KMS

Question 1

What is Encryption in flight?

Answer 1

Data is encrypted before sending and decrypted after receiving
• SSL certificates help with encryption (HTTPS)
• Encryption in flight ensures no MITM (man in the middle attack) can happen

Question 2

What is server side encryption at rest?

Answer 2

• Data is encrypted after being received by the server
• Data is decrypted before being sent
• It is stored in an encrypted form thanks to a key (usually a data key)
• The encryption / decryption keys must be managed somewhere and
the server must have access to it

Question 3

What is client side encryption?

Answer 3

• Data is encrypted by the client and never decrypted by the server
• Data will be decrypted by a receiving client
• The server should not be able to decrypt the data
• Could leverage Envelope Encryption

Question 4

Anytime you hear “encryption” for an AWS service what is it?

Answer 4

KMS

Question 5

What is KMS?

Answer 5

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control customer master keys (CMKs), the encryption keys used to encrypt your data

Question 6

What are the CMK types?

Answer 6

Symmetric (AES-256 keys)

Asymmetric (RSA and ECC key pairs)

Question 7

What type of CMK use AWS services that are integrated with KMS?

Answer 7

Symmetric

Question 8

What is Symmetric CMK?

Answer 8

single encryption key that is used to Encrypt and Decrypt

Question 9

What is Asymmetric CMK?

Answer 9

Public (Encrypt) and Private Key (Decrypt) pair (used by SSH)

Question 10

What is used for Asymmetric CMK?

Answer 10

for encryption outside of AWS by users who can’t call the KMS API

Question 11

What are the 3 types of CMK that you can create in KMS?

Answer 11

• AWS Managed Service Default CMK: free
• User Keys created in KMS: $1 / month
• User Keys imported (must be 256-bit symmetric key): $1 / month

Question 12

What are you able to do with your KMS keys and policies?

Answer 12

• Able to fully manage the keys & policies:
• Create
• Rotation policies
• Disable
• Enable

Question 13

How can you retrieve the key used to encrypt data by KMS?

Answer 13

you can never retrieve it

Question 14

What is the max data allowed by KMS per call?

Answer 14

4 KB, otherwise use envelope encryption

Question 15

Are KMS keys multi regions?

Answer 15

no, when you copy something encrypted cross region KMS reencrypt with a new key for the other region

Question 16

What are KMS Key Policies?

Answer 16

Control access to KMS keys, “similar” to S3 bucket policies, but you cannot access KMS without them and there is a default one

Question 17

What you must do to give access to KMS to someone?

Answer 17

o Make sure the Key Policy allows the user

o Make sure the IAM Policy allows the API calls

Question 18

How should you copy EBS snapshots accross regions?

Answer 18

1- Encrypt the volume using a KMS Key A
2- Create a snapshot
3- KMS Re-Encrypt the snapshot using a KMS Key B from Region B
4- Create volume from snapshot

Question 19

How is the default KMS Key Policy?

Answer 19

o Created if you don’t provide a specific KMS Key Policy
o Complete access to the key to the root user = entire AWS account
o Gives access to the IAM policies to the KMS key

Question 20

How is a custom KMS Key Policy?

Answer 20

o Define users, roles that can access the KMS key
o Define who can administer the key
o Useful for cross-account access of your KMS key

Question 21

How can you copy snapshots accross acounts?

Answer 21

1. Create a Snapshot, encrypted with your own CMK
2. Attach a KMS Key Policy to authorize cross-account access
3. Share the encrypted snapshot
4. (in target) Create a copy of the Snapshot, encrypt it with a KMS Key in your account
5. Create a volume from the snapshot

Question 22

What will help us to encrypt more than 4 KB by using Envelop Encryption?

Answer 22

The main API that will help us is the GenerateDataKey API

Question 23

What is the Encryption SDK?

Answer 23

The AWS Encryption SDK is a client-side encryption library designed to make it easy for everyone to encrypt and decrypt data using industry standards and best practices. It also exists as a CLI tool we can install

Question 24

What useful feature is provided by the Encryption SDK?

Answer 24

Data Key Caching:
o re-use data keys instead of creating new ones for each encryption
o Helps with reducing the number of calls to KMS with a security trade-off

Question 25

What uses the Encryption SDK for data key caching?

Answer 25

Use LocalCryptoMaterialsCache (max age, max bytes, max number of messages)

Question 26

What are the main APIs in KMS?

Answer 26

• Encrypt
• GenerateDataKey
• GenerateDataKeyWithoutPlaintext
• Decrypt
• GenerateRandom

Question 27

What is Encrypt API in KMS?

Answer 27

encrypt up to 4 KB of data through KMS

Question 28

What is GenerateDataKey API in KMS?

Answer 28

generates a unique symmetric data key (DEK)
o returns a plaintext copy of the data key
o AND a copy that is encrypted under the CMK that you specify

Question 29

What is GenerateDataKeyWithoutPlaintext API in KMS?

Answer 29

o Generate a DEK to use at some point (not immediately)

o DEK that is encrypted under the CMK that you specify (must use Decrypt later)

Question 30

What is Decrypt API in KMS?

Answer 30

decrypt up to 4 KB of data (including Data Encryption Keys)

Question 31

What is GenerateRandom API in KMS?

Answer 31

Returns a random byte string

Question 32

What happens when you exceed a request quota in KMS?

Answer 32

When you exceed a request quota, you get a ThrottlingException
• For cryptographic operations, they share a quota
• This includes requests made by AWS on your behalf (ex: SSE-KMS)

Question 33

How can you respond to KMS Throttling exceptions?

Answer 33

• use exponential backoff (backoff and retry)
• For GenerateDataKey, consider using key caching from the Encryption SDK
• You can request a Request Quotas increase through API or AWS support

Question 34

What API calls will leverage SSE-KMS?

Answer 34

• SSE-KMS leverages the GenerateDataKey & Decrypt KMS API calls
• These KMS API calls will show up in CloudTrail, helpful for logging

Question 35

What you need to perform SSE-KMS encryption?

Answer 35

To perform SSE-KMS, you need:
o A KMS Key Policy that authorizes the user / role
o An IAM policy that authorizes access to KMS
o Otherwise you will get an access denied error

Question 36

How can you force SSL to be used in your bucket?

Answer 36

To force SSL, create an S3 bucket policy with a DENY on the condition aws:SecureTransport = false

Question 37

What would happen if you allow on aws:SecureTransport = true in your bucket policy?

Answer 37

Using an allow on aws:SecureTransport = true would allow anonymous GetObject if using SSL

Question 38

How could you force SSE-KMS encryption in your bucket policy?

Answer 38

1. Deny incorrect encryption header: make sure it includes aws:kms (== SSE-KMS)
2. Deny no encryption header to ensure objects are not uploaded un-encrypted
   • Note: could swap 2) for S3 default encryption of SSE-KMS

Question 39

How can you encrypt CloudWatch logs with KMS keys?

Answer 39

Encryption is enabled at the log group level, by associating a CMK with a log group, either when you create the log group or after it exists.

Question 40

How can you associate a CMK with a log group using the CloudWatch console?

Answer 40

You cannot associate a CMK with a log group using the CloudWatch console. You must use the CloudWatch Logs API

Question 41

How can you associate a CMK with a log group using the CloudWatch Logs API?

Answer 41

associate-kms-key API call if the log group already exists

create-log-group API call if the log group doesn’t exist yet

Question 42

What you need to do in KMS to integrate it with CloudWatch Logs?

Answer 42

You need to edit the KMS Key Policy