KMS and Encryption Flashcards

1
Q

T or F You can encrypt the root device EBS volume, where the OS is installed, using OS level encryption.

A

True

2
Q

How can you encrypt the root device volume, besides OS level encryption?

A

You can encrypt the root device volume, then create a copy of that snapshot with encryption. You can then make an AMI of this snapshot and deploy the encrypted root device volume.

3
Q

How do you encrypt additional attached volumes?

A

using the console, CLI, or API

4
Q

Encryption at rest is supported for the following:

  1. MySQL
  2. Oracle
  3. SQL Server
  4. PostgreSQL
  5. MariaDB
  6. Aurora

A

All of the above

5
Q

How is encryption done in AWS?

A

By using the AWS Key Management Service (KMS)

6
Q

True or false

Once your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.

A

True

7
Q

T or F

You can encrypt an existing database in AWS

A

False

At the present time, encrypting an existing DB instance is not supported.

8
Q

How can you encrypt an existing DB by getting creative?

A

You must first create a snapshot, make a copy of that snapshot and encrypt the copy. Then restore the copy to make it your current DB.

9
Q

T or F

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

A

True

10
Q

T or F

AWS KMS is integrated with other AWS services, including EBS, S3, Redshift, Elastic Transcoder, WorkMail, RDS, and others, to make it simple to encrypt your data with encryption keys that you manage.

A

True

11
Q

CMK = ____

A

Customer master key

12
Q

CMK is made of which?

  1. alias
  2. creation date
  3. description
  4. key state
  5. key material (either customer provided or AWS provided)

A

All of the above

13
Q

CMK can never be exported

T or F

A

True

14
Q

These steps are for setting up a CMK:

  • create alias and description
  • choose material option
  • define key administrative permissions
  • IAM users/roles that can administer (but not use) the key through the KMS API

T or F

A

True

15
Q

These are the steps to define key usage permissions

-IAM users/roles that can use the key to encrypt and decrypt data

T or F

A

True

16
Q

CMK key material options

  • use key generated key material
  • your own key material

T or F

A

True

17
Q

CMK is used to decrypt the data key, which is also referred to as the _____ key

A

envelope

18
Q

Envelope key is used to ____ the data

A

decrypt

19
Q

AWS ___ ____ ____ is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

A

key management service (KMS)

20
Q

KMS keys can be used across regions

T or F

A

False

21
Q

The ____ Master Key:

alias

creation date

description

key state

key material (either customer provided or AWS provided)

can never be exported

A

customer

22
Q

Set up a ____ master key:

  • create alias and description
  • choose material option
  • define key admin permissions
  • IAM users/roles that can administer (but not use) the key through the KMS API
  • define key usage permissions
  • IAM users/roles that can use the key to encrypt and decrypt data.

A

customer

23
Q

4 KMS API calls:

aws kms encrypt

aws kms decrypt

aws kms re-encrypt

aws kms enable-key-rotation

A

yes

24
Q

the customer master key:

CMK is used to decrypt the ___ key

____ key is used to decrypt the data

A

data (envelope key)

envelope

25
Q

T or F

you can export your customer master key

A

false

you can’t export your customer master key