KMS and Encryption Flashcards
T or F You can encrypt the root device EBS volume, where the OS is installed, using OS level encryption.
True
How can you encrypt the root device volume, besides OS level encryption?
You can take a snapshot of the root device volume, then create a copy of that snapshot with encryption. You can then make an AMI of the encrypted snapshot and deploy the encrypted root device volume.
How do you encrypt additional attached volumes?
Using the console, CLI, or API
Encryption at rest is supported for the following:
- MySQL
- Oracle
- SQL Server
- PostgreSQL
- MariaDB
- Aurora
All of the above
How is encryption done in AWS?
By using the AWS Key Management Service (KMS)
True or false
Once your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.
True
T or F
You can encrypt an existing database in AWS
False
At the present time, encrypting an existing DB instance is not supported.
How can you encrypt an existing DB by getting creative?
You must first create a snapshot, make a copy of that snapshot and encrypt the copy. Then restore the copy to make it your current DB.
T or F
AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
True
T or F
AWS KMS is integrated with other AWS services including EBS, S3, Redshift, Elastic Transcoder, WorkMail, RDS, and others to make it simple to encrypt your data with encryption keys that you manage.
True
CMK = ____
Customer master key
A CMK is made up of which of the following?
- alias
- creation date
- description
- key state
- key material (either customer provided or AWS provided)
All of the above
T or F
A CMK can never be exported
True
These steps are for setting up a CMK:
- create alias and description
- choose material option
- define key administrative permissions
  - IAM users/roles that can administer (but not use) the key through the KMS API
T or F
True
These are the steps to define key usage permissions:
- IAM users/roles that can use the key to encrypt and decrypt data
T or F
True
CMK key material options:
- use KMS-generated key material
- use your own key material
T or F
True
CMK is used to decrypt the data key, which is also referred to as the _____ key
envelope
Envelope key is used to ____ the data
decrypt
AWS ___ ____ ____ is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
key management service (KMS)
KMS keys can be used across regions
T or F
False
The ____ Master Key:
- alias
- creation date
- description
- key state
- key material (either customer provided or AWS provided)
- can never be exported
customer
Set up a ____ master key:
- create alias and description
- choose material option
- define key admin permissions
  - IAM users/roles that can administer (but not use) the key through the KMS API
- define key usage permissions
  - IAM users/roles that can use the key to encrypt and decrypt data
customer
4 KMS API calls:
- aws kms encrypt
- aws kms decrypt
- aws kms re-encrypt
- aws kms enable-key-rotation
yes
The customer master key:
CMK is used to decrypt the ___ key
____ key is used to decrypt the data
data (envelope key)
envelope
T or F
You can export your customer master key
False
You can't export your customer master key