1
Q
Where are KMS encryption keys located?
A
They strictly remain within a region - they can’t be exported or used to decrypt data in another region
2
Q
What does a CMK consist of?
A
An alias, creation data, description and key state
3
Q
What are the broad IAM roles for KMS?
A
Administrative permissions and usage permissions
4
Q
What are the main CLI commands to use KMS?
A
Encrypt, decrypt, re-encrypt and enable-key-rotation
5
Q
How often are CMKs rotated?
A
If AWS is used as the key material, once a year if rotation is enabled
Otherwise, it’s up to the customer
6
Q
How does KMS use CMKs?
A
It uses envelope encryption - the CMK is used to encrypt the data key which works on the actual files
