KMS Flashcards
What is AWS Key Management Service?
AWS KMS is a managed service that makes it easy for you to create and control the customer master keys (CMKs)
What are CMKs?
Customer Master Keys are encryption keys that are used to encrypt your data
AWS CMKs are protected by ________
Hardware security modules (HSMs)
How to track the use of CMKs for auditing, regulatory and compliance needs?
KMS is integrated with CloudTrail to log the use of CMKs.
CloudTrail delivers the log files to ________
Amazon S3
What is Symmetric CMK?
Symmetric CMK represents single 256 bit secret encryption key that never leaves KMS unencrypted. To use symmetric CMK you must call AWS KMS
What is Asymmetric CMK?
Asymmetric CMK represents mathematically related public key and private key pair, where the private key never leaves AWS KMS unencrypted.
Where can Asymmetric CMKs be used?
Asymmetric CMKs can be used for encryption/decryption or signing/verification but not for both.
How is the asymmetric key used?
You can use public key within AWS KMS by calling AWS KMS API operations or download public key and use it outside of AWS KMS.
What is Symmetric Data key?
Symmetric data key is a symmetric encryption key that is used to encrypt data outside of KMS. The Symmetric data key is protected by Symmetric CMK in AWS KMS
What is Asymmetric Data key?
An asymmetric data key is an RSA or elliptic curve (ecc) key pair that consists of public key and private key where the private key is protected by symmetric CMK in AWS KMS.
What is AWS recommendation for using RSA and Elliptical Curve key usages?
AWS KMS recommends to use Elliptical Curve (ECC) keys for signing and use RSA keys for encryption and decryption, but not both. However AWS KMS cannot enforce restrictions on the use of data key pairs outside of AWS KMS.
When you create a Customer Master Key in KMS, by default you get a _________
Symmetric CMK
Symmetric keys are used in _________ encryption
Symmetric, which means the same key is used for encryption and decryption.
___________ keys are good choice? (Symm/Asymm)
Symmetric
AWS Services that are integrated with KMS use ________ CMKs and does not support encryption with _________ CMKs
Symmetric; Asymmetric
If your case requires encryption outside of AWS, by users that cannot access KMS, ___________ keys are good choice.
Asymmetric CMKs
If you are creating a CMK to encrypt the data stored and managed in AWS, use ______________ key.
Symmetric CMKs
What are the Asymmetric keys that KMS support?
- RSA CMKs
2. Elliptic Curve (ECC) CMKs
What are RSA CMKs
A CMK with RSA is used for for encryption and decryption or signing and verification (but not both). AWS KMS supports several key lengths for different security requirements.
What is Elliptic Curve (ECC) CMK?
A CMK with an elliptic curve key pair for signing and verification. AWS KMS supports several commonly-used curves.
The type of CMK that you create depends largely on ____________
how you plan to use the CMK, your security requirements, and your authorization requirements.
Use a ___________ for most use cases that require encrypting and decrypting data.
symmetric CMK
The symmetric encryption algorithm that AWS KMS uses is __________
fast, efficient, and assures the confidentiality and authenticity of data.
Symmetric Key supports authenticated encryption with ______________
additional authenticated data (AAD)
If your use case requires encryption outside of AWS by users who cannot call AWS KMS, __________ are a good choice.
asymmetric CMKs
To sign messages and verify signatures, you must use an_________
asymmetric CMK.
To perform public key encryption, you must use ___________;
__________key specs cannot be used for public key encryption.
asymmetric CMK with an RSA key spec; Elliptic curve (ECC)
The Decrypt operation fails if the data was encrypted under a public key from a CMK with a key usage of ________
SIGN_VERIFY.
_______ CMKs only support encryption and decryption.
Symmetric
AWS KMS does not store, manage, or track your _____ keys.
data
By default, ______ creates the key material for a CMK
AWS KMS
How to extract, export, view, or manage/delete the key material that is generated by AWS KMS
You cannot
You can create the key material for a CMK in the ________ associated with an ________
AWS CloudHSM cluster; AWS KMS custom key store.
_______ let you encrypt data in one AWS Region and decrypt it in a different AWS Region.
multi-Region CMKs,
the CMK includes metadata, such as its _________
key ID, creation date, description, and key state.
AWS KMS supports three types of CMKs:
- Customer Managed CMKs
- AWS Managed CMKs
- AWS Owned CMKs
What are Customer managed CMKs
Customer managed CMKs are CMKs in your AWS account that you create, own, and manage. You have full control over these CMKs,
What are AWS managed CMKs
AWS managed CMKs are CMKs in your account that are created, managed, and used on your behalf by an AWS service that is integrated with AWS KMS
What are AWS owned CMK
AWS owned CMKs are a collection of CMKs that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned CMKs are not in your AWS account, an AWS service can use its AWS owned CMKs to protect the resources in your account.
You can use_________ to generate, encrypt, and decrypt data keys.
symmetric customer master keys (CMKs)
You must use and manage ______ keys outside of AWS KMS.
data
AWS KMS cannot use a ________ key to encrypt data
data
_______ are asymmetric data keys that consist of a mathematically-related public key and private key.
Data key pairs
_________ are designed to be used for client-side encryption and decryption, or signing and verification outside of AWS KMS.
Data Key Pairs
To generate a cryptographic signature for a message, use the ______ key in the data key pair. Anyone with the _____ key can use it to verify that the message was signed with your private key and that it has not changed since it was signed.
private; public
What is a custom key store?
A custom key store is an AWS KMS resource that is associated with hardware security modules (HSMs) in a AWS CloudHSM cluster that you own and manage.
How do you create and manage CMKs in HSMs
When you create an AWS KMS customer master key (CMK) in your custom key store, AWS KMS generates a 256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric key in the associated AWS CloudHSM cluster. This key material never leaves your HSMs unencrypted. When you use a CMK in a custom key store, the cryptographic operations are performed in the HSMs in the cluster.
___________ act as names for your AWS KMS customer master keys (CMKs).
Key identifiers
What are the types of Key identifiers?
- Key ARN
- Key ID
- Alias ARN
- Alias Name
What is Key Material?
Key material is the secret string of bits used in a cryptographic algorithm.
If you use AWS KMS key material, you can enable _________ of your key material.
automatic rotation
y default, each CMK has _________ key material.However, you can create a set of _________with the same key material.
unique ; multi-Region keys
When you create a CMK with an ______ key material origin, the CMK has no key material. Later, you can import key material into the CMK.
External
When you use imported key material, you need to ____________
secure and manage that key material outside of AWS KMS, including replacing the key material if it expires.
The _______ determines whether the CMK is symmetric or asymmetric, the type of key material in the CMK, and the encryption algorithms or signing algorithms you can use with the CMK.
key spec
_________ is a CMK property that determines whether a CMK is used for encryption and decryption -or- signing and verification. You cannot choose both.
Key usage
Using a CMK for more than one type of operations makes the product of both operations _________
more vulnerable to attack.
What is Envelope encryption?
When you encrypt your data, your data is protected, but you have to protect your encryption key. One strategy is to encrypt it. Envelope encryption is the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key.
The top-level plaintext key encryption key is known as the ___________
master key.
Master keys stored in AWS KMS, _____________
Customer master keys (CMKs)
How to encrypt the same data under multiple master keys
Envelope Encryption
How to combine the strengths of multiple algorithms?
Envelope Encryption
All AWS KMS cryptographic operations with symmetric CMKs accept an ___________
encryption context
What is Encryption Context?
An optional set of key–value pairs that can contain additional contextual information about the data.
WS KMS uses the encryption context as ____________ to support authenticated encryption.
additional authenticated data (AAD)
You cannot specify an encryption context in a cryptographic operation with an ________ CMK.
asymmetric
When you create a CMK, you determine who can use and manage that CMK. These permissions are contained in a document called the _______
Key Policy
You cannot edit the key policy for an ___________
AWS managed CMK.
What is a grant?
A grant is a policy instrument that allows AWS principals to use AWS KMS customer master keys (CMKs) in cryptographic operations.
hen authorizing access to a CMK, grants are considered along with __________
key policies and IAM policies.
Grants are often used for _______ permissions
temporary; because you can create one, use its permissions, and delete it without changing your key policies or IAM policies.
The primary way to manage access to your AWS KMS CMKs is with __________
policies
In AWS KMS, you must attach _________ to your customer master keys (CMKs). These are called __________
resource-based policies ; key policies.
You can control access to your CMKs in these ways:
- Use the key policy
- Use IAM policies in combination with the key policy
- Use grants in combination with the key policy
A policy is a document that describes a set of permissions. The following are the basic elements of a policy.
- Resource
- Action
- Effect
- Principal
In a key policy, you use _________, which effectively means “this CMK.”
“*” for the resource
A key policy applies _____________
only to the CMK it is attached to.
What is Condition Key
Another policy element called a condition key to specify the circumstances in which a policy takes effect.
To support attribute-based access control (ABAC), AWS KMS provides______ that control access to a customer master key (CMK) based on its ________
condition keys; tags and aliases
The default key policy (SDK, API, CLI) has one policy statement that gives the _________ full access to the CMK and ________ in the account to allow access to the CMK.
AWS account (root user) that owns the CMK; enables IAM policies
You can use IAM policies, along with _______________, to control access to your customer master keys (CMKs) in AWS KMS.
key policies, grants, and VPC endpoint policies
To use an IAM policy to control access to a CMK,_______ must give the account permission to use IAM policies
the key policy for the CMK
All CMKs must have a ___ policy. ____ policies are optional.
key ; IAM
How to control access to multiple CMKs and provide permissions for the operations of several related AWS services.
IAM policies
_______ can create CMKs, use and manage the CMKs they create, and view all CMKs and IAM identities.
Power users
You can use an _________ to give IAM principals in your account the permissions of a power user.
AWS managed policy
Key administrators who don’t have permission to change key policies or create grants can control access to CMKs if they have permission to __________
manage tags or aliases.
What are global keys?
AWS defines global condition keys, a set of policy conditions keys for all AWS services that use IAM for access control.
. You can use global condition keys in AWS KMS _________
key policies and IAM policies.
Grants are commonly used by AWS services that integrate with AWS KMS to __________
encrypt your data at rest.
How is a grant created and deleted?
The service creates a grant on behalf of a user in the account, uses its permissions, and retires the grant as soon as its task is complete.
Each grant controls access to _______. The CMK_____________account.
just one CMK; can be in the same or a different AWS
Number of grants on each CMK
50000
You can use a grant to ____access and not ______
allow; deny
To bypass eventual consistency and use the grant immediately, use ________. It is not used after it is consistent
Grant token
You can use ______ to allow principals in a different AWS account to use a CMK.
grants
Grants for symmetric CMKs cannot allow ___________
the Sign, Verify, or GetPublicKey operations
Grants for asymmetric CMKs cannot allow _________
- operations that generate data keys or data key pairs
- operations related to automatic key rotation,
- operations related to imported key material
- operations related to CMKs in custom key stores.
What is a Grant constraint?
A condition that limits the permissions in the grant. Currently, AWS KMS supports grant constraints based on the encryption context in the request for a cryptographic operation.
What is Grant ID?
The unique identifier of a grant for a CMK.
What is grant token
A grant token is unique, non-secret, variable-length, base64-encoded string that represents a grant.
What is Grantee principal?
The identity that gets the permissions specified in the grant.
A grant must have _____ principal/s
atleast one
Grantee principal can be
User (including federated) or role
What does retire a grant mean?
It mean to terminate a grant.
What is a retiree principal?
Principal who can retire a grant.
What is revoke a grant
‘Key Administrator’ terminating a grant.
Each set of related multi-Region keys has the same ____________, so you can encrypt data in one AWS Region and decrypt it in a different AWS Region without re-encrypting or making a cross-Region call to AWS KMS.
key material and key ID
You must manage each multi-Region key _________, including creating aliases and tags, setting their key policies and grants, and enabling and disabling them selectively. (independently/Dependently)
independently
Multi-Region keys are ______(global/not global)
not global
You ______ convert an existing single-Region key to a multi-Region key (can/cannot )
cannot
When you replicate, AWS KMS creates a ________ in the specified Region with the _____________
replica key ; same key ID and other shared properties as the primary key.
Related multi-region key ARNs (Amazon Resource Names) differ only in the __________
Region field
Additional considerations for multi-Region keys include
- Synchronizing shared properties
- Changing the primary key
- Deleting multi-Region keys
For multi-region keys, You can enable and disable automatic key rotation only on a __________
primary key.
You ______ a replica key even if its primary key and all related replica keys are disabled.(can use/ cannot use)
can use
The following are the shared properties of multi-Region keys.
1. Key ID 2, Key Material 3. Key Origin 4. Key Spec 5. Key Usage 6. Automatic Key rotation
Because it is destructive and potentially dangerous to delete a CMK, AWS KMS requires you to set a waiting period of _______. The default waiting period is _______
7 – 30 days; 30 days.
Also, you cannot enable ______ for a CMK with imported key material. However, you can ________ a CMK with imported key material.
automatic key rotation ; manually rotate
AWS KMS supports custom key stores backed by __________
AWS CloudHSM clusters.
When you create an AWS KMS customer master key (CMK) in a custom key store, _______ generates and stores _______ key material for the CMK in__________ that you own and manage.
AWS KMS; non-extractable; an AWS CloudHSM cluster
When you use a CMK in a custom key store, the cryptographic operations are performed in the_________
HSMs in the cluster.
You might consider creating a custom key store if your organization has any of the following requirements:
- Key material cannot be stored in a shared environment.
- Key material must be subject to a secondary, independent audit path.
- The HSMs that generate and store key material must be certified at FIPS 140-2 Level 3.
When you create customer master keys (CMKs) in an AWS KMS custom key store, you view and manage the CMKs in _________
AWS KMS and AWS CloudHSM
You can create ________ CMKs with key material generated by AWS KMS in your custom key store. (asymmetric /symmetric )
symmetric
While the custom key store is disconnected, ______ cannot access it, and users cannot use the CMKs in the custom key store for cryptographic operations.
AWS KMS
AWS KMS does not support the following AWS KMS features in custom key stores.
- Asymmetric keys
- Asymmetric Data keys pairs
- Imported key material in CMKs
- Automatic Key rotation
- Multi-region keys
A _______ is a secure location for storing cryptographic keys.
key store
The default key store in ________
AWS KMS
When you create an AWS KMS CMK in your custom key store, AWS KMS generates a ________key in the associated AWS CloudHSM cluster. T
256-bit, persistent, non-exportable Advanced Encryption Standard (AES) symmetric
Every AWS KMS custom key store is associated with _________
one AWS CloudHSM cluster.
Each AWS CloudHSM cluster can be associated with ___________ custom key store/s
only one custom key store.
The HSM cluster must be initialized and active, and it must be in the same AWS account and Region as the __________
AWS KMS custom key store.
To create CMKs in the custom key store, its associated cluster it must contain at least _____ HSMs. All other operations require ____ HSMs.
two active; only one
You specify the cluster when you create the custom key store, and you ________ change it. (can/cannot). However, you can substitute any cluster that shares a
____________ with the original cluster.
cannot; backup history
