Domain 6: Security Flashcards
What kind of attack does Encryption in Flight prevent?
Man in the middle (MITM) attack
When does the server decrypt a Client Side encrypted object?
Never
What is the encryption type for S3-SSE?
AES-256
What is the HTTP/S header for S3-SSE?
"x-amz-server-side-encryption": "AES256"
What are the advantages of S3-KMS over S3-SSE?
User control, audit trail, rotation of keys
What is the HTTP/S header for S3-KMS?
"x-amz-server-side-encryption": "aws:kms"
What must be included in the header for an SSE-CS request?
Data Key
When is data encrypted during an SSE-CS request?
On S3, then the Data Key is discarded
What is another term for Encryption in Flight?
SSL / TLS
What are the encryption options in the S3 web UI?
None, S3-SSE, S3-KMS
When can the Customer Master Key be retrieved by the User in KMS?
Never
What is the maximum data size that can be encrypted via KMS per call?
4KB
What should be used if more than 4KB of data needs to be encrypted in a KMS call?
Envelope encryption
What must be done to give someone access to KMS?
Make sure Key Policy allows the user, make sure IAM policy allows API calls
What are the three types of KMS Customer Master Keys?
AWS Managed Default (Free); User Keys in KMS ($1/month); User Imported Keys ($1/month), which must be 256-bit symmetric
How are KMS API calls charged?
3 cents per 10,000 calls
What is the only service in AWS that allows in-place encryption?
S3
Who manages the encryption keys when using an HSM?
Customer
What level of compliance does CloudHSM offer?
FIPS 140-2 Level 3
Is CloudHSM multi-AZ?
Yes