KMS 3 Flashcards
Cross-Account, Cross-Region
Is KMS regional, zonal, global, or something else?
Regional (but you can do some cross-region things)
Cross-Account, Cross-Region
How would you export a KMS key to move it to another region?
Can’t. Key material is locked away in a single region.
Cross-Account, Cross-Region
Can you use a KMS key across accounts?
Not with AWS managed keys; yes with customer managed keys
Cross-Account, Cross-Region
Can you use KMS keys in multiple regions?
Yes, Multi-Region Keys or make a cross-region API call
Cross-Account, Cross-Region
What is identical across all keys that are part of a Multi-Region Key?
ID and key material (encrypt and decrypt anywhere)
Cross-Account, Cross-Region
What is different across all keys that are part of a Multi-Region Key?
Key policies (permissions)
Cross-Account, Cross-Region
Can an AWS-Managed Key be multi-region?
Never
Cross-Account, Cross-Region
Can a CMK be multi-region?
Yes
Cross-Account, Cross-Region
How does S3 (for example) use Multi-Region Keys for cross-region replication?
It doesn’t. It decrypts and re-encrypts objects in the target region with region-specific KMS keys
Cross-Account, Cross-Region
How do you create a key in a new region and add it to a multi-region key?
Can’t: multi-region keys are set up when you create the key and then replicated elsewhere.
Cross-Account, Cross-Region
Help! A field was encrypted with a CMK in us-east-1, but I’m in us-west-1. What do I do?
Make a call from us-west-1 to us-east-1 and ask KMS to decrypt it. It’s just a cross-region call.
Cross-Account, Cross-Region
Can CMKs be migrated between regions?
No
Cross-Account, Cross-Region
How do you change a key to be multi-region?
Can’t; that is decided when you create the key
Cross-Account, Cross-Region
What can’t be used for a multi-region key?
Custom key stores, because they are backed by CloudHSM
Cross-Account, Cross-Region
Can you delete a replica key?
Sure, it just goes away