Security

Question 1

What does KMS stand for?

Answer 1

Key Management Service

Question 2

What is a KMS Key?

Answer 2

• A logical representation of a key
• A pointer to some underlying cryptographic material

Question 3

How large can data encrypted by KMS keys be?

Answer 3

Up to 4KB in size

Question 4

What is the pricing structure for KMS?

Answer 4

You pay per API call

Question 5

What are the three types of KMS Keys? What are the major differences between them?

Answer 5

• AWS Managed KMS Keys - (default) Only used by your service
• Customer Managed KMS Keys - Allow for key rotation
• AWS Owned KMS Keys - (rare) Used by AWS on a shared basis across many accounts

Question 6

What is the important conceptual difference between Symmetric KMS Keys and Asymmetric KMS Keys?

Answer 6

• Symmetric KMS Keys use the same key for encryption and decryption
• Asymmetric KMS Keys use a mathematically related public/private key pair

Question 7

What is the encryption algorithm used for Symmetric KMS Keys?

Answer 7

AES-256

Question 8

What is the encryption algorithm used for asymmetric KMS Keys?

Answer 8

RSA and/or Elliptic-Curve Cryptography

Question 9

What does ECC stand for (NOT the same as EC2)?

Answer 9

Elliptic-Curve Cryptography

Question 10

By default, what permissions are granted to a newly-created KMS Key?

Answer 10

full access to the KMS Key

Question 11

Suppose you edit a KMS Key’s access permissions such that you (the root user), no longer have access to the KMS Key. How do you regain access to the KMS Key?

Answer 11

You’ll have to contact AWS support

Question 12

What does SSM stand for?

Answer 12

AWS Systems Mananger

Question 13

What is AWS Parameter Store?

Answer 13

Secure, serverless storage for configuration and secrets

_{(Idea: Separate Data from Source Control)}

Question 14

How is data stored in AWS Parameter Store?

Answer 14

Data is stored hierarchically in trees

Question 15

How deep can an AWS Parameter Store tree go?

Answer 15

Up to 15 levels deep

Question 16

What is the pricing structure for Systems Manager Parameter Store?

Answer 16

There is no additional cost

_{(There is a limit on the number of parameters you can store)}

Question 17

What is the pricing structure for Secrets Manager?

Answer 17

You are charged per secret stored and per 10,000 API Request Calls

Question 18

What are the big benefits for Secrets Manager over Systems Manager Parameter Store?

Answer 18

With Secrets Manager, you can

• automatically rotate secrets
• generate random secrets

Question 19

What does DDoS stand for?

Answer 19

Distributed Denial-of-Service

Question 20

At a high level, what does AWS Shield do?

Answer 20

It protects against DDoS attacks

Question 21

What is the pricing structure for AWS Shield Standard?

Answer 21

Automatically enabled for all customers at no additional cost

Question 22

What type of attacks can AWS Shield Standard help guard against?

Answer 22

common layer 3 and layer 4 attacks

• SYN/UDP floods
• Reflection attacks

Question 23

Can KMS keys be used in a region different from the one in which they were created?

Answer 23

No

_{Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region​.}

_{(Source: https://aws.amazon.com/kms/faqs/#:~:text=Keys%20generated%20by%20AWS%20KMS,be%20transferred%20to%20another%20region.)}