KMS 4 Flashcards
Key Operations
How do you monitor key usage for auditing and inspection?
CloudTrail and EventBridge
Key Operations
Can you use EventBridge to trigger workflows when a key expires?
Yes
Key Operations
Can you use EventBridge to trigger workflows when a key creates a DEK?
No, use CloudTrail
Key Operations
Can you use EventBridge to trigger workflows when a key was rotated?
Yes
Key Operations
Can you use EventBridge to trigger workflows when a key decrypts data?
No, use CloudTrail
Deleting Keys
Can you delete keys?
Yes, but probably don’t. Disable them.
Deleting Keys
Why is deleting a key bad?
Cannot recover any data encrypted with it
Deleting Keys
Scenario: you deleted a key and now need to recover data encrypted with it. What do you do?
Just cancel the deletion; there is a 7+ day waiting period before the key is really gone
Grants
Value prop for Grants?
Designed for giving temporary access to a single key
Grants
Example of an AWS system using a Grant?
EBS accesses a KMS key for volume encryption
Grants
Can Grants allow, deny, or both?
Only allow
Grants
How do Grants change the Key Policy?
They don’t; Grants are a separate way to gain access to keys
Grants
How do you delete a Grant?
You don’t; a Grant goes away after the operation that needed it concludes
Grants
How do you use a Grant to access a key?
important
Nothing explicit; just call the KMS API
Grants
I have a Grant, but my API call failed, what happened?
important
Grants can take up to 5 minutes to be effective