Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

AWS S3 - SAA-C02 > Object encryption > Flashcards

Object encryption Flashcards

1
Q

Can a bucket be encrypted?

A

No, only objects are encrypted

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Can you use different encryption methods within the same bucket?

A

Yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What methods of encryption is S3 capable of supporting?

A

Client-side encryption and Server-side encryption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What type of encryption are SSE and client-side encryption?

A

They are methods of encryption at rest

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

When are the objects encrypted when using client-side encryption?

A

Encrypted by the client before they leave.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Does AWS see any data when using client-side encryption?

A

No, AWS only receives cypher data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Who has the burden of encryption and decryption when using client-side encryption?

A

The encryption burden is on the customer and not AWS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Does AWS see any data when using server-side encryption?

A

Yes, the data arrives in plaintext to S3

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Who has the burden of encryption and decryption when using server-side encryption?

A

AWS will handle some or all of the processes.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is SSE-C?

A

Server-side encryption with provided keys

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Can the client provide keys when using Server-side encryption?

A

Yes, with SSE-C.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Does AWS see the raw data when using SSE-C?

A

Yes, AWS uses the keys that were provided by the client to encrypt/decrypt the data

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Who manages encryption and decryption when using SSE-C?

A

AWS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Who is responsible of the management of keys when using SSE-C?

A

The client

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Who has the burden of encryption/decryption when using SSE-C?

A

AWS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the main advantage of SSE-C over Client-side encryption?

A

Offload CPU requirements for encryption/decryption

17
Q

What are the SSE-C Encryption Steps?

A
  1. Provide object + encryption key to S3
  2. Object is encrypted by S3 using the provided key.
  3. A hash of the key is taken and stored with the object
  4. The key is discarded after the hash is taken
  5. The encrypted data and the hash are stored
18
Q

What are the SSE-C Decryption Steps?

A
  1. Tell S3 what object to decrypt and provide key
  2. If the key is correct (hash comparison), then the object is decrypted
  3. The key is discarded and the decrypted object is provided.
19
Q

Name some UCs for SSE-C

A
  1. When management of the keys must be controlled outside of AWS
  2. When CPU offload can be useful
20
Q

What is SSE-S3 AES256?

A

Server-side encryption with Amazon S3 managed keys

21
Q

Who handles encryption and decryption when using SSE-S3?

22
Q

Who handles key generation and management when using SSE-S3?

23
Q

Name 3 disadvantages of using SSE-S3?

A
  1. Not good for regulatory environments - where keys and access to keys must be controlled.
  2. No way to control key material rotation
  3. No role separation - full S3 admin can decrypt any data.
24
Q

Name one advantage of using SSE-S3

A

Very little overhead.

25
What are the SSE-S3 Encryption Steps?
1. Provide object to S3 2. S3 generates fully managed and rotated **master key** automatically. 3. S3 generates a key specific for each object that is uploaded. 4. The master key is used to encrypt the specific object key, and the unencrypted version of that key is discarded. 5. The encrypted file and encrypted key are stored side by side in S3.
26
What is SSE-KMS?
Server-side encryption with customer master keys stored in KMS
27
Who handles keys and encryption processes when using SSE-KMS?
AWS
28
Who handles the master keys when using SSE-KMS?
KMS
29
How does AWS perform the encryption of objects when using SSE-KMS?
Every time an object is uploaded to a bucket, S3 works with KMS to create an AWS managed CMK and this is the default key that is used in the future. Every time an object is uploaded, S3 uses a dedicated key (DEK) to encrypt it.
30
SSE-KMS Encryption Steps
1. S3 is provided a plaintext version of the data encryption key as well as an encrypted version. 2. The data is encrypted with the plaintext key and the key discarded. 3. The encrypted key is stored alongside the encrypted object.
31
Can you use Customer managed CMKs when using SSE-KMS?
Yes, you can decide to use customer managed CMKs.
32
What are the benefits of using Customer managed CMKs when using SSE-KMS?
Role separation, control of permissions and usage of Key material
33
When using Customer managed CMKs with SSE-KMS, what do you need to access and decrypt an object?
Access to the CMK. No access to KMS key means no access to the object.
34
Can an full S3 admin decrypt an object that was encrypted with SSE-KMS?
Only if he has access to the CMK that was used to encrypt the object.

AWS S3 - SAA-C02 (12 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions