Key Management Service (KMS) / Cognito Flashcards
If you need to comply with the FIPS 140-2 Level 3 compliance standard which service would you use?
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.
Which compliance standard does KMS adhere to?
FIPS X Level X
FIPS 140-2 Level 2
This AWS service makes it easy to create, control, and rotate encryption keys for your AWS data.
KMS - AWS Key Management Service
Which CLI command is used to generate a new key in KMS?
aws kms create-key
Which CLI command is used to decrypt a ciphertext and then encrypt it again with KMS?
aws kms re-encrypt
Which type of Customer Master Key (CMK) uses 2 keys?
Asymmetric
Which type of CMK would you use to encrypt an S3 bucket using AES-256?
Symmetric
Which of the following would you find in the metadata for a CMK?
A customer master key (CMK) is a logical representation of a master key. The CMK includes metadata, such as the key ID, creation date, description, and key state. The CMK also contains the key material used to encrypt and decrypt data.
Key State
Key ID
Creation Date
Three things about Cognito…
- Provides sign-up/sign-in integration for your app
- Lets users access your app using social media accounts
- Removes need to manage user accounts yourself
The 3 components of Cognito
- User Pools
- Identity Pools
- Sync (It uses SNS)
Facebook, Google, and Amazon are examples of which Web Federation component?
Identity Providers
Examples of common Web Identity Providers for Cognito
Identity Provider (IdP): a trusted provider of your user identity that lets you authenticate in order to access other services. Identity Providers could be: Facebook, Amazon, Google, Twitter, GitHub, LinkedIn
Which 3 common application actions can you manage using User Pools?
Sign-up
Sign-in
Account recovery
Account confirmation
This Amazon Cognito component acts as a user directory to manage the actions for your app
Cognito User Pools
Cognito Identity Pools provide this
Temporary AWS credentials to access services, e.g., S3, DynamoDB
Cognito Sync uses this AWS service to send out notifications when data in the cloud changes
Simple Notification Service (SNS)
What is AWS KMS?
What are its 4 features?
- It’s a service that provides a highly available key generation, storage, management, and auditing solution for you to encrypt or digitally sign data
- CMK (Customer Master Key)
- FIPS 140-2 level 2 compliant
- Types of keys (Symmetric: single key, Asymmetric: 2 keys)
- CloudTrail to audit key access
What is Cognito?
What are its 2 elements?
- It’s a decentralized managed authentication system
- Components (User Pools, Identity Pools, Sync)
- Types of Identity Providers (OIDC OpenID Connect, SAML)
What are the two types of identity providers in Cognito?
- SAML (SSO)
- OIDC (OAuth)
Which is a secure way to build an authentication and authorization model for the APIs in API Gateway?
The API calls need to be authenticated based on OpenID identity providers such as Amazon or Facebook
Use Amazon Cognito user pools and a custom authorizer to authenticate and authorize users based on JSON Web Tokens.