Infrastructure Security

Question 1

Can KMS be in several regions?

Answer 1

Yes can be multi region now

Question 2

What happens if key administrator deletes the KMS key?

Answer 2

all encrypted data is useless. Option can be disabled

Question 3

What resource-based access control mechanisms does KMS support?

Answer 3

Key policies and grants

Question 4

How long it takes to delete KMS keys?

Answer 4

Cannot delete KMS generated keys immediately. Gives minimum 7 day cooling period to rethink/undo. However, imported keys can be immediately deleted, be careful!

Question 5

What KMS keys can you delete immediately?

Answer 5

Imported keys

Question 6

How to allow other aws accounts to use your KMS key?

Answer 6

if you allow them access using ARN when creating key

Question 7

What is difference between:
If an S3 object is encrypted with S3-KMS and made public
If you encrypt using S3-SSE/AES-256

Answer 7

1. you CANNOT access it direct from URL without key
2. you CAN access it from URL since its transparent

Question 8

What’s difference between IAM user with admin policy and SystemAdmin policy?

Answer 8

IAM user with Admin policy can give/revoke themselves key access, but SystemAdmin policy cannot.

Question 9

What happens if KMS key is deleted/scheduled deletion

Answer 9

nobody including root user can access encrypted objects.

Question 10

What does InvalidKeyId error when using KMS key usually means

Answer 10

the KMS key is disabled

Question 11

How To import your own key into KMS?

Answer 11

1) download wrapping key and import token from KMS console 2) download OpenSSL and use commands from docs to generate key with wrapping key 3) upload key material and import token back into KMS console

Question 12

How many keys can each import token create in KMS?

Answer 12

Each import token can create only ONE custom key in KMS. Cannot reuse it, nor the wrapping key

Question 13

For what keys can you not enable automatic key rotation?

Answer 13

CANNOT enable automatic key rotation for CMK with imported key material. Can rotate manually by creating a new imported key and using alias to refer to new key

Question 14

What seperate permissions do KMS keys have?

Answer 14

KMS keys have separate “administrative permission” (create/delete) and “usage permissions” (use it)

Question 15

How often are AWS managed keys rotated?

Answer 15

AWS managed keys are rotated every 1 year (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys), cannot rotate yourself, cannot delete yourself. Previously it was every 3 years. The rotation interval for AWS managed keys changed in May 2022.

Question 16

How often can customer-managed customer master keys be rotated?

Answer 16

AWS generated customer-managed CMKs can rotate automatically every 1 year (disabled by default, enable it). Rotated keys and past keys are all are stored in KMS for decryption. They can also be rotated manually as often as want through pointing aliases to new KMS key. Have to self-manage applications to handle new key.

Question 17

What keys are manual rotation only?

Answer 17

CMK with custom imported material is manual rotation only.

Question 18

How to export any keys from KMS to other services?

Answer 18

Cannot export any keys from KMS to other services (like EC2 example above) because you dont get KMS public key. However, can create keys in CloudHSM and use those with EC2 etc

Question 19

What do KMS Grants allow?

Answer 19

KMS Grants allow use of CMK to other users in same/different account, have granular permissions (decrypt only etc)

Question 20

What can KMS grant only do?

Answer 20

Grant can only give ALLOW access, not DENY. Use key policies for static policies or for explicit deny.

Question 21

What does KMS ViaService condition do?

Answer 21

KMS ViaService condition allows/denies access to CMK to specific service calling it (eg: only EC2 can call CMK)

Question 22

How can KMS CMK be given cross account access?

Answer 22

by doing BOTH these steps: change key policy in KMS account AND add IAM policy for user/role in external account with “Resource: <ARN>”</ARN>

Question 23

What is encryption context?

Answer 23

“Encryption context” is a key value pair you can submit while encrypting data using KMS, and need to provide it again in addition to the decrypt permissions to decrypt that data. Additional layer of security. Encryption context is not obscure hidden data and is visible in CloudTrail. Other AWS services using KMS use this eg: EBS uses volumeID as encryption context so that only it can decrypt that volume when needed. S3 has different encryption context if using a bucket key and when using KMS key directly with S3 object.

Question 24

How can you have notifications for KMS?

Answer 24

KMS emits CloudWatch Events when CMK is rotated, deleted, or imported key material in CMK expires. Use it for notification

Question 25

How much data can CMK encrypt?

Answer 25

CMK can encrypt up-to 4kb, to encrypt data more than 4kb- use the datakey.

Question 26

How do datakey work?

Answer 26

When you create a datakey from CMK, it creates 2 sets of datakeys. 1. Plaintext datakey and 2. Encrypted datakey. You use the plaintext datakey to encrypt your data, then delete the plaintext data key. Store the encrypted data and encrypted data key together. CMK is used to encrypt data key and data key (plaintext data key) is used to encrypt actual data.

Question 27

What does key alias allows you to do?

Answer 27

A “key alias” allows applications to use a specific CMK independent of the Region or rotation schedule. It’s like CNAME that can be pointed to different targets

Question 28

How are Lambda environment variables be encrypted?

Answer 28

Lambda environment variables are encrypted using KMS can use your own CMK

Question 29

Is it possible to block upload of unencrypted objects to S3 by adding “s3:x-amz-server-side-encryption”:”aws:kms” condition in bucket policy

Answer 29

Yes

Question 30

How can IAM policy restrict creation of unencrypted EBS volumes

Answer 30

by checking for encryption flag yes on CreateVolume operation

Question 31

What should you Consider when a violation is detected?

Answer 31

Consider disabling CMK when a violation is detected instead of deleting it so that it can be re enabled and all existing encrypted data does not become inaccessible

Question 32

What does automatic rotation NOT work for?

Answer 32

• Asymmetric CMK
  
  • CMK in Custom Key Store
  • CMK that have imported key materials.

Question 33

What is AES256 used for in header x-amz-server-side-encryption?

Answer 33

used to specify SSE-S3 encryption

Question 34

What is aws:kms used for in header x-amz-server-side-encryption?

Answer 34

To specify KMS encryption

Question 35

Is automatic rotation supported for a CMK with imported key material?

Answer 35

NO. You cannot import different key material into a CMK, create a new key instead for different key material. Deleting a key must be very carefully thought out. Data can’t be decrypted if the corresponding CMK has been deleted

Question 36

What does creating and managing your own CMK gives you?

Answer 36

more flexibility, including the ability to create, rotate, disable, and define access controls, and to audit the encryption keys used to protect your data. You should be very careful about deleting a CMK and only do it if you no longer need to access any files that it was used to encrypt.

Question 37

What is benefits of using a customer managed key over AWS managed key?

Answer 37

key policy, monitoring, cross-account access

Question 38

What are options for protecting data at rest in S3?

Answer 38

Server-Side Encryption
Client-Side Encryption

Question 39

What is SSE in S3?

Answer 39

• You request Amazon S3 to encrypt your object before saving it on disks in its data centers and decrypt it when you download the objects.
  
  • 1. Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
  • 2. Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). It also provide audit trail like when CMK was used and by whom
  • 3. Use Server-Side Encryption with Customer-Provided Keys (SSE-C)

Question 40

What is SSE-S3?

Answer 40

Server-Side Encryption with Amazon S3-Managed Keys

Question 41

What is SSE-KMS?

Answer 41

Server-Side Encryption with AWS KMS-Managed Keys. Also provides audit trail

Question 42

What is SSE-C?

Answer 42

Server-side Encryption with Customer-Provided Keys

Question 43

What is CLient-Side Encryption?

Answer 43

You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

Question 44

What does kms:ViaService condition do?

Answer 44

The kms:ViaService condition key limits use of an AWS KMS customer master key (CMK) to requests from specified AWS services. You can specify one or more services in each kms:ViaService condition key.

Question 45

How to import keys into EC2?

Answer 45

Creat private key, use it to create public key and import into EC2 instead of “create/choose a key” option

Question 46

What does each EBS volume encrypted have?

Answer 46

a unique encrypted Data Key generated by KMS and stored with it. if KMS key is same, the Data Key never changes and is also used for the snapshots created from the volume.

Question 47

How to Unencrypted root volumes can be encrypted?

Answer 47

1) taking snapshot of existing unencrypted volume 2) copy snapshot and encrypting the copied snapshot 3) create a volume from encrypted snapshot 4) stop exisiting unencrypted instance and detach volume 5) attach new encrypted volume and start instance

Question 48

Who can change encryption keys on EBS volumes?

Answer 48

Root users can change encryption keys on EBS volume to another key in same region

Question 49

How can AMIs copied to another region be encrypted?

Answer 49

AMIs copied to another region can be encrypted with keys in destination region, not existing keys on it

Question 50

What does deleting key pair from console NOT do?

Answer 50

Deleting a key pair from console DOES NOT delete it from instances using it, can still login using your private key

Question 51

What to do if you lose your key pair for an EC2 instance?

Answer 51

1) create a new key pair 2) stop original instance 3) launch temporary instance 4) detach the root volume from original instance and attach it to the temporary instance 5) add the new public key to authorized_keys on the original volume mounted to the temporary instance 6) unmount and detach the original volume from the temporary instance, and reattach it to the original instance 8) connect to the original instance using the new key pair →

Question 52

What do WAF rules match on?

Answer 52

IP, country, values in headers, regex strings, length of request, SQL injection and XSS (cross site scripting)

Question 53

What is Systems Manager Session Manager

Answer 53

Browser-based secure remote login to EC2 using Powershell or Bash ← SSM is AWS recommended approach

Question 54

What does SSM not need?

Answer 54

SSH keys or bastion host. Unless you use a VPC endpoint (recommended) SSM Session Manager requires outbound 443 access, but will not require opening any inbound ports in SGs.

Question 55

How to access SSM?

Answer 55

Need to give EC2 instance IAM role to access SSM. SSM allows IAM controls to limit users to specific instances

Question 56

Where is command history stored and where is connection history stored?

Answer 56

Command History: Cloudwatch
Connection History: Cloudtrail