KMS 2

Question 1

Data Encryption Keys

How do you get around the 4 kb limit on plaintext?

Answer 1

Data Encryption Keys: a key you take away from KMS and use elsewhere (like EBS)

Question 2

Data Encryption Keys

Where do you create a DEK?

Answer 2

Have to use the API (not available on the console)

Question 3

Data Encryption Keys

Are DEKs symmetric or asymmetric?

Answer 3

Either! Separate APIs for both

Question 4

Data Encryption Keys

What do you get back when you call GenerateDataKey?

Answer 4

Plaintext version of the DEK and a version encrypted with the KMS key that created it

Question 5

Data Encryption Keys

Where are DEKs stored?

Answer 5

Nowhere (at lest not in KMS)

Question 6

Data Encryption Keys

What’s the typical use case after calling GenerateDataKey?

Answer 6

Use plaintext to encrypt something, store ciphertext and encrypted key together for later use

Question 7

Data Encryption Keys

What happens to DEKs if you rotate the KMS key that created them?

Answer 7

Encrypted DEKs aren’t changed. They are out of the control of KMS.

Question 8

Data Encryption Keys

How does KMS encrypt using DEKs?

Answer 8

It doesn’t: that’s the whole point of DEKs: you take the key elsewhere and do it yourself

Question 9

Data Encryption Keys

How do you decrypt something with a DEK?

Answer 9

Pass encrypted DEK to KMS, get plaintext key, use it to decrypt data

Question 10

Key Rotation

Can you auto-rotate AWS Managed keys?

Answer 10

Yes

Question 11

Key Rotation

Can you turn-off auto-rotate for AWS Managed Keys?

Answer 11

No

Question 12

Key Rotation

Can you auto-rotate Customer Managed Keys?

Answer 12

Only ones with AWS-provided key material

Question 13

Key Rotation

Can you turn off auto-rotate for customer managed keys?

Answer 13

Yes

Question 14

Key Rotation

How often do keys auto-rotate, if enabled?

Answer 14

Once every year

Question 15

Key Rotation

What happens when a KMS key is auto-rotated?

Answer 15

KMS keeps all previous key material so previously-encrypted material can still be decrypted

Question 16

Key Rotation

What happens to the key ID when the key is rotated?

Answer 16

Stays the same

Question 17

Key Rotation

Do Multi-region keys auto-rotate?

Answer 17

Yes, if a single-region key of the same type can be auto-rotated

Question 18

Key Policies

What is the default permissions on a key?

Answer 18

Key Policy with allow “kms:*” on “root” arn (every principal in the account)

Question 19

Key Policies

What are the limitations on what you can put in a key Resource Policy?

Answer 19

Trick: Key Policies aren’t Resource Policies, they’re entirely different.

Question 20

Key Policies

Can a key allow some principals to encrypt but not decrypt?

Answer 20

Sure. Granular permission model

Question 21

Key Policies

How do you fix a key policy that denies access to your account?

Answer 21

Have to use root creds

Question 22

Key Policies

What happens if key policy doesn’t allow an IAM User, but the User’s permissions do allow?

Answer 22

Not allowed: KMS key policies are special – they’re not Resource Policies.

Question 23

Key Policies

What’s a good mental model for how Key Policies work?

important

Answer 23

They’re like cross-account Resource policies: both Key Policy and user policy have to allow

Question 24

Key Policies

What’s a good practice for systems that aren’t high-security?

Answer 24

Key policy trusts “root”, meaning all principals in the account, each Role/User grants perms