Data Protection

Question 1

What is a CMK ?

Answer 1

A CMK is a customer or amazon managed key that is stored in a FIPS 140-2 Hardware Security Module (HSM)

Question 2

Can you interact with the CMK outside of the KMS service ?

Answer 2

No

Question 3

How can you interact with the CMK ?

Answer 3

API, CLI, Console and Code

Question 4

What are the three common properties every CMK has ?

Answer 4

KeyId, Alias and ARN

Question 5

What is the data key ?

Answer 5

This is a key thats derived from the CMK and is responsible for the actual cryptographic operations

Question 6

Can you use the data key outside of KMS ?

Answer 6

Yes - You can call the GenerateDataKey api call, save the data key to a file, base 64 decode it and use it

Question 7

How can you scale KMS ?

Answer 7

Store datakey in memory, use multiple keys

Question 8

What is a CMK grant ?

Answer 8

It as a programatic way of giving a subset of the permissions contained in the key policy to a service or caller.

Question 9

Are CMK grants automatically removed ?

Answer 9

No you must remove them after the operation that required them has finished.

Question 10

Why use CMK grants ?

Answer 10

They are an easy non permanent way of giving access to a keys operations in a least privilege manner.

Question 11

What is the default key policy ?

Answer 11

This is assigned to every key on creation and at its most basic gives the root user of the org kms:* in order to prevent lockout.

Question 12

What is the division of responsibilities in KMS ?

Answer 12

There is a clear division between those that can administer the keys and those that can use them.

Question 13

Can you create a CMK grant for a CMK in a different account ?

Answer 13

Yes

Question 14

Can CMK grants deny permissions ?

Answer 14

No

Question 15

Why use a CMK grant token ?

Answer 15

With CMK grants there is eventual consistency when being deleted, created or used a grant token allows for immediate use and the effect to be immediate.

Question 16

What is the CMK grant limit per key ?

Answer 16

50000

Question 17

Can a CMK grant create a grant ?

Answer 17

Yes via kms:CreateGrant

Question 18

What is the danger of key deletion ?

Answer 18

Deleting a key means that you cannot decrypt information thats been encrypted with that key.

Question 19

What is a safer alternative to key deletion ?

Answer 19

Marking the key as disabled

Question 20

What are the key rotation properties of KMS ?

Answer 20

AWS managed keys are rotated every two years and for customer managed CMKs every one year.

Question 21

What is the kms:CallerAccount condition for ?

Answer 21

Controls which accounts have access to the keys permissions

Question 22

What is the kms:ViaService condition for ?

Answer 22

Controls which services have access to the keys permissions

Question 23

Can you have a dedicated HSM ?

Answer 23

Yes

Question 24

When a key is marked with a status of import what does this mean ?

Answer 24

That it doesnt have any key material

Question 25

What is the advantage of generating your own key material for KMS Keys ?

Answer 25

The ability to prove key material creation from an approved source that meets your randomness requirements
Use key material from your own infrastructure with AWS services
Gain the ability to expire key material or delete it or make it available again
Own the original copy of the key material outside of AWS for additional durability and disaster recovery

Question 26

Can you have a rotation policy of less that a year with a customer CMK ?

Answer 26

Yes by selectively adding and removing the key material.

Question 27

What key options are there for KMS ?

Answer 27

Amazon managed, Customer Managed, Externally created and then imported into KMS

Question 28

Can I modify an AWS managed key ?

Answer 28

No - It is created and managed by amazon you have no control over its naming or tagging or the permissions created

Question 29

Can I delete a key immediately ?

Answer 29

No you can only mark it for deletion between 7 and 30 days

Question 30

Can a key marked for deletion still be used for encryption ?

Answer 30

No

Question 31

What is an encryption context ?

Answer 31

A key value pair or pairs sent in the decryption operation that can be checked before the operation succeeds. It is recommended that this is not secret information because it is stored in clear text in cloudtrail as part of the request.