Section 18: AWS Security & Encryption: KMS, Encryption SDK, SSM Parameter Store, IAM & STS

Question 1

What is encryption in flight?

Answer 1

Encryption where data is encrypted before sending and decrypted after receiving

Question 2

What is necessary for encryption in fligth?

Answer 2

An HTTPS endpoint (SSL Certificate)

SSL Encryption / Decryption

Question 3

What does encryption in flight prevents?

Answer 3

MITM attacks

Question 4

What does MITM stand for?

Answer 4

Man In The Middle

Question 5

When and where is data encrypted when using server side encryption at rest?

Answer 5

Data is encrypted after being received by the server

Question 6

When using SSE, data is _____ before being sent.

Answer 6

decrypted

Question 7

What is the necessary thing that allows the server to encrypt data?

Answer 7

A key (usually a data key)

Question 8

Who is responsible for the management of encryption keys?

Answer 8

You decide, usually a key management service

Question 9

When and where is data encrypted when using client side encryption?

Answer 9

Data is encrypted by the client before being sent

Question 10

When using client side encryption, does the server ever decrypt the data?

Answer 10

No

Question 11

When using client side encryption, where will the data be decrypted?

Answer 11

By a receiving client

Question 12

What approach/process can you utilize to encrypt large data client side?

Answer 12

Envelope Encryption

Question 13

What is the result of data encryption?

Answer 13

Cyphertext

Question 14

What is cyphertext?

Answer 14

Ciphertext is encrypted text transformed from plaintext using an encryption algorithm

Question 15

How to go from cyphertext to plaintext?

Answer 15

Convert cyphertext to plaintext by decrypting it with a key

Question 16

What does AWS KMS stand for?

Answer 16

AWS Key Management Service

Question 17

What does AWS KMS make easy to do?

Answer 17

Create and manage cryptographic keys and control their usage across a wide range of AWS services and in your own applications

Question 18

What is AWS KMS integrated with for authorization?

Answer 18

IAM

Question 19

What is the maximum amount of data that KMS can encrypt?

Answer 19

4 KB

Question 20

What can you do if you need to encrypt more than 4 KB of data?

Answer 20

Use envelope encryption

Question 21

What do you need to do to give access to a key stored in KMS to someone?

Answer 21

Make sure the Key Policy allows the user

Make sure the IAM Policy allows the API calls

Question 22

What can you use to audit key usage?

Answer 22

CloudTrail

Question 23

What are the three types of Customer Master Keys available in KMS?

Answer 23

AWS Managed Service Default CMK
User Keys created in KMS
User Keys imported

Question 24

What is the cost of User Keys created in KMS?

Answer 24

1$/month

Question 25

What is the cost of User Keys imported in KMS?

Answer 25

1$/month

Question 26

What must imported keys be?

Answer 26

Must be 256-bit symmetric keys

Question 27

How much $ does KMS charge for API calls?

Answer 27

0.03$ / 10 000 calls

Question 28

What does KMS do first when receving Encrypt and Decrypt API calls?

Answer 28

Check IAM permissions

Question 29

What SDK helps us using the Envelope Encryption?

Answer 29

AWS Encryption SDK

Question 30

What API do we first need to call when we want to encrypt data using the envelope encryption process?

Answer 30

GenerateDataKey API

Question 31

What does the GenerateDataKey API returns us?

Answer 31

Plaintext data key and

Encrypted data key

Question 32

What should we do with the plaintext data key received from the GenerateDataKey API?

Answer 32

Encrypt our data client side and then discard the plain text data key right away

Question 33

What does DEK stand for?

Answer 33

Data Encryption Key

Question 34

What should we do first when we receive an envelope data?

Answer 34

Call the Decrypt API with the encrypted DEK

Question 35

What does the Decrypt API returns us when we pass it an encrypted key?

Answer 35

The plaintext DEK which has been decrypted using CMK

Question 36

What should we do first when we receive the plaintext DEK after calling the Decrypt API?

Answer 36

Client side decryption using the plaintext DEK

Question 37

What is the AWS Parameter Store?

Answer 37

Secure storage for configuration and secrets

Question 38

What does the Parameter Store leverages for secrets?

Answer 38

Seamless Encryption using KMS

Question 39

What does SSM provide for posterity?

Answer 39

Version tracking

Question 40

What are the two API that allows us to retrieve configurations/secret from SSM?

Answer 40

GetParameters

GetParametersByPath

Question 41

What does GetParametersByPath API returns us?

Answer 41

All the parameters within a certain path, for example:

/my-app/dev/

could return us

/my-app/dev/db-url
/my-app/dev/db-password

Question 42

What the main benefit of using AWS SSM?

Answer 42

Capability of rotation of secrets every X days

Question 43

Is it okay to grant a policy with “ * “ access to a service?

Answer 43

NO!

Question 44

What is the best practice for on premise server to get AWS credentials?

Answer 44

Call STS to obtain temporary security credentials

Question 45

Should ECS Tasks have their own role?

Answer 45

YES

Question 46

What environment variable should you use to tell ECS that a Task has its own role?

Answer 46

ECS_ENABLE_TASK_IAM_ROLE=true

Question 47

How should you go about creating a role for an AWS service?

Answer 47

Create the role and assign least-privileged permissions (policies)

Question 48

What is the best practice for providing cross account access?

Answer 48

Define an IAM Role for another account to access
Define which AWS accounts can access this IAM Role
Use AWS STS to retrieve credentials and impersonate the IAM role you have access to

Question 49

What is the API to use to retrieve credentials and impersonate an IAM Role?

Answer 49

AssumeRole API

Question 50

What are the available durations for temporary credentials to stay enabled?

Answer 50

15 minutes to 1 hour

Question 51

What are the three steps of the IAM authorization model?

Answer 51

1. If there is an explicit DENY, then DENY
2. If there is an explicit ALLOW, then ALLOW
3. Else DENY

Question 52

How are IAM Policies and S3 Bucket Policies evaluated when user tries an action on bucket?

Answer 52

The UNION of IAM Policies and S3 Bucket Policies will be evaluated

Question 53

What are dynamic Policies with IAM?

Answer 53

Policies which utilises Policy variables

Question 54

How would you assign each user of your organization a “folder” in a common S3 bucket?

Answer 54

By creating a dynamic policy with the ${aws:username} variable to define which S3 “folder” a user can access?

Question 55

What should dynamic policies affecting multiple users be assigned to?

Answer 55

Groups

Question 56

What are the three types of Policies in AWS IAM?

Answer 56

AWS Managed Policies
Customer Managed Policies
Inline Policies

Question 57

What is the preferred type of Policy to follow best practices?

Answer 57

Customer Managed Policy