AWS Key Management Store (KMS) Quiz
144 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

Which of the following is NOT a characteristic of an AWS KMS key?

  • It can be exported from KMS. (correct)
  • It can encrypt data up to 4KB in size.
  • It includes metadata such as the key ID, creation date, description, and key state.
  • It can be used to generate, encrypt, and decrypt Data Encryption Keys (DEKs).
  • What type of KMS key is managed by AWS and cannot be rotated or have its key policies changed by the user?

  • Symmetric KMS Keys
  • AWS Managed KMS Keys (correct)
  • Customer Managed KMS Keys
  • Asymmetric KMS Keys
  • What is the maximum data size that a KMS key can encrypt?

  • 16KB
  • 1MB
  • 1KB
  • 4KB (correct)
  • Which of the following is a valid way to manage a Customer Managed KMS key?

    <p>Creating an alias for the KMS key.</p> Signup and view all the answers

    What is the primary difference between Symmetric and Asymmetric KMS keys?

    <p>Symmetric KMS keys use a single key for both encryption and decryption, while Asymmetric KMS keys use separate keys for encryption and decryption.</p> Signup and view all the answers

    Which of the following is NOT a benefit of using AWS KMS?

    <p>Ability to export KMS keys for use in external applications.</p> Signup and view all the answers

    What happens to a Customer Managed KMS key when the AWS account it's associated with is deleted?

    <p>The key is automatically deleted.</p> Signup and view all the answers

    Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in KMS?

    <p>DEKs are used to encrypt data that is then encrypted again using a KMS key.</p> Signup and view all the answers

    What is the maximum number of KMS keys you can create per account per region?

    <p>1000</p> Signup and view all the answers

    What is the default waiting period for deleting a KMS key?

    <p>30 days</p> Signup and view all the answers

    What is the purpose of the 'aws kms encrypt' API?

    <p>To encrypt data using a KMS key</p> Signup and view all the answers

    Which of these is NOT an AWS KMS API mentioned in the content?

    <p>aws kms get-key-policy</p> Signup and view all the answers

    What method does AWS KMS use to encrypt data in AWS services and client-side toolkits?

    <p>Envelope encryption</p> Signup and view all the answers

    What is the purpose of the 'aws kms generate-data-key-without-plaintext' API?

    <p>To generate a data key without its plaintext</p> Signup and view all the answers

    What is the primary limitation of AWS managed KMS keys regarding their usage?

    <p>You cannot use them directly in cryptographic operations.</p> Signup and view all the answers

    What is a unique characteristic of AWS owned KMS keys?

    <p>They are owned and managed by AWS services.</p> Signup and view all the answers

    How does AWS KMS handle data encryption keys?

    <p>It must be used to manage data encryption keys outside of its service.</p> Signup and view all the answers

    What is the purpose of the GenerateDataKey API in AWS KMS?

    <p>To create a data encryption key using a KMS key.</p> Signup and view all the answers

    What best defines a custom key store in AWS KMS?

    <p>A feature that integrates AWS CloudHSM with KMS for key management.</p> Signup and view all the answers

    What happens to requests made for decrypting data keys under KMS?

    <p>They are logged in AWS CloudTrail for tracking.</p> Signup and view all the answers

    Which of the following is not a function of AWS KMS?

    <p>Performing encryption in transit.</p> Signup and view all the answers

    What is a key management function that KMS supports?

    <p>Setting usage policies on KMS keys.</p> Signup and view all the answers

    Why are AWS KMS keys regional?

    <p>Because each key is restricted to specific AWS regions.</p> Signup and view all the answers

    Which statement about data keys generated by AWS KMS is correct?

    <p>They are encrypted and stored as part of the data they protect.</p> Signup and view all the answers

    What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?

    <p>7 days</p> Signup and view all the answers

    What is the purpose of GenerateDataKeyWithoutPlaintext API in AWS KMS?

    <p>To generate a data key without plaintext</p> Signup and view all the answers

    What is the maximum number of master keys that can be created per account per region in AWS KMS?

    <p>1000</p> Signup and view all the answers

    What is the purpose of Enable-key-rotation API in AWS KMS?

    <p>To enable key rotation</p> Signup and view all the answers

    What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?

    <p>Envelope encryption</p> Signup and view all the answers

    What happens to a scheduled key deletion in AWS KMS during the waiting period?

    <p>It can be cancelled</p> Signup and view all the answers

    What can be done with a Customer Managed KMS key?

    <p>Its key policies can be modified.</p> Signup and view all the answers

    Which statement accurately describes the key material of a KMS key?

    <p>Key material is created by AWS KMS by default.</p> Signup and view all the answers

    Which of the following is a limitation of AWS KMS regarding KMS keys?

    <p>KMS keys can encrypt data only up to 4KB.</p> Signup and view all the answers

    What is true about the permissions associated with Customer Managed KMS keys?

    <p>They can have IAM policies that restrict their usage.</p> Signup and view all the answers

    What distinguishes AWS Managed KMS keys from Customer Managed KMS keys?

    <p>Customer Managed KMS keys are created by user discretion.</p> Signup and view all the answers

    Which statement is NOT true regarding AWS KMS keys?

    <p>AWS KMS keys can be reused across different regions without restriction.</p> Signup and view all the answers

    What are KMS keys primarily used for within AWS KMS?

    <p>To encrypt and decrypt data.</p> Signup and view all the answers

    How does AWS KMS handle the exporting of KMS keys?

    <p>KMS keys cannot be exported at all.</p> Signup and view all the answers

    What governs the use and access of AWS KMS keys?

    <p>IAM roles and policies</p> Signup and view all the answers

    Which statement about AWS owned KMS keys is accurate?

    <p>They remain fully under the control of AWS services.</p> Signup and view all the answers

    What happens to Data Encryption Keys (DEKs) managed by AWS KMS?

    <p>They must be managed outside of AWS KMS.</p> Signup and view all the answers

    For which scenario is a Custom Key Store in AWS KMS specifically designed?

    <p>To store master keys in HSMs securely</p> Signup and view all the answers

    Which statement correctly describes the fees associated with AWS managed KMS keys?

    <p>Usage can incur fees depending on the service.</p> Signup and view all the answers

    How are requests to use master keys logged in AWS KMS?

    <p>In AWS CloudTrail</p> Signup and view all the answers

    In what context can AWS KMS keys not be used directly by users?

    <p>In cryptographic operations directly</p> Signup and view all the answers

    What does the GenerateDataKey API do in AWS KMS?

    <p>Generates a data key using a KMS key</p> Signup and view all the answers

    Which type of keys requires you to have CloudHSM resources to use custom key stores?

    <p>Custom KMS keys</p> Signup and view all the answers

    What is a unique feature of KMS compared to AWS Secrets Manager?

    <p>KMS is designed specifically for encryption key management.</p> Signup and view all the answers

    What is the purpose of scheduling a customer master key for deletion?

    <p>To verify the impact of deleting a key on applications and users</p> Signup and view all the answers

    Which API is used to generate a data key that is used to encrypt data?

    <p>aws kms generate-data-key</p> Signup and view all the answers

    What is the limit on the number of KMS keys that can be created per account per region?

    <p>1000</p> Signup and view all the answers

    What happens to a scheduled key deletion during the waiting period?

    <p>The key deletion can be cancelled</p> Signup and view all the answers

    What is the primary method used by AWS KMS to encrypt data in AWS services and client-side toolkits?

    <p>Envelope encryption</p> Signup and view all the answers

    What is the minimum waiting period for deleting a customer master key and associated metadata?

    <p>7 days</p> Signup and view all the answers

    Which of these statements accurately describes the use of AWS managed KMS keys?

    <p>They are managed by AWS services on behalf of users.</p> Signup and view all the answers

    What is the primary purpose of Data Encryption Keys (DEKs) in AWS KMS?

    <p>To encrypt and decrypt data directly.</p> Signup and view all the answers

    Which of the following accurately describes the role of AWS CloudHSM in AWS KMS?

    <p>It is an optional service that can be used for storing and managing keys.</p> Signup and view all the answers

    Which of the following is a feature of AWS KMS that allows for increased control over key management?

    <p>The ability to create and manage KMS keys in an AWS CloudHSM cluster.</p> Signup and view all the answers

    How does AWS KMS ensure the security of master keys stored in a custom key store?

    <p>The master keys are never stored in plaintext and all operations are performed within the HSMs.</p> Signup and view all the answers

    Which statement accurately describes the interaction between AWS KMS and AWS services when decrypting data?

    <p>AWS services request AWS KMS to decrypt the data key using the master key.</p> Signup and view all the answers

    What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?

    <p>AWS managed keys are controlled by AWS services, while Customer Managed keys are managed by users.</p> Signup and view all the answers

    Which of the following actions can be performed on a Customer Managed KMS key?

    <p>Changing the key policy to grant permissions to specific users or roles.</p> Signup and view all the answers

    What is a key management function that KMS supports?

    <p>Managing and rotating master keys.</p> Signup and view all the answers

    Which of the following statements accurately describes the fees associated with AWS managed KMS keys?

    <p>Users are not charged for AWS managed KMS keys unless they exceed the free tier limits.</p> Signup and view all the answers

    What is a distinguishing characteristic of Customer Managed KMS keys compared to AWS Managed KMS keys?

    <p>Customer Managed KMS keys allow you to control their key policies, IAM policies, and grants.</p> Signup and view all the answers

    What is a key limitation of AWS Managed KMS keys?

    <p>They cannot be rotated or have their key policies changed.</p> Signup and view all the answers

    What is a primary function of a KMS key in AWS KMS?

    <p>To encrypt and decrypt data, both directly and through Data Encryption Keys (DEKs).</p> Signup and view all the answers

    What is the maximum size of data that a KMS key can encrypt directly?

    <p>4 KB</p> Signup and view all the answers

    Which of the following is a key distinction between symmetric and asymmetric KMS keys?

    <p>Symmetric KMS keys use the same key for encryption and decryption, while asymmetric KMS keys use separate keys.</p> Signup and view all the answers

    What is the role of Data Encryption Keys (DEKs) in AWS KMS?

    <p>DEKs are used to encrypt data, which is then encrypted again using the KMS key.</p> Signup and view all the answers

    Which of the following is NOT a valid way to manage a Customer Managed KMS key?

    <p>Changing the key policy of an AWS Managed KMS key.</p> Signup and view all the answers

    What is the primary purpose of the GenerateDataKey API in AWS KMS?

    <p>To generate a Data Encryption Key (DEK) that can be used to encrypt data.</p> Signup and view all the answers

    What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?

    <p>7 days</p> Signup and view all the answers

    What is the purpose of the 'aws kms re-encrypt' API?

    <p>To update the key material for a master key</p> Signup and view all the answers

    What happens to a scheduled key deletion in AWS KMS during the waiting period?

    <p>The key deletion can be cancelled</p> Signup and view all the answers

    What is the advantage of using envelope encryption with AWS KMS?

    <p>It generates data keys that can be used to encrypt data</p> Signup and view all the answers

    What is the limit on the number of data keys that can be derived using a master key and used in your application?

    <p>Unlimited</p> Signup and view all the answers

    What happens to AWS managed master keys created on your behalf for use within supported AWS services?

    <p>They do not count against the KMS key limit</p> Signup and view all the answers

    What crucial element does a KMS key contain for encrypting and decrypting data?

    <p>Key material</p> Signup and view all the answers

    Which action is NOT allowed with AWS Managed KMS keys?

    <p>Rotate key policies</p> Signup and view all the answers

    What happens to the private keys of asymmetric KMS keys in AWS KMS?

    <p>They remain encrypted within AWS KMS.</p> Signup and view all the answers

    Which of the following statements is true about Customer Managed KMS keys?

    <p>They incur fees for monthly usage and excess usage.</p> Signup and view all the answers

    How many bytes can a KMS key encrypt at most for a single operation?

    <p>4096 bytes</p> Signup and view all the answers

    Which of the following is a feature of Customer Managed KMS keys?

    <p>They allow the creation of aliases referring to the key.</p> Signup and view all the answers

    What is a key characteristic of AWS KMS keys regarding their exportation?

    <p>They can never be exported out of KMS.</p> Signup and view all the answers

    Which statement best describes the differences in management between AWS Managed KMS keys and Customer Managed KMS keys?

    <p>Customer Managed KMS keys allow for rotation and management.</p> Signup and view all the answers

    What is a characteristic of AWS owned KMS keys?

    <p>They are owned and managed by AWS services.</p> Signup and view all the answers

    What must a user do with data encryption keys once they are generated?

    <p>Manage and use these keys outside of AWS KMS.</p> Signup and view all the answers

    How does AWS KMS handle logging of key usage?

    <p>All requests to use master keys are logged in AWS CloudTrail.</p> Signup and view all the answers

    What is the role of the GenerateDataKey API in AWS KMS?

    <p>To create a data encryption key using a KMS key.</p> Signup and view all the answers

    In which scenario are data encryption keys typically used?

    <p>To encrypt large amounts of data and other encryption keys.</p> Signup and view all the answers

    Which statement about AWS KMS keys is true?

    <p>KMS supports both symmetric and asymmetric key types.</p> Signup and view all the answers

    What is a unique feature of a Custom Key Store in AWS KMS?

    <p>Key material never leaves the HSMs in plaintext.</p> Signup and view all the answers

    How are the fees structured for AWS managed KMS keys?

    <p>Fees are incurred only when keys are actively used beyond the free tier.</p> Signup and view all the answers

    What governs the access and management of keys in AWS KMS?

    <p>IAM users and roles.</p> Signup and view all the answers

    Which statement about the AWS Key Management Service (KMS) is accurate?

    <p>KMS operations involving keys are logged for auditing purposes.</p> Signup and view all the answers

    What is the minimum waiting period for deleting a customer master key and associated metadata in AWS KMS?

    <p>7 days</p> Signup and view all the answers

    What is the purpose of the 'aws kms re-encrypt' API?

    <p>To re-encrypt data keys with a new master key</p> Signup and view all the answers

    What is the limit on the number of data keys that can be derived using a master key and used in your application or by AWS services?

    <p>No limit</p> Signup and view all the answers

    What happens to a scheduled key deletion in AWS KMS during the waiting period?

    <p>The key can be cancelled during the waiting period</p> Signup and view all the answers

    What is the method used by AWS KMS to encrypt data in AWS services and client-side toolkits?

    <p>Envelope encryption</p> Signup and view all the answers

    What counts towards the limit of 1000 KMS keys per account per region?

    <p>Both enabled and disabled keys</p> Signup and view all the answers

    Which of the following statements accurately describes the role of Data Encryption Keys (DEKs) in AWS KMS?

    <p>DEKs are used to encrypt data that is then further encrypted using the KMS key.</p> Signup and view all the answers

    Which of these options accurately describes the distinction between Customer Managed KMS keys and AWS Managed KMS keys?

    <p>Customer Managed KMS keys are managed by the user, while AWS Managed KMS keys are managed by AWS services.</p> Signup and view all the answers

    Which of the following is NOT a valid way to manage a Customer Managed KMS key?

    <p>Exporting the key material for use outside of AWS.</p> Signup and view all the answers

    What is a unique characteristic of AWS owned KMS keys?

    <p>They are managed by AWS services and cannot be rotated or have their key policies changed by the user.</p> Signup and view all the answers

    Which of the following statements accurately describes the key material of a KMS key?

    <p>The key material is used to encrypt and decrypt DEKs.</p> Signup and view all the answers

    Which of the following is NOT a function of AWS KMS?

    <p>Providing a solution for storing and managing passwords.</p> Signup and view all the answers

    Which statement is NOT true regarding AWS KMS keys?

    <p>AWS KMS keys can be exported for use outside of AWS.</p> Signup and view all the answers

    What is the purpose of scheduling a customer master key for deletion?

    <p>To initiate a process that will permanently delete the key and its associated metadata after a waiting period.</p> Signup and view all the answers

    Which of these statements accurately describes the handling of data encryption keys (DEKs) by AWS KMS?

    <p>AWS KMS generates, encrypts, and decrypts DEKs, but does not store or manage them.</p> Signup and view all the answers

    Which of the following statements is TRUE regarding AWS managed KMS keys?

    <p>AWS managed KMS keys can be subject to fees for excessive usage, but some AWS services may cover these costs.</p> Signup and view all the answers

    How does AWS KMS handle the encryption and decryption of data in AWS services?

    <p>AWS services encrypt data using DEKs, and KMS encrypts the DEK using the master key and stores both securely.</p> Signup and view all the answers

    What is the primary difference between AWS managed KMS keys and Customer Managed KMS keys?

    <p>AWS managed KMS keys are owned and managed by AWS, while Customer Managed KMS keys are managed by users in their AWS account.</p> Signup and view all the answers

    What is the primary purpose of the GenerateDataKey API in AWS KMS?

    <p>To create and manage data encryption keys (DEKs) for encrypting data.</p> Signup and view all the answers

    What is the purpose of the 'aws kms enable-key-rotation' API?

    <p>To enable automatic key rotation for a KMS key.</p> Signup and view all the answers

    Why are AWS KMS keys regional?

    <p>To ensure data locality and compliance with regional regulations.</p> Signup and view all the answers

    Which of the following is NOT a feature of the AWS KMS custom key store?

    <p>It allows you to manage AWS owned KMS keys directly within your custom key store.</p> Signup and view all the answers

    What is the primary difference between AWS KMS and Secrets Manager?

    <p>AWS KMS is primarily used for encrypting data at rest, while Secrets Manager is designed for storing and managing sensitive data such as passwords and API keys.</p> Signup and view all the answers

    Which of the following is TRUE about AWS owned KMS keys?

    <p>AWS owned KMS keys are used to encrypt and decrypt data within a specific AWS service and cannot be accessed directly.</p> Signup and view all the answers

    When scheduling a customer master key for deletion, what is the minimum waiting period that can be configured?

    <p>7 days</p> Signup and view all the answers

    Which API is used to encrypt data using a data key generated by AWS KMS?

    <p>aws kms encrypt</p> Signup and view all the answers

    Which of the following statements accurately describes the purpose of AWS KMS Envelope Encryption?

    <p>Data keys are used to encrypt data, and those data keys are then encrypted using master keys.</p> Signup and view all the answers

    What is the maximum number of KMS keys that can be created per account per region?

    <p>1000</p> Signup and view all the answers

    What is the primary purpose of the Enable-key-rotation API in AWS KMS?

    <p>To enable automatic rotation of the key material for a KMS key.</p> Signup and view all the answers

    Which statement accurately describes the relationship between AWS managed master keys and the KMS key limit?

    <p>AWS managed master keys do not count towards the KMS key limit.</p> Signup and view all the answers

    Which of these statements about AWS Managed KMS keys is TRUE?

    <p>They are created, managed, and used on your behalf by an AWS service integrated with KMS.</p> Signup and view all the answers

    What is the maximum data size a KMS key can encrypt?

    <p>4KB</p> Signup and view all the answers

    Which of these actions can be performed on a Customer Managed KMS key?

    <p>Schedule a KMS key for deletion without actually deleting it.</p> Signup and view all the answers

    What is the primary difference between Symmetric and Asymmetric KMS keys?

    <p>Symmetric keys use the same key for encryption and decryption, while asymmetric keys use different keys for encryption and decryption.</p> Signup and view all the answers

    What is the purpose of a Data Encryption Key (DEK)?

    <p>To directly encrypt and decrypt user data.</p> Signup and view all the answers

    What is NOT a function of AWS KMS?

    <p>Exporting KMS keys to external systems.</p> Signup and view all the answers

    Which of the following is TRUE about the cryptographic material of a KMS key?

    <p>It is stored in an encrypted form within the KMS service, and it never leaves AWS KMS unencrypted.</p> Signup and view all the answers

    Which of the following scenarios is specifically designed for the use of a Custom Key Store in AWS KMS?

    <p>Using a hardware security module (HSM) for storing sensitive key material.</p> Signup and view all the answers

    Which of these options are the true statements about AWS owned KMS keys?

    <p>AWS owned KMS keys are owned and managed by AWS.</p> Signup and view all the answers

    What happens to a data key after it is generated using the GenerateDataKey API in KMS?

    <p>It is stored in a secure location outside of AWS KMS, and the user is responsible for managing and tracking it.</p> Signup and view all the answers

    What is a primary benefit of using a Custom Key Store in AWS KMS?

    <p>It allows you to store KMS master keys in your own CloudHSM cluster, enhancing security and control.</p> Signup and view all the answers

    Which of these is a key management function that AWS KMS does NOT allow?

    <p>Directly managing the cryptographic operations with data encryption keys.</p> Signup and view all the answers

    What is the primary purpose of AWS KMS?

    <p>To manage and control the encryption keys used for protecting data at rest.</p> Signup and view all the answers

    Which of the following is TRUE about master keys in a Custom Key Store?

    <p>They are never exported from the CloudHSM cluster.</p> Signup and view all the answers

    How does KMS ensure that the appropriate users can access and use master keys?

    <p>By assigning specific permissions to IAM users and roles.</p> Signup and view all the answers

    How does KMS ensure that data can be decrypted by authorized users?

    <p>KMS grants temporary permissions to users to decrypt data based on the master key policy.</p> Signup and view all the answers

    Which of the following statements is TRUE about AWS KMS key material?

    <p>It can be stored in both symmetric and asymmetric forms.</p> Signup and view all the answers

    What is the main purpose of the Enable-key-rotation API in KMS?

    <p>To automatically rotate KMS keys on a regular basis.</p> Signup and view all the answers

    Study Notes

    AWS Key Management Store (KMS)

    • AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
    • Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

    KMS Keys

    • KMS keys consist of metadata including key ID, creation date, description, and key state.
    • Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
    • A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

    Key Types

    • Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
    • AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
    • AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

    Data Encryption Keys

    • Data keys are used for encrypting large amounts of data and other data encryption keys.
    • AWS KMS does not store or manage these data keys; they must be handled externally.
    • The GenerateDataKey API creates data encryption keys using KMS keys.

    KMS Functionality

    • Utilizes hardware security modules (HSMs) for protecting KMS keys.
    • Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
    • All requests to master keys are logged in AWS CloudTrail for tracking usage.

    Key Management and Policies

    • Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
    • KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
    • Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

    Custom Key Store

    • Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
    • Ensures keys remain secure and in plaintext only within HSMs.

    Key Deletion

    • Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
    • Default waiting period is 30 days, and deletion can be canceled during this time.

    Important APIs

    • Encrypt and Decrypt for encrypting/decrypting data.
    • Re-encrypt for changing the encryption key used.
    • GenerateDataKey for creating a data encryption key.

    KMS Envelope Encryption

    • Integrates with AWS clients using envelope encryption for better data security.
    • Data keys are encrypted using master keys through KMS to secure the data itself.

    Limits and Recommendations

    • Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
    • It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
    • There are no restrictions on the number of data keys that can be generated from master keys.

    AWS Key Management Store (KMS)

    • AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
    • Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

    KMS Keys

    • KMS keys consist of metadata including key ID, creation date, description, and key state.
    • Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
    • A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

    Key Types

    • Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
    • AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
    • AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

    Data Encryption Keys

    • Data keys are used for encrypting large amounts of data and other data encryption keys.
    • AWS KMS does not store or manage these data keys; they must be handled externally.
    • The GenerateDataKey API creates data encryption keys using KMS keys.

    KMS Functionality

    • Utilizes hardware security modules (HSMs) for protecting KMS keys.
    • Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
    • All requests to master keys are logged in AWS CloudTrail for tracking usage.

    Key Management and Policies

    • Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
    • KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
    • Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

    Custom Key Store

    • Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
    • Ensures keys remain secure and in plaintext only within HSMs.

    Key Deletion

    • Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
    • Default waiting period is 30 days, and deletion can be canceled during this time.

    Important APIs

    • Encrypt and Decrypt for encrypting/decrypting data.
    • Re-encrypt for changing the encryption key used.
    • GenerateDataKey for creating a data encryption key.

    KMS Envelope Encryption

    • Integrates with AWS clients using envelope encryption for better data security.
    • Data keys are encrypted using master keys through KMS to secure the data itself.

    Limits and Recommendations

    • Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
    • It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
    • There are no restrictions on the number of data keys that can be generated from master keys.

    AWS Key Management Store (KMS)

    • AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
    • Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

    KMS Keys

    • KMS keys consist of metadata including key ID, creation date, description, and key state.
    • Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
    • A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

    Key Types

    • Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
    • AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
    • AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

    Data Encryption Keys

    • Data keys are used for encrypting large amounts of data and other data encryption keys.
    • AWS KMS does not store or manage these data keys; they must be handled externally.
    • The GenerateDataKey API creates data encryption keys using KMS keys.

    KMS Functionality

    • Utilizes hardware security modules (HSMs) for protecting KMS keys.
    • Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
    • All requests to master keys are logged in AWS CloudTrail for tracking usage.

    Key Management and Policies

    • Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
    • KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
    • Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

    Custom Key Store

    • Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
    • Ensures keys remain secure and in plaintext only within HSMs.

    Key Deletion

    • Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
    • Default waiting period is 30 days, and deletion can be canceled during this time.

    Important APIs

    • Encrypt and Decrypt for encrypting/decrypting data.
    • Re-encrypt for changing the encryption key used.
    • GenerateDataKey for creating a data encryption key.

    KMS Envelope Encryption

    • Integrates with AWS clients using envelope encryption for better data security.
    • Data keys are encrypted using master keys through KMS to secure the data itself.

    Limits and Recommendations

    • Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
    • It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
    • There are no restrictions on the number of data keys that can be generated from master keys.

    AWS Key Management Store (KMS)

    • AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
    • Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

    KMS Keys

    • KMS keys consist of metadata including key ID, creation date, description, and key state.
    • Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
    • A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

    Key Types

    • Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
    • AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
    • AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

    Data Encryption Keys

    • Data keys are used for encrypting large amounts of data and other data encryption keys.
    • AWS KMS does not store or manage these data keys; they must be handled externally.
    • The GenerateDataKey API creates data encryption keys using KMS keys.

    KMS Functionality

    • Utilizes hardware security modules (HSMs) for protecting KMS keys.
    • Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
    • All requests to master keys are logged in AWS CloudTrail for tracking usage.

    Key Management and Policies

    • Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
    • KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
    • Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

    Custom Key Store

    • Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
    • Ensures keys remain secure and in plaintext only within HSMs.

    Key Deletion

    • Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
    • Default waiting period is 30 days, and deletion can be canceled during this time.

    Important APIs

    • Encrypt and Decrypt for encrypting/decrypting data.
    • Re-encrypt for changing the encryption key used.
    • GenerateDataKey for creating a data encryption key.

    KMS Envelope Encryption

    • Integrates with AWS clients using envelope encryption for better data security.
    • Data keys are encrypted using master keys through KMS to secure the data itself.

    Limits and Recommendations

    • Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
    • It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
    • There are no restrictions on the number of data keys that can be generated from master keys.

    AWS Key Management Store (KMS)

    • AWS KMS is a managed service for encrypting data, providing key storage, management, and auditing.
    • Centrally manages and securely stores AWS KMS keys, previously known as customer master keys (CMKs).

    KMS Keys

    • KMS keys consist of metadata including key ID, creation date, description, and key state.
    • Supports both symmetric and asymmetric keys, with symmetric keys remaining encrypted within AWS KMS.
    • A KMS key can encrypt data up to 4KB and is unable to be exported from KMS.

    Key Types

    • Customer Managed KMS keys: Created and managed within user accounts; users have complete control and incur monthly fees.
    • AWS Managed KMS keys: Created and managed by integrated AWS services; users cannot modify them and incur no monthly fees, but charges may apply for excessive use.
    • AWS Owned KMS keys: Managed by AWS services, invisible to users; no fees are associated, and they don’t count against account limits.

    Data Encryption Keys

    • Data keys are used for encrypting large amounts of data and other data encryption keys.
    • AWS KMS does not store or manage these data keys; they must be handled externally.
    • The GenerateDataKey API creates data encryption keys using KMS keys.

    KMS Functionality

    • Utilizes hardware security modules (HSMs) for protecting KMS keys.
    • Integrates seamlessly with various AWS services, such as Lambda, S3, EBS, DynamoDB, and SQS.
    • All requests to master keys are logged in AWS CloudTrail for tracking usage.

    Key Management and Policies

    • Users determine usage policies for KMS keys to specify which users can encrypt/decrypt data.
    • KMS supports both symmetric and asymmetric keys but is limited to encryption at rest (not in transit).
    • Key management functions include creating, enabling, disabling keys, and deleting them after a configurable waiting period.

    Custom Key Store

    • Combines AWS CloudHSM controls with AWS KMS ease of use, allowing users to generate key material within a CloudHSM cluster.
    • Ensures keys remain secure and in plaintext only within HSMs.

    Key Deletion

    • Users can schedule deletion of customer master keys with a waiting period of 7 to 30 days, allowing assessment of impact before permanent deletion.
    • Default waiting period is 30 days, and deletion can be canceled during this time.

    Important APIs

    • Encrypt and Decrypt for encrypting/decrypting data.
    • Re-encrypt for changing the encryption key used.
    • GenerateDataKey for creating a data encryption key.

    KMS Envelope Encryption

    • Integrates with AWS clients using envelope encryption for better data security.
    • Data keys are encrypted using master keys through KMS to secure the data itself.

    Limits and Recommendations

    • Up to 1000 KMS keys can be created per account per region, including both enabled and disabled keys.
    • It’s advisable to delete disabled keys no longer in use to manage limits efficiently.
    • There are no restrictions on the number of data keys that can be generated from master keys.

    AWS Key Management Store (KMS)

    • AWS KMS is a managed service for data encryption and key management.
    • Provides a reliable storage, management, and auditing solution for encryption across AWS services.
    • Centrally manages and securely stores encryption keys, known as AWS KMS keys.

    KMS Key Composition

    • A KMS key includes metadata such as key ID, creation date, description, and key state.
    • Contains key material used for encryption and decryption of data.
    • Supports symmetric and asymmetric KMS keys.
    • Key material remains encrypted within AWS KMS, ensuring security.

    Types of KMS Keys

    • Customer Managed KMS Keys:
      • Created and managed by the customer.
      • Allows full control over key policies, IAM policies, and grants.
      • Incur fees for creation and usage beyond the free tier.
    • AWS Managed KMS Keys:
      • Created and managed by AWS services for the customer's account.
      • Limited control over rotation and key policies.
      • No monthly fee for these keys.
    • AWS Owned KMS Keys:
      • Owned by AWS services for use across multiple accounts.
      • No visibility or management required by the customer.
      • No fees associated with these keys.

    Data Encryption Keys (DEKs)

    • Used for encrypting larger datasets and other data encryption keys.
    • Generated, encrypted, and decrypted using AWS KMS keys.
    • Managed outside of AWS KMS; KMS doesn't store or track these keys.

    Key Management Capabilities

    • Usage policies determine which users can perform encryption and decryption.
    • KMS keys can be generated within KMS or imported from external infrastructure.
    • Encrypted data must be handled within HSMs in certified environments.

    KMS Integration and Compliance

    • Works with various AWS services including Lambda, S3, EBS, EFS, DynamoDB, and SQS.
    • Requests for master key usage are logged via AWS CloudTrail for auditing.
    • Validated by compliance standards such as PCI DSS Level 1 and FIPS 140-2 Level 2.
    • Specifically designed for encryption key management, distinct from Secrets Manager.

    Key Deletion and Management

    • Keys can be scheduled for deletion with a waiting period of 7 to 30 days, defaulting to 30 days.
    • Deletion can be canceled during the waiting period to assess impact on applications.

    APIs for KMS Operations

    • Key APIs include:
      • Encrypt: Encrypt data.
      • Decrypt: Decrypt data.
      • Re-encrypt: Change encryption without intervention.
      • Enable-key-rotation: Automatically rotate keys.
      • GenerateDataKey: Create a data encryption key.

    KMS Limits

    • Maximum of 1000 KMS keys per account per region, including enabled and disabled keys.
    • No limits on the number of data keys derivable from a master key.
    • Identify and delete unused disabled keys to manage limits effectively.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Description

    Test your knowledge of AWS Key Management Store (KMS), a managed service for encrypting data, managing and storing keys, and controlling encryption across AWS services.

    More Like This

    Use Quizgecko on...
    Browser
    Browser