Management Flashcards
Master Account
The AWS account that created the AWS Organization (AWS now calls it the management account). It is the payer account for consolidated billing and the one account that SCPs do not restrict.
Administrative Root
Topmost container in the AWS Organizations hierarchy (the "root"); every organizational unit (OU) and account sits beneath it, so a policy attached to the root applies to the whole organization.
Service Control Policy (SCP)
Defines the maximum set of AWS service actions, such as Amazon EC2 RunInstances, that can be used in the accounts it is attached to (an account, an OU or the root). An SCP never grants permissions; it only caps what IAM policies inside the account can allow, and it does not apply to the management account or to service-linked roles.
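As an added example (not part of the original flashcards), a deny-list style SCP that could be attached to an OU: it stops member accounts from leaving the organization and blocks ec2:RunInstances outside two approved regions. The region list and the Sid names are assumptions chosen for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    },
    {
      "Sid": "DenyEC2LaunchOutsideApprovedRegions",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]
        }
      }
    }
  ]
}
```

Because the default FullAWSAccess SCP stays attached, everything not explicitly denied here remains permitted. An administrator inside a member account cannot override these denies with an IAM policy, but the management account is unaffected, so treat its credentials accordingly.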
How do you migrate accounts between organizations?
Use the AWS console for a few accounts and the API or CLI for many. The account first leaves (or is removed from) the source organization and then accepts an invitation from the target organization, so you need root or IAM access to both the member and the master accounts.
Resource Groups
Service that lets you manage and automate tasks on large numbers of resources at one time.
A resource is an entity that you can work with. Examples include an Amazon EC2 instance, an AWS CloudFormation stack, or an Amazon S3 bucket.
A resource group is a collection of AWS resources that are all in the same AWS Region and that match the criteria specified in the group's query. In Resource Groups there are two types of query you can use to build a group; both include resources specified in the format AWS::service::resource (for example AWS::EC2::Instance).
Queries can be based on tags or on CloudFormation stacks.
AWS KMS
Key Management Service provides
highly available key storage, management, and auditing so you can encrypt data in custom apps and in AWS services
Can also send data (up to 4 KB per request) directly to KMS to be encrypted under a CMK; larger data is encrypted locally with a data key
Validated by many compliance schemes (e.g. PCI DSS, FIPS 140-2)
CMK
Customer Master Key (AWS now calls these KMS keys)
Keys stored in AWS KMS that the customer manages (policy, rotation, deletion) but whose key material AWS stores and never exports in plaintext
Key material can be generated by KMS, generated in an AWS CloudHSM cluster (custom key store), or imported from the customer's own key management infrastructure
How do you restrict access to keys in KMS?
Every key has a key policy; together with IAM users, roles and policies it determines which principals and services can use the key to encrypt or decrypt data, who may administer it, and under what conditions (for example only via a given AWS service, or only with a given encryption context). IAM policies alone cannot grant access to a key unless its key policy delegates that to IAM.
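Added example key policy (not from the original page; the account ID 111122223333 and the role names KeyAdmin and AppServer are assumed placeholders). It separates key administration from key use and lets the application role use the key only through Amazon S3 in eu-west-1:

```json
{
  "Version": "2012-10-17",
  "Id": "example-key-policy",
  "Statement": [
    {
      "Sid": "AllowKeyAdministrationOnly",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/KeyAdmin" },
      "Action": [
        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
        "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
        "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource",
        "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowUseOnlyViaS3InOneRegion",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/AppServer" },
      "Action": [
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
        "kms:GenerateDataKey*", "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.eu-west-1.amazonaws.com"
        }
      }
    }
  ]
}
```

KeyAdmin can rotate, disable or schedule deletion of the key but has no Encrypt or Decrypt rights, and AppServer can use the key only when S3 in eu-west-1 calls KMS on its behalf. The policy deliberately omits the usual statement granting the account principal (arn:aws:iam::111122223333:root) full access, so IAM policies in the account cannot widen access to this key; the price is that a mistake in the policy can lock everyone out, so try it on a non-production key first.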
How does KMS audit, what does it audit?
All requests to use master keys are logged in CloudTrail
Who used the key, when they used it, which key was used, and in what context (calling service, encryption context, source IP) are logged
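A constructed CloudTrail record for a Decrypt call, added here as an illustration (not from the original page; the account ID, role name, key ID, IP address, timestamp and encryption context are made-up sample values). The fields a responder pivots on are userIdentity (who), eventTime (when), resources[].ARN (which key) and requestParameters.encryptionContext (in what context):

```json
{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAEXAMPLEPRINCIPAL:app-server-01",
    "arn": "arn:aws:sts::111122223333:assumed-role/AppServer/app-server-01",
    "accountId": "111122223333"
  },
  "eventTime": "2023-05-04T12:00:00Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "eu-west-1",
  "sourceIPAddress": "10.0.1.23",
  "userAgent": "aws-sdk-go/1.44.0",
  "requestParameters": {
    "encryptionContext": {
      "tenant": "acme",
      "purpose": "db-credentials"
    },
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT"
  },
  "responseElements": null,
  "eventType": "AwsApiCall",
  "readOnly": true,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
```

Note that the plaintext and ciphertext never appear in the record; only the encryption context does, which is why choosing a meaningful, non-secret context (tenant, purpose, object name) makes key usage auditable and lets a detection rule alert on a key being used for an unexpected tenant or from an unexpected source address.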
AWS Secrets Manager
Stores, distributes and rotates credentials (keys, username/password, secrets) securely
Difference between KMS and Secrets Manager?
KMS is built to encrypt and decrypt data with managed keys; it does not store your data
Secrets Manager is meant to store and distribute secrets (and rotate them, for example via a Lambda function); it uses a KMS key under the hood to encrypt each secret
KMS Features
- Manage keys: create, import custom key material, delete, disable or re-enable keys
- Control access with key policies plus IAM users and roles, separately for managing keys and for encrypting/decrypting data
- Create, use and delete custom key stores
- Rotate KMS-generated key material automatically on an annual basis (not available for imported key material or custom key store keys, which must be rotated manually)
- Audit key usage in CloudTrail
What service does using custom key stores require?
AWS CloudHSM: a custom key store is backed by a CloudHSM cluster that you own and control; KMS creates and uses the keys inside that cluster rather than in its own HSMs
Data Key
AWS service or client app asks KMS for a data key and receives it in two forms, plaintext and encrypted under the master key; it encrypts the data locally with the plaintext key, discards that copy, and stores the encrypted data key alongside the data (envelope encryption)
To read the data, the app sends the encrypted data key back to KMS, where the master key decrypts it, and then uses the plaintext data key to decrypt the data
The data key is not stored or managed by KMS, and the master key never leaves KMS
KMS Key Deletion
You can schedule key deletion with a configurable waiting period from 7 to 30 days
Default waiting period is 30 days
During the waiting period the key cannot be used, and you can cancel the deletion to recover from mistakes or unexpected impact; once the key is deleted, everything encrypted under it is unrecoverable