AWS Certification: KMS Questions

AWS Key Management Service (KMS)

Overview
AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

1. A company is using a Redshift cluster to store their data warehouse. There is a requirement from the Internal IT Security team to encrypt data for the Redshift database. How can this be achieved?

A. Encrypt the EBS volumes of the underlying EC2 Instances.

B. Use AWS KMS Customer Default master key.

C. Use SSL/TLS for encrypting the data.

D. Use S3 Encryption.

Answer

B. Use AWS KMS Customer Default master key.

Amazon Redshift uses a hierarchy of encryption keys to encrypt the database. You can use either AWS Key Management Service (AWS KMS) or a hardware security module (HSM) to manage the top-level encryption keys in this hierarchy. The process that Amazon Redshift uses for encryption differs depending on how you manage keys.

For more information on Redshift encryption, please visit the following URL:

https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-db-encryption.html


2. A customer wants to create a stream of EBS Volumes in AWS. The data on the volume is required to be encrypted at rest. How can this be achieved?

A. Create an SSL Certificate and attach it to the EBS Volume.

B. Use KMS to generate encryption keys which can be used to encrypt the volume.

C. Use CloudFront in front of the EBS Volume to encrypt all requests.

D. Use EBS Snapshots to encrypt the requests.

Answer

B. Use KMS to generate encryption keys which can be used to encrypt the volume.

For more information on using KMS, please refer to the below URL:

https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html

Option A is incorrect since SSL/TLS only encrypts data in transit, not at rest.

Option C is incorrect because it also does not help in encrypting the data at rest.

Option D is incorrect because the snapshot of an unencrypted volume is also unencrypted.


3. The security policy of an organization requires an application to encrypt data before writing to the disk. Which solution should the organization use to meet this requirement?

A. AWS KMS API

B. AWS Certificate Manager

C. API Gateway with STS

D. IAM Access Key

Answer

A. AWS KMS API

Option B is incorrect – The AWS Certificate Manager can be used to generate SSL certificates to encrypt traffic in transit, but not at rest.

Option C is incorrect – It is used for issuing tokens while using the API gateway for traffic in transit.

Option D is incorrect – It is used for secure access to EC2 Instances.

AWS Documentation mentions the following on AWS KMS:

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage.

For more information on AWS KMS, please visit the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/overview.html


4. Your IT Security department has mandated that all data on EBS volumes created for underlying EC2 Instances needs to be encrypted. Which of the following can help achieve this?

A. AWS KMS

B. AWS Certificate Manager

C. API Gateway with STS

D. IAM Access Key

Answer

A. AWS KMS

Option B is incorrect – The AWS Certificate Manager can be used to generate SSL certificates used to encrypt traffic in transit, but not at rest.

Option C is incorrect – This is used for issuing tokens when using the API gateway for traffic in transit.

Option D is incorrect – This is used for secure access to EC2 Instances.

The AWS Documentation mentions the following on AWS KMS:

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. AWS KMS is integrated with other AWS services including Amazon Elastic Block Store (Amazon EBS), Amazon Simple Storage Service (Amazon S3), Amazon Redshift, Amazon Elastic Transcoder, Amazon WorkMail, Amazon Relational Database Service (Amazon RDS), and others to make it simple to encrypt your data with encryption keys that you manage.

For more information on AWS KMS, please visit the following URL:

https://docs.aws.amazon.com/kms/latest/developerguide/overview.html