Security Flashcards

1
Q

What is KMS?

A

Key Management Service

  • FIPS Level 2 compliance
  • Public, region-wide service
  • Asymmetric and symmetric keys
2
Q

What is Secrets Manager?

A

Secrets Management Service

  • stores secrets encrypted
  • uses KMS behind the scenes
  • uses a custom Lambda function to rotate secrets
  • most managed database services on AWS support secret rotation
3
Q

How are secrets rotated?

A

A Lambda function performs the secret rotation at an interval you specify.

4
Q

Are secrets cross-region?

A

No, they are local to a region. Replication must be deliberately performed to propagate them to a different region.

5
Q

What does it mean when an EC2 instance has an attached IAM role to it?

A

  • Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for the applications that run on your EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests while protecting your credentials from other users. However, it is challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance whenever you rotate your AWS credentials.
  • IAM roles were designed so that your applications can securely make API requests from your instances without requiring you to manage the security credentials that the applications use.
6
Q

What are the typical steps to associate an IAM role with an EC2 instance?

A

  • Create an IAM role.
  • Define which accounts or AWS services can assume the role.
  • Define which API actions and resources the application can use after assuming the role.
  • Specify the role when you launch your instance, or attach the role to an existing instance.
  • Have the application retrieve a set of temporary credentials and use them.

7
Q

What is CMK?

A

Customer Master Key

  • logical container for the actual key material
  • generated or imported
  • encrypts up to 4 KB of data directly
  • region-specific

AWS managed
- automatically rotates keys every 3 years

Customer managed - created by the customer, flexible
- rotation is optional, once a year

8
Q

What is a DEK?

A

Data Encryption Key

  • generated using a CMK
  • used for data larger than 4 KB
  • the “GenerateDataKey” operation generates one
  • linked to a specific CMK
  • KMS does not store the DEK; it provides it to you
  • KMS only generates it and gives it to you for use in your own encryption tool
  • you encrypt your data with the plaintext version of the DEK and then discard the plaintext DEK
  • you are left with the ciphertext and the encrypted DEK, which you store alongside the data
  • to decrypt, you provide the encrypted DEK to KMS, which returns the decrypted DEK; you decrypt your data with it and then discard the decrypted DEK