KMS 4 Flashcards

1
Q

Key Operations

How do you monitor key usage for auditing and inspection?

A

CloudTrail and EventBridge

2
Q

Key Operations

Can you use EventBridge to trigger workflows when a key expires?

A

Yes

3
Q

Key Operations

Can you use EventBridge to trigger workflows when a key creates a DEK?

A

No, use CloudTrail

4
Q

Key Operations

Can you use EventBridge to trigger workflows when a key was rotated?

A

Yes

5
Q

Key Operations

Can you use EventBridge to trigger workflows when a key decrypts data?

A

No, use CloudTrail

6
Q

Deleting Keys

Can you delete keys?

A

Yes, but probably don’t. Disable them.

7
Q

Deleting Keys

Why is deleting a key bad?

A

Cannot recover any data encrypted with it

8
Q

Deleting Keys

Scenario: you deleted a key and need to decrypt ciphertext that was encrypted with it. What do you do?

A

Just cancel the scheduled deletion; there is a 7+ day waiting period before the key is really gone

9
Q

Grants

Value prop for Grants?

A

Designed for giving temporary access to a single key

10
Q

Grants

Example of an AWS system using a Grant?

A

EBS accessing a KMS key for volume encryption

11
Q

Grants

Can Grants allow, deny, or both?

A

Only allow

12
Q

Grants

How do Grants change the Key Policy?

A

They don’t – Grants are a separate way to gain access to keys

13
Q

Grants

How do you delete a Grant?

A

Don’t – Grants go away after the operation that needed them concludes

14
Q

Grants

How do you use a Grant to access a key?

important

A

Nothing explicit – just call the KMS API

15
Q

Grants

I have a Grant, but my API call failed. What happened?

important

A

Grants can take up to 5 minutes to be effective

16
Q

Grants

How can you use Grants immediately, without the 5-minute propagation delay?

important

A

Grant Token

17
Q

Grants

How do Grant Tokens work?

important

A

A non-secret value you receive; pass it in KMS calls to gain immediate access via a Grant

18
Q

Grants

If Grant Tokens exist, why not just always use them?

A

They aren’t designed for this; plus, you’d have to coordinate using them

Grants should be somewhat transparent to the caller

19
Q

Grants

What happens if you try to do something your Grant doesn’t allow?

important

A

ValidationError

20
Q

Custom Key Stores

What are Custom Key Stores?

A

KMS as the front-end, dedicated CloudHSMs as the back-end

21
Q

Custom Key Stores

KMS with Custom Key Stores is what FIPS level?

A

Level 3 (same as CloudHSM since you’re using dedicated HSM)

22
Q

Custom Key Stores

3 limitations of Custom Key Stores?

A

Only symmetric keys, no automatic key rotation, no multi-region support

23
Q

Encryption Context

How does Encryption Context work?

A

Just like External ID with sts:AssumeRole

24
Q

Encryption Context

How do you use EC when encrypting/decrypting?

A

Pass a set of name-value pairs when encrypting; the decrypt call must send the same ones

25
Q

Encryption Context

How do you secure the Encryption Context?

A

You don’t; the EC is considered non-secret

26
Q

Encryption Context

Why bother with Encryption Context?

A

Stops bugs and bad actors from just replacing one ciphertext value with another