KMS 4

Question 1

Key Operations

How do you monitor key usage for auditing and inspection?

Answer 1

CloudTrail and EventBridge

Question 2

Key Operations

Can you use EventBridge to trigger workflows when a key expires?

Answer 2

Yes

Question 3

Key Operations

Can you use EventBridge to trigger workflows when a key creates a DEK?

Answer 3

No, use CloudTrail

Question 4

Key Operations

Can you use EventBridge to trigger workflows when a key was rotated?

Answer 4

Yes

Question 5

Key Operations

Can you use EventBridge to trigger workflows when a key decrypts data?

Answer 5

No, use CloudTrail

Question 6

Deleting Keys

Can you delete keys?

Answer 6

Yes, but probably don’t. Disable them.

Question 7

Deleting Keys

Why is deleting a key bad?

Answer 7

Cannot recover any data encrypted with it

Question 8

Deleting Keys

Scenario: deleted a key and need to get ciphertext back from something…what do you do?

Answer 8

Just abort the delete…have 7+ day waiting period before key really gone

Question 9

Grants

Value prop for Grants?

Answer 9

Designed for giving temporary access to a single key

Question 10

Grants

Example of an AWS system using a Grant?

Answer 10

EBS access a KMS key for volume encryption

Question 11

Grants

Can Grants allow, deny, or both?

Answer 11

Only allow

Question 12

Grants

How do Grants change the Key Policy?

Answer 12

They don’t – separate way to gain access to keys

Question 13

Grants

How do you delete a Grant?

Answer 13

Don’t – Grants go away after the operation concludes that needed them

Question 14

Grants

How do you use a Grant to access a key?

important

Answer 14

Nothing explicit – just call the KMS API

Question 15

Grants

I have a Grant, but my API call failed, what happened?

important

Answer 15

Grants can take up to 5 minutes to be effective

Question 16

Grants

How can you use Grants fast without the 5min propagation delay?

important

Answer 16

Grant Token

Question 17

Grants

How do Grant Tokens work?

important

Answer 17

Non-secret thing you get, pass it in KMS calls to gain immediate access via a Grant

Question 18

Grants

If Grant Tokens exist, why not just always use them?

Answer 18

They aren’t designed for this, plus, you’d have to coordinate using them

Grants should be somewhat transparent to the caller

Question 19

Grants

What happens if you try to do something your Grant doesn’t allow?

important

Answer 19

ValidationError

Question 20

Custom Key Stores

What are Custom Key Stores?

Answer 20

KMS front-end, dedicated CloudHSMs back-end

Question 21

Custom Key Stores

KMS with Custom Key Stores is what FIPS level?

Answer 21

Level 3 (same as CloudHSM since you’re using dedicated HSM)

Question 22

Custom Key Stores

3 limitations of Custom Key Stores?

Answer 22

Only symmetric keys, no automatic key rotation, no multi-region support

Question 23

Encryption Context

How does Encryption Context work?

Answer 23

Just like External ID with sts:AssumeRole

Question 24

Encryption Context

How do you use EC when encrypting/decrypting?

Answer 24

Pass a set of name-value pairs, decrypting must send the same ones

Question 25

Encryption Context

How do you secure the Encryption Context?

Answer 25

You don’t, EC considered non-secret

Question 26

Encryption Context

Why bother with Encryption Context?

Answer 26

Stops bugs and bad actors from just replacing one ciphertext value with another