EBS 2 Flashcards

1
Q

Encryption

How are volumes encrypted?

A

With KMS key (no SSE-S3 equiv.)

2
Q

Encryption

Low-level, what’s the encryption architecture for EBS?

A

Data Encryption Key (DEK) stored on volume. DEK encrypted by KMS.

3
Q

Encryption

What happens when EC2 mounts an encrypted EBS volume?

A

/EC2/ gets KMS key and decrypts the DEK. EC2 low-level does the decryption.

4
Q

Encryption

What data is encrypted / managed by KMS for EBS?

A

ONLY the DEKs. KMS doesn’t do anything with data.

5
Q

Encryption

Why is storing the DEK with the volume secure?

A

Steal a volume: data encrypted by DEK, DEK encrypted by KMS. … good luck :-)

6
Q

Encryption

Are DEKs shared between any volumes?

A

Each volume gets a unique DEK unless it’s a clone from a snapshot since the snapshot contains the original (encrypted) DEK.

7
Q

Encryption

How do you add/remove encryption on an EBS volume?

A

You don’t…period. Mount on EC2, use dd(1) to duplicate onto (un)encrypted volume.

8
Q

Encryption

How is the OS involved with encrypted EBS volumes?

A

Not at all. Encryption is in the EC2 product on droplets, not part of OS or EBS product.

9
Q

Encryption

Encryption strength for EBS?

A

AES-256

10
Q

Encryption

What is the cost for encrypted EBS volumes?

A

zero

11
Q

Encryption

What do you do inside the EC2 OS when you turn on EBS encryption?

A

Nothing: encryption happens outside the guest OS; volume appears unencrypted to OS.

12
Q

Encryption

What should you do if you’re security conscious and launch lots of EC2?

important

A

Set account-wide default to encrypt EBS by default with KMS shared key.
