KMS

Question 1

What is AWS Key Management Service?

Answer 1

AWS KMS is a managed service that makes it easy for you to create and control the customer master keys (CMKs)

Question 2

What are CMKs?

Answer 2

Customer Master Keys are encryption keys that are used to encrypt your data

Question 3

AWS CMKs are protected by ________

Answer 3

Hardware security modules (HSMs)

Question 4

How to track the use of CMKs for auditing, regulatory and compliance needs?

Answer 4

KMS is integrated with CloudTrail to log the use of CMKs.

Question 5

CloudTrail delivers the log files to ________

Answer 5

Amazon S3

Question 6

What is Symmetric CMK?

Answer 6

Symmetric CMK represents single 256 bit secret encryption key that never leaves KMS unencrypted. To use symmetric CMK you must call AWS KMS

Question 7

What is Asymmetric CMK?

Answer 7

Asymmetric CMK represents mathematically related public key and private key pair, where the private key never leaves AWS KMS unencrypted.

Question 8

Where can Asymmetric CMKs be used?

Answer 8

Asymmetric CMKs can be used for encryption/decryption or signing/verification but not for both.

Question 9

How is the asymmetric key used?

Answer 9

You can use public key within AWS KMS by calling AWS KMS API operations or download public key and use it outside of AWS KMS.

Question 10

What is Symmetric Data key?

Answer 10

Symmetric data key is a symmetric encryption key that is used to encrypt data outside of KMS. The Symmetric data key is protected by Symmetric CMK in AWS KMS

Question 11

What is Asymmetric Data key?

Answer 11

An asymmetric data key is an RSA or elliptic curve (ecc) key pair that consists of public key and private key where the private key is protected by symmetric CMK in AWS KMS.

Question 12

What is AWS recommendation for using RSA and Elliptical Curve key usages?

Answer 12

AWS KMS recommends to use Elliptical Curve (ECC) keys for signing and use RSA keys for encryption and decryption, but not both. However AWS KMS cannot enforce restrictions on the use of data key pairs outside of AWS KMS.

Question 13

When you create a Customer Master Key in KMS, by default you get a _________

Answer 13

Symmetric CMK

Question 14

Symmetric keys are used in _________ encryption

Answer 14

Symmetric, which means the same key is used for encryption and decryption.

Question 15

___________ keys are good choice? (Symm/Asymm)

Answer 15

Symmetric

Question 16

AWS Services that are integrated with KMS use ________ CMKs and does not support encryption with _________ CMKs

Answer 16

Symmetric; Asymmetric

Question 17

If your case requires encryption outside of AWS, by users that cannot access KMS, ___________ keys are good choice.

Answer 17

Asymmetric CMKs

Question 18

If you are creating a CMK to encrypt the data stored and managed in AWS, use ______________ key.

Answer 18

Symmetric CMKs

Question 19

What are the Asymmetric keys that KMS support?

Answer 19

1. RSA CMKs

2. Elliptic Curve (ECC) CMKs

Question 20

What are RSA CMKs

Answer 20

A CMK with RSA is used for for encryption and decryption or signing and verification (but not both). AWS KMS supports several key lengths for different security requirements.

Question 21

What is Elliptic Curve (ECC) CMK?

Answer 21

A CMK with an elliptic curve key pair for signing and verification. AWS KMS supports several commonly-used curves.

Question 22

The type of CMK that you create depends largely on ____________

Answer 22

how you plan to use the CMK, your security requirements, and your authorization requirements.

Question 23

Use a ___________ for most use cases that require encrypting and decrypting data.

Answer 23

symmetric CMK

Question 24

The symmetric encryption algorithm that AWS KMS uses is __________

Answer 24

fast, efficient, and assures the confidentiality and authenticity of data.

Question 25

Symmetric Key supports authenticated encryption with ______________

Answer 25

additional authenticated data (AAD)

Question 26

If your use case requires encryption outside of AWS by users who cannot call AWS KMS, __________ are a good choice.

Answer 26

asymmetric CMKs

Question 27

To sign messages and verify signatures, you must use an_________

Answer 27

asymmetric CMK.

Question 28

To perform public key encryption, you must use ___________;
__________key specs cannot be used for public key encryption.

Answer 28

asymmetric CMK with an RSA key spec; Elliptic curve (ECC)

Question 29

The Decrypt operation fails if the data was encrypted under a public key from a CMK with a key usage of ________

Answer 29

SIGN_VERIFY.

Question 30

_______ CMKs only support encryption and decryption.

Answer 30

Symmetric

Question 31

AWS KMS does not store, manage, or track your _____ keys.

Answer 31

data

Question 32

By default, ______ creates the key material for a CMK

Answer 32

AWS KMS

Question 33

How to extract, export, view, or manage/delete the key material that is generated by AWS KMS

Answer 33

You cannot

Question 34

You can create the key material for a CMK in the ________ associated with an ________

Answer 34

AWS CloudHSM cluster; AWS KMS custom key store.

Question 35

_______ let you encrypt data in one AWS Region and decrypt it in a different AWS Region.

Answer 35

multi-Region CMKs,

Question 36

the CMK includes metadata, such as its _________

Answer 36

key ID, creation date, description, and key state.

Question 37

AWS KMS supports three types of CMKs:

Answer 37

1. Customer Managed CMKs
2. AWS Managed CMKs
3. AWS Owned CMKs

Question 38

What are Customer managed CMKs

Answer 38

Customer managed CMKs are CMKs in your AWS account that you create, own, and manage. You have full control over these CMKs,

Question 39

What are AWS managed CMKs

Answer 39

AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS

Question 40

What are AWS owned CMK

Answer 40

AWS owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned CMKs are not in your AWS account, an AWS service can use its AWS owned CMKs to protect the resources in your account.

Question 41

You can use_________ to generate, encrypt, and decrypt data keys.

Answer 41

symmetric customer master keys (CMKs)

Question 42

You must use and manage ______ keys outside of AWS KMS.

Answer 42

data

Question 43

AWS KMS cannot use a ________ key to encrypt data

Answer 43

data

Question 44

_______ are asymmetric data keys that consist of a mathematically-related public key and private key.

Answer 44

Data key pairs

Question 45

_________ are designed to be used for client-side encryption and decryption, or signing and verification outside of AWS KMS.

Answer 45

Data Key Pairs

Question 46

To generate a cryptographic signature for a message, use the ______ key in the data key pair. Anyone with the _____ key can use it to verify that the message was signed with your private key and that it has not changed since it was signed.

Answer 46

private; public

Question 47

What is a custom key store?

Answer 47

A custom key store is an AWS KMS resource that is associated with hardware security modules (HSMs) in a AWS CloudHSM cluster that you own and manage.

Question 48

How do you create and manage CMKs in HSMs

Answer 48

When you create an AWS KMS customer master key (CMK) in your custom key store, AWS KMS generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key in the associated AWS CloudHSM cluster. This key material never leaves your HSMs unencrypted. When you use a CMK in a custom key store, the cryptographic operations are performed in the HSMs in the cluster.

Question 49

___________ act as names for your AWS KMS customer master keys (CMKs).

Answer 49

Key identifiers

Question 50

What are the types of Key identifiers?

Answer 50

1. Key ARN
2. Key ID
3. Alias ARN
4. Alias Name

Question 51

What is Key Material?

Answer 51

Key material is the secret string of bits used in a cryptographic algorithm.

Question 52

If you use AWS KMS key material, you can enable _________ of your key material.

Answer 52

automatic rotation

Question 53

y default, each CMK has _________ key material.However, you can create a set of _________with the same key material.

Answer 53

unique ; multi-Region keys

Question 54

When you create a CMK with an ______ key material origin, the CMK has no key material. Later, you can import key material into the CMK.

Answer 54

External

Question 55

When you use imported key material, you need to ____________

Answer 55

secure and manage that key material outside of AWS KMS, including replacing the key material if it expires.

Question 56

The _______ determines whether the CMK is symmetric or asymmetric, the type of key material in the CMK, and the encryption algorithms or signing algorithms you can use with the CMK.

Answer 56

key spec

Question 57

_________ is a CMK property that determines whether a CMK is used for encryption and decryption -or- signing and verification. You cannot choose both.

Answer 57

Key usage

Question 58

Using a CMK for more than one type of operations makes the product of both operations _________

Answer 58

more vulnerable to attack.

Question 59

What is Envelope encryption?

Answer 59

When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.

Question 60

The top-level plaintext key encryption key is known as the ___________

Answer 60

master key.

Question 61

Master keys stored in AWS KMS, _____________

Answer 61

Customer master keys (CMKs)

Question 62

How to encrypt the same data under multiple master keys

Answer 62

Envelope Encryption

Question 63

How to combine the strengths of multiple algorithms?

Answer 63

Envelope Encryption

Question 64

All AWS KMS cryptographic operations with symmetric CMKs accept an ___________

Answer 64

encryption context

Question 65

What is Encryption Context?

Answer 65

An optional set of key–value pairs that can contain additional contextual information about the data.

Question 66

WS KMS uses the encryption context as ____________ to support authenticated encryption.

Answer 66

additional authenticated data (AAD)

Question 67

You cannot specify an encryption context in a cryptographic operation with an ________ CMK.

Answer 67

asymmetric

Question 68

When you create a CMK, you determine who can use and manage that CMK. These permissions are contained in a document called the _______

Answer 68

Key Policy

Question 69

You cannot edit the key policy for an ___________

Answer 69

AWS managed CMK.

Question 70

What is a grant?

Answer 70

A grant is a policy instrument that allows AWS principals to use AWS KMS customer master keys (CMKs) in cryptographic operations.

Question 71

hen authorizing access to a CMK, grants are considered along with __________

Answer 71

key policies and IAM policies.

Question 72

Grants are often used for _______ permissions

Answer 72

temporary; because you can create one, use its permissions, and delete it without changing your key policies or IAM policies.

Question 73

The primary way to manage access to your AWS KMS CMKs is with __________

Answer 73

policies

Question 74

In AWS KMS, you must attach _________ to your customer master keys (CMKs). These are called __________

Answer 74

resource-based policies ; key policies.

Question 75

You can control access to your CMKs in these ways:

Answer 75

1. Use the key policy
2. Use IAM policies in combination with the key policy
3. Use grants in combination with the key policy

Question 76

A policy is a document that describes a set of permissions. The following are the basic elements of a policy.

Answer 76

1. Resource
2. Action
3. Effect
4. Principal

Question 77

In a key policy, you use _________, which effectively means “this CMK.”

Answer 77

“*” for the resource

Question 78

A key policy applies _____________

Answer 78

only to the CMK it is attached to.

Question 79

What is Condition Key

Answer 79

Another policy element called a condition key to specify the circumstances in which a policy takes effect.

Question 80

To support attribute-based access control (ABAC), AWS KMS provides______ that control access to a customer master key (CMK) based on its ________

Answer 80

condition keys; tags and aliases

Question 81

The default key policy (SDK, API, CLI) has one policy statement that gives the _________ full access to the CMK and ________ in the account to allow access to the CMK.

Answer 81

AWS account (root user) that owns the CMK; enables IAM policies

Question 82

You can use IAM policies, along with _______________, to control access to your customer master keys (CMKs) in AWS KMS.

Answer 82

key policies, grants, and VPC endpoint policies

Question 83

To use an IAM policy to control access to a CMK,_______ must give the account permission to use IAM policies

Answer 83

the key policy for the CMK

Question 84

All CMKs must have a ___ policy. ____ policies are optional.

Answer 84

key ; IAM

Question 85

How to control access to multiple CMKs and provide permissions for the operations of several related AWS services.

Answer 85

IAM policies

Question 86

_______ can create CMKs, use and manage the CMKs they create, and view all CMKs and IAM identities.

Answer 86

Power users

Question 87

You can use an _________ to give IAM principals in your account the permissions of a power user.

Answer 87

AWS managed policy

Question 88

Key administrators who don’t have permission to change key policies or create grants can control access to CMKs if they have permission to __________

Answer 88

manage tags or aliases.

Question 89

What are global keys?

Answer 89

AWS defines global condition keys, a set of policy conditions keys for all AWS services that use IAM for access control.

Question 90

. You can use global condition keys in AWS KMS _________

Answer 90

key policies and IAM policies.

Question 91

Grants are commonly used by AWS services that integrate with AWS KMS to __________

Answer 91

encrypt your data at rest.

Question 92

How is a grant created and deleted?

Answer 92

The service creates a grant on behalf of a user in the account, uses its permissions, and retires the grant as soon as its task is complete.

Question 93

Each grant controls access to _______. The CMK_____________account.

Answer 93

just one CMK; can be in the same or a different AWS

Question 94

Number of grants on each CMK

Answer 94

50000

Question 95

You can use a grant to ____access and not ______

Answer 95

allow; deny

Question 96

To bypass eventual consistency and use the grant immediately, use ________. It is not used after it is consistent

Answer 96

Grant token

Question 97

You can use ______ to allow principals in a different AWS account to use a CMK.

Answer 97

grants

Question 98

Grants for symmetric CMKs cannot allow ___________

Answer 98

the Sign, Verify, or GetPublicKey operations

Question 99

Grants for asymmetric CMKs cannot allow _________

Answer 99

1. operations that generate data keys or data key pairs
2. operations related to automatic key rotation,
3. operations related to imported key material
4. operations related to CMKs in custom key stores.

Question 100

What is a Grant constraint?

Answer 100

A condition that limits the permissions in the grant. Currently, AWS KMS supports grant constraints based on the encryption context in the request for a cryptographic operation.

Question 101

What is Grant ID?

Answer 101

The unique identifier of a grant for a CMK.

Question 102

What is grant token

Answer 102

A grant token is unique, non-secret, variable-length, base64-encoded string that represents a grant.

Question 103

What is Grantee principal?

Answer 103

The identity that gets the permissions specified in the grant.

Question 104

A grant must have _____ principal/s

Answer 104

atleast one

Question 105

Grantee principal can be

Answer 105

User (including federated) or role

Question 106

What does retire a grant mean?

Answer 106

It mean to terminate a grant.

Question 107

What is a retiree principal?

Answer 107

Principal who can retire a grant.

Question 108

What is revoke a grant

Answer 108

‘Key Administrator’ terminating a grant.

Question 109

Each set of related multi-Region keys has the same ____________, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.

Answer 109

key material and key ID

Question 110

You must manage each multi-Region key _________, including creating aliases and tags, setting their key policies and grants, and enabling and disabling them selectively. (independently/Dependently)

Answer 110

independently

Question 111

Multi-Region keys are ______(global/not global)

Answer 111

not global

Question 112

You ______ convert an existing single-Region key to a multi-Region key (can/cannot )

Answer 112

cannot

Question 113

When you replicate, AWS KMS creates a ________ in the specified Region with the _____________

Answer 113

replica key ; same key ID and other shared properties as the primary key.

Question 114

Related multi-region key ARNs (Amazon Resource Names) differ only in the __________

Answer 114

Region field

Question 115

Additional considerations for multi-Region keys include

Answer 115

1. Synchronizing shared properties
2. Changing the primary key
3. Deleting multi-Region keys

Question 116

For multi-region keys, You can enable and disable automatic key rotation only on a __________

Answer 116

primary key.

Question 117

You ______ a replica key even if its primary key and all related replica keys are disabled.(can use/ cannot use)

Answer 117

can use

Question 118

The following are the shared properties of multi-Region keys.

Answer 118

1. Key ID
2, Key Material
3. Key Origin
4. Key Spec
5. Key Usage
6. Automatic Key rotation

Question 119

Because it is destructive and potentially dangerous to delete a CMK, AWS KMS requires you to set a waiting period of _______. The default waiting period is _______

Answer 119

7 – 30 days; 30 days.

Question 120

Also, you cannot enable ______ for a CMK with imported key material. However, you can ________ a CMK with imported key material.

Answer 120

automatic key rotation ; manually rotate

Question 121

AWS KMS supports custom key stores backed by __________

Answer 121

AWS CloudHSM clusters.

Question 122

When you create an AWS KMS customer master key (CMK) in a custom key store, _______ generates and stores _______ key material for the CMK in__________ that you own and manage.

Answer 122

AWS KMS; non-extractable; an AWS CloudHSM cluster

Question 123

When you use a CMK in a custom key store, the cryptographic operations are performed in the_________

Answer 123

HSMs in the cluster.

Question 124

You might consider creating a custom key store if your organization has any of the following requirements:

Answer 124

1. Key material cannot be stored in a shared environment.
2. Key material must be subject to a secondary, independent audit path.
3. The HSMs that generate and store key material must be certified at FIPS 140-2 Level 3.

Question 125

When you create customer master keys (CMKs) in an AWS KMS custom key store, you view and manage the CMKs in _________

Answer 125

AWS KMS and AWS CloudHSM

Question 126

You can create ________ CMKs with key material generated by AWS KMS in your custom key store. (asymmetric /symmetric )

Answer 126

symmetric

Question 127

While the custom key store is disconnected, ______ cannot access it, and users cannot use the CMKs in the custom key store for cryptographic operations.

Answer 127

AWS KMS

Question 128

AWS KMS does not support the following AWS KMS features in custom key stores.

Answer 128

1. Asymmetric keys
2. Asymmetric Data keys pairs
3. Imported key material in CMKs
4. Automatic Key rotation
5. Multi-region keys

Question 129

A _______ is a secure location for storing cryptographic keys.

Answer 129

key store

Question 130

The default key store in ________

Answer 130

AWS KMS

Question 131

When you create an AWS KMS CMK in your custom key store, AWS KMS generates a ________key in the associated AWS CloudHSM cluster. T

Answer 131

256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric

Question 132

Every AWS KMS custom key store is associated with _________

Answer 132

one AWS CloudHSM cluster.

Question 133

Each AWS CloudHSM cluster can be associated with ___________ custom key store/s

Answer 133

only one custom key store.

Question 134

The HSM cluster must be initialized and active, and it must be in the same AWS account and Region as the __________

Answer 134

AWS KMS custom key store.

Question 135

To create CMKs in the custom key store, its associated cluster it must contain at least _____ HSMs. All other operations require ____ HSMs.

Answer 135

two active; only one

Question 136

You specify the cluster when you create the custom key store, and you ________ change it. (can/cannot). However, you can substitute any cluster that shares a
____________ with the original cluster.

Answer 136

cannot; backup history