Encryption & Downtime Flashcards
True or False: For most AWS resources, encryption can only be enabled at the time of creation.
True. If encryption is needed, make sure this is done at creation time.
If you have an existing EFS file system and need to encrypt it, how can this be done?
Create a new encrypted EFS filesystem and migrate your data to it.
If you have an existing RDS database and need to encrypt it, how can this be done?
Create a new encrypted RDS instance and migrate the data.
Can you encrypt an unencrypted EBS volume?
No
Can you unencrypt an encrypted EBS volume?
No
If you need to unencrypt data on an encrypted EBS volume, how can this be done?
You can migrate data between encrypted and unencrypted volumes.
How can you encrypt an existing unencrypted EBS volume?
Create a snapshot, copy the snapshot and apply encryption. Then restore the new encrypted snapshot to a new volume.
How can you encrypt an unencrypted S3 bucket?
At any time. Unlike other AWS services, S3 is more forgiving with encryption.
True or False: It is a good idea to stop your applications when migrating data?
True. This ensures no new data is missed, and does not negatively affect the performance of the application in production.
What, generally, do KMS and CloudHSM do?
Allow you to generate, store and manage cryptographic keys used to protect your data in AWS.
What does an HSM do?
Used to protect the confidentiality of your keys.
What does KMS stand for?
Key managed Service
What does KMS do?
Allows you to generate, store and manage your encryption keys.
Is KMS dedicated or multi-tenant?
Multi-tenant
Is KMS free-tier eligible?
Yes. Go try it out.