Security

Question 1

What is a CMK?

Answer 1

• A logical representation of a key
• A pointer to some underlying cryptographic material

Question 2

What is AWS Parameter Store?

Answer 2

Secure, serverless storage for configuration and secrets

_{(Idea: Separate Data from Source Control)}

Question 3

Suppose you are using HSM and you lose access to your keys. What can you do in this situation?

Answer 3

Nothing. HSM Keys are irretrivable if lost

Question 4

What is the important conceptual difference between Symmetric CMKs and Asymmetric CMKs?

Answer 4

• Symmetric CMKs use the same key for encryption and decryption
• Asymmetric CMKs use a mathematically related public/private key pair

Question 5

What does ECC stand for (NOT the same as EC2)?

Answer 5

Elliptic-Curve Cryptography

Question 6

What does AWS Firewall Manager do?

Answer 6

It allows you to centrally configure and manage firewall rules across an AWS Organization

Question 7

What are the two types of AWS Shield?

Answer 7

• AWS Shield Standard
• AWS Shield Advanced

Question 8

What is the encryption algorithm used for Symmetric CMKs?

Answer 8

AES-256

Question 9

Can KMS keys be used in a region different from the one in which they were created?

Answer 9

No

_{Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region​.}

_{(Source: https://aws.amazon.com/kms/faqs/#:~:text=Keys%20generated%20by%20AWS%20KMS,be%20transferred%20to%20another%20region.)}

Question 10

What type of FIPS service is KMS?

Answer 10

KMS is a FIPS 140-2 Level 2 service

Question 11

What does KMS stand for?

Answer 11

Key Management Service

Question 12

What is the pricing structure for KMS?

Answer 12

You pay per API call

Question 13

On the exam, if you see FIPS 140-2 Level 3, what should you think of?

Answer 13

HSM

Question 14

On the exam, if you see FIPS 140-2 Level 2, what should you think of?

Answer 14

KMS

Question 15

How large can data encrypted by CMKs be?

Answer 15

Up to 4KB in size

Question 16

What is the pricing structure for Systems Manager Parameter Store?

Answer 16

There is no additional cost

_{(There is a limit on the number of parameters you can store)}

Question 17

What is a FIPS Level 2 service?

Answer 17

A service that can show evidence of tampering

Question 18

Why will most companies want to create more than one AWS account?

Answer 18

Multiple accounts provide the highest level of resource and security isolation

Question 19

At a high level, what does AWS Shield do?

Answer 19

It protects against DDoS attacks

Question 20

How is data stored in AWS Parameter Store?

Answer 20

Data is stored hierarchically in trees

Question 21

What is offered in AWS Shield Advanced?

Answer 21

• Enhanced Protection for EC2, ELB, CloudFront, Global Accelerator, and Route 53
• 24/7 access to the DDoS Response Team
• DDoS Cost Protection – insurance against DDoS attacks that would affect your AWS Bill

Question 22

What does SSM stand for?

Answer 22

AWS Systems Mananger

Question 23

What type of attacks can AWS Shield Standard help guard against?

Answer 23

common layer 3 and layer 4 attacks

• SYN/UDP floods
• Reflection attacks

Question 24

What is the pricing structure for AWS Shield Standard?

Answer 24

Automatically enabled for all customers at no additional cost

Question 25

How deep can an AWS Parameter Store tree go?

Answer 25

Up to **15 levels deep**

Question 26

What is the major difference between KMS and HSM?

Answer 26

in HSM, **you manage your own keys**

Question 27

What are the three types of CMKs? What are the major differences between them?

Answer 27

* **AWS Managed CMKs** - (default) Only used by your service * **Customer Managed CMKs** - Allow for _key rotation_ * **AWS Owned CMKs** - (rare) Used by AWS on a shared basis across many accounts

Question 28

What does **CMK** stand for?

Answer 28

**C**ustomer **M**aster **K**ey

Question 29

Suppose you edit a CMK's access permissions such that you (the root user), no longer have access to the CMK. How do you regain access to the CMK?

Answer 29

**You'll have to contact AWS support**

Question 30

What is the pricing structure for Secrets Manager?

Answer 30

You are charged **per secret stored** and **per 10,000** **API Request Calls**

Question 31

What does **DRT** stand for?

Answer 31

**DDoS Response Team**

Question 32

What is the encryption algorithm used for *a**symmetric* CMKs?

Answer 32

**RSA** and/or **Elliptic-Curve Cryptography**

Question 33

What is the pricing structure for AWS Shield Advanced?

Answer 33

**$3,000 per month per AWS Organization**

Question 34

What does **FIPS** stand for?

Answer 34

**F**ederal **I**nformation **P**rocessing **S**tandards