KMS and Encryption Flashcards
T or F
You can encrypt the root device EBS volume, where the OS is installed, using OS level encryption.
True
How can you encrypt the root device volume, besides OS level encryption?
Take a snapshot of the root device volume, then create a copy of that snapshot with encryption enabled. You can then make an AMI from the encrypted snapshot and launch instances that have an encrypted root device volume.
How do you encrypt additional attached volumes?
Using the console, CLI, or API.
Encryption at rest is supported for the following:
- MySQL
- Oracle
- SQL Server
- PostgreSQL
- MariaDB
- Aurora
All of the above
How is encryption done in AWS?
By using the AWS Key Management Service (KMS).
True or false
Once your RDS instance is encrypted, the data stored at rest in the underlying storage is encrypted, as are its automated backups, read replicas, and snapshots.
True
T or F
You can encrypt an existing database in AWS
False
At the present time, encrypting an existing DB instance is not supported.
How can you encrypt an existing DB by getting creative?
You must first create a snapshot, make a copy of that snapshot and encrypt the copy. Then restore the copy to make it your current DB.
T or F
AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
True
T or F
AWS KMS is integrated with other AWS services, including EBS, S3, Redshift, Elastic Transcoder, WorkMail, RDS, and others, to make it simple to encrypt your data with encryption keys that you manage.
True
CMK = ____
Customer master key
A CMK is made up of which of the following?
- alias
- creation date
- description
- key state
- key material (either customer provided or AWS provided)
All of the above
A CMK can never be exported.
T or F
True
These steps are for setting up a CMK:
- create alias and description
- choose material option
- define key administrative permissions
- IAM users/roles that can administer (but not use) the key through the KMS API
T or F
True
These are the steps to define key usage permissions:
- IAM users/roles that can use the key to encrypt and decrypt data
T or F
True