S3 6

Question 1

Encryption: theory

What are the two types of keys used in S3 object encryption?

Answer 1

Data Encryption Keys (DEKs) and Key Encryption Keys or master keys

Question 2

Encryption: theory

What is a DEK?

Answer 2

Per-object key created by a Key Encryption Key

Question 3

Encryption: theory

Informal name for a Key Encryption Key, noting its use?

Answer 3

“Wrapping key”

Question 4

Encryption: theory

What’s the informal name for using a two-stage key set up for encryption?

Answer 4

“Envelope encryption”

Question 5

Encryption: SSE

How do you encrypt a bucket?

Answer 5

Technically can’t. Objects are encrypted, not buckets.

Question 6

Encryption: SSE

What are three types of server-side encryption?

Answer 6

SSE-S3, SSE-C, SSE-KMS

Question 7

Encryption: SSE

What is bucket default encryption?

Answer 7

Set on whole bucket. If PutObject isn’t explicit, this is the type of encryption used.

Question 8

Encryption: SSE

How do you force a certain level of encryption across a whole bucket?

Answer 8

Can’t, but can set conditions on s3:PutObject in Policies

Question 9

Encryption: SSE-S3

How does SSE-S3 work?

Answer 9

S3 creates and manages the keys, not visible to users at all.

Question 10

Encryption: SSE-S3

Specific sequence for SSE-S3 PutObject?

Answer 10

S3 creates symkey, encrypts obj. S3 master key encrypts object-specific key, stores with object, tosses original key.

Question 11

Encryption: SSE-S3

Specific sequence for SSE-S3 GetObject?

Answer 11

Get encrypted object key, unencrypt with S3 master key, use object key to unencrypt object.

Question 12

Encryption: SSE-S3

What type of key + cipher does SSE-S3 use?

Answer 12

AES-256 symmetric, block-cipher key

Question 13

Encryption: SSE-KMS

How does SSE-KMS work?

Answer 13

Similar to SSE-S3 sequence, but KMS holds onto the root key

Question 14

Encryption: SSE-KMS

What specifically does KMS send back when S3 asks for an object key during PutObject?

Answer 14

New unencrypted object key + encrypted version of same key

Question 15

Encryption: SSE-KMS

What does S3 do with the un- and encrypted keys sent from KMS for PutObject?

Answer 15

Encrypt obj with unencrypted key, toss it, store encrypted obj and encrypted key.

Question 16

Encryption: SSE-KMS

What does S3 send and get back from KMS on GetObject?

Answer 16

Send encrypted object key, get unencrypted object key (uses KMS key to decrypt it)

Question 17

Encryption: SSE-KMS

Can you use customer-uploaded keys in KMS for SSE-KMS?

Answer 17

Yes

Question 18

Encryption: SSE-KMS

What’s the down-side of custom KMS keys for SSE-KMS?

Answer 18

You manage the key rotation and re-encryption of S3 objects with previous KMS key

Question 19

Encryption: SSE-KMS

How do you handle key rotation and object re-encryption with AWS-managed SSE-KMS?

Answer 19

You don’t, all of this is automatic and done for you.

Question 20

Encryption: SSE-KMS

What are S3 Bucket Keys?

Answer 20

Keys created by KMS, stored unencrypted with the bucket

Question 21

Encryption: SSE-KMS

Can you use S3 Bucket Keys with KMS?

Answer 21

Yes, that’s literally what it’s designed for

Question 22

Encryption: SSE-KMS

Can you use S3 Bucket Keys with SSE-S3?

Answer 22

No, KMS unused for all SSE-S3 operations

Question 23

Encryption: SSE-KMS

Advantage of using S3 Bucket Keys?

Answer 23

Save money

Question 24

Encryption: SSE-KMS

What happens with S3 Bucket Keys on PutObject?

Answer 24

S3 Bucket key used to create object key and encrypted object key, same as with SSE-KMS

Question 25

Encryption: SSE-KMS

What happens with S3 Bucket Keys on GetObject?

Answer 25

Encrypted object key decrypted with S3 Bucket key, unencrypted obj key decrypts object

Question 26

Encryption: SSE-KMS

What kinds of KMS keys are automatically tracked and audited with CloudTrail?

Answer 26

All of them: AWS-managed and customer managed keys.