Section 18: AWS Security & Encryption: KMS, Encryption SDK, SSM Parameter Store, IAM & STS Flashcards
What is encryption in flight?
Encryption where data is encrypted before sending and decrypted after receiving
What is necessary for encryption in flight?
An HTTPS endpoint (SSL Certificate)
SSL Encryption / Decryption
What does encryption in flight prevent?
MITM attacks
What does MITM stand for?
Man In The Middle
When and where is data encrypted when using server side encryption at rest?
Data is encrypted after being received by the server
When using SSE, data is _____ before being sent.
decrypted
What does the server need in order to encrypt data?
A key (usually a data key)
Who is responsible for the management of encryption keys?
You decide, usually a key management service
When and where is data encrypted when using client side encryption?
Data is encrypted by the client before being sent
When using client side encryption, does the server ever decrypt the data?
No
When using client side encryption, where will the data be decrypted?
By a receiving client
What approach/process can you utilize to encrypt large data client side?
Envelope Encryption
What is the result of data encryption?
Ciphertext
What is ciphertext?
Ciphertext is encrypted text transformed from plaintext using an encryption algorithm
How do you go from ciphertext to plaintext?
Convert ciphertext to plaintext by decrypting it with a key
What does AWS KMS stand for?
AWS Key Management Service
What does AWS KMS make easy to do?
Create and manage cryptographic keys and control their usage across a wide range of AWS services and in your own applications
What is AWS KMS integrated with for authorization?
IAM
What is the maximum amount of data that KMS can encrypt?
4 KB
What can you do if you need to encrypt more than 4 KB of data?
Use envelope encryption
What do you need to do to give access to a key stored in KMS to someone?
Make sure the Key Policy allows the user
Make sure the IAM Policy allows the API calls
What can you use to audit key usage?
CloudTrail
What are the three types of Customer Master Keys available in KMS?
AWS Managed Service Default CMK
User Keys created in KMS
User Keys imported
What is the cost of User Keys created in KMS?
$1/month
What is the cost of User Keys imported in KMS?
$1/month
What must imported keys be?
Must be 256-bit symmetric keys
How much $ does KMS charge for API calls?
$0.03 per 10,000 calls
What does KMS do first when receiving Encrypt and Decrypt API calls?
Check IAM permissions
What SDK helps us use envelope encryption?
AWS Encryption SDK
What API do we first need to call when we want to encrypt data using the envelope encryption process?
GenerateDataKey API
What does the GenerateDataKey API return to us?
Plaintext data key and
Encrypted data key
What should we do with the plaintext data key received from the GenerateDataKey API?
Encrypt our data client side and then discard the plain text data key right away
What does DEK stand for?
Data Encryption Key
What should we do first when we receive an envelope data?
Call the Decrypt API with the encrypted DEK
What does the Decrypt API return to us when we pass it an encrypted key?
The plaintext DEK which has been decrypted using CMK
What should we do first when we receive the plaintext DEK after calling the Decrypt API?
Client side decryption using the plaintext DEK
What is the AWS Parameter Store?
Secure storage for configuration and secrets
What does the Parameter Store leverage for secrets?
Seamless Encryption using KMS
What does SSM provide for posterity?
Version tracking
What are the two APIs that allow us to retrieve configurations/secrets from SSM?
GetParameters
GetParametersByPath
What does the GetParametersByPath API return to us?
All the parameters within a certain path, for example:
/my-app/dev/
could return us
/my-app/dev/db-url
/my-app/dev/db-password
What is the main benefit of using AWS SSM?
Capability of rotation of secrets every X days
Is it okay to grant a policy with "*" access to a service?
NO!
What is the best practice for on premise server to get AWS credentials?
Call STS to obtain temporary security credentials
Should ECS Tasks have their own role?
YES
What environment variable should you use to tell ECS that a Task has its own role?
ECS_ENABLE_TASK_IAM_ROLE=true
How should you go about creating a role for an AWS service?
Create the role and assign least-privileged permissions (policies)
What is the best practice for providing cross account access?
Define an IAM Role for another account to access
Define which AWS accounts can access this IAM Role
Use AWS STS to retrieve credentials and impersonate the IAM role you have access to
What is the API to use to retrieve credentials and impersonate an IAM Role?
AssumeRole API
What are the available durations for temporary credentials to stay enabled?
15 minutes to 1 hour
What are the three steps of the IAM authorization model?
- If there is an explicit DENY, then DENY
- If there is an explicit ALLOW, then ALLOW
- Else DENY
How are IAM Policies and S3 Bucket Policies evaluated when user tries an action on bucket?
The UNION of IAM Policies and S3 Bucket Policies will be evaluated
What are dynamic Policies with IAM?
Policies which utilise policy variables
How would you assign each user of your organization a "folder" in a common S3 bucket?
By creating a dynamic policy with the ${aws:username} variable to define which S3 "folder" a user can access
What should dynamic policies affecting multiple users be assigned to?
Groups
What are the three types of Policies in AWS IAM?
AWS Managed Policies
Customer Managed Policies
Inline Policies
What is the preferred type of Policy to follow best practices?
Customer Managed Policy