KMS

Question 1

What type of service is KMS? (regional, AZ, global)

Answer 1

Regional

Question 2

Is KMS private or public?

Answer 2

KMS is a public service

Question 3

Where can KMS be accessed from?

Answer 3

Anywhere, it resides in the AWS public zone.

Question 4

What are the main operations that KMS can perform?

Answer 4

Create, store and manage keys.

Question 5

Can KMS handle both, symmetric and asymmetric keys?

Answer 5

Yes

Question 6

Can keys leave KMS?

Answer 6

Never

Question 7

What US security standard is KMS compliant to?

Answer 7

FIPS 140-2 (L2). Some features complaint to L3.

Question 8

What is a CMK?

Answer 8

It is a customer master key

Question 9

What is CMK used for?

Answer 9

Cryptographic operations

Question 10

What is max data that a CMK can encrypt/decrypt?

Answer 10

4KB of data in size

Question 11

What are the attributes of a CMK?

Answer 11

Key ID, key policy, description, state and creation date.

Question 12

What is a DEK?

Answer 12

Data encryption keys are keys generated by KMS from a CMK to encrypt data larger than 4 KB in size.

Question 13

Is the use of CMKs tracked? And DEKs?

Answer 13

CMKs yes, DEKs no.

Question 14

Are DEKs stored in KMS?

Answer 14

No, they are discarded one provided to a service or user.

Question 15

What is used to decrypt a DEK?

Answer 15

The same CMK that was used to create him

Question 16

DEK - architecture encryption

Answer 16

1. DEK is generated
2. Data is ecrypted with plaintext version of the DEK
3. Plaintext version of the DEK is discarded.
4. Encrypted DEK is stored with encrypted data.

Question 17

DEK - architecture decryption

Answer 17

1. The encrypted DEK is provided to KMS
2. KMS returns the decrypted version of the DEK
3. You can use the plaintext version of the DEK to decrypt the data.

Question 18

Can you extract a CMK?

Answer 18

No, CMKs never leave KMS in the region they are stored in.

Question 19

How are all the interactions with CMK done?

Answer 19

Via the KMS API

Question 20

Who can create AWS managed CMKs?

Answer 20

Only AWS creates them automatically when a service needs to use KMS

Question 21

Who creates customer managed CMKs?

Answer 21

A customer, they are created explicitly.

Question 22

Can you edit the Key policy of a CMK?

Answer 22

Only for Customer managed CMKs.

Question 23

What is the only type of CKM that allows you to modify its key policy?

Answer 23

Customer managed CMKs.

Question 24

Which CMKs can be used to allow other AWS accounts access to CMK to perform operations?

Answer 24

Customer managed CMKs.

Question 25

How often are AWS managed CMKs rotated?

Answer 25

every 1095 days (3 years)

Question 26

Are AWS managed CMKs rotated by default?

Answer 26

Yes.

Question 27

Do Customer managed CMKs rotate by default?

Answer 27

No, but if enabled they rotate every year.

Question 28

What is the content of CMKs?

Answer 28

Current backing key.

Previous backing keys (result of rotation)

Question 29

Are you allowed to create aliases for KMS keys?

Answer 29

Yes

Question 30

What are the geographical limitations of KMS key aliases?

Answer 30

Each alias is created in a region. There could be multiple regions using the same alias but the keys would be different.

Question 31

What are key policies?

Answer 31

They are a kind of resource policy that is attached to CMKs.

Question 32

How many key policies can a CMK have?

Answer 32

only one

Question 33

What is one of the most important thing to consider about key policies and permissions?

Answer 33

KMS has to be explicitly told that keys trust the AWS account that they are in.

Question 34

Describe how can an IAM user have permissions to interact with a KMS key?

Answer 34

You always need a key policy in place so the key trusts the account and so that the account can manage it by applying IAM permission policies to IAM users in that account.

Key -> account –> IAM –> IAM users.