KMS 1

Question 1

KMS

Key feature of KMS, the Big Thing?

Answer 1

Keys in KMS never leave KMS.

Question 2

KMS

What’s the technical standard for keys?

important

Answer 2

FIPS 140-2 L2

must know down to the “L2” portion

Question 3

KMS

Why does the “L2” in the FIPS standard matter?

important

Answer 3

KMS only does L2; need CloudHSM for higher security levels

Question 4

KMS

Why trust KMS? Just keys stored on disk somewhere…

Answer 4

KMS uses hardware security modules (HSMs) behind the scenes

Question 5

KMS

Strong statement about all data at rest in KMS?

Answer 5

No data in KMS is ever stored on disk unencrypted

Question 6

AWS Managed Keys

Example of AWS managed keys?

Answer 6

“aws/redshift”, “aws/sqs”, “aws/lambda”

Question 7

AWS Managed Keys

Are AWS Managed Keys symmetric, asymmetric, or both?

Answer 7

Only symmetric

Question 8

AWS Managed Keys

What are AWS Managed Keys used for?

Answer 8

Services create and use them directly

Question 9

AWS Managed Keys

Why would you change the Key Policy on an AWS Managed Key?

Answer 9

You can’t (you can see it, but not change it)

Question 10

AWS Managed Keys

What can you do with AWS Managed Keys?

Answer 10

Nearly nothing. AWS Services use them.

Question 11

AWS Managed Keys

Are AWS Managed Keys regional, global, or something else?

Answer 11

Per-service, per-region, per-account

Question 12

AWS Managed Keys

How can you share KMS Managed Keys in an Organization between accounts?

Answer 12

Can’t

Question 13

AWS Managed Keys

Cost for AWS Managed Keys?

Answer 13

Pay per-use

Question 14

AWS Managed Keys

Why don’t I have a aws/sqs key?

Answer 14

You haven’t used SQS in this account in this region yet

created on 1st use

Question 15

AWS Managed Keys

What if I don’t want a service to use the default AWS managed key?

Answer 15

Some services allow you to use a CMK (like SSE-KMS for S3)

Question 16

Customer Managed Keys

How do you create Customer Managed Keys?

Answer 16

AWS creates the key material (default), or upload your own key material

Question 17

Customer Managed Keys

Cost structure for CMKs?

Answer 17

AWS-Managed pay only per-use fee, CMKs pay monthly + per-use fee

Question 18

Customer Managed Keys

What is a Customer Master Key?

Answer 18

Old name for Customer Managed Key

Question 19

Customer Managed Keys

Are CMKs regional, global, or something else?

Answer 19

Per-region, per-account

Question 20

Customer Managed Keys

Are CMKs symmetric, asymmetric, or both?

Answer 20

Can be either

Question 21

Encrypting and Decrypting

Max amount of data that KMS will encrypt or decrypt with KMS keys?

Answer 21

4 kb

Question 22

Encrypting and Decrypting

What do you get back when you send in data to encrypt?

Answer 22

Cipher text that also includes the ID of the key used to encrypt it

Question 23

Encrypting and Decrypting

Specific steps inside KMS to encrypt source data?

Answer 23

Reads encrypted key from disk > decrypts the key in memory > encrypts source data

Question 24

Digital Signing

Why bother with KMS to handle asymmetric keys for signatures?

Answer 24

Private key material in HSMs, use key policies to control access