Encryption

Question 1

Encryption in flight (SSL)

Answer 1

Data is encrypted before sending and decrypted after receiving i.e. public/private key encryption, HTTPS

Question 2

Server side encryption at rest

Answer 2

Data is encrypted after being received by the server

Question 3

Client side encryption

Answer 3

Data is encrypted by the client and never decrypted by the server

Question 4

KMS (Key Management Service)

Answer 4

Anytime you hear “encryption” for an AWS service, it’s most likely KMS
• Easy way to control access to your data, AWS manages keys for us
• Fully integrated with IAM for authorisation

Question 5

KMS Key Policies

Answer 5

Control access to KMS keys, “similar” to S3 bucket policies the difference being it controls access to the keys

Question 6

SSM Parameter Store

Answer 6

Secure storage for configuration and secrets (API Keys)

- Allow to assign a TTL to a parameter (expiration date) to force updating or deleting sensitive data such as passwords

Question 7

AWS Secrets Manager

Answer 7

Newer service, meant for storing secrets

• Capability to force rotation of secrets every X days

Question 8

CloudHSM

Answer 8

Provisioned encryption hardware for stricter compliance

Question 9

AWS Shield

Answer 9

Prevents DDOS attacks

Question 10

AWS WAF

Answer 10

Web Application Firewall - Protects your web applications from common web exploits such as SQL injection, cross site scripting XSS

Can be deployed onto Application Load Balancer, API Gateways, CloudFront

Question 11

AWS Firewall Manager

Answer 11

Manage rules for your firewall in all accounts of an AWS Organisation