KMS, Encryption Flashcards

1
Q

Which of the following are true for KMS and Encryption?

A

CMKs can encrypt/decrypt data up to 4KB
DEKs have no limit on encryption/decryption size

2
Q

Which type of S3 encryption involves encryption and decryption being performed by the S3 service, but where keys are managed locally by your application?

A

SSE-C: encryption and decryption are handled by S3 while keys are managed locally

3
Q

A financial organization has created a custom KMS key with imported key material. The key is used to encrypt the data of a Java web application. To meet strict security compliance requirements, the KMS key must be rotated every 6 months.

Which of the following could help you achieve this requirement?

A

Set up a new customer-managed key with imported key material. Update the key alias or key ID to point to the new KMS key.

NOT "Enable automatic key rotation": this option is incorrect because a KMS key with imported key material cannot be rotated automatically.

4
Q

A company has an upcoming IT security audit and your manager instructed you to encrypt all objects being uploaded to their S3 bucket. You decided to implement server-side encryption by supplying your own encryption key.

Which of the following request headers is not valid when using server-side encryption with customer-provided encryption keys?

A

x-amz-server-side-encryption

5
Q

A law firm uses an Amazon RDS DB instance to store data on their online inquiries and consultations. The firm is managing several Lambda functions that create, update, and delete records from the database. The DB credentials are hardcoded on the Lambda functions, which are used to connect to the database.

The SysOps administrator wants to improve the setup by ensuring that the DB credentials are not stored in plaintext and that the DB password is constantly rotated every 30 days.

What steps should the SysOps administrator perform to achieve the requirements in the MOST operationally efficient way?

A

Use AWS Secrets Manager secrets instead of environment variables to store database credentials. While creating the secret, select the database so that the Secrets Manager will use a Lambda function to rotate the password for the database automatically. Specify the automatic rotation schedule to 30 days. Modify all the Lambda functions to access the DB password from Secrets Manager.

NOT "Utilize AWS Systems Manager Parameter Store to create secure strings for DB credentials. Build a new Lambda function and name it PasswordRotate. Schedule the new function to run every 30 days using Amazon EventBridge (Amazon CloudWatch) to generate a new password. Modify the environment variable on each Lambda function to access the secure strings stored in Parameter Store."
