KMS Flashcards
This deck aims to help retain concepts related to the AWS KMS service.
Does KMS support only asymmetric encryption keys?
No, KMS supports both symmetric and asymmetric encryption keys
Which cryptographic operations is KMS capable of?
Encryption and decryption
Are KMS keys used directly to encrypt data?
No, KMS keys are used to generate Data Encryption Keys (DEKs), which are used to encrypt data
What is the maximum size of data that KMS keys can work on?
Up to 4KB in size (4,096 bytes to be precise)
How is access to KMS keys provided?
Access must be explicitly provided through the KMS key resource-based policy
In the scenario of key rotation, how does KMS decrypt data that was previously encrypted by an older key?
KMS retains previous keys so that data encrypted before rotation can still be decrypted
How would you describe the KMS scope?
KMS is a regional and public service
Can KMS keys leave KMS unencrypted?
No, KMS keys never leave KMS unencrypted
What types of keys does KMS feature?
- AWS-owned keys
- AWS-managed keys
- Customer-managed keys
Which type of KMS keys are created, owned, and managed by you in your AWS account?
Customer-managed keys
Which type of KMS keys in your AWS account are created, managed, and used on your behalf by an AWS service integrated with AWS KMS?
AWS-managed keys
Which type of KMS keys are owned and managed by an AWS service for use in multiple AWS accounts?
AWS-owned keys
What CLI command is used to encrypt data using AWS KMS?
aws kms encrypt \
  --key-id <key_id> \
  --plaintext fileb://<file_name>.txt \
  --output text \
  --query CiphertextBlob \
  | base64 --decode > <file_name>.enc
What CLI command is used to decrypt data using AWS KMS?
aws kms decrypt \
  --ciphertext-blob fileb://<file_name>.enc \
  --output text \
  --query Plaintext \
  | base64 --decode > <file_name>.txt