KMS

Question 1

AWS Regional Services are services that operate in isolation from every other region and requires certain configuration to access and be accesed from other regions

Answer 1

True

Question 2

KMS is a regional service

Answer 2

True

Question 3

AWS KMS is a public service, it is available in aws Public zone

Answer 3

True

Question 4

KMS Features

Answer 4

1. Regional & Public Service(Can be Multi-Region enabled)
2. Create, Store and Manage Keys
3. Symmetric and Asymmetric Keys
4. Cryptographic operations (encrypt, decrypt & …)
5. Keys never leave KMS
6. Provides FIPS 140-2 (L2) Encryption standard

Question 5

KMS Keys Components

Answer 5

KMS Keys are logical -
ID,
date,
policy,
desc &
state

Question 6

KMS key max size

Answer 6

4kb

Question 7

KMS Role separation

Answer 7

Create Keys
Encrypt
Decrypt
Each of th ese operations require a separate permission

Question 8

KMS Data Encryption Key

Answer 8

DEK is used for encrypting Data >4kb
this kind of key is not stored within kms like the encryption key.
DEK - KMS hands you a Plaintext version and encryption key, you encrypt your data, and discard the plaintext version. In order to decrypt data, send encrypted Key back to KMS, and KMS will decrypt. Same DEK can be used to encrypt any number of files

Question 9

KMS Keys vs DEK

Answer 9

KMS Keys - KMS Handles the Encryption process, you provide the data =<4KB

DEK - KMS hands you a Plaintext version and encryption key, you encrypt your data, and discard the plaintext version. In order to decrypt data, send encrypted Key back to KMS, and KMS will decrypt. Same DEK can be used to encrypt any number of files

Question 10

KMS Decryption

Answer 10

KMS keys can not leave the region where it is generated, KMS keys cannot be extracted outside KMS. However, KMS offers Multi-region Keys

Question 11

Customer MAnaged Keys

Answer 11

Customer Managed Keys can highly be customized. Unlike AWS Managed Keys, in the key policy, they can be customized for cross-account, cross-region usage, etc

Question 12

KMS Key Rotation

Answer 12

AWS Managed Keys are rotated Automatically once a year(Fixed).

Customer Managed key can be configured anyhow

Question 13

Aliases

Answer 13

You cant create Aliases with KMS Keys.

Both Old/previous Keys are stored after rotation(So as data encrypted previously can still be decrypted)

However with DEK, Aliases can be used

Question 14

KMS Key Policy

Answer 14

This this is like an S3 resource Policy, the Policy is not Automatic. Trusted identity/resource must be explicitly specified, if not…

IAM Policy(kms) only gives the permission to create, encrypt, and decrypt, however, KMS Must trust the entity specified in the IAM Policy before anything can happen.

Question 15

Deleting a KMS Key

Answer 15

Deleting a KMS Key is not instantaneous, you would have to schedule a deletion >=7days

Question 16

KMS Key Delettion

Answer 16

Once a Delete operation is Called on, the specified key goes into delete pending deletion state for 7days. Within this Period, no cryptographic operation is allowed.

Advisably Disable your key instead of Delete when not sure.

Question 17

CFN Events data

Answer 17

A JSON document sent by Cloudformation to resources such as Lambda and other non AWS resources, this document contains instructions on mainly the desired properties that is expected. Then CFN receives back an OK message and registers the event as part of its Logical resource. Same is done during deletion, eg s3 buckets that wont allow deletion when not empty. This whole scenario is under **Cloudformation Custom Resources.

Question 18

Imported Key Rotation

Answer 18

Take note that you cannot enable automatic key rotation for a KMS key with imported key material, but you can manually rotate it by creating a new KMS key with imported key material.