KMS and Encryption Flashcards
It is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.
AWS Key Management Service
How to Set Up CMK?
Create an alias and description, then choose the key material option.
IAM users and roles that can administer (but not use) the key through the KMS API.
Key Administrative Permissions
IAM users and roles that can use the key to encrypt and decrypt data.
Key Usage Permissions
It is used on your behalf with the AWS services integrated with KMS.
AWS Managed CMK
KMS key that you create, own, and manage yourself. Used to encrypt and decrypt files up to 4KB and to generate the data key.
Customer-Managed CMK
Encryption key that you can use to encrypt data, including large amounts of data.
Data Key
You can use a CMK to ____________________ data keys
generate, encrypt, and decrypt
Encrypting the key that encrypts our data.
Envelope Encryption
The CMK is used to encrypt the ____________?
data key (or envelope key).
The ________ encrypts our data.
data key
Envelope encryption is used for encrypting anything over _______?
4KB
Using envelope encryption avoids _______________?
Sending all your data into KMS over the network.
KMS API call that encrypts plaintext into ciphertext by using a customer master key.
aws kms encrypt
KMS API call that decrypts ciphertext and then re-encrypts it using a CMK that you specify (e.g. when you change the CMK or manually rotate the CMK).
aws kms re-encrypt