Security Flashcards

1
Q

What does KMS stand for?

A

Key Management Service

2
Q

What does CMK stand for?

A

Customer Master Key (AWS has since renamed these "KMS keys"; the CMK term still appears in older documentation and in exam material)

3
Q

What is a CMK?

A
  • A logical representation of a key: its key ID, ARN, aliases, key policy and metadata
  • A pointer to the underlying cryptographic key material, which stays inside the KMS HSMs and is never returned to you in plaintext
4
Q

How large can data encrypted by CMKs be?

A

Up to 4 KB (4,096 bytes) of plaintext per Encrypt call

Anything larger is handled with envelope encryption: ask KMS for a data key (GenerateDataKey), encrypt the data locally with that key, and store the data key's KMS-encrypted copy next to the ciphertext. KMS then only ever encrypts or decrypts the small data key, never the payload.
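
The 4 KB ceiling is the reason KMS is normally used for envelope encryption rather than for encrypting payloads directly. The Go program below is an added example, not code from the original flashcards or from AWS: it stands in for KMS with a local fakeKMS type that enforces the same 4 KB limit on Encrypt, then shows the GenerateDataKey / local AES-256-GCM / Decrypt pattern the real service is used with. fakeKMS, Envelope, EnvelopeEncrypt and EnvelopeDecrypt are names invented for this example; against real KMS the three fakeKMS methods would be the corresponding AWS SDK calls. It uses the clear builtin, so it needs Go 1.21 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const kmsDirectLimit = 4096 // the 4 KB plaintext ceiling of the kms:Encrypt API

// fakeKMS is a local stand-in for AWS KMS (an assumption of this example): the master
// key never leaves it, and it wraps with AES-256-GCM, as symmetric KMS keys do.
type fakeKMS struct{ masterKey []byte }

func newFakeKMS() *fakeKMS {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read never returns an error as of Go 1.24
	return &fakeKMS{masterKey: k}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext || tag; gcmOpen reverses it.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Encrypt mirrors kms:Encrypt, including its size limit; Decrypt mirrors kms:Decrypt.
func (k *fakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > kmsDirectLimit {
		return nil, fmt.Errorf("%d bytes exceeds the %d-byte kms:Encrypt limit", len(plaintext), kmsDirectLimit)
	}
	return gcmSeal(k.masterKey, plaintext)
}

func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return gcmOpen(k.masterKey, blob) }

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key, returned
// in plaintext (use it, then discard it) and wrapped under the master key (store it).
func (k *fakeKMS) GenerateDataKey() (plainKey, wrappedKey []byte, err error) {
	plainKey = make([]byte, 32)
	if _, err = rand.Read(plainKey); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = k.Encrypt(plainKey)
	return plainKey, wrappedKey, err
}

// Envelope is what gets stored: the wrapped data key travels with the ciphertext.
type Envelope struct{ WrappedKey, Ciphertext []byte }

// EnvelopeEncrypt handles any size: one KMS call for the data key, AES-GCM locally.
func EnvelopeEncrypt(k *fakeKMS, data []byte) (*Envelope, error) {
	plainKey, wrappedKey, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer clear(plainKey) // the plaintext data key must not outlive this call
	ct, err := gcmSeal(plainKey, data)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrappedKey, Ciphertext: ct}, nil
}

// EnvelopeDecrypt unwraps the data key through KMS, then decrypts locally.
func EnvelopeDecrypt(k *fakeKMS, env *Envelope) ([]byte, error) {
	plainKey, err := k.Decrypt(env.WrappedKey)
	if err != nil {
		return nil, err
	}
	defer clear(plainKey)
	return gcmOpen(plainKey, env.Ciphertext)
}

func main() {
	k := newFakeKMS()
	payload := make([]byte, 1<<20) // 1 MiB, far past the direct limit
	_, err := k.Encrypt(payload)
	fmt.Println("direct kms:Encrypt:", err)
	env, _ := EnvelopeEncrypt(k, payload)
	pt, err := EnvelopeDecrypt(k, env)
	fmt.Println("envelope round trip ok:", err == nil && len(pt) == len(payload))
}
```

Note what ends up in storage: the wrapped data key and the ciphertext, never the plaintext data key. Decryption costs exactly one KMS call however large the object is, and because every data key is wrapped under the KMS key, disabling or scheduling deletion of that one key makes every envelope unreadable, which is the intended control point.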

5
Q

What is the pricing structure for KMS?

A

A monthly charge for each customer managed key you keep (AWS managed keys carry no monthly charge), plus a per-request charge for API calls beyond a monthly free tier

6
Q

What does FIPS stand for?

A

Federal Information Processing Standards

7
Q

What type of FIPS service is KMS?

A

KMS is a FIPS 140-2 Level 2 validated service (this is the association the exam material expects; AWS later announced FIPS 140-2 Level 3 validation for the KMS HSMs, so check the current certificate if the level matters for a compliance decision)

8
Q

What is a FIPS Level 2 service?

A

A service whose cryptographic modules provide tamper evidence (seals or coatings on the enclosure that show if it has been opened) and enforce role-based authentication of operators. Level 3 adds tamper resistance and response (for example zeroizing keys when the enclosure is breached) and identity-based authentication.

9
Q

On the exam, if you see FIPS 140-2 Level 2, what should you think of?

A

KMS

10
Q

What are the three types of CMKs? What are the major differences between them?

A
  • AWS managed CMKs - created and managed by AWS in your account on behalf of an integrated service (aliases such as aws/s3); you can see and audit them in CloudTrail but cannot change their key policy, and AWS rotates them automatically
  • Customer managed CMKs - created by you; you control the key policy, grants, enabling/disabling, deletion and optional automatic rotation, and can import your own key material; these carry the monthly charge
  • AWS owned CMKs - (rare) owned and used by AWS across many accounts; they are not visible in your account and not charged to you
11
Q

What is the important conceptual difference between Symmetric CMKs and Asymmetric CMKs?

A
  • Symmetric CMKs use the same key for encryption and decryption
  • Asymmetric CMKs use a mathematically related public/private key pair
12
Q

What is the encryption algorithm used for Symmetric CMKs?

A

AES-256 in GCM mode: a symmetric CMK is a 256-bit AES-GCM key that never leaves KMS in plaintext, so every Encrypt or Decrypt with it is an API call into the service

13
Q

What is the encryption algorithm used for asymmetric CMKs?

A

RSA (2048, 3072 or 4096 bit key pairs, usable for encryption or for signing) or elliptic-curve cryptography (NIST P-256, P-384, P-521 or secp256k1 key pairs, usable for signing only). The private key never leaves KMS; the public key can be downloaded and used outside AWS.

14
Q

What does ECC stand for (NOT the same as EC2)?

A

Elliptic-Curve Cryptography

15
Q

By default, what permissions are granted to a newly-created CMK?

A

The default key policy gives the AWS account's root principal (arn:aws:iam::<account-id>:root) full kms:* access to the CMK. That statement is what lets IAM policies in the account grant narrower access to users and roles; no other principal, and no other account, can use the key until you add it to the key policy or to a grant.

16
Q

Suppose you edit a CMK’s access permissions such that you (the root user), no longer have access to the CMK. How do you regain access to the CMK?

A

You'll have to contact AWS Support, who can restore the default key policy for a customer managed key in your own account.

(KMS normally prevents this: its policy lockout safety check rejects CreateKey and PutKeyPolicy requests that would leave the caller without kms:PutKeyPolicy, unless the request sets BypassPolicyLockoutSafetyCheck. A lockout therefore usually comes from bypassing that check, or from deleting the only IAM principal the policy named.)
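
A concrete way to avoid the lockout in the last two cards is to check a candidate key policy before it is ever sent to PutKeyPolicy. The Go code below is an added example, not AWS code: RootKeepsAccess parses a key policy document and reports whether the account root principal still has kms:PutKeyPolicy, the permission needed to repair the policy later, treating any matching Deny as decisive. The two sample policies are constructed for this example; 111122223333 is the placeholder account ID used in AWS documentation, and defaultPolicy has the shape of the default key policy KMS creates when you supply none.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed model of a key policy statement. Principal and Action may each be a
// string or a list, so they are kept raw and normalized on demand.
type statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
}

func stringsOf(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principalsOf handles both Principal: "*" and Principal: {"AWS": ...}.
func principalsOf(raw json.RawMessage) []string {
	var star string
	if json.Unmarshal(raw, &star) == nil {
		return []string{star}
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return nil
	}
	return stringsOf(obj["AWS"])
}

func coversAction(actions []string, want string) bool {
	for _, a := range actions {
		if a == "*" || a == "kms:*" || strings.EqualFold(a, want) {
			return true
		}
	}
	return false
}

// RootKeepsAccess reports whether the account root principal is still allowed
// kms:PutKeyPolicy: some Allow statement must name root (ARN, bare account ID or
// "*") with that action, and no Deny naming root or "*" may cover it. Conditions
// are ignored, so any such Deny counts, which errs towards refusing the policy.
func RootKeepsAccess(policyJSON, accountID string) (bool, error) {
	var p struct{ Statement []statement }
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, fmt.Errorf("invalid policy JSON: %w", err)
	}
	root := "arn:aws:iam::" + accountID + ":root"
	allowed := false
	for _, s := range p.Statement {
		namesRoot := false
		for _, pr := range principalsOf(s.Principal) {
			if pr == root || pr == accountID || pr == "*" {
				namesRoot = true
			}
		}
		if !namesRoot || !coversAction(stringsOf(s.Action), "kms:PutKeyPolicy") {
			continue
		}
		if s.Effect == "Deny" {
			return false, nil // an explicit Deny wins over any Allow
		}
		allowed = allowed || s.Effect == "Allow"
	}
	return allowed, nil
}

// Constructed sample policies; 111122223333 is the AWS documentation placeholder
// account. defaultPolicy has the shape KMS generates when you create a key without
// supplying a policy; lockedOutPolicy leaves nobody able to change the policy again.
const defaultPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "kms:*",
  "Resource": "*"}]}`

const lockedOutPolicy = `{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
  "Resource": "*"}]}`

func main() {
	for _, pol := range []string{defaultPolicy, lockedOutPolicy} {
		ok, err := RootKeepsAccess(pol, "111122223333")
		fmt.Println("root keeps kms:PutKeyPolicy:", ok, err)
	}
}
```

This is the check to run in whatever pipeline generates key policies, so a bad policy fails before the API is called. It is deliberately conservative: a Deny on Principal "*" is treated as locking out root even when a Condition on that statement might exempt root in practice, because the cost of a false alarm is a review, and the cost of a miss is a support ticket.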

17
Q

On the exam, if you see FIPS 140-2 Level 3, what should you think of?

A

AWS CloudHSM

18
Q

What is the major difference between KMS and HSM?

A

CloudHSM gives you a dedicated, single-tenant HSM cluster in your VPC in which you generate and manage your own keys; AWS manages the hardware but has no access to the keys. KMS is a multi-tenant managed service whose HSMs and key material AWS operates on your behalf.

19
Q

Suppose you are using HSM and you lose access to your keys. What can you do in this situation?

A

Nothing. AWS has no access to the keys in your CloudHSM cluster, so keys that are lost (for example by deleting the cluster without a backup, or losing the crypto user credentials) are irretrievable. Your own cluster backups are the only safety net.

20
Q

What does SSM stand for?

A

AWS Systems Manager (the SSM abbreviation comes from its original name, EC2 Simple Systems Manager)

21
Q

What is AWS Parameter Store?

A

Secure, serverless storage for configuration and secrets

(Idea: Separate Data from Source Control)

22
Q

How is data stored in AWS Parameter Store?

A

Data is stored hierarchically in trees

23
Q

How deep can an AWS Parameter Store tree go?

A

Up to 15 levels deep
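
The hierarchy is more than a naming convention: IAM policies and GetParametersByPath both key off the path, and the 15-level limit is enforced when a parameter is written. The Go code below is an added example, not AWS code. It validates names against the Parameter Store naming rules as the author reads them from the AWS documentation (character set, reserved aws/ssm prefixes, leading slash, no empty levels, depth and length limits; an assumption to re-check against the current service quotas), and it filters a constructed list of names the way GetParametersByPath does with and without Recursive.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits as the author reads them from the Parameter Store documentation; re-check
// against the current service quotas before relying on them (an assumption).
const (
	maxDepth   = 15
	maxNameLen = 2048
)

// ValidateParameterName applies the naming rules: legal characters, the reserved
// aws/ssm prefixes, leading slash for hierarchies, no empty levels, depth <= 15.
func ValidateParameterName(name string) error {
	if name == "" || len(name) > maxNameLen {
		return fmt.Errorf("name must be 1 to %d characters", maxNameLen)
	}
	for _, r := range name {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !isAlnum && !strings.ContainsRune("_.-/", r) {
			return fmt.Errorf("illegal character %q (allowed: a-z A-Z 0-9 _ . - /)", r)
		}
	}
	first := strings.ToLower(strings.TrimPrefix(name, "/"))
	if strings.HasPrefix(first, "aws") || strings.HasPrefix(first, "ssm") {
		return errors.New("names may not begin with aws or ssm (reserved)")
	}
	if strings.Contains(name, "/") {
		if !strings.HasPrefix(name, "/") {
			return errors.New("hierarchical names must begin with /")
		}
		levels := strings.Split(name[1:], "/")
		for _, l := range levels {
			if l == "" {
				return errors.New("empty hierarchy level (// or trailing /)")
			}
		}
		if len(levels) > maxDepth {
			return fmt.Errorf("%d levels; the maximum depth is %d", len(levels), maxDepth)
		}
	}
	return nil
}

// Depth counts hierarchy levels: "/prod/db/password" -> 3, "flat" -> 1.
func Depth(name string) int {
	t := strings.Trim(name, "/")
	if t == "" {
		return 0
	}
	return len(strings.Split(t, "/"))
}

// ByPath mirrors GetParametersByPath: with recursive=false only the direct
// children of path are returned, with recursive=true the whole subtree. This is
// also the granularity at which IAM can scope access, e.g. Resource
// "arn:aws:ssm:*:*:parameter/prod/db/*".
func ByPath(names []string, path string, recursive bool) []string {
	prefix := strings.TrimSuffix(path, "/") + "/"
	var out []string
	for _, n := range names {
		if !strings.HasPrefix(n, prefix) {
			continue
		}
		if !recursive && strings.Contains(n[len(prefix):], "/") {
			continue
		}
		out = append(out, n)
	}
	return out
}

func main() {
	for _, n := range []string{"/prod/db/password", "prod/db", "/aws/x", "/a//b"} {
		fmt.Printf("%-20s depth=%d err=%v\n", n, Depth(n), ValidateParameterName(n))
	}
}
```

The practical consequence of the path model is that a component's IAM role can be limited to its own subtree (for example parameter/prod/db/*) and still read everything it needs with a single recursive GetParametersByPath call, while a secret under /prod/api/ stays out of reach.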

24
Q

What is the pricing structure for Systems Manager Parameter Store?

A

There is no additional cost for standard parameters, subject to a limit of 10,000 standard parameters per Region per account and 4 KB per value

(Advanced parameters, which raise the limits to 100,000 parameters and 8 KB values and add parameter policies such as expiration, are billed per parameter per month, and higher API throughput is billed per request)

25
Q

What is the pricing structure for Secrets Manager?

A

You are charged per secret stored per month and per 10,000 API calls (apart from a 30-day free trial for new secrets)

26
Q

What are the big benefits for Secrets Manager over Systems Manager Parameter Store?

A

With Secrets Manager (not Parameter Store), you can

  • automatically rotate secrets on a schedule, using a Lambda rotation function (AWS supplies ready-made ones for RDS, Redshift and DocumentDB credentials)
  • generate random secrets (GetRandomPassword) at creation and at each rotation, so no human ever sees the value
27
Q

What does DDoS stand for?

A

Distributed Denial-of-Service

28
Q

At a high level, what does AWS Shield do?

A

It protects against DDoS attacks

29
Q

What are the two types of AWS Shield?

A
  • AWS Shield Standard
  • AWS Shield Advanced
30
Q

What is the pricing structure for AWS Shield Standard?

A

Automatically enabled for all customers at no additional cost

31
Q

What type of attacks can AWS Shield Standard help guard against?

A

common layer 3 and layer 4 attacks

  • SYN/UDP floods
  • Reflection attacks
32
Q

What is the pricing structure for AWS Shield Advanced?

A

$3,000 per month per AWS Organization, with a one-year subscription commitment, plus usage fees for data transfer out of the protected resources

33
Q

What is offered in AWS Shield Advanced?

A
  • Enhanced protection for EC2, ELB, CloudFront, Global Accelerator and Route 53, including application layer (layer 7) protection through AWS WAF, which is included at no extra charge for protected resources
  • 24/7 access to the DDoS Response Team (DRT, since renamed the Shield Response Team)
  • DDoS Cost Protection – credits for the scaling charges on protected resources that a DDoS attack causes on your AWS bill
  • Near-real-time attack visibility through CloudWatch metrics and reports
34
Q

What does DRT stand for?

A

DDoS Response Team

35
Q

What does AWS Firewall Manager do?

A

It allows you to centrally configure and enforce security rules across all accounts of an AWS Organization: AWS WAF web ACLs, Shield Advanced protections, VPC security groups, AWS Network Firewall and Route 53 Resolver DNS Firewall policies, with new accounts and resources picked up automatically. It requires AWS Organizations and a designated Firewall Manager administrator account.

36
Q

Can KMS keys be used in a region different from the one in which they were created?

A

No, not for ordinary (single-Region) keys

Keys generated by AWS KMS are only stored and used in the Region in which they were created and cannot be transferred to another Region. The exception, added after this FAQ answer was written, is multi-Region keys: KMS replicates the same key material and key ID (prefixed mrk-) into Regions you choose, so ciphertext produced in one Region can be decrypted with the replica in another. KMS does the replication itself; you still never get to export the key material.

(Source: https://aws.amazon.com/kms/faqs/#:~:text=Keys%20generated%20by%20AWS%20KMS,be%20transferred%20to%20another%20region.)

37
Q

Why will most companies want to create more than one AWS account?

A

Multiple accounts provide the highest level of resource and security isolation