KMS and Encryption

Question 1

T or F You can encrypt the root device EBS volume, where the OS is installed, using OS level encryption.

Answer 1

True

Question 2

How can you encrypt the root device volume, besides OS level encryption?

Answer 2

You can encrypt the root device volume, then create a copy of that snapshot with encryption. You can then make an AMI of this snapshot and deploy the encrypted root device volume.

Question 3

How do you encrypt additional attached volumes?

Answer 3

using the console, CLI, or API

Question 4

Encryption at rest is supported for the following:

1. MySQL
2. Oracle
3. SQL Server
4. PostgreSQL
5. MariaDB
6. Aurora

Answer 4

All of the above

Question 5

How is encryption done in AWS

Answer 5

by using the AWS key management service (KMS)

Question 6

True or false

Once your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.

Answer 6

True

Question 7

T or F

You can encrypt an existing database in AWS

Answer 7

False

At the present time, encrypting an existing DB instance is not supported.

Question 8

How can you encrypt an existing DB by getting creative?

Answer 8

You must first create a snapshot, make a copy of that snapshot and encrypt the copy. Then restore the copy to make it your current DB.

Question 9

T or F

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

Answer 9

True

Question 10

T or F

AWS KMS is integrated with other AWS services including EBS, S3, Redshift, Elastic Transcoder, WorkMail, RDS, and other to make it simple to encrypt your data with encryption keys that you manage.

Answer 10

True

Question 11

CMK = ____

Answer 11

Customer master key

Question 12

CMK is made of which?

1. alias
2. creation date
3. description
4. key state
5. key material (either customer provided or AWS provided)

Answer 12

All of the above

Question 13

CMK can never be exported

T or F

Answer 13

True

Question 14

These steps are for setting up a CMK:

• create alias and description
• choose material option
• define key administrative permissions
• IAM users/roles that can administer (but not use) the key through the KMS API

T or F

Answer 14

True

Question 15

These are the steps to define key usage permissions

-IAM users/roles that can use the key to encrypt and decrypt data

T or F

Answer 15

True

Question 16

CMK key material options

• use key generated key material
• your own key material

T or F

Answer 16

True

Question 17

CMK is used to decrypt the data key, which is also referred to as the _____ key

Answer 17

envelope

Question 18

Envelope key is used to ____ the data

Answer 18

decrypt

Question 19

AWS ___ ____ ____ is a managed service that makes it easy for you to create and contro the enctyption keys used to encrypt your data.

Answer 19

key management service (KMS)

Question 20

KMS keys can be used across regions

T or F

Answer 20

False

Question 21

The ____ Master Key:

alias

creation date

description

key state

key material (either customer provided or AWS provided)

can never be exported

Answer 21

customer

Question 22

setup a ____ masterkey:

• create alias and decription
• choose material option

define key admin permissions

• IAM users-roles that cna administer (but not use) the key through the KMS API
• define key usage permissino
• IAM users/roles that can use the key to encrypt and decrypt data.

Answer 22

customer

Question 23

4 KMS API calls:

aws kms encrypt

aws kms decrypt

aws kms re-encrypt

aws kms enable-key-rotation

Answer 23

yes

Question 24

the customer master key:

CMK is used to decrypt the ___ key

____ key is used to decrypt the data

Answer 24

data (envelope key)

envelope

Question 25

T or F

you can export your customer master key

Answer 25

false

you can’t export your customer master key