KMS, Encryption SDK, SSM Parameter Store, IAM & STS Flashcards
What is server-side encryption?
Data is encrypted after being received by the server and decrypted before sending. Data is stored encrypted using a key.
What is client-side encryption?
Data is encrypted on the client side and never decrypted by AWS. Only the client can decrypt it.
What is Envelope Encryption?
A data key is used to encrypt the data, and that key is itself encrypted using a master key (like KMS).
What is AWS KMS?
A fully managed service that lets you create and control encryption keys to encrypt your data.
How is KMS integrated into AWS?
It’s natively integrated with services like S3, EBS, RDS, Lambda, CloudTrail, and many more.
How can KMS API be used directly?
Via SDK or CLI using operations like Encrypt, Decrypt, GenerateDataKey, etc.
What are the types of KMS keys?
Symmetric (AES-256) and Asymmetric (RSA/ECC) key pairs.
Can you download the private key of a KMS asymmetric key?
❌ No — only the public key is downloadable.
What are AWS-owned vs. AWS-managed KMS keys?
AWS-owned keys are used by default and free. AWS-managed keys are per service (e.g., aws/rds) and also free.
What are customer-managed KMS keys?
Keys created and fully controlled by the user. Support rotation, auditing, access control.
What is the purpose of a KMS key policy?
To define who can use or administer the KMS key (similar to an IAM policy).
What happens if no custom KMS policy is provided?
A default policy gives full access to the root user of the AWS account.
How do you allow cross-account access with KMS?
By adding a custom KMS key policy that grants access to the other account’s principal
When should you use GenerateDataKey API?
When you need to encrypt data > 4KB, for example in envelope encryption.
What does GenerateDataKey return?
A plaintext data key and a copy encrypted with the KMS key.
What is GenerateDataKeyWithoutPlaintext used for?
Generates a data encryption key (DEK) but does not return the plaintext key—only the encrypted version.
What is GenerateRandom used for in KMS?
Returns secure random bytes for use in salts, nonces, or tokens.
What happens if KMS request quota is exceeded?
You receive a ThrottlingException — use exponential backoff.
How can you reduce KMS API calls?
Use data key caching (via the Encryption SDK) or S3 bucket keys
What is an S3 bucket key?
A bucket-level data key that reduces the number of KMS API calls when using SSE-KMS.
What is the benefit of using an S3 bucket key?
Reduces KMS usage/cost by up to 99% when encrypting large volumes in S3
What is AWS CloudHSM?
A hardware security module where you manage your own encryption keys on dedicated hardware.
How is CloudHSM different from KMS?
CloudHSM provides full key control; KMS is managed by AWS.
What compliance level does CloudHSM meet?
FIPS 140-2 Level 3 compliance
