KMS 2 Flashcards

1
Q

Data Encryption Keys

How do you get around the 4 kb limit on plaintext?

A

Data Encryption Keys: a key you take away from KMS and use elsewhere (like EBS)

2
Q

Data Encryption Keys

Where do you create a DEK?

A

Have to use the API (not available on the console)

3
Q

Data Encryption Keys

Are DEKs symmetric or asymmetric?

A

Either! Separate APIs for both

4
Q

Data Encryption Keys

What do you get back when you call GenerateDataKey?

A

Plaintext version of the DEK and a version encrypted with the KMS key that created it

5
Q

Data Encryption Keys

Where are DEKs stored?

A

Nowhere (at least not in KMS)

6
Q

Data Encryption Keys

What’s the typical use case after calling GenerateDataKey?

A

Use plaintext to encrypt something, store ciphertext and encrypted key together for later use

7
Q

Data Encryption Keys

What happens to DEKs if you rotate the KMS key that created them?

A

Encrypted DEKs aren’t changed. They are out of the control of KMS.

8
Q

Data Encryption Keys

How does KMS encrypt using DEKs?

A

It doesn’t; that’s the whole point of DEKs: you take the key elsewhere and do it yourself

9
Q

Data Encryption Keys

How do you decrypt something with a DEK?

A

Pass encrypted DEK to KMS, get plaintext key, use it to decrypt data

10
Q

Key Rotation

Can you auto-rotate AWS Managed keys?

A

Yes

11
Q

Key Rotation

Can you turn off auto-rotate for AWS Managed Keys?

A

No

12
Q

Key Rotation

Can you auto-rotate Customer Managed Keys?

A

Only ones with AWS-provided key material

13
Q

Key Rotation

Can you turn off auto-rotate for customer managed keys?

A

Yes

14
Q

Key Rotation

How often do keys auto-rotate, if enabled?

A

Once every year

15
Q

Key Rotation

What happens when a KMS key is auto-rotated?

A

KMS keeps all previous key material so previously-encrypted material can still be decrypted

16
Q

Key Rotation

What happens to the key ID when the key is rotated?

A

Stays the same

17
Q

Key Rotation

Do Multi-region keys auto-rotate?

A

Yes, if a single-region key of the same type can be auto-rotated

18
Q

Key Policies

What are the default permissions on a key?

A

Key Policy with allow “kms:*” on the “root” ARN (every principal in the account)

19
Q

Key Policies

What are the limitations on what you can put in a key Resource Policy?

A

Trick: Key Policies aren’t Resource Policies, they’re entirely different.

20
Q

Key Policies

Can a key allow some principals to encrypt but not decrypt?

A

Sure. Granular permission model

21
Q

Key Policies

How do you fix a key policy that denies access to your account?

A

Have to use root creds

22
Q

Key Policies

What happens if the key policy doesn’t allow an IAM user, but the user’s permissions do allow?

A

Not allowed: KMS key policies are special – they’re not Resource Policies.

23
Q

Key Policies

What’s a good mental model for how Key Policies work?

important

A

They’re like cross-account Resource policies: both Key Policy and user policy have to allow

24
Q

Key Policies

What’s a good practice for systems that aren’t high-security?

A

Key policy trusts “root”, meaning all principals in the account, each Role/User grants perms