Infrastructure Security Flashcards
Can KMS keys be in several regions?
Yes, KMS keys can now be multi-Region.
What happens if a key administrator deletes the KMS key?
All data encrypted under it becomes useless. The ability to delete the key can be disabled.
What resource-based access control mechanisms does KMS support?
Key policies and grants
How long does it take to delete KMS keys?
KMS-generated keys cannot be deleted immediately; KMS enforces a minimum 7-day waiting period so you can rethink/undo. However, imported keys can be deleted immediately, so be careful!
What KMS keys can you delete immediately?
Imported keys
How do you allow other AWS accounts to use your KMS key?
By granting them access using their ARN when creating the key.
What is the difference between an S3 object encrypted with S3-KMS and made public, and one encrypted with S3-SSE/AES-256?
- S3-KMS: you CANNOT access it directly from the URL without the key
- S3-SSE/AES-256: you CAN access it from the URL since the encryption is transparent
What’s the difference between an IAM user with the Admin policy and one with the SystemAdmin policy?
An IAM user with the Admin policy can give/revoke themselves key access, but one with the SystemAdmin policy cannot.
What happens if a KMS key is deleted or scheduled for deletion?
Nobody, including the root user, can access objects encrypted with it.
What does an InvalidKeyId error when using a KMS key usually mean?
The KMS key is disabled.
How do you import your own key into KMS?
1) Download the wrapping key and import token from the KMS console
2) Download OpenSSL and use the commands from the docs to generate the key with the wrapping key
3) Upload the key material and import token back into the KMS console
How many keys can each import token create in KMS?
Each import token can create only ONE custom key in KMS. Neither the token nor the wrapping key can be reused.
For what keys can you not enable automatic key rotation?
You CANNOT enable automatic key rotation for a CMK with imported key material. It can be rotated manually by creating a new imported key and using an alias to refer to the new key.
What separate permissions do KMS keys have?
KMS keys have separate “administrative permissions” (create/delete) and “usage permissions” (use the key).
How often are AWS managed keys rotated?
AWS managed keys are rotated every 1 year (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys); you cannot rotate or delete them yourself. Previously it was every 3 years; the rotation interval for AWS managed keys changed in May 2022.
How often can customer-managed customer master keys be rotated?
AWS-generated customer-managed CMKs can rotate automatically every 1 year (disabled by default; you must enable it). Rotated keys and past keys are all stored in KMS for decryption. They can also be rotated manually as often as you want by pointing aliases to a new KMS key. You have to manage your applications yourself so they handle the new key.
What keys are manual rotation only?
A CMK with custom imported material is manual rotation only.
How do you export keys from KMS to other services?
You cannot export any keys from KMS to other services (like the EC2 example above) because you don't get the KMS public key. However, you can create keys in CloudHSM and use those with EC2 etc.
What do KMS grants allow?
KMS grants allow use of a CMK by other users in the same or a different account, with granular permissions (decrypt only, etc.).
What can a KMS grant only do?
A grant can only give ALLOW access, not DENY. Use key policies for static policies or for an explicit deny.
What does the KMS ViaService condition do?
The KMS ViaService condition allows/denies access to a CMK based on the specific service calling it (e.g. only EC2 can call the CMK).
How can a KMS CMK be given cross-account access?
By doing BOTH of these steps: change the key policy in the KMS account AND add an IAM policy for the user/role in the external account with “Resource: <ARN>”.