KMS

Question 1

Resilience of KMS

Answer 1

Regionally and Public Service (within in AWS Public Zone, but still requires permissions to access the service)

Question 2

Main role of KMS

Answer 2

Create, Store and Manage Keys.

Question 3

KMS is used for

Answer 3

Encryption and decryption (plain text to cipher text and vice versa)

Question 4

features of KMS

Answer 4

Supports both asymmetric and symmetric encryption
Cryptographic operations (encryptions and decryption)

Question 5

Security of KMS

Answer 5

Keys never leave KMS

Provides FIPS 140-2 (L2) US security standard.

Question 6

Uses of CMK

Answer 6

KMS uses CMKs for cryptographic operations, also used by user, application and AWS services.

Question 7

CMK is

Answer 7

Logical and it is just a container which has the physical backing key.

Question 8

CMK contains

Answer 8

Key Policy
Key ID
Key Date
Description 
State (active or inactive) Key

Question 9

Features of CMK

Answer 9

CMK contain physical backing key which is managed by KMS and used for cryptographic operations.
Physical key can be imported or generated by KMS.

Can be used to perform cryptographic operations on data of size 4KB.

Question 10

Security of CMK

Answer 10

CMK is restricted within KMS (in a particular region created) and cannot be extracted outside KMS.

Question 11

Types of CMK and Key rotation.

Answer 11

AWS Managed CMK (Completely managed by AWS)
Key Rotated - Once in 3 years (Enabled by default)
Customer Managed CMK (Can edit the key policy to allow other AWS accounts to access our key)
Key Rotated - Once a year. (Optional to enable or disable)

Question 12

What is Key rotation ?

Answer 12

Process of changing the physical backing key.

CMK will retain all the previous keys and the current keys.

Question 13

Alias

Answer 13

Can create a alias for CMK (Regionally Resilient)

Question 14

Working of CMK and KMS

Answer 14

Choose a region and create a new key which will creates CMK using createKey operation (creates a container contains a physical backing key)

This is what KMS Creates,Stores and Manages.

CMKs are not stored without encryption on disk permanently.

Question 15

Encryption using CMK

Answer 15

User will request Encrypt Operation by providing data and specifying the CMK and KMS accepts the data assuming the user has permissions to perform encrypt
operation.

Then decrypts the key and uses the key along with the data to generate cipher text.

Question 16

Decryption using CMK

Answer 16

User will request decrypt operation by only providing the data (CMK data is encoded within the encrypted data), then KMS decrypts the corresponding CMK and decrypts the encrypted data and generate plain text.

assuming the user has permissions to perform decrypt operation.

Question 17

Security of CMK and KMS

Answer 17

CMKs never leave KMS and every operation requires permissions

Question 18

Role separation

Answer 18

User 1 -> Only creating and managing keys.

User 2-> Only perform cryptographic operations.

Question 19

DEKs

Answer 19

KMS generate -> CMK -> CMKs generate DEK using generateDataKey operation.

All three linked so KMS knows which DEK belongs to which CMK.

But KMS does not manage store DEK (only generates DEKs) we or the AWS service should handle cryptographic operations using on our data.

Question 20

Condition for DEK

Answer 20

Used to perform cryptographic operations on data size greater than 4KB

Question 21

Versions of DEKs

Answer 21

Plain text Key and Encrypted Key

Question 22

Working of DEKs

Answer 22

DEK is encrypted by CMK when it is generated and decrypted key can be generated by CMK assuming we have permissions.

Question 23

Encryption using DEK

Answer 23

Encrypt plain text data with plain text version of DEK and get the cipher text and discard plain text DEK.
So we have encrypted DEK and cipher text.

this process is not handled by KMS we have to handle it or the service.

We can use the same DEK for millions of files.

Question 24

Decryption using DEK

Answer 24

Pass the encrypted DEK to KMS and call decrypt operation using the corresponding CMK and get the plain text DEK and decrypt the data and then discard the decrypted DEK.

Question 25

Key Policy

Answer 25

Every CMK has a Key policy (type of resource policy).

For Customer managed CMK we can modify the key policy.

Question 26

Chain of trust

Answer 26

Explicitly set the keys to trust the AWS account.
The account can manage the key by setting IAM policies to IAM users assuming we have permissions to grant permissions.

account trusts IAM, account is trusted by key policy.

Question 27

Role separation

Answer 27

Can grant permission to create and manage keys but cannot control cryptographic operations.