KMS 3 Flashcards
Cross-Account, Cross-Region
Is KMS regional, zonal, global, or something else?
Regional (but you can do some cross-region things)
Cross-Account, Cross-Region
How would you export a KMS key to move it to another region?
Can’t. Key material is locked away in a single region.
Cross-Account, Cross-Region
Can you use a KMS key across accounts?
Not with AWS managed keys (you can't edit their key policies). Yes with customer managed keys: the key policy in the owning account grants the other account, and an IAM policy in that account allows the KMS actions
Cross-Account, Cross-Region
Can you use KMS keys in multiple regions?
Yes, Multi-Region Keys or make a cross-region API call
Cross-Account, Cross-Region
What is identical across all keys that are part of a Multi-Region Key?
Key ID, key material, key spec, key usage and origin (so ciphertext made in one region decrypts in any of the others)
Cross-Account, Cross-Region
What is different across all keys that are part of a Multi-Region Key?
Key policies (permissions), grants, aliases and tags, plus the region in the ARN
Cross-Account, Cross-Region
Can an AWS-Managed Key be multi-region?
Never
Cross-Account, Cross-Region
Can a CMK be multi-region?
Yes
Cross-Account, Cross-Region
How does S3 (for example) use Multi-Region Keys for cross-region replication?
It doesn’t. It decrypts and re-encrypts objects in the target region with region-specific KMS keys
Cross-Account, Cross-Region
How do you create a key in a new region and add it to a multi-region key?
You can't add an existing key to the set. The multi-region property is fixed when the key is created, but you can create a replica in a new region at any time afterwards by calling ReplicateKey on the primary.
Cross-Account, Cross-Region
Help! A field was encrypted with a CMK in us-east-1, but I’m in us-west-1. What do I do?
Make a cross-region call: create a KMS client for us-east-1 from us-west-1 and call Decrypt (the ciphertext records which key produced it). No multi-region key needed.
Cross-Account, Cross-Region
Can CMKs be migrated between regions?
No. A single-region key can't be moved or converted; the only option is to create a new key in the target region and re-encrypt.
Cross-Account, Cross-Region
How do you change a key to be multi-region?
Can’t, decided when you create the key
Cross-Account, Cross-Region
What can’t be used for a multi-region key?
Custom key stores (CloudHSM-backed or external key stores)
because the key material is held in your CloudHSM cluster or external key manager, not by KMS, so KMS can't replicate it
Cross-Account, Cross-Region
Can you delete a replica key?
Yes. Schedule deletion like any KMS key (7 to 30 day waiting period). The other related keys are unaffected, but anything that used that replica now needs a cross-region call
Cross-Account, Cross-Region
Can you delete a multi-region primary key?
Not while replicas exist. Scheduling deletion of a primary that still has replicas puts it in PendingReplicaDeletion; the waiting period only starts once every replica has been deleted. Deleting the primary does not delete the replicas. To keep the replicas, first promote one with UpdatePrimaryRegion, then delete the old primary
Cross-Account, Cross-Region
What happens if the primary key fails?
Cryptographic operations keep working in the other regions: each replica holds the same key material and encrypts and decrypts on its own
Cross-Account, Cross-Region
Operationally, what do you do when a primary fails?
Promote a replica with UpdatePrimaryRegion. Only the primary can be replicated and have its rotation settings changed, so you want a working primary for those admin operations
Cross-Account, Cross-Region
How do you figure out the key ID for each replica?
They all have the same key ID (multi-region key IDs start with mrk-); only the region part of the ARN differs
Cross-Account, Cross-Region
When should you use multi-region keys?
Multi-region distributed app: low-latency, in-region KMS calls with no cross-region dependency; also disaster recovery and moving encrypted data between regions without re-encrypting
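The cross-region and multi-region cards above boil down to one decision at decrypt time: is there a related key in my region (same mrk- key ID, different region in the ARN), or do I make a cross-region call to the key's home region? This is an added example, not from the flashcards or from AWS. The ARN helpers run offline; the two functions that talk to KMS import boto3 lazily and are assumptions about wiring (the describe_key and decrypt calls and the MultiRegionConfiguration field are boto3's real ones). The ARNs and account number are constructed.

```python
"""Pick the Region and key ARN for a KMS Decrypt of a (possibly) multi-Region key."""
import re

# Constructed sample ARNs. "mrk-" is the prefix KMS gives multi-Region key IDs; the hex part is made up.
PRIMARY_ARN = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"
SINGLE_REGION_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

_ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):kms:(?P<region>[^:]+):(?P<account>\d{12}):key/(?P<key_id>[^:/]+)$"
)


def parse_key_arn(arn):
    """Split a KMS key ARN into partition, region, account and key_id."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn}")
    return m.groupdict()


def is_multi_region(key_id_or_arn):
    key_id = parse_key_arn(key_id_or_arn)["key_id"] if key_id_or_arn.startswith("arn:") else key_id_or_arn
    return key_id.startswith("mrk-")


def related_key_arn(arn, region):
    """ARN of the same multi-Region key in another Region: same key ID, only the Region changes."""
    p = parse_key_arn(arn)
    if not p["key_id"].startswith("mrk-"):
        raise ValueError("single-Region keys have no replicas; call their home Region instead")
    return f"arn:{p['partition']}:kms:{region}:{p['account']}:key/{p['key_id']}"


def choose_decrypt_target(key_arn, local_region, related_regions):
    """Return (region_to_call, key_arn_to_pass).

    related_regions: Regions holding the primary or a replica (see list_related_regions).
    Use the local related key when there is one; otherwise make a cross-Region call to the
    key's own Region, which works for single-Region keys too.
    """
    p = parse_key_arn(key_arn)
    if p["key_id"].startswith("mrk-") and local_region in related_regions:
        return local_region, related_key_arn(key_arn, local_region)
    return p["region"], key_arn


def list_related_regions(key_arn):
    """Ask KMS where this key lives (primary + replicas). Needs AWS credentials (assumed wiring)."""
    import boto3  # lazy: the pure helpers above work without it
    p = parse_key_arn(key_arn)
    meta = boto3.client("kms", region_name=p["region"]).describe_key(KeyId=key_arn)["KeyMetadata"]
    cfg = meta.get("MultiRegionConfiguration")  # absent for single-Region keys
    if not cfg:
        return [p["region"]]
    return [cfg["PrimaryKey"]["Region"]] + [r["Region"] for r in cfg["ReplicaKeys"]]


def decrypt(ciphertext, key_arn, local_region, related_regions):
    """Decrypt with the local related key if possible, else cross-Region (assumed wiring)."""
    import boto3
    region, key = choose_decrypt_target(key_arn, local_region, related_regions)
    # Passing KeyId explicitly matters for multi-Region keys: the ciphertext metadata names the
    # key that encrypted it, which may be the ARN of a key in another Region.
    client = boto3.client("kms", region_name=region)
    return client.decrypt(CiphertextBlob=ciphertext, KeyId=key)["Plaintext"]
```

Note the fallback path: an app in us-west-1 holding ciphertext from a single-region key in us-east-1 simply gets a us-east-1 client, which is the cross-region call the card describes; nothing about the key has to change.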
Asymmetric Keys
What do you use symmetric keys for?
Encrypt/decrypt, and generating data keys for envelope encryption
Asymmetric Keys
What do you use asymmetric keys for?
Encrypt/decrypt OR sign/verify, but not both
Asymmetric Keys
What can you do with RSA keys?
Encrypt/decrypt OR sign/verify, but not both; the key usage is set when the key is created and can't be changed
Asymmetric Keys
What can you do with Elliptic Curve keys
sign/verify (only)
Asymmetric Keys
How do you get an asymmetric key out of KMS?
The public key can come out (GetPublicKey); the private key never leaves KMS
Asymmetric Keys
How do you sign a file using KMS asymmetric key?
Up to 4096 bytes: send the whole message to Sign with MessageType RAW. Larger: hash it locally with the hash of the signing algorithm (e.g. SHA-256 for ECDSA_SHA_256) and send the digest with MessageType DIGEST
Asymmetric Keys
How do you verify a file signed by a KMS asymmetric key?
Call the KMS Verify API with the same message (or digest) and the signature; it is logged in CloudTrail and gated by the key policy
or fetch the public key with GetPublicKey and verify it yourself with a standard library, which needs no KMS access at verify time
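The sign and verify cards above hinge on one rule: the 4096-byte limit decides between MessageType RAW and DIGEST, and a DIGEST must be computed with the hash named in the signing algorithm. This is an added example, not from the flashcards or from AWS. build_sign_request and build_verify_request run offline; kms_sign, kms_verify and verify_with_public_key are assumed wiring that lazily import boto3 and the cryptography package (the sign, verify, GetPublicKey DER output and KMSInvalidSignatureException behaviours are the real ones; the key ID and messages are constructed).

```python
"""Sign and verify with a KMS asymmetric key: RAW below 4096 bytes, DIGEST above."""
import hashlib

KMS_RAW_MESSAGE_LIMIT = 4096  # bytes: the Sign/Verify limit for MessageType=RAW

# Hash KMS applies for each signing algorithm; a DIGEST message must use the same one.
_DIGEST_FOR_ALG = {
    "RSASSA_PSS_SHA_256": "sha256", "RSASSA_PSS_SHA_384": "sha384", "RSASSA_PSS_SHA_512": "sha512",
    "RSASSA_PKCS1_V1_5_SHA_256": "sha256", "RSASSA_PKCS1_V1_5_SHA_384": "sha384",
    "RSASSA_PKCS1_V1_5_SHA_512": "sha512",
    "ECDSA_SHA_256": "sha256", "ECDSA_SHA_384": "sha384", "ECDSA_SHA_512": "sha512",
}


def digest_for(signing_algorithm):
    try:
        return _DIGEST_FOR_ALG[signing_algorithm]
    except KeyError:
        raise ValueError(f"unsupported signing algorithm: {signing_algorithm}") from None


def build_sign_request(key_id, message, signing_algorithm):
    """Parameters for kms.sign: the message itself if it fits, else its digest."""
    if len(message) <= KMS_RAW_MESSAGE_LIMIT:
        body, mtype = message, "RAW"
    else:
        body, mtype = hashlib.new(digest_for(signing_algorithm), message).digest(), "DIGEST"
    return {"KeyId": key_id, "Message": body, "MessageType": mtype, "SigningAlgorithm": signing_algorithm}


def build_verify_request(key_id, message, signature, signing_algorithm):
    """Same RAW/DIGEST choice as signing, plus the signature to check."""
    req = build_sign_request(key_id, message, signing_algorithm)
    req["Signature"] = signature
    return req


def kms_sign(key_id, message, signing_algorithm, region):
    import boto3  # lazy: the request builders above work without it
    client = boto3.client("kms", region_name=region)
    return client.sign(**build_sign_request(key_id, message, signing_algorithm))["Signature"]


def kms_verify(key_id, message, signature, signing_algorithm, region):
    import boto3
    client = boto3.client("kms", region_name=region)
    try:
        resp = client.verify(**build_verify_request(key_id, message, signature, signing_algorithm))
    except client.exceptions.KMSInvalidSignatureException:  # KMS raises rather than returning False
        return False
    return resp["SignatureValid"]


def verify_with_public_key(public_key_der, message, signature, signing_algorithm):
    """Offline verification with the DER key from GetPublicKey; no 4096-byte limit applies."""
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec, padding

    hash_cls = {"sha256": hashes.SHA256, "sha384": hashes.SHA384, "sha512": hashes.SHA512}[digest_for(signing_algorithm)]
    key = serialization.load_der_public_key(public_key_der)
    try:
        if signing_algorithm.startswith("ECDSA"):
            key.verify(signature, message, ec.ECDSA(hash_cls()))
        elif signing_algorithm.startswith("RSASSA_PSS"):
            # KMS uses a salt as long as the hash output
            key.verify(signature, message, padding.PSS(mgf=padding.MGF1(hash_cls()), salt_length=hash_cls.digest_size), hash_cls())
        else:
            key.verify(signature, message, padding.PKCS1v15(), hash_cls())
        return True
    except InvalidSignature:
        return False
```

The PSS salt length and the hash choice are the two details that make local verification agree with KMS; get either wrong and a genuine signature fails to verify, which looks like tampering.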