Encryption & Downtime

Question 1

True or False: For most AWS resources, encryption can only be enabled at the time of creation

Answer 1

True. If encryption is needed, make sure this is done at creation time.

Question 2

If you have an existing EFS file system and need to encrypt it, how can this be done?

Answer 2

Create a new encrypted EFS filesystem and migrate your data to it.

Question 3

If you have an existing RDS database and need to encrypt it, how can this be done?

Answer 3

Create a new encrypted RDS instance and migrate the data.

Question 4

Can you encrypt an unencrypted EBS volume?

Answer 4

No

Question 5

Can you unencrypt an encrypted EBS volume?

Answer 5

No

Question 6

If you need to unencrypt data on an encrypted EBS volume, how can this be done?

Answer 6

You can migrate data between encrypted and unencrypted volumes.

Question 7

How can you encrypt an existing unencrypted EBS volume?

Answer 7

Create a snapshot, copy the snapshot and apply encryption. Then restore the new encrypted snapshot to a new volume.

Question 8

How can you encrypt an unencrypted S3 bucket?

Answer 8

At any time. Unlike other AWS services, S3 is more forgiving with encryption.

Question 9

True or False: It is a good idea to stop your applications when migrating data?

Answer 9

True. This ensures no new data is missed, and does not negatively affect the performance of the application in production.

Question 10

What, generally, do KMS and CoudHSM do?

Answer 10

Allow you to generate, store and manage cryptographic keys used to protect your data in AWS

Question 11

What does an HSM do?

Answer 11

Used to protect the confidentiality of your keys.

Question 12

What does KMS stand for?

Answer 12

Key managed Service

Question 13

What does KMS do?

Answer 13

Allows you to generate, store and manage your encryption keys.

Question 14

Is KMS dedicated or multi-tenant?

Answer 14

multi-tenant

Question 15

Is KMS free-tier eligible?

Answer 15

Yes. Go try it out.

Question 16

What is the use case for KMS?

Answer 16

For encryption needs where multi-tenancy is permitted.

Question 17

KMS uses Symmetric key cryptography. What is this?

Answer 17

Symmetric key cryptography uses the same algorithm and key to both encrypt and decrypt digital data.

Question 18

What kind of cryptography does AWS KMS use?

Answer 18

Symmetric key cryptography

Question 19

What is CloudHSM?

Answer 19

Hardware Security Module instance. Dedicated, and not shared with other tenants.

Question 20

True or False: CloudHSM is a shared, multi-tentant service?

Answer 20

False. It is dedicated.

Question 21

Is CloudHSM free-tier eligible?

Answer 21

No.

Question 22

What is the use case for CloudHSM?

Answer 22

For compliance that restricts the use of multi-tenant key management services.

Question 23

What compliance does CloudHSM meet?

Answer 23

FIPS 140-2 Level 3 compliance

Question 24

What is FIPS 140-2

Answer 24

US Government standard for HSMs which include tamper-evident physical security mechanisms

Question 25

What kind of cryptography does CloudHSM use?

Answer 25

Symmetric or asymmetric cryptography

Question 26

What is asymmetric cryptography?

Answer 26

a different algorythm and key for encryption and decryption operations.