AWS Security & Encryption

Question 1

How do you prevent a man in the middle attack?

Answer 1

Encryption in Flight (SSL) - SSL certificates allow for HTTPS encryption. Data is encrypted before sending and decrypted after receiving.

Question 2

How does a server protect data?

Answer 2

Server side encryption at rest - data is encrypted after being received by the server, and decrypted before being sent. This encryption is enabled by a data key, and is a separate process to SSL.

Question 3

How can a client protect data?

Answer 3

Client side encryption - data is encrypted by the client and never decrypted by the server - instead is is decrypted by a receiving client

Question 4

How can you analyse KMS Key usage?

Answer 4

Can audit KMS Key usage using CloudTrail

Question 5

What type of KMS keys do AWS services that are integrated with KMS use?

Answer 5

Symmetric keys (AES-256)
- Single encryption key used for both encryption and decryption
- Never get access to the KMS Key unencrypted - must call KMS API to use

Question 6

How would you allow encryption by users outside of AWS, who can’t call the KMS API?

Answer 6

Asymmetric keys (RSA & ECC key pairs)
- Public (encrypt) and Private (decrypt) pairs
- Public key is downloadable, but cannot access the private key unencrypted

Question 7

How would you move an encrypted EBS volume across regions?

Answer 7

Would need to create a snapshot of the volume, then reencrypt with a different KMS key (KMS keys cannot be used across regions).
- Move the new snapshot across and restore.

Question 8

How can you control access to KMS keys?

Answer 8

KMS Key Policies - similar to bucket policy, except default access for a key with no policy is no access

Question 9

What is the default key policy, and when is it created?

Answer 9

Created if you don’t provide a specific key policy
- complete access to the key to the root user

Question 10

How can you allow cross-account access of a KMS key?

Answer 10

Create a custom key policy and allow access for specific account

Question 11

What is the max size limit for KMS encryption via the Encrypt API?

Answer 11

4kb

Question 12

How do you encrypt > max size limit for Encrypt API?

Answer 12

Use Envelope Encryption using the GenerateDataKey API (generates a unique symmetric data key - DEK - and returns a plaintext copy of the DEK along with a copy encrypted using the CMK you specify)

Question 13

What calls should you use for envelope encryption - for both ‘now’ and ‘in the future’?

Answer 13

GenerateDataKey for ‘now’
GenerateDataKeyWithoutPlaintext for ‘in the future’

Question 14

How would you avoid getting a ThrottlingException for KMS?

Answer 14

• Reduce number of calls via Exponential Backoff
• For GenerateDataKey, cache the DEK (caching is available through the Encryption SDK)
• Request a Request Quota increase through API or AWS support

Question 15

How can you reduce the number of KMS calls made by S3?

Answer 15

Use SSE-KMS encryption
- A ‘S3 bucket key’ is generated, and is used to encrypt KMS objects with new data keys

Question 16

What is the architectural difference between KMS and CloudHSM?

Answer 16

KMS - AWS manages the software for encryption
CloudHSM - AWS provisions encryption hardware (Hardware Security Module)

Question 17

What is a use case for CloudHSM?

Answer 17

SSE-C : server side encryption with customer owned keys. the HSM is using customer keys entirely.

Question 18

What is a high level functional difference between KMS and CloudHSM?

Answer 18

HSM uses IAM permissions to perform CRUD operations on an HSM Cluster, and CloudHSM Software is used to manage the keys and users.
- KMS performs all of the above using IAM permissions

Question 19

Describe the CloudHSM flow for encrypting and EBS Volume, and give a benefit of this setup.

Answer 19

• Configure a KMS Custom Key Store with CloudHSM
• Associate the EBS volume with the Custom Key Store

The Custom Key Store logs key usage to CloudTrail

Question 20

What is the purpose of SSM Parameter Store?

Answer 20

Secure storage for configuration and secrets

Question 21

How can you access parameters from the SSM Parameter store?

Answer 21

GetParameters or GetParametersByPath API

Question 22

What is a key difference between the standard and advanced parameter tiers?

Answer 22

Max size of a param: 4KB for standard, 8kb for advanced

Question 23

What are some features of Parameter Policies? What tier is this available to?

Answer 23

• Assign TTL to a parameter to force update or delete of sensitive data
• Can assign multiple policies at a time.

Advanced Tier only

Question 24

What service would you use to store secrets that are regularly rotated for security?

Answer 24

AWS Secrets Manager
- Can force rotation of secrets on a schedule
- Secrets are encrypted using KMS

Question 25

How do Multi-Region Secrets work?

Answer 25

Replicate secrets across regions
- Secrets Manager keeps read replicas in sync with the primary Secret

Question 26

How can you automatically generate a managed password for RDS & Aurora with CloudFormation?

Answer 26

Under Resources.{ClusterName}.Properties, add ManageMasterUserPassword: true
- This will generate an admin password for the DB and automatically create a Secret for this password within Secrets Manager.

Question 27

How can you generate a secret with a dynamic reference for RDS & Aurora with CloudFormation?

Answer 27

Define the secret under Resources (AWS::SecretsManager::Secret), and pass that in as a dynamic reference to the DB Instance definition (for username and password)
- Also have to link the declared Secret to the DB instance (AWS::SecretsManager::SecretTargetAttachment)

Question 28

Give some differences between SSM Parameter Store and Secrets Manager

Answer 28

Secrets manager provides automatic rotation of secrets by invoking Lambda (generates a new password for the specified service, and stores the password in Secrets manager), and KMS encryption in mandatory.
- Parameter Store has no secret rotation, and encryption is optional

Question 29

How can you replicate Rotation of parameters in Parameter Store?

Answer 29

Set up CloudWatch events to invoke Lambda every 30 days and update the desired parameter.

Question 30

How can you encrypt CloudWatch Logs with KMS keys?

Answer 30

Encryption is enabled at the log group level, by associating a CMK with a log group
- Must use the CloudWatch Logs API, cannot use the console
- associate-kms-key (if log group already exists) or create-log-group, providing the key as a param

Note: Key Policy must allow the key to be associated with CloudWatch

Question 31

How can you store secrets within a CodeBuild?

Answer 31

Don’t store secrets in env. variables as plaintext.
- Configure the env. variables to pull in value from Parameter Store or Secrets Manager

Question 32

What is an option for storing/processing highly sensitive data within AWS?

Answer 32

Nitro Enclaves - isolated compute environment for Personally Identifiable Information (PII), healthcare, financial…
- Fully isolated machines that only run authorized (signed) code
- Use cases: securing private keys, processing credit cards

Question 33

How can Parameter Store enable you to keep track of changes to parameters?

Answer 33

Parameter Store provides version tracking of configurations/secrets