Security

Question 1

What does KMS stand for?

Answer 1

Key Management Service

Question 2

What does CMK stand for?

Answer 2

Customer Master Key

Question 3

What is a CMK?

Answer 3

• A logical representation of a key
• A pointer to some underlying cryptographic material

Question 4

How large can data encrypted by CMKs be?

Answer 4

Up to 4KB in size

Question 5

What is the pricing structure for KMS?

Answer 5

You pay per API call

Question 6

What does FIPS stand for?

Answer 6

Federal Information Processing Standards

Question 7

What type of FIPS service is KMS?

Answer 7

KMS is a FIPS 140-2 Level 2 service

Question 8

What is a FIPS Level 2 service?

Answer 8

A service that can show evidence of tampering

Question 9

On the exam, if you see FIPS 140-2 Level 2, what should you think of?

Answer 9

KMS

Question 10

What are the three types of CMKs? What are the major differences between them?

Answer 10

• AWS Managed CMKs - (default) Only used by your service
• Customer Managed CMKs - Allow for key rotation
• AWS Owned CMKs - (rare) Used by AWS on a shared basis across many accounts

Question 11

What is the important conceptual difference between Symmetric CMKs and Asymmetric CMKs?

Answer 11

• Symmetric CMKs use the same key for encryption and decryption
• Asymmetric CMKs use a mathematically related public/private key pair

Question 12

What is the encryption algorithm used for Symmetric CMKs?

Answer 12

AES-256

Question 13

What is the encryption algorithm used for a**symmetric CMKs?

Answer 13

RSA and/or Elliptic-Curve Cryptography

Question 14

What does ECC stand for (NOT the same as EC2)?

Answer 14

Elliptic-Curve Cryptography

Question 15

By default, what permissions are granted to a newly-created CMK?

Answer 15

full access to the CMK

Question 16

Suppose you edit a CMK’s access permissions such that you (the root user), no longer have access to the CMK. How do you regain access to the CMK?

Answer 16

You’ll have to contact AWS support

Question 17

On the exam, if you see FIPS 140-2 Level 3, what should you think of?

Answer 17

HSM

Question 18

What is the major difference between KMS and HSM?

Answer 18

in HSM, you manage your own keys

Question 19

Suppose you are using HSM and you lose access to your keys. What can you do in this situation?

Answer 19

Nothing. HSM Keys are irretrivable if lost

Question 20

What does SSM stand for?

Answer 20

AWS Systems Mananger

Question 21

What is AWS Parameter Store?

Answer 21

Secure, serverless storage for configuration and secrets

_{(Idea: Separate Data from Source Control)}

Question 22

How is data stored in AWS Parameter Store?

Answer 22

Data is stored hierarchically in trees

Question 23

How deep can an AWS Parameter Store tree go?

Answer 23

Up to 15 levels deep

Question 24

What is the pricing structure for Systems Manager Parameter Store?

Answer 24

There is no additional cost

_{(There is a limit on the number of parameters you can store)}

Question 25

What is the pricing structure for Secrets Manager?

Answer 25

You are charged **per secret stored** and **per 10,000** **API Request Calls**

Question 26

What are the big benefits for Secrets Manager over Systems Manager Parameter Store?

Answer 26

With Systems Manager, you can * **automatically rotate secrets** * **generate random secrets**

Question 27

What does **DDoS** stand for?

Answer 27

**D**istributed **D**enial-**o**f-**S**ervice

Question 28

At a high level, what does **AWS Shield** do?

Answer 28

It **protects against DDoS attacks**

Question 29

What are the two types of AWS Shield?

Answer 29

* **AWS Shield Standard** * **AWS Shield Advanced**

Question 30

What is the pricing structure for AWS Shield Standard?

Answer 30

Automatically enabled for all customers at **no additional cost**

Question 31

What type of attacks can AWS Shield Standard help guard against?

Answer 31

**common layer 3 and layer 4 attacks** * SYN/UDP floods * Reflection attacks

Question 32

What is the pricing structure for AWS Shield Advanced?

Answer 32

**$3,000 per month per AWS Organization**

Question 33

What is offered in AWS Shield Advanced?

Answer 33

* Enhanced Protection for EC2, ELB, CloudFront, Global Accelerator, and Route 53 * 24/7 access to the DDoS Response Team * DDoS Cost Protection -- insurance against DDoS attacks that would affect your AWS Bill

Question 34

What does **DRT** stand for?

Answer 34

**DDoS Response Team**

Question 35

What does **AWS Firewall Manager** do?

Answer 35

It allows you to **centrally configure and manage firewall rules _across an AWS Organization_**

Question 36

Can KMS keys be used in a region different from the one in which they were created?

Answer 36

**No** _{Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region​. (Source: https://aws.amazon.com/kms/faqs/#:~:text=Keys%20generated%20by%20AWS%20KMS,be%20transferred%20to%20another%20region.)}

Question 37

Why will most companies want to create more than one AWS account?

Answer 37

Multiple accounts **provide the highest level of resource and security isolation**