IAM, STS and Encryption Flashcards

1
Q

We are setting up a Lambda function which needs to communicate with a database by providing a user ID and a password. We need to encrypt these values, so we have set up a CMK in KMS called ‘CipherDbConnectionValues’. In the environment variables section in Lambda we have selected the encryption-in-transit helpers and the ‘CipherDbConnectionValues’ key. It appears that the encrypt side has worked; however, when we call Decrypt in our Lambda code we receive a message in the logs stating:
“An error occurred (AccessDeniedException) when calling the Decrypt operation: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.”
We have checked the region and the key exists. What is wrong?

A

We need to give our Lambda function permission in IAM to call the Decrypt operation on the CipherDbConnectionValues key.

2
Q

I am creating an S3 bucket for the users in my organisation. I want to leverage IAM to do this. When I only had two users this was simple, as I created an IAM policy for each user assigning them R+W permission on a folder in my bucket, i.e. home/scott, home/sam. We are expanding, however, and are likely to have tens to hundreds of staff, and this is going to become unwieldy. How can I use IAM to assign permissions to a user’s folder WITHOUT creating multiple IAM policies?

A

You would use policy variables, specifically the ${aws:username} variable:
"Action":["s3:*"],"Effect":"Allow","Resource":["arn:aws:s3:::the-bucket/home/${aws:username}/*"]

3
Q

When using GetSessionToken with STS to return an MFA token, what FOUR things does the call return?

A

Session Token
Access Key
Secret Access Key
ExpirationDate

4
Q

What is envelope encryption?

A

With envelope encryption, the key used to encrypt the message is itself encrypted with another key. That other key is the customer master key (CMK) managed by AWS KMS.

5
Q

At a high level, what three things are needed to encrypt data?

A
  1. Some data to encrypt
  2. A method to encrypt the data
  3. A crypto algorithm
6
Q

In server side encryption, only the encryption happens on the server. Where does the decryption happen?

A

Also on the server.

7
Q

What is the maximum amount of data that can be encrypted by KMS per call? If I need to encrypt more data than this, what do I need to do?

A

4KB. If we need to encrypt more data than this, we will need to use GenerateDataKey and encrypt the data locally.

8
Q

What does the Encrypt API do with respect to KMS and what is the maximum size of data we can encrypt?

A

The Encrypt API is used to encrypt up to 4KB using a CMK.

9
Q

If I delete my IAM principal, what happens to any inline IAM policies assigned to that principal?

A

The inline policies will be deleted.

10
Q

Assume I have an EBS volume in eu-west-2. This volume is encrypted with KMS Key A. I need to copy this volume to ap-southeast-2. What do I need to do?

A

You can’t use Key A in ap-southeast-2, as keys are region locked. You would need to take a snapshot of the EBS volume using Key A, then copy it to ap-southeast-2 while re-encrypting with a key from ap-southeast-2. You can then restore the snapshot using the ap-southeast-2 key.

11
Q

How many physical users can you have per IAM user?

A

ONE

12
Q

Which encryption type does AWS use for encrypt/decrypt and sign/verify operations?

A

Asymmetric

13
Q

You have been granted access (IAM) to an AWS parameter store and can retrieve an encrypted password. However when you try to decrypt the password, you get an error. Why?

A

IAM will get you access to the store, but you also need IAM permissions to KMS for decryption.

14
Q

Where are AWS SSO user permissions and access managed from?

A

AWS Organisations.

15
Q

What is the maximum size for an IAM policy? What impacts could this have?

A

2KB. This means that if you are using inline policies, you run the risk of exceeding this size.

16
Q

Can policy use be audited?

A

Yes. This allows you to see who has been using the policy and what they have done.

17
Q

We have an IAM policy that allows principal * to stop and terminate EC2 instances. In this policy, there is a statement:
"condition":{"Bool":{"aws:MultiFactorAuthPresent":"true"}}
What does this condition enforce, and what STS call would be used to return this policy?

A

This would be an STS GetSessionToken call, as the MultiFactorAuthPresent condition requires the use of MFA to either stop or terminate an instance.

18
Q

With KMS, do you ever get access to the key unencrypted?

A

No. You never get access to the key unencrypted, and all crypto operations need to be done via the KMS API.

19
Q

In terms of encryption, does SSE-S3 use KMS?

A

No. In SSE-S3, encryption is handled by S3, NOT KMS.

20
Q

Can IAM policies be versioned?

A

Yes

21
Q

How is a policy defined (in terms of language)?

A

JSON

22
Q

If you don’t provide a specific KMS key policy when you create a key, what policy is created by default, which user has access, and what are the implications of this? Can a service such as CloudWatch use the default key?

A

The default key policy is created with access granted to the root user, which means users or roles in the entire AWS account can use the key. A service cannot by default use the default key policy, as only users and roles have access.

23
Q

Can you access the unencrypted private key used for asymmetric encryption within AWS?

A

No.

24
Q

Where are Custom Key Stores stored in AWS (hint: not S3 or EBS; think outside the box)? Is this single or multi-tenanted?

A

Single-tenant CloudHSM.

25
Q

What is a managed policy?

A

A predefined IAM policy created by Amazon.

26
Q

What are the 3 IAM components?

A

Users, Groups, Roles

27
Q

In terms of identity federation, what five sources can we federate with?

A
  • Custom built IdP
  • Cross Account Access
  • SAML
  • OIDC
  • MSAD
28
Q

I am attempting to encrypt a log group in CloudWatch using a customer-created CMK. When I run the command to associate the CMK with the group, I get the following:
An error occurred (AccessDeniedException) when calling the AssociateKmsKey operation: The specified KMS key does not exist or is not allowed to be used with LogGroup
I haven’t had any trouble with users or roles accessing the KMS key, so why can’t this key be used with the log group, and what do I need to do to fix it?

A

We need to update our KEY POLICY to allow the CloudWatch SERVICE to access the key. By default, the key policy will allow any users or roles to access the key, but not services.

29
Q

For an RDS database, can we encrypt the underlying FILE SYSTEM at either the block or the file level? If I wanted to ensure an extra level of encryption over and above RDS KMS, how would I go about this?

A

You can’t encrypt the underlying file system of an RDS database, as that file system is never exposed to us. For extra security you would need to encrypt the key fields in the database via your application.

30
Q

There are two ways to test a policy; one of these is the policy simulator. What is the other?

A

You can use the --dry-run flag in the AWS CLI, for those APIs that support it (such as the EC2 API), to test whether a command executed under that policy would succeed. The dry-run flag will not execute the actual command, but will test it against the policy to see if it would have succeeded.

31
Q

Can you version control and roll back a customer managed IAM policy? Can I determine who has used a customer managed policy and for what?

A

Yes. Customer managed policies are versioned, have central change management, and can be rolled back. Policy use can be audited.

32
Q

There are three options available when it comes to controlling access keys within the AWS key management infrastructure. Each has a different set of responsibilities for us as the user and for AWS as the service. What are they?

A
  1. You control everything including the encryption method and the KMI
  2. You control the encryption method, AWS controls the storage of the keys, and you supply the key management
  3. AWS does everything.
33
Q

What is the role of LocalCryptoMaterialsCache, and which encryption scheme uses it? What is the trade-off?

A

The LocalCryptoMaterialsCache is an in-memory data store which caches DEKs. Using it allows you to reduce the number of calls to KMS when using envelope encryption by caching the DEK. The trade-off is that you are using the same DEK for multiple operations, so there may be a security impact.

34
Q

Do changes to an IAM policy occur instantly?

A

No, policies may take time to replicate.

35
Q

Are KMS keys region based, i.e. can you use a key created in one region in another region?

A

Keys are region based, and cannot be used across regions.

36
Q

How many IAM Roles should you have per application?

A

ONE

37
Q

Outside of KMS, can an EBS non-root volume be encrypted?

A

Yes, either at the block or the file system level via third-party tools.

38
Q

Which of the following are asymmetric and symmetric encryption types?
AES-256
RSA
ECC KeyPairs

A

AES-256 is symmetric; the others are asymmetric.

39
Q

What are the 3 types of customer master keys?

A

AWS Managed Key (default)
User Created Keys in KMS
User imported keys

40
Q

I have a requirement to allow authentication for AWS EC2 instances running Linux against my on-premise AD. Which AD connector type would I use for this?

A

AWS Simple AD will allow basic AD functions, including auth against Linux EC2 instances.

41
Q

For cross-account access in IAM, what two policies does the role in the TARGET account consist of, and what do these specify? What needs to be set up in the SOURCE account in terms of IAM?

A

The TARGET account role consists of a PERMISSIONS policy to control access to AWS services and resources, and a TRUST policy specifying who can assume the role and their external ID.
The SOURCE account is given an IAM role which has a permissions policy allowing you to assume the TARGET role. The target issues short-term credentials to allow access to the specified resources.

42
Q

Can you use third-party tools to encrypt an instance’s ROOT volume via block-level or file-system-level encryption?

A

No.

43
Q

Where would you use identity federation?

A

Typically, if you are a large organisation with a number of users in a system such as AD, and you need to integrate this with AWS.

44
Q

If I create my own CMK, how often will this be rotated?

A

Every 12 months.

45
Q

What is the output format of this command, and can I run decrypt directly on it?
aws kms encrypt --key-id alias/TutorialKey --plaintext fileb://ExampleSecretFile.txt --output text --query CiphertextBlob --region ap-southeast-2 > ExampleSecretFileEncrypted.base64

A

The output is a Base64 representation of the encrypted data. You cannot run decrypt on this until you do a Base64 decode to convert it to the binary blob.

46
Q

What is the difference between:
GenerateDataKey
GenerateDataKeyWithoutPlaintext

and why would you use each? Are they symmetric or asymmetric keys?

A

GenerateDataKey is used for encrypting a file immediately. GenerateDataKeyWithoutPlaintext is used when you want to encrypt a file at some later stage, and does not generate a plaintext DEK.

They are symmetric keys.

47
Q

What does the Security Token Service (STS) allow for, and over what time period?

A

STS allows the granting of limited temporary access to an AWS resource for a period of 15 minutes to 1 hour.

48
Q

If we receive a ThrottlingException for KMS, what 3 things can we do? (One is obvious, the other 2 not so much.)

A
  1. Use exponential backoff (obvious)
  2. Request a limit increase
  3. Use envelope encryption and DEK caching.
49
Q

I have two AWS accounts, production and development. The production account stores application logs in an S3 bucket, and has an associated role called ReadOnlyLogAccess for troubleshooting, which is used by my DevOpsSupportGroup user group. Recently there have been some production issues, and some performance testers need access to the production logs. The testers are in a group called PerformanceTestLimitedAccess in the development account. What would the admins in each account need to do, and what would the flow be, to grant access to the S3 bucket WITHOUT adding the testers to the DevOps group? Assume we need one-off access for a limited time.

A
  1. The admin in prod creates a role for the testers granting read only access to the bucket
  2. The admin in the dev account grants members of the performance tester group permission to assume the role created by the prod admin.
  3. Performance test user requests access to the role
  4. STS returns role credentials
  5. User accesses the bucket.
50
Q

If KMS operations use symmetric keys, then what is the use case for asymmetric keys with respect to AWS?

A

The use case for asymmetric encryption is encryption outside of AWS by users who CANNOT CALL the KMS API.

51
Q

Why would you use AssumeRole vs AssumeRoleWithSAML when providing temporary credentials?

A

You would use AssumeRole to provide temporary credentials for existing IAM users. You would use AssumeRoleWithSAML to provide credentials for a SAML-based IdP and users external to IAM.

52
Q

What is the principle of least privilege?

A

Giving the user the MINIMUM permissions needed to do their job.

53
Q

If you don’t specify a key policy for a KMS key, can it be accessed?

A

No. A key policy is required to access a KMS key.

54
Q

What standard does Identity Federation use?

A

SAML

55
Q

In client-side encryption, must the server know our encryption scheme to accept the data? Yes or no?

A

No. The data is encrypted client-side, so the server doesn’t need to know.

56
Q

What AWS service do the AssumeRole, DecodeAuthorizationMessage, GetSessionToken and GetCallerIdentity calls interact with? What do these calls do?

A

Security Token Service (STS).

AssumeRole: Allows a role to be assumed by a user so they can interact with an AWS resource.

DecodeAuthorizationMessage: Used to decode an error message returned from an API call.

GetSessionToken: Retrieves an MFA token.

GetCallerIdentity: Returns details about the IAM user or role used in the API call.

57
Q

What encryption technique requires the use of the GenerateDataKey API? What does this API return (2 things)?

A

Envelope encryption uses GenerateDataKey, which returns:
1. A Data Encryption Key (DEK) in plain text.
2. A copy of the DEK encrypted with the CMK.

58
Q

There are 2 policies that need to be enacted to give a user access to KMS. One is an IAM policy allowing API calls to KMS. What is the other?

A

A Key policy allowing the user access to the key.

59
Q

With envelope encryption, what is the role of KMS when encrypting an object over 4KB in size?

A

In this case, the role of KMS is to encrypt your Data Encryption Key.

60
Q

Does KMS use symmetric or asymmetric encryption? What’s the difference?

A

Symmetric. Symmetric encryption requires a single key that needs to be shared among the people who need to receive the message, while asymmetric encryption uses a public/private key pair to encrypt and decrypt messages when communicating.

61
Q

Can I have more than one inline IAM policy per principal?

A

No. There is a strict 1:1 relationship between principal and inline policy.

62
Q

By default, does an IAM user have access to Billing and Cost Management? If I needed to give a user access to cost management, what would I need to do?

A

By default, IAM users do not have access to the AWS Billing and Cost Management console. You or your account administrator must grant users access. You can do this by activating IAM user access to the Billing and Cost Management console and attaching an IAM policy to your users.

63
Q

When using STS, are the temporary credentials that are generated stored with you?

A

No. Temporary credentials are generated dynamically and provided on request.

64
Q

Do we need to create User Keys in KMS before using the encryption features for EBS, S3, etc?

A

No. We can use the default managed keys from AWS.

65
Q

Can an ACL grant permissions to users in your account?

A

No. ACLs can only grant cross-account permissions.