Key Management Service (KMS) / Cognito Flashcards

1
Q

If you need to comply with the FIPS 140-2 Level 3 compliance standard, which service would you use?

A

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.

2
Q

Which compliance standard does KMS adhere to?

FIPS X Level X

A

FIPS 140-2 Level 2

3
Q

This AWS service makes it easy to create, control, and rotate encryption keys for your AWS data.

A

KMS - AWS Key Management Service

4
Q

Which CLI command is used to generate a new key in KMS?

A

aws kms create-key

5
Q

Which CLI command is used to decrypt a ciphertext and then encrypt it again with KMS?

A

aws kms re-encrypt

6
Q

Which type of Customer Master Key (CMK) uses 2 keys?

A

Asymmetric

7
Q

Which type of CMK would you use to encrypt an S3 bucket using AES-256?

A

Symmetric

8
Q

Which of the following would you find in the metadata for a CMK?

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data.

A

Key State

Key ID

Creation Date

9
Q

Three things about Cognito…

A
  • Provides sign-up/sign-in integration for your app
  • Lets users access your app using social media accounts
  • Removes need to manage user accounts yourself
10
Q

The 3 components of Cognito

A
  • User Pools
  • Identity Pools
  • Sync (It uses SNS)
11
Q

Facebook, Google, and Amazon are examples of which Web Federation component?

A

Identity Providers

12
Q

Examples of common Web Identity Providers for Cognito

A

An Identity Provider (IdP) is a trusted provider of your user identity that lets you authenticate in order to access other services. Identity Providers could be: Facebook, Amazon, Google, Twitter, GitHub, LinkedIn

13
Q

Which 3 common application actions can you manage using User Pools?

A

Sign-up
Sign-in
Account recovery
Account confirmation

14
Q

This Amazon Cognito component acts as a user directory to manage the actions for your app

A

Cognito User Pools

15
Q

Cognito Identity Pools provide this

A

Temporary AWS credentials to access services, e.g. S3, DynamoDB

16
Q

Cognito Sync uses this AWS service to send out notifications when data in the cloud changes

A

Simple Notification Service (SNS)

17
Q

What is AWS KMS?

What are its 4 features?

A
  • It’s a service that provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data
  • CMK (Customer Master Key)
  • FIPS 140-2 Level 2 compliant
  • Types of keys (Symmetric: single key; Asymmetric: 2 keys)
  • CloudTrail to audit key access
18
Q

What is Cognito?

What are its 2 elements?

A
  • It’s a decentralized managed authentication system
  • Components (User Pools, Identity Pools, Sync)
  • Types of Identity Providers (OIDC: OpenID Connect, SAML)
19
Q

What are the two types of identity providers in Cognito?

A
  • SAML (SSO)
  • OIDC (OAuth)
20
Q

Which is a secure way to build an authentication and authorization model for the APIs in API Gateway?

The API calls need to be authenticated based on OpenID identity providers such as Amazon or Facebook

A

Use Amazon Cognito user pools and a custom authorizer to authenticate and authorize users based on JSON Web Tokens.