KMS, Encryption Flashcards
Which of the following are true for KMS and Encryption?
CMKs can encrypt/decrypt data up to 4KB
DEKs have no limit on encryption/decryption size
Which type of S3 encryption involves encryption and decryption being performed by the S3 service, but where keys are managed locally by your application?
SSE-C: encryption and decryption are handled by S3 while keys are managed locally
A financial organization has created a custom KMS key with imported key material. The key is used to encrypt the data of a Java web application. To meet strict security compliance requirements, the KMS key must be rotated every 6 months.
Which of the following could help you achieve this requirement?
Set up a new customer-managed key with imported key material. Update the key alias or key ID to point to the new KMS key.
NOT "Enable automatic key rotation": this is incorrect because a KMS key with imported key material cannot be rotated automatically.
A company has an upcoming IT security audit and your manager instructed you to encrypt all objects being uploaded to their S3 bucket. You decided to implement server-side encryption by supplying your own encryption key.
Which of the following request headers is not valid when using server-side encryption with customer-provided encryption keys?
x-amz-server-side-encryption
A law firm uses an Amazon RDS DB instance to store data on their online inquiries and consultations. The firm is managing several Lambda functions that create, update, and delete records from the database. The DB credentials are hardcoded on the Lambda functions, which are used to connect to the database.
The SysOps administrator wants to improve the setup by ensuring that the DB credentials are not stored in plaintext and that the DB password is constantly rotated every 30 days.
What steps should the SysOps administrator perform to achieve the requirements in the MOST operationally efficient way?
Use AWS Secrets Manager secrets instead of environment variables to store database credentials. While creating the secret, select the database so that the Secrets Manager will use a Lambda function to rotate the password for the database automatically. Specify the automatic rotation schedule to 30 days. Modify all the Lambda functions to access the DB password from Secrets Manager.
NOT "Utilize AWS Systems Manager Parameter Store to create secure strings for DB credentials. Build a new Lambda function and name it PasswordRotate. Schedule the new function to run every 30 days using Amazon EventBridge (Amazon CloudWatch) to generate a new password. Modify the environment variable on each Lambda function to access the secure strings stored in Parameter Store."