys (SSE -S3) because it requires minimal configuration providing you more time to monitor key access.
D. Choosing server-side encryption with managed keys (SSE -S3) because AWS provides the most secure key management by default.
B. Choosing server-side encryption with Key Management Service (KMS) because it allows you to define policies that define how keys are used.
Explanation:
Using KMS gives you far greater flexibility of how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the KMS key, and audit against their usage using AWS Cloud Trail. SSE-S3 is a less appropriate option in this case because it manages the keys for you; similarly, using SSE -S3 makes the encryption process invisible to the end user, thus limiting your ability to understand or mitigate the encryption key issue. KMS allows for the monitoring in different ways of encryption and decryption processes by allowing the user access to these processes, not by doing it independently of the user.
The AWS Secrets Manager is used for _____.
A. autoscaling of EC2 instances
B. the encryption and decryption of data
C. assigning permissions and roles to users and resources
D. storing secrets such as database credentials in a secure store
D. storing secrets such as database credentials in a secure store
Explanation:
You should always avoid embedding and hard-coding credentials in an application. This problem is alleviated with the introduction of AWS Secrets Manager, a service which allows you to store the secret such as database credentials in a secure store.
Which statement regarding CloudHSM and AWS KMS is correct?
A. AWS KMS and CloudHSM only support asymmetric encryption.
B. AWS KMS does not use HSMs while CloudHSM does.
C. AWS KMS manages HSM devices while CloudHSM provides customer-managed HSM devices.
D. AWS KMS provides more key management options than AWS CloudHSM.
C. AWS KMS manages HSM devices while CloudHSM provides customer-managed HSM devices.
Explanation:
AWS CloudHSM is not the only encryption service available with AWS, you may have also heard of the Key Management Service, known as KMS.KMS is a managed service used to store and generate encryption keys that can be used by other AWS services and applications to encrypt your data.
Much like CloudHSM, KMS uses HSMs, but with KMS, these are managed by AWS, as a result, you have less management control of the keys and key material.Later in this course, I shall explain the integrations that exist between the 2 services.
AWS Key Management Service (KMS), makes use of ____ encryption, which is the practice of encrypting plaintext data with a unique data key, and then encrypting the data key with a key encryption(KEK).
A. super
B. nested
C. double
D. envelope
D. envelope
Explanation:
AWS KMS uses envelope encryption to protect data. Envelope encryption is the practice of encrypting plaintext data with a unique data key, and then encrypting the data key with a key encryption key (KEK). You might choose to encrypt the KEK with another KEK, and so on, but eventually you must have a master key. The master key is an unencrypted (plaintext) key with which you can decrypt one or more other keys.
The AWS CloudHSM service provides HSMs that are validated to Federal Information Processing Standards (FIPS) 140-2 Level 3. This validation is often requiredto offer which of the following services? (Choose 2 answers)
A. Password encryption
B. Run a public certificate authority
C. Encrypt a personal computer board
D. Offer document signing
D. Offer document signing
B. Run a public certificate authority
Explanation:
FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”. It does not specify in detail what level of security is required by any particular application.
FIPS 140-2 Level 1 the lowest, imposes very limited requirements; loosely, all components must be “production-grade” and various egregious kinds of insecurity must be absent. This applies to encryption of a personal computer board, which requires lower standards in physical security.
Password encryption is based more on algorithmic security rather than physical security, and certified password encryption can be provided using AES-128 encryption.
Your team has two KMS keys,KMS key1 and KMS key2.
The policy for KMS key1 allows access to the AWS account (root user). The policy for KMS key2 allows access to you and your coworker, River. River currently has no IAM policy.
Which keys, if any, does River have access to?
A. River has access to only KMS key2.
B. River has no access to either KMS key.
C. River has access to only KMS key1.
D. River has access to both KMS key1 and KMS key2.
AWS Secrets Manager rotates secrets automatically with backend support from _____.
A. Python scripts
B. built-in Lambda functions
C. DocumentDB
D. Redshift
B. built-in Lambda functions
Explanation:
AWS Secrets Manager supports RDS, DocumentDB, and Redshift and rotates these secrets automatically with backend support from built-in Lambda functions.
What is AWS CloudHSM?
A. A cloud-based hardware device that storescryptographic keys
B. A cryptographic key creation and storage service hosted in the AWS cloud
C. An AWS service that stores secrets in the cloud
D. An on-premise hardware device that managesidentity and access management
A. A cloud-based hardware device that storescryptographic keys
Explanation:
What is CloudHSM? Cloud HSM is a FIPS 140 level two validated hardware device for secure cryptographic key storage. I can’t stress this enough, CloudHSM is a hardware appliance, it is not a virtualized service.
Which of the following statements about key policies in AWS Key Management Service is true?
A. Neither an IAM identity-based policy nor a resource-based key policy are required to access and use a KMS key from a different A WS account.
B. Both an IAM identity-based policy in the AWS account that wants to access the KMS key and a resource-based key policy in the AWS account where the KMS key resides are required to access and use a KMS key from a different AWS account.
C. Only a resource-based key policy in the AWS account where the KMS key resides is required to access and use a KMS key from a different AWS account.
D. Only an IAM identity-based policy in the AWS account that wants to access the KMS key is required to access and use a KMS key from a different AWS account.
B. Both an IAM identity-based policy in the AWS account that wants to access the KMS key and a resource-based key policy in the AWS account where the KMS key resides are required to access and use a KMS key from a different AWS account.
Explanation:
Permissions to allow you to access and use a KMS key from a different AWS account can’t be given and generated using IAM alone. As a result, you have to use and edit a resource-based key policy in the AWS account where the KMS key resides, in addition to an IAM identity-based policy in the AWS account that wants to access the KMS key.
What are the general steps in SSE-S3 data encryption? (Choose 2 answers)
A. Encrypt the data key with a master key.
B. Encrypt the data with a data key
C. Encrypt the data with a master key.
D. Create a copy of a data key from the master key.
A. Encrypt the data key with a master key.
Explanation:
With SSE-S3, a multifactor encryption process was used by first encrypting the object data with a data key and then this data key was encrypted with a master key.
When transmitting sensitive data using encryption algorithms, ____ refers to the input to an encryption algorithm, meaning that the data is in its unprotected, or unencrypted form.
A. rawtext
B. usertext
C. ciphertext
D. plaintext
D. plaintext
Explanation:
Plaintext refers to information or data in an unencrypted, or unprotected, form. Ciphertext refers to the output of an encryption algorithm operating on plaintext. Ciphertext is unreadable without knowledge of the algorithm and a secret key.
When transmitting sensitive data using encryption algorithms, ____ refers to the input to an encryption algorithm, meaning that the data is in its unprotected, or unencrypted form.
A. rawtext
B. usertext
C. ciphertext
D. plaintext