Key Management Service (KMS) / Cognito

Question 1

If you need to comply with the FIPS 140-2 Level 3 compliance standard which service would you use?

Answer 1

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.

Question 2

Which compliance standard does KMS adhere to?

FIPS X Level X

Answer 2

FIPS 140-2 Level 2

Question 3

This AWS service makes it easy to create, control, and rotate encryption keys for your AWS data.

Answer 3

KMS - AWS Key Management Service

Question 4

Which CLI command is used to generate a new key in KMS?

Answer 4

aws kms create-key

Question 5

Which CLI command is used to decrypt a ciphertext and then encrypt it again with KMS?

Answer 5

aws kms re-encrypt

Question 6

Which type of Customer Master Key (CMK) uses 2 keys?

Answer 6

Asymmetric

Question 7

Which type of CMK would you use to encrypt an S3 bucket using AES-256?

Answer 7

Symmetric

Question 8

Which of the following would you find in the metadata for a CMK?

A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data.

Answer 8

Key State

Key ID

Creation Date

Question 9

Three things about cognito…

Answer 9

• Provides sign-up/sign-in integration for your app
• Lets users access your app using social media accounts
• Removes need to manage user accounts yourself

Question 10

The 3 components of Cognito

Answer 10

• User Pools
• Identity Pools
• Sync (It uses SNS)

Question 11

Facebook, Google, and Amazon are examples of which Web Federation component?

Answer 11

Identity Providers

Question 12

Examples of common Web Identity Providers for Cognito

Answer 12

Identity Provider (IdP) a trusted provider of your user identity that lets you use authenticate to access other services. Identity Providers could be: Facebook, Amazon, Google, Twitter, Github, LinkedIn

Question 13

Which 3 common application actions can you manage using User Pools?

Answer 13

Sign-up
Sign-in
Account recovery
Account confirmation

Question 14

This Amazon Cognito component acts as a user directory to manage the actions for your app

Answer 14

Cognito User Pools

Question 15

Cognito Identity Pools provide this

Answer 15

Temporary AWS credentials to access services eg, S3, DynamoDB

ˈtɛmpəˌrɛri

Question 16

Cognito Sync uses this AWS service to send out notifications when data in the cloud changes

Answer 16

Simple Notification Service (SNS)

Question 17

What is AWS KMS?

What are its 4 features?

Answer 17

• It’s a service that provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data
• CMK (Customer Master Key)
• FIPS 140-2 level 2 compliant
• Types of keys (Symetric signle key, Asymetric 2 keys)
• CloudTrail to audit keys access

Question 18

What is Cognito?

What are its 2 elements?

Answer 18

• It’s decentralized managed authentication system
• Components (User Pools, Identity Pools, Sync)
• Types of I.Providers (OIDC OpenID Connect, SAML)

Question 19

What are the to types of identity providers in Cognito?

Answer 19

• SAML (SSO)

- OIDC (Outh)

Question 20

Which is a secure way to build an authentication and authorization model for the APIs in API Gateway?

The API calls need to be authenticated based on OpenID identity providers such as Amazon or Facebook

Answer 20

Use Amazon Cognito user pools and a custom authorizer to authenticate and authorize users based on JSON Web Tokens.