KMS

Question 1

What is KMS?

Answer 1

Key Management Service. Easy to create and control encryption keys used to encrypt your data

Question 2

What is CMK?

Answer 2

Customer Master Key

encrypt/decrypt data up to 4KB

Used to generate/encrypt/decrypt/data key

Question 3

What is a data key

Answer 3

Used to encrypt/decrypt data (typically data over 4KB)

Question 4

Is KMS a global or regional service?

Answer 4

regional

Question 5

2 types of keys supported by KMS

Answer 5

Symmetric

Asymmetric

Question 6

What are the key material origin options for KMS?

Answer 6

KMS

External (own key)

Custom Key Store (Cloud HSM)

Question 7

What is Cloud HSM

Answer 7

Next level service to KMS. It is more money. It is mostly for customers in highly regulated environments. Own hardware.

Question 8

KMS call to rotate key each year

Answer 8

aws kms enable-key-rotation

Question 9

How can you audit which keys and resources are used and when in KMS?

Answer 9

KMS is integrated with CloudTrail

Question 10

Envelope Encryption

Answer 10

encrypt plaintext data with data key

encrypt data key with master key

Question 11

What permissions do you need from KMS to perform a multipart upload with encription using a CMK for S3?

Answer 11

kms: Decrypt
kme: GenerateDataKey*