CloudAcademy: Knowledge Check: Encryption (SAA-C03) Flashcards

1
Q

Which Amazon S3 data encryption mechanism offers the highest level of control to the customer, but also requires the highest level of customer responsibility?

A. SSE-C
B. SSE-S3
C. CSE-KMS
D. CSE-C

A

D. CSE-C

Explanation:
Using CSE-C, AWS assists in creating the keys and storing the encrypted objects. Key storage, rotation, encryption and decryption are entirely performed on the client’s side.

2
Q

When an AWS CloudHSM device is initialized, what happens to the existing keys stored on the device?

A. The existing keys are destroyed.
B. The existing keys are unchanged.
C. The existing keys are updated.
D. The existing keys are backed up to Amazon S3.

A
3
Q

Which of the following statements about AWS Secrets Manager is false?

A. You can let Secrets Manager create a new Lambda function for you to enable a secret rotation.
B. By default, automatic secret rotation is enabled.
C. If automatic secret rotation is enabled, when you first store a secret, it performs a rotation immediately.
D. You can use an existing Lambda function to enable a secret rotation.

A

B. By default, automatic secret rotation is enabled.

Explanation:
Here we can decide if we want to configure automatic rotation. By default, it’s disabled. Now you can let Secrets Manager create a new Lambda function for you to enable this rotation, or you can use an existing Lambda function. And when you first store your secret, it performs a rotation immediately.

4
Q

You are in charge of choosing an encryption option for a set of newly acquired storage objects containing personal data. You have recently noticed a potential access issue with some of the other encryption keys using AWS server-side encryption with managed keys (SSE-S3).

Which of the following is the best scenario for choosing an encryption option to prevent key access issues?

A. Choosing server-side encryption with Key Management Service (KMS) because the KMS monitors the encryption and decryption of objects.
B. Choosing server-side encryption with Key Management Service (KMS) because it allows you to define policies that define how keys are used.
C. Choosing server-side encryption with managed keys (SSE-S3) because it requires minimal configuration, providing you more time to monitor key access.
D. Choosing server-side encryption with managed keys (SSE-S3) because AWS provides the most secure key management by default.

A

B. Choosing server-side encryption with Key Management Service (KMS) because it allows you to define policies that define how keys are used.

Explanation:
Using KMS gives you far greater flexibility in how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the KMS key, and audit its usage using AWS CloudTrail. SSE-S3 is a less appropriate option in this case because it manages the keys for you; similarly, using SSE-S3 makes the encryption process invisible to the end user, thus limiting your ability to understand or mitigate the encryption key issue. KMS allows you to monitor encryption and decryption processes in several ways by giving you access to those processes, rather than performing them independently of you.

5
Q

The AWS Secrets Manager is used for _____.

A. autoscaling of EC2 instances
B. the encryption and decryption of data
C. assigning permissions and roles to users and resources
D. storing secrets such as database credentials in a secure store

A

D. storing secrets such as database credentials in a secure store

Explanation:
You should always avoid embedding and hard-coding credentials in an application. This problem is alleviated with the introduction of AWS Secrets Manager, a service which allows you to store the secret such as database credentials in a secure store.

6
Q

Which statement regarding CloudHSM and AWS KMS is correct?

A. AWS KMS and CloudHSM only support asymmetric encryption.
B. AWS KMS does not use HSMs while CloudHSM does.
C. AWS KMS manages HSM devices while CloudHSM provides customer-managed HSM devices.
D. AWS KMS provides more key management options than AWS CloudHSM.

A

C. AWS KMS manages HSM devices while CloudHSM provides customer-managed HSM devices.

Explanation:
AWS CloudHSM is not the only encryption service available with AWS; you may have also heard of the Key Management Service, known as KMS. KMS is a managed service used to store and generate encryption keys that can be used by other AWS services and applications to encrypt your data.

Much like CloudHSM, KMS uses HSMs, but with KMS these are managed by AWS; as a result, you have less management control of the keys and key material. Later in this course, I shall explain the integrations that exist between the two services.

7
Q

AWS Key Management Service (KMS) makes use of ____ encryption, which is the practice of encrypting plaintext data with a unique data key, and then encrypting the data key with a key encryption key (KEK).

A. super
B. nested
C. double
D. envelope

A

D. envelope

Explanation:
AWS KMS uses envelope encryption to protect data. Envelope encryption is the practice of encrypting plaintext data with a unique data key, and then encrypting the data key with a key encryption key (KEK). You might choose to encrypt the KEK with another KEK, and so on, but eventually you must have a master key. The master key is an unencrypted (plaintext) key with which you can decrypt one or more other keys.

8
Q

The AWS CloudHSM service provides HSMs that are validated to Federal Information Processing Standards (FIPS) 140-2 Level 3. This validation is often required to offer which of the following services? (Choose 2 answers)

A. Password encryption
B. Run a public certificate authority
C. Encrypt a personal computer board
D. Offer document signing

A

D. Offer document signing
B. Run a public certificate authority

Explanation:
FIPS 140-2 defines four levels of security, simply named “Level 1” to “Level 4”. It does not specify in detail what level of security is required by any particular application.

FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be “production-grade” and various egregious kinds of insecurity must be absent. This applies to encryption of a personal computer board, which requires lower standards in physical security.

Password encryption is based more on algorithmic security rather than physical security, and certified password encryption can be provided using AES-128 encryption.

9
Q

Your team has two KMS keys, KMS key1 and KMS key2.

The policy for KMS key1 allows access to the AWS account (root user). The policy for KMS key2 allows access to you and your coworker, River. River currently has no IAM policy.

Which keys, if any, does River have access to?

A. River has access to only KMS key2.
B. River has no access to either KMS key.
C. River has access to only KMS key1.
D. River has access to both KMS key1 and KMS key2.

A
10
Q

AWS Secrets Manager rotates secrets automatically with backend support from _____.

A. Python scripts
B. built-in Lambda functions
C. DocumentDB
D. Redshift

A

B. built-in Lambda functions

Explanation:
AWS Secrets Manager supports RDS, DocumentDB, and Redshift and rotates these secrets automatically with backend support from built-in Lambda functions.

11
Q

What is AWS CloudHSM?

A. A cloud-based hardware device that stores cryptographic keys
B. A cryptographic key creation and storage service hosted in the AWS cloud
C. An AWS service that stores secrets in the cloud
D. An on-premise hardware device that manages identity and access management

A

A. A cloud-based hardware device that stores cryptographic keys

Explanation:
What is CloudHSM? CloudHSM is a FIPS 140 level two validated hardware device for secure cryptographic key storage. I can’t stress this enough: CloudHSM is a hardware appliance, it is not a virtualized service.

12
Q

Which of the following statements about key policies in AWS Key Management Service is true?

A. Neither an IAM identity-based policy nor a resource-based key policy is required to access and use a KMS key from a different AWS account.
B. Both an IAM identity-based policy in the AWS account that wants to access the KMS key and a resource-based key policy in the AWS account where the KMS key resides are required to access and use a KMS key from a different AWS account.
C. Only a resource-based key policy in the AWS account where the KMS key resides is required to access and use a KMS key from a different AWS account.
D. Only an IAM identity-based policy in the AWS account that wants to access the KMS key is required to access and use a KMS key from a different AWS account.

A

B. Both an IAM identity-based policy in the AWS account that wants to access the KMS key and a resource-based key policy in the AWS account where the KMS key resides are required to access and use a KMS key from a different AWS account.

Explanation:
Permissions to allow you to access and use a KMS key from a different AWS account can’t be given and generated using IAM alone. As a result, you have to use and edit a resource-based key policy in the AWS account where the KMS key resides, in addition to an IAM identity-based policy in the AWS account that wants to access the KMS key.

13
Q

What are the general steps in SSE-S3 data encryption? (Choose 2 answers)

A. Encrypt the data key with a master key.
B. Encrypt the data with a data key
C. Encrypt the data with a master key.
D. Create a copy of a data key from the master key.

A

A. Encrypt the data key with a master key.

Explanation:
With SSE-S3, a multifactor encryption process was used by first encrypting the object data with a data key and then this data key was encrypted with a master key.

14
Q

When transmitting sensitive data using encryption algorithms, ____ refers to the input to an encryption algorithm, meaning that the data is in its unprotected, or unencrypted form.

A. rawtext
B. usertext
C. ciphertext
D. plaintext

A

D. plaintext

Explanation:
Plaintext refers to information or data in an unencrypted, or unprotected, form. Ciphertext refers to the output of an encryption algorithm operating on plaintext. Ciphertext is unreadable without knowledge of the algorithm and a secret key.

16
Q

AWS CloudHSM is compatible with which type(s) of encryption keys?

A. Both asymmetric and symmetric encryption keys
B. Neither symmetric nor asymmetric encryption keys
C. Symmetric encryption keys
D. Asymmetric encryption keys

A

A. Both asymmetric and symmetric encryption keys

Explanation:
There are a number of different operations that CloudHSM can help you provide. These include:

The creation, storage and management of cryptographic keys, allowing you to import and export both asymmetric and symmetric keys.

The ability to use cryptographic hash functions to enable you to compute message digests and hash-based message authentication codes, otherwise known as HMACs.

Cryptographic data signing and signature verification.

Using both asymmetric and symmetric encryption algorithms.

And the ability to generate cryptographically secure random data.

17
Q

Key Management Service (KMS) is used to manage encryption keys in your AWS environment. How can you audit the changes made on KMS?

A. KMS provides full audit details as part of KMS console which can be accessed through web interface and APIs.
B. KMS has full audit and compliance integration with CloudTrail; this is where you can audit all changes performed on KMS.
C. KMS will log all changes in a special S3 bucket that is created the first time KMS service is being used.
D. KMS provides history to each key changes; you can track the changes done on each key using key history.

A

B. KMS has full audit and compliance integration with CloudTrail; this is where you can audit all changes performed on KMS.

Explanation:
KMS is fully integrated with CloudTrail which provides audit and compliance features on all actions performed in KMS.

18
Q

As a best practice with CloudHSM, always deploy CloudHSM in a high availability configuration with at least _________ appliances in separate availability zones.

A. three
B. two
C. five
D. four

A
19
Q

When creating a CloudHSM cluster, a physical HSM device cannot actually be placed in a VPC. Which of the following network components is used to represent each HSM device in a cluster?

A. NAT gateway
B. An Elastic IP address (EIP)
C. A NAT instance
D. An Elastic Network Interface (ENI)

A

D. An Elastic Network Interface (ENI)

Explanation:
During the deployment of your HSMs, it’s actually an Elastic Network Interface (ENI) that is placed within the subnet that you select in your VPC. The HSM itself actually resides in a different AWS-owned VPC, and is located in the same AZ that you select during its deployment. So it’s the ENI deployed in your VPC which acts as an interface between your network and the HSM residing in an AWS-owned VPC.

20
Q

A user has enabled server-side encryption with S3 (SSE-S3) for an object. The user downloads the encrypted object from S3. How can the user decrypt it?

A. The user must provide a KMS data key.
B. S3 provides an object key to decrypt the object.
C. S3 manages encryption and decryption automatically
D. The user needs to decrypt the object using their own account credentials.

A

C. S3 manages encryption and decryption automatically

Explanation:
If the user is using the server-side encryption feature, Amazon S3 encrypts the object data before saving it on disks in its data centres and decrypts it when the user downloads the objects. Thus, the user is free from the tasks of managing encryption, encryption keys, and related tools.

21
Q

Which KMS key type can generate, encrypt, and decrypt KMS data encryption keys?

A. Access Keys
B. AWS KMS Key
C. Data Key Pair
D. Data Key

A

B. AWS KMS Key

Explanation:
The AWS KMS Key is the main key type within KMS and can generate, encrypt, and decrypt data encryption keys known as the DEKs, which are used outside of the KMS service by other AWS services to perform encryption against your data.

22
Q

Key rotation is an important concept of key management. How does Key Management Service (KMS) implement key rotation?

A. KMS supports manual Key Rotation only; you can create new keys any time you want and all data will be re-encrypted with the new key.
B. Key rotation is supported through the re-importing of new KMS keys; once you import a new key all data keys will be re-encrypted with the new KMS key.
C. KMS creates new cryptographic material for your KMS keys every rotation period, and uses the new keys for any upcoming encryption; it also maintains old keys to be able to decrypt data encrypted with those keys.
D. Key rotation is the process of synchronizing keys between configured regions; KMS will synchronize key changes in near-real time once keys are changed.

A

C. KMS creates new cryptographic material for your KMS keys every rotation period, and uses the new keys for any upcoming encryption; it also maintains old keys to be able to decrypt data encrypted with those keys.

Explanation:
When you enable automatic key rotation for a customer-managed KMS key, AWS KMS generates new cryptographic material for the KMS key every year. AWS KMS also saves the KMS key’s older cryptographic material so it can be used to decrypt data that it has encrypted.

23
Q

Which of the following is true about AWS KMS keys managed by AWS?

A. You, as an AWS customer, can disable the key when it is no longer required.
B. These keys are used by other AWS services that have the ability to interact with KMS directly to perform encryption against data.
C. You can share AWS-managed keys between accounts.
D. Key policy configuration can be performed by the AWS customer.

A

B. These keys are used by other AWS services that have the ability to interact with KMS directly to perform encryption against data.

Explanation:
KMS keys can be managed either by AWS or by you and me as customers of AWS. KMS keys managed by AWS are used by other AWS services that have the ability to interact with KMS directly to perform encryption against data. An example is Amazon S3, in particular SSE-KMS, which is server-side encryption using the Key Management Service. KMS keys that are created and generated by you and me rather than AWS provide the ability to implement greater flexibility, such as being able to manage the key, including rotation, governing access, and key policy configuration, along with being able to both enable and disable the key when it is no longer required.

24
Q

When an AWS CloudHSM device is initialized, what happens to the existing keys stored on the device?

A. The existing keys are destroyed.
B. The existing keys are backed up to Amazon S3.
C. The existing keys are updated.
D. The existing keys are unchanged.

A
25
Q

What is the difference between default and custom KMS key stores?

A. Default key stores secure KMS keys within an AWS-managed HSM device, while custom key stores secure KMS keys within a CloudHSM device.
B. Default key stores secure KMS keys within an S3 bucket but custom key stores secure KMS keys within a CloudHSM device.
C. Both default and custom key stores secure KMS keys in AWS-managed HSM devices, but a custom key stores allow users to create customer-managed KMS keys.
D. Both default and custom key stores secure KMS keys in AWS-managed HSM devices, but custom key stores allow key material to be stored in CloudHSM devices.

A

D. Both default and custom key stores secure KMS keys in AWS-managed HSM devices, but custom key stores allow key material to be stored in CloudHSM devices.

Explanation:
Customers can create customer-managed KMS keys without using a custom key store.

The custom key store is a resource managed from within KMS but allows you to store your key material within the HSMs of your CloudHSM cluster. This allows you to use the key material located within your HSM cluster to create the KMS keys that KMS uses to implement encryption across different AWS services. KMS keys created from your custom key store are 256-bit, non-exportable AES symmetric keys that never leave the HSM unencrypted. All cryptographic operations made with the KMS key happen within the HSM cluster.

So the main difference between the stores is how keys are created, and where the key material is stored.

26
Q

To manage access to your AWS KMS keys in AWS Key Management Service, you must use a(n) _____.

A. IAM policy
B. key policy
C. data encryption key
D. permission

A

B. key policy

Explanation:
In all cases, to manage access to your KMS keys, you must use a key policy.

27
Q

You typically use KMS keys in AWS KMS to encrypt your ____.

A. data encryption keys
B. S3 buckets
C. passwords
D. personal data

A

A. data encryption keys

Explanation:
The primary resources in AWS KMS are KMS keys. KMS keys are either customer-managed or AWS-managed. You can use either type of KMS key to protect up to 4 kibibytes (KiB) of data directly. Typically, you use KMS keys to protect data encryption keys (or data keys), which are then used to encrypt or decrypt larger amounts of data outside of the service. KMS keys never leave AWS KMS unencrypted, but data keys can. AWS KMS does not store, manage, or track your data keys.

30
Q

Your team has two KMS keys, KMS key1 and KMS key2. The policy for KMS key1 allows access to the AWS account (root user). The policy for KMS key2 allows access to you and your coworker, River. River currently has no IAM policy. Which keys, if any, does River have access to?

A. River has no access to either KMS key.
B. River has access to only KMS key1.
C. River has access to only KMS key2.
D. River has access to both KMS key1 and KMS key2.

A

C. River has access to only KMS key2.

Explanation:
KMS key1’s key policy allows access to the AWS account (root user) and thereby enables IAM policies to allow access to KMS key1. Unfortunately, River cannot access KMS key1 because KMS key1’s key policy does not explicitly allow her access and she has no IAM policy that allows access. She can, however, access KMS key2 because KMS key2’s key policy explicitly allows her access.

31
Q

You are in charge of choosing an encryption option for a set of newly acquired storage objects containing personal data. You have recently noticed a potential access issue with some of the other encryption keys using AWS server-side encryption with managed keys (SSE-S3). Which of the following is the best scenario for choosing an encryption option to prevent key access issues?

A. Choosing server-side encryption with managed keys (SSE-S3) because AWS provides the most secure key management by default.
B. Choosing server-side encryption with managed keys (SSE-S3) because it requires minimal configuration, providing you more time to monitor key access.
C. Choosing server-side encryption with Key Management Service (KMS) because the KMS monitors the encryption and decryption of objects.
D. Choosing server-side encryption with Key Management Service (KMS) because it allows you to define policies that define how keys are used.

A

D. Choosing server-side encryption with Key Management Service (KMS) because it allows you to define policies that define how keys are used.

Explanation:
Using KMS gives you far greater flexibility in how your keys are managed. For example, you are able to disable, rotate, and apply access controls to the KMS key, and audit its usage using AWS CloudTrail. SSE-S3 is a less appropriate option in this case because it manages the keys for you; similarly, using SSE-S3 makes the encryption process invisible to the end user, thus limiting your ability to understand or mitigate the encryption key issue. KMS allows you to monitor encryption and decryption processes in several ways by giving you access to those processes, rather than performing them independently of you.