Security Flashcards

1
Q

Describe Key Management Service

A

Regional encryption/decryption service
Billed per API call
It is compliant with FIPS 140-2 Level 2 (Federal Information Processing Standards)
CMK (customer master key) types:
AWS managed CMK: free
Customer managed CMK: supports key rotation; access controlled via key policies; can be enabled/disabled
AWS owned CMK: not visible to customers

2
Q

Symmetric vs. asymmetric CMKs

A

Symmetric: the same key is used for both encryption and decryption; AES-256; you can import your own key material
Asymmetric: public/private key pair; RSA and ECC; AWS services integrated with KMS do not support asymmetric CMKs

3
Q

How and why does KMS key rotation work?

A

Each KMS key can have an alias, and the application references only the alias. When the key is rotated (yearly), the application's code/configuration does not need to change.

4
Q

Cloud HSM

A

Needed for strict regulatory compliance
FIPS 140-2 Level 3
Single tenant, dedicated hardware, multi-AZ cluster
Industry-standard APIs (no AWS APIs):
PKCS#11
Java Cryptography Extension (JCE)
Microsoft CryptoNG (CNG)
5
Q

Systems Manager Parameter Store (SSM)

A

It is a serverless storage service for configuration and secrets that can be used to inject environment variables into applications.
For example, we define /prod/db/server and /prod/db/password, then grant the application permission to retrieve/decrypt the /prod path; the application can then retrieve the whole parameter tree under that path.

Values can be stored encrypted (with KMS) or in plaintext
Parameters are stored in hierarchies (via paths such as /dev/app/rms or /prd/db/mysql/password)
Parameter versions are tracked
A TTL can be set on values
