Infrastructure Security Flashcards

1
Q

Can KMS be in several regions?

A

Yes, KMS keys can be multi-Region now.

2
Q

What happens if a key administrator deletes the KMS key?

A

All data encrypted under it becomes useless. This option can be disabled.

3
Q

What resource-based access control mechanisms does KMS support?

A

Key policies and grants

4
Q

How long does it take to delete KMS keys?

A

KMS-generated keys cannot be deleted immediately; there is a minimum 7-day waiting period to rethink or undo. However, imported keys can be deleted immediately, so be careful!

5
Q

What KMS keys can you delete immediately?

A

Imported keys

6
Q

How do you allow other AWS accounts to use your KMS key?

A

By allowing them access by ARN when creating the key.

7
Q

What is the difference between:
  1. an S3 object encrypted with S3-KMS and made public
  2. an S3 object encrypted using S3-SSE/AES-256

A

  1. You CANNOT access it directly from the URL without the key.
  2. You CAN access it from the URL, since the encryption is transparent.

8
Q

What is the difference between an IAM user with the Admin policy and one with the SystemAdmin policy?

A

An IAM user with the Admin policy can give/revoke themselves key access, but one with the SystemAdmin policy cannot.

9
Q

What happens if a KMS key is deleted or scheduled for deletion?

A

Nobody, including the root user, can access the encrypted objects.

10
Q

What does an InvalidKeyId error when using a KMS key usually mean?

A

The KMS key is disabled.

11
Q

How do you import your own key into KMS?

A

1) Download the wrapping key and import token from the KMS console. 2) Download OpenSSL and use the commands from the docs to generate the key using the wrapping key. 3) Upload the key material and import token back into the KMS console.

12
Q

How many keys can each import token create in KMS?

A

Each import token can create only ONE custom key in KMS. It cannot be reused, nor can the wrapping key.

13
Q

For what keys can you not enable automatic key rotation?

A

You CANNOT enable automatic key rotation for a CMK with imported key material. It can be rotated manually by creating a new imported key and using an alias to refer to the new key.

14
Q

What separate permissions do KMS keys have?

A

KMS keys have separate “administrative permissions” (create/delete) and “usage permissions” (use the key).

15
Q

How often are AWS managed keys rotated?

A

AWS managed keys are rotated every 1 year (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-aws-managed-keys); you cannot rotate them yourself and cannot delete them yourself. Previously it was every 3 years. The rotation interval for AWS managed keys changed in May 2022.

16
Q

How often can customer-managed customer master keys be rotated?

A

AWS-generated customer-managed CMKs can rotate automatically every 1 year (disabled by default; enable it). Rotated keys and past keys are all stored in KMS for decryption. They can also be rotated manually as often as you want by pointing aliases to a new KMS key. You have to manage your applications yourself so they handle the new key.

17
Q

What keys are manual rotation only?

A

A CMK with custom imported material is manual rotation only.

18
Q

How do you export keys from KMS to other services?

A

You cannot export any keys from KMS to other services (like the EC2 example above) because you do not get the KMS public key. However, you can create keys in CloudHSM and use those with EC2 etc.

19
Q

What do KMS Grants allow?

A

KMS grants allow the use of a CMK by other users in the same or a different account, and have granular permissions (decrypt only, etc.).

20
Q

What can a KMS grant only do?

A

A grant can only give ALLOW access, not DENY. Use key policies for static policies or for explicit deny.

21
Q

What does the KMS ViaService condition do?

A

The KMS ViaService condition allows/denies access to a CMK for a specific service calling it (e.g. only EC2 can call the CMK).

22
Q

How can a KMS CMK be given cross-account access?

A

By doing BOTH of these steps: change the key policy in the KMS account AND add an IAM policy for the user/role in the external account with “Resource: <ARN>”.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is encryption context?

A

“Encryption context” is a key-value pair you can submit while encrypting data using KMS; you need to provide it again, in addition to the decrypt permissions, to decrypt that data. It is an additional layer of security. Encryption context is not obscure hidden data and is visible in CloudTrail. Other AWS services using KMS use this, e.g. EBS uses the volume ID as encryption context so that only it can decrypt that volume when needed. S3 has a different encryption context when using a bucket key than when using a KMS key directly with an S3 object.

24
Q

How can you have notifications for KMS?

A

KMS emits CloudWatch Events when a CMK is rotated or deleted, or when imported key material in a CMK expires. Use these for notification.

25
Q

How much data can a CMK encrypt?

A

A CMK can encrypt up to 4 KB; to encrypt more than 4 KB of data, use a data key.

26
Q

How do data keys work?

A

When you create a data key from a CMK, it returns two forms of the data key: 1. a plaintext data key and 2. an encrypted data key. You use the plaintext data key to encrypt your data, then delete the plaintext data key. Store the encrypted data and the encrypted data key together. The CMK is used to encrypt the data key, and the data key (the plaintext data key) is used to encrypt the actual data.

27
Q

What does a key alias allow you to do?

A

A “key alias” allows applications to use a specific CMK independent of the Region or rotation schedule. It is like a CNAME that can be pointed to different targets.

28
Q

How are Lambda environment variables encrypted?

A

Lambda environment variables are encrypted using KMS; you can use your own CMK.

29
Q

Is it possible to block the upload of unencrypted objects to S3 by adding an "s3:x-amz-server-side-encryption": "aws:kms" condition in the bucket policy?

A

Yes

30
Q

How can an IAM policy restrict the creation of unencrypted EBS volumes?

A

By checking that the encryption flag is set to yes on the CreateVolume operation.

31
Q

What should you consider when a violation is detected?

A

Consider disabling the CMK when a violation is detected instead of deleting it, so that it can be re-enabled and all existing encrypted data does not become inaccessible.

32
Q

What does automatic rotation NOT work for?

A
  • Asymmetric CMKs
  • CMKs in a custom key store
  • CMKs that have imported key material

33
Q

What is AES256 used for in the header x-amz-server-side-encryption?

A

Used to specify SSE-S3 encryption.

34
Q

What is aws:kms used for in the header x-amz-server-side-encryption?

A

To specify KMS encryption.

35
Q

Is automatic rotation supported for a CMK with imported key material?

A

NO. You cannot import different key material into a CMK; create a new key instead for different key material. Deleting a key must be very carefully thought out. Data cannot be decrypted if the corresponding CMK has been deleted.

36
Q

What does creating and managing your own CMK give you?

A

More flexibility, including the ability to create, rotate, disable, and define access controls for the encryption keys used to protect your data, and to audit them. You should be very careful about deleting a CMK and only do it if you no longer need to access any files that it was used to encrypt.

37
Q

What are the benefits of using a customer managed key over an AWS managed key?

A

Key policy, monitoring, cross-account access.

38
Q

What are options for protecting data at rest in S3?

A

Server-Side Encryption
Client-Side Encryption

39
Q

What is SSE in S3?

A
  • You request Amazon S3 to encrypt your object before saving it on disks in its data centers and to decrypt it when you download the object.
      1. Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
      2. Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS). It also provides an audit trail, e.g. when the CMK was used and by whom
      3. Use Server-Side Encryption with Customer-Provided Keys (SSE-C)

40
Q

What is SSE-S3?

A

Server-Side Encryption with Amazon S3-Managed Keys

41
Q

What is SSE-KMS?

A

Server-Side Encryption with AWS KMS-Managed Keys. Also provides an audit trail.

42
Q

What is SSE-C?

A

Server-side Encryption with Customer-Provided Keys

43
Q

What is Client-Side Encryption?

A

You can encrypt data client-side and upload the encrypted data to Amazon S3. In this case, you manage the encryption process, the encryption keys, and related tools.

44
Q

What does kms:ViaService condition do?

A

The kms:ViaService condition key limits use of an AWS KMS customer master key (CMK) to requests from specified AWS services. You can specify one or more services in each kms:ViaService condition key.

45
Q

How do you import keys into EC2?

A

Create a private key, use it to create a public key, and import that into EC2 instead of using the “create/choose a key” option.

46
Q

What does each encrypted EBS volume have?

A

A unique encrypted data key generated by KMS and stored with it. If the KMS key is the same, the data key never changes and is also used for the snapshots created from the volume.

47
Q

How can unencrypted root volumes be encrypted?

A

1) Take a snapshot of the existing unencrypted volume 2) copy the snapshot, encrypting the copied snapshot 3) create a volume from the encrypted snapshot 4) stop the existing unencrypted instance and detach the volume 5) attach the new encrypted volume and start the instance

48
Q

Who can change encryption keys on EBS volumes?

A

Root users can change the encryption key on an EBS volume to another key in the same region.

49
Q

How can AMIs copied to another region be encrypted?

A

AMIs copied to another region can be encrypted with keys in the destination region, not with the existing keys on the AMI.

50
Q

What does deleting a key pair from the console NOT do?

A

Deleting a key pair from the console DOES NOT delete it from instances using it; you can still log in using your private key.

51
Q

What to do if you lose your key pair for an EC2 instance?

A

1) Create a new key pair 2) stop the original instance 3) launch a temporary instance 4) detach the root volume from the original instance and attach it to the temporary instance 5) add the new public key to authorized_keys on the original volume mounted on the temporary instance 6) unmount and detach the original volume from the temporary instance, and reattach it to the original instance 8) connect to the original instance using the new key pair

52
Q

What do WAF rules match on?

A

IP, country, values in headers, regex strings, length of request, SQL injection and XSS (cross-site scripting).

53
Q

What is Systems Manager Session Manager?

A

Browser-based secure remote login to EC2 using PowerShell or Bash. SSM is the AWS-recommended approach.

54
Q

What does SSM not need?

A

SSH keys or a bastion host. Unless you use a VPC endpoint (recommended), SSM Session Manager requires outbound 443 access, but it does not require opening any inbound ports in security groups.

55
Q

How do you access SSM?

A

You need to give the EC2 instance an IAM role to access SSM. SSM allows IAM controls to limit users to specific instances.

56
Q

Where is command history stored and where is connection history stored?

A

Command history: CloudWatch
Connection history: CloudTrail