Security Flashcards
What is a CMK?
- A logical representation of a key
- A pointer to some underlying cryptographic material
What is AWS Parameter Store?
Secure, serverless storage for configuration and secrets
(Idea: Separate Data from Source Control)
Suppose you are using HSM and you lose access to your keys. What can you do in this situation?
Nothing. HSM Keys are irretrivable if lost
What is the important conceptual difference between Symmetric CMKs and Asymmetric CMKs?
- Symmetric CMKs use the same key for encryption and decryption
- Asymmetric CMKs use a mathematically related public/private key pair
What does ECC stand for (NOT the same as EC2)?
Elliptic-Curve Cryptography
What does AWS Firewall Manager do?
It allows you to centrally configure and manage firewall rules across an AWS Organization
What are the two types of AWS Shield?
- AWS Shield Standard
- AWS Shield Advanced
What is the encryption algorithm used for Symmetric CMKs?
AES-256
Can KMS keys be used in a region different from the one in which they were created?
No
Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region.
(Source: https://aws.amazon.com/kms/faqs/#:~:text=Keys%20generated%20by%20AWS%20KMS,be%20transferred%20to%20another%20region.)
What type of FIPS service is KMS?
KMS is a FIPS 140-2 Level 2 service
What does KMS stand for?
Key Management Service
What is the pricing structure for KMS?
You pay per API call
On the exam, if you see FIPS 140-2 Level 3, what should you think of?
HSM
On the exam, if you see FIPS 140-2 Level 2, what should you think of?
KMS
How large can data encrypted by CMKs be?
Up to 4KB in size
What is the pricing structure for Systems Manager Parameter Store?
There is no additional cost
(There is a limit on the number of parameters you can store)
What is a FIPS Level 2 service?
A service that can show evidence of tampering
Why will most companies want to create more than one AWS account?
Multiple accounts provide the highest level of resource and security isolation
At a high level, what does AWS Shield do?
It protects against DDoS attacks
How is data stored in AWS Parameter Store?
Data is stored hierarchically in trees
What is offered in AWS Shield Advanced?
- Enhanced Protection for EC2, ELB, CloudFront, Global Accelerator, and Route 53
- 24/7 access to the DDoS Response Team
- DDoS Cost Protection – insurance against DDoS attacks that would affect your AWS Bill
What does SSM stand for?
AWS Systems Mananger
What type of attacks can AWS Shield Standard help guard against?
common layer 3 and layer 4 attacks
- SYN/UDP floods
- Reflection attacks
What is the pricing structure for AWS Shield Standard?
Automatically enabled for all customers at no additional cost
How deep can an AWS Parameter Store tree go?
Up to 15 levels deep
What is the major difference between KMS and HSM?
in HSM, you manage your own keys
What are the three types of CMKs? What are the major differences between them?
- AWS Managed CMKs - (default) Only used by your service
- Customer Managed CMKs - Allow for key rotation
- AWS Owned CMKs - (rare) Used by AWS on a shared basis across many accounts
What does CMK stand for?
Customer Master Key
Suppose you edit a CMK’s access permissions such that you (the root user), no longer have access to the CMK. How do you regain access to the CMK?
You’ll have to contact AWS support
What is the pricing structure for Secrets Manager?
You are charged per secret stored and per 10,000 API Request Calls
What does DRT stand for?
DDoS Response Team
What is the encryption algorithm used for a**symmetric CMKs?
RSA and/or Elliptic-Curve Cryptography
What is the pricing structure for AWS Shield Advanced?
$3,000 per month per AWS Organization
What does FIPS stand for?
Federal Information Processing Standards
