KMS Flashcards

1
Q

KMS is fully integrated with

A

IAM for authorization, which makes the management of these rules simple and centralized.

You can use it with the CLI and the AWS SDK.

2
Q

KMS is integrated into

A
  1. EBS: encrypt volumes
  2. S3: server-side encryption of objects
  3. Redshift: encryption of data
  4. RDS: encryption of data
  5. SSM: Parameter Store

These integrations use symmetric keys.

3
Q

two types of keys (exam)

A
  1. AES-256 symmetric (a single key for both encryption and decryption)
    necessary for envelope encryption
    (symmetric keys come up more on the exam)
  2. RSA and ECC asymmetric key pairs: used for encryption/decryption and for sign/verify

The public key is something you can download,
but again, access to the private key is impossible.

4
Q

access to the AES-256 symmetric Customer Master Key

A

You never get access to the key unencrypted.

You must use the KMS API to use that key, and you never see the key itself.

5
Q

asymmetric CMK scenarios (exam)

A
  1. to cryptographically verify a digital signature client-side, without the need for a network connection.
  2. customers can use KMS to securely manage decryption of data that has been encrypted by a partner's system that does not integrate with AWS APIs or have access to AWS account credentials.

6
Q

Key Management Service: what features are offered

A
  1. manage keys and policies (create, rotate policies, disable, enable)
  2. audit key usage (CloudTrail)

7
Q

KMS pricing

A

three types of CMK:
  1. AWS managed service default customer master key, which is free: when you go into an EBS volume and use the AWS/EBS key, that is free.
  2. if you create your own keys, this is $1 per month and there is no free tier
  3. if you import your own keys, i.e. you have to generate them outside of KMS

On top of that, you pay for each API call made to KMS: 3 cents per 10,000 calls.

8
Q

So when would you use KMS?

A

you need to share some sensitive information:

  1. database passwords,
  2. credentials for an external service,
  3. the private key of an SSL certificate,

or anything that needs to be encrypted because it is secret.

9
Q

the real value of KMS is that

A
  1. we never see the keys used to encrypt or decrypt the data, so the whole security belongs with AWS. We can only send data to KMS to encrypt and decrypt.
  2. On top of that, KMS can rotate these keys for extra security.

10
Q

KMS has a limit,

A

you can only encrypt up to 4 kilobytes of data per call, so if you want to have more data encrypted,

you need to use something called envelope encryption, which is advanced and which you only need to know for the Certified Developer exam.

11
Q

So, to give access to KMS to someone,

A

you need to make sure that

  1. the key policy allows the user to access the key, and
  2. the IAM policy allows the API call.
    When these two things are both in place, you get access to the KMS key.

12
Q

KMS and regions

A

KMS keys are bound to a specific region. That means that when you create a KMS key in region A, it cannot be transmitted over to region B.

13
Q

Let's say we have an EBS volume encrypted with a KMS key in the region eu-west-2, and we'd like to copy that volume across to a new region,
for example ap-southeast-2. Because KMS keys are linked to a specific region, you need to do a specific operation.

A
  1. create a snapshot of your volume; any snapshot made from an encrypted volume is also encrypted with KMS, using the same key.
  2. copy that snapshot over to the new region, specifying a new KMS key to re-encrypt the data with;
    now you have a snapshot encrypted with KMS
    in the other region, but with a new key.
  3. when you recreate a volume from that snapshot,
    that volume will be encrypted with the new KMS key B.

14
Q

key policies

A

control access to KMS keys; without them you can't control access.

if you don’t specify a key policy, then no one can access your key.

15
Q

When you create a CMK programmatically—that is, with the AWS KMS API (including through the AWS SDKs and command line tools)—you have the option of providing the key policy for the new CMK. If you don’t provide one,

A

AWS KMS creates one for you.

This default key policy has one policy statement that gives the AWS account (root user) that owns the CMK full access to the CMK and enables IAM policies in the account to allow access to the CMK.

16
Q

When you create a CMK with the AWS Management Console, you can choose

A

the IAM users, IAM roles, and AWS accounts that are given access to the CMK. The users, roles, and accounts that you choose are added to a default key policy that the console creates for you.

The default key policy created by the console allows the following permissions:
  1. Allows access to the AWS account and enables IAM policies
  2. Allows key administrators to administer the CMK
  3. Allows key users to use the CMK

17
Q

So to give users access to KMS keys using this default KMS key policy,

A

you just create the correct IAM policy and attach it to the user.

18
Q

If you define a custom KMS key policy

A

you specifically define the users and roles that can access this specific KMS key, and define who can administer the key.

This is useful when you do cross-account access of your KMS key.

19
Q

When you create a snapshot, it is encrypted with your own CMK; you then attach a key policy to authorize cross-account access on that key.

A

This would be an example key policy in which we allow the target account to read our KMS key.
Then we share the encrypted snapshot,
and in the target account we create a copy of the snapshot, which is possible because we have access to the KMS key in our original account.

Finally, we create a volume from that snapshot. This is how we create and copy
a snapshot across accounts.

20
Q

if you want to encrypt more than 4 KB (exam)

A

we need to use Envelope Encryption

the main API is GenerateDataKey

21
Q

APIs for Encryption (exam)

A
  1. to encrypt less than 4 KB, use the Encrypt API
  2. for more than 4 KB, use GenerateDataKey
  3. GenerateDataKeyWithoutPlaintext: also generates a DEK, but not for use right now; it is for use at some point in the future. The DEK is the same kind of thing: it is also encrypted using the CMK we specify, but to use it we must decrypt it first, which is one extra step.

So the exam will try to trick you: to perform envelope encryption right now, you need to use the GenerateDataKey API, not GenerateDataKeyWithoutPlaintext.

22
Q

APIs for Decryption (exam)

A
  1. to decrypt less than 4 KB, use the Decrypt API
23
Q

Envelope encryption how

A
  1. we use the SDK and call the GenerateDataKey API, specifying a CMK.
  2. KMS checks the IAM permissions again, making sure we are allowed to generate a data key.
  3. If we are, KMS generates the data key for us and sends back a plain-text version of it
    (the DEK) and an encrypted version of the DEK.
  4. now we can encrypt the big file client-side, using our own CPU, with this DEK.
  5. Then we build an envelope around it,
    which is the final file. Inside we put the encrypted version of the DEK and the encrypted file.
24
Q

How to decrypt envelope

A

With the Decrypt API we can only pass up to four kilobytes of data. So we use it to decrypt the data encryption key, the DEK.

The call goes through KMS, which checks the IAM permissions. If everything is good, KMS decrypts that DEK.

Now we have the plain-text DEK. With this plain-text DEK and the encrypted file, we decrypt the file client-side.

25
Q

AWS Encryption SDK

A

Envelope encryption is implemented in the AWS Encryption SDK; there is a CLI tool and implementations in Java, Python, etc.

26
Q

The Encryption SDK has a feature: data key caching.

A

instead of creating a new data key every time we want to encrypt an object, we can reuse data keys, so that you make fewer calls to KMS and it is less expensive.

But there is a security trade-off, because now you are using the same data encryption key for many different files.

You can define the max age of your key, the max number of bytes it should encrypt, or the max number of messages that should be encrypted with this DEK before moving on to the next DEK.

27
Q

if you want to generate a random number,

A

then you have the API called GenerateRandom that will return a random byte string.