AWS KMS Exam Practice

Question 1

What does AWS KMS provide?

A) Virtual servers
B) Key management and encryption
C) Database service
D) DNS hosting

Answer 1

B) Key management and encryption

Question 2

Which two types of keys are used in KMS?

A) Access Keys and Secret Keys
B) CMKs and Data Keys
C) RSA and ECC Keys
D) S3 Keys and IAM Keys

Answer 2

B) CMKs and Data Keys

Question 3

What is a CMK used for?

A) Encrypt EC2 instances
B) Encrypt and decrypt data keys
C) Configure VPC routing
D) Monitor CloudWatch metrics

Answer 3

B) Encrypt and decrypt data keys

Question 4

Which key encrypts your data directly in KMS?

A) Data Key
B) IAM Key
C) Access Key
D) AWS Managed Key

Answer 4

A) Data Key

Question 5

Which CMK type uses a public/private key pair?

A) Symmetric CMK
B) Asymmetric CMK
C) AWS-managed CMK
D) Data Key

Answer 5

B) Asymmetric CMK

Question 6

Which key type can be used for digital signatures?

A) Symmetric CMK
B) Asymmetric CMK
C) Data Key
D) AWS-managed CMK

Answer 6

B) Asymmetric CMK

Question 7

Which CMK type is automatically created and managed by AWS?

A) Customer-managed CMK
B) AWS-managed CMK
C) AWS-owned CMK
D) Data Key

Answer 7

B) AWS-managed CMK

Question 8

In envelope encryption, what encrypts the actual data?

A) CMK
B) Data Key
C) IAM Key
D) AWS-managed CMK

Answer 8

B) Data Key

Question 9

Which policy is the primary mechanism to control who can use a CMK?

A) IAM policy
B) Key policy
C) Access key
D) Data Key

Answer 9

B) Key policy

Question 10

Which KMS option is used to encrypt S3 objects?

A) SSE-S3
B) SSE-KMS
C) SSE-C
D) AES-256

Answer 10

B) SSE-KMS

Question 11

How do you enable annual key rotation?

A) Enable rotation for AWS-managed CMK
B) Enable rotation for customer-managed CMK
C) Use CloudTrail
D) Create a new Data Key

Answer 11

B) Enable rotation for customer-managed CMK

Question 12

How can a Lambda function get temporary access to a CMK?

A) Attach IAM policy
B) Use a KMS grant
C) Both A and B
D) Create a new CMK manually

Answer 12

C) Both A and B

Question 13

What happens to data if its CMK is deleted?

A) Remains encrypted but accessible
B) Becomes irrecoverable
C) Automatically decrypted
D) Backed up in S3

Answer 13

B) Becomes irrecoverable

Question 14

Which AWS service does NOT integrate with KMS?

A) S3
B) RDS
C) Lambda
D) Route 53

Answer 14

D) Route 53

Question 15

For large datasets, which encryption method is recommended?

A) Direct encryption
B) Envelope encryption
C) AWS-managed encryption
D) Manual AES

Answer 15

B) Envelope encryption

Question 16

Which CMK type is automatically created and managed by AWS?

A) Customer-managed CMK
B) AWS-managed CMK
C) AWS-owned CMK
D) Data Key,B

Answer 16

B) AWS-managed CMK

Question 17

Which CMK type can be automatically rotated?

A) AWS-owned CMK
B) Customer-managed CMK
C) Data Key
D) Access Key

Answer 17

B) Customer-managed CMK

Question 18

Which of the following controls KMS key access?

A) IAM policies
B) Key policies
C) Grants
D) All of the above

Answer 18

D) All of the above

Question 19

Which KMS encryption method is recommended for large datasets?

A) Direct Encryption
B) Envelope Encryption
C) Manual Key Management
D) Server-side encryption with AES

Answer 19

B) Envelope Encryption

Question 20

Can a CMK be used across multiple regions?

A) Yes
B) No
C) Only for S3
D) Only for Lambda

Answer 20

B) No

Question 21

Which service records all KMS key usage for auditing?

A) CloudWatch
B) CloudTrail
C) S3
D) Lambda

Answer 21

B) CloudTrail

Question 22

What is the minimum waiting period before a CMK can be deleted?

A) 0 days
B) 7 days
C) 30 days
D) 60 days

Answer 22

B) 7 days

Question 23

What is AWS KMS?

Answer 23

AWS Key Management Service (KMS) is a managed service that makes it easy to create and control cryptographic keys used to encrypt data across AWS services and applications.

Question 24

What are the two types of keys in AWS KMS?

Answer 24

Customer Master Keys (CMKs) and Data Keys. CMKs can be customer-managed or AWS-managed.

Question 25

What is a CMK (Customer Master Key)?

Answer 25

A CMK is a logical key in KMS used to encrypt and decrypt data keys and to control access to encrypted data.

Question 26

What is a Data Key in KMS?

Answer 26

A Data Key is a key generated by KMS to encrypt your data directly. It can be generated in plaintext or encrypted form by a CMK.

Question 27

What are the types of CMKs in AWS KMS?

Answer 27

1. AWS-managed CMKs: Automatically created and managed by AWS. 2. Customer-managed CMKs: Created, managed, and controlled by the customer. 3. AWS-owned CMKs: Used internally by AWS services; cannot be seen by customers.,

Question 28

Can CMKs be rotated automatically?

Answer 28

Yes, customer-managed CMKs can have automatic key rotation enabled, typically once per year

Question 29

What is the difference between symmetric and asymmetric CMKs?

Answer 29

Symmetric CMKs use a single key for encryption and decryption. Asymmetric CMKs use a key pair (public and private) for encryption/decryption or signing/verification.

Question 30

Which KMS key type supports digital signatures?

Answer 30

Asymmetric CMKs.

Question 31

What are the two main ways to use KMS for encryption?

Answer 31

1. Envelope Encryption: Data is encrypted with a Data Key . 2. Direct Encryption: Data is encrypted directly using a CMK (not recommended for large data)

Question 32

What is envelope encryption?

Answer 32

A method where a Data Key encrypts the data and the Data Key is encrypted with a CMK. It improves performance and security.

Question 33

Can you use KMS keys across different AWS regions?

Answer 33

No, CMKs are region-specific. You must create a key in each region where it is needed

Question 34

How does KMS control access to keys?

Answer 34

Through IAM policies, key policies, and optionally grants for temporary permissions

Question 35

What is the difference between an IAM policy and a KMS key policy?

Answer 35

IAM policy grants AWS identity permissions to perform KMS actions. Key policy is the primary mechanism for controlling who can use and manage a CMK and can override IAM permissions if strict.

Question 36

Can KMS be integrated with AWS CloudTrail?

Answer 36

Yes, KMS logs all key usage through CloudTrail for auditing

Question 37

You want to encrypt S3 objects using a KMS key you manage. Which option would you use?

Answer 37

SSE-KMS (Server-Side Encryption with KMS-managed keys).

Question 38

How do you ensure a KMS key can be automatically rotated each year?

Answer 38

Enable automatic key rotation for the customer-managed CMK.

Question 39

A Lambda function needs temporary access to encrypt data with a CMK. How can this be granted?

Answer 39

Use KMS grants or attach an IAM policy that allows the Lambda role to use the CMK.

Question 40

Can you immediately delete a CMK in KMS?

Answer 40

No, KMS requires a 7–30 day pending deletion period to prevent accidental deletion

Question 41

What happens if a CMK used to encrypt data is deleted?

Answer 41

Data encrypted with that key becomes irrecoverable once the CMK is fully deleted.

Question 42

Name 3 AWS services that integrate with KMS for encryption.

Answer 42

Amazon S3, Amazon EBS, Amazon RDS (also Lambda, Redshift, DynamoDB, etc.),KMS

Question 43

Which KMS encryption option is recommended for large datasets?

Answer 43

Envelope encryption using Data Keys and CMKs.