KMS and Encryption on AWS (ACG)

Question 1

What is AWS KMS?

Answer 1

AWS Key Management Service (KMS) manages your encryption keys.

Question 2

What is CMK?

Answer 2

Customer Master Key (CMK)

Question 3

What is a CMK alias?

Answer 3

Your app can refer to the alias when using the CMK.

Question 4

You can export CMKs. True or False?

Answer 4

FALSE

CMKs can never be exported outside of KMS.

Question 5

What are the basic steps to set up CMK?

Answer 5

• Create alias and description.
• Choose key material option - provide our own or KMS managed or CloudHSM
• Set up Key Administrative Permissions (IAM Users/Roles that can administer but not use the key through the KMS API)
• Key Usage Permissions - IAM Users/Roles that can use the key to encrypt and decrypt data

Question 6

What are the different keys supported by KMS?

Answer 6

AWS-Managed CMK
Customer-Managed CMK
Data Key

Question 7

What is the AWS KMS encrypt command?

Answer 7

aws kms encrypt

Encrypts plaintext into ciphertext by using a customer master key.

Question 8

What is the AWS KMS decrypt command?

Answer 8

aws kms decrypt

Question 9

What is the AWS KMS re-encrypt command?

Answer 9

aws kms re-encrypt

Decrypts ciphertext and re-encrypts with a new CMK if you wish.

Question 10

What command would you use to automatically rotate your key annually?

Answer 10

aws kms enable-key-rotation

Question 11

What command would you use to encrypt data over 4KB?

Answer 11

aws kms generate-data-key

Question 12

What is Envelope Encryption?

Answer 12

Encrypting the key that encrypts our data.

The CMK is used to encrypt the data key (or envelope key).

The data key encrypts our data.

Used for encrypting anything over 4KB

Avoids sending all your data into KMS over the network to encrypt/decrypt directly.

Remember the GenerateDataKey API call.

Question 13

What is the AWS managed service that allows you to create and control the encryption keys used to encrypt your data?

Answer 13

AWS KMS

Question 14

Which command can you use to encrypt a plaintext file using a CMK?

Answer 14

aws kms encrypt

Question 15

Envelope encryption is used to protect your encryption key. True or False?

Answer 15

TRUE

Question 16

You cannot use AWS managed keys in cryptographic operations directly. True or False?

Answer 16

TRUE

Question 17

What is the name of the practice of encrypting plaintext data with a data key, and then encrypting the data key under another key?

Answer 17

Envelope encryption

Question 18

You would like KMS to rotate your encryption keys on a yearly basis. Which API command can you use to configure this?

Answer 18

aws kms enable-key-rotation

Question 19

You are working on a project which requires a key management solution. Your security architect has confirmed that a multi-tenant solution is fine. Which solution do you recommend?

Answer 19

KMS

KMS is multi-tenant, whereas CloudHSM is dedicated hardware. S3 encryption and client-side encryption are not key management solutions.

Question 20

You can export (copy out of the AWS KMS service in plaintext) your customer master key. True or False?

Answer 20

FALSE

You cannot export (copy out of the AWS KMS service in plaintext) your customer master key.

Question 21

KMS encryption keys are global by default. True or False?

Answer 21

FALSE

KMS encryption keys are global by default.