Data Protection & Encryption on AWS (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards
| Front | Back |
| --- | --- |
| Can KMS auto-rotate asymmetric keys? | No. Automatic rotation is not supported for asymmetric CMKs; only symmetric CMKs support automatic rotation. |
| Can RDS snapshots be shared if encrypted? | Encrypted RDS snapshots cannot be shared publicly; sharing requires sharing the CMK with the target account or using export. |
| How do key policies relate to IAM policies? | Key policies are the primary control for CMKs. IAM policies can grant access only if the key policy allows the IAM principal to use the key. |
| How do KMS grants improve performance? | Grants allow KMS to bypass some policy checks, enabling high-throughput cryptographic operations without repeated expensive evaluations. |
| How do you schedule CMK deletion? | Use ScheduleKeyDeletion, which sets a waiting period between 7 and 30 days before permanent deletion. |
| How does ACM renew certificates? | ACM automatically renews eligible certificates before expiration and redeploys them to integrated services. |
| How does EBS encryption work? | EBS uses KMS to encrypt volumes and snapshots at rest with a CMK. EBS encryption is transparent to the instance. |
| How does EBS snapshot encryption behave? | Snapshots of encrypted EBS volumes are encrypted, and restoring from snapshots preserves encryption automatically. |
| How does KMS audit key usage? | KMS logs cryptographic API calls and key usage to CloudTrail for detection and compliance. |
| How does KMS handle cross-region key replication? | Use multi-region keys, or re-encrypt data keys and transfer ciphertext between regions. MRKs simplify management. |
| How does KMS key rotation work? | Automatic rotation can be enabled annually for symmetric CMKs. KMS creates new key material and maintains aliases for continuity. |
| How is RDS encryption applied? | RDS uses KMS CMKs to encrypt database storage and snapshots at rest; it is enabled at instance creation time. |
| How do you protect KMS access across accounts? | Use the key policy to allow cross-account access, create grants, or use resource-based policies and IAM roles for cross-account delegation. |
| What are asymmetric CMKs used for? | Asymmetric CMKs are used for public-key operations such as signing, verifying, encrypting, and decrypting with a private key. |
| What are SSE-S3, SSE-KMS, and SSE-C? | SSE-S3 uses S3-managed keys, SSE-KMS uses KMS CMKs, and SSE-C uses customer-provided keys for server-side encryption. |
| What does AWS Certificate Manager (ACM) do? | ACM provisions, manages, and renews TLS certificates and integrates with many AWS services for automatic deployment. |
| What is a custom key store? | A custom key store is a KMS key backed by a CloudHSM cluster, giving you exclusive control over key material. |
| What is a KMS grant token? | A grant token is provided to authorize use of a recently created grant before it is fully consistent across KMS. |
| What is a KMS grant? | A grant provides temporary, scoped permissions to use a CMK, often to avoid repeated policy checks for high-frequency operations. |
| What is a KMS key policy? | A key policy is the primary resource policy attached to a CMK that defines who can use and manage the key. |
| What is a multi-region CMK (MRK)? | A multi-region key is a KMS CMK that has replicas in other regions to simplify cross-region encryption workflows. |
| What is ACM Private CA? | ACM Private CA provides a managed private certificate authority for issuing internal TLS certificates within your organization. |
| What is an external key store (XKS) in KMS? | XKS lets KMS delegate cryptographic operations to an external key manager, so keys never enter AWS-managed HSMs. |
| What is AWS CloudHSM? | CloudHSM provides dedicated hardware security modules where you own and manage the keys, with FIPS-validated HSMs. |
| What is an AWS KMS CMK? | A customer managed CMK is a primary key in KMS used to encrypt data keys and control cryptographic operations. |
| What is BYOK in AWS KMS? | Bring Your Own Key means importing your own key material into KMS or using an external key manager, so you control the key origin. |
| What is data at rest vs. data in transit? | Data at rest is stored data on disks, backups, and databases. Data in transit is data moving over networks. |
| What is the benefit of envelope encryption? | Envelope encryption minimizes plaintext key exposure, reduces KMS API calls, and improves performance at scale. |
| What is envelope encryption? | Encrypt data with a data key, then encrypt the data key with a master key. This reduces calls to KMS and limits plaintext key exposure. |
| What is GenerateDataKeyWithoutPlaintext? | This operation returns only an encrypted data key, never exposing the plaintext data key to the caller. |
| What is key access control best practice? | Follow the principle of least privilege, use key policies, grants, and IAM together, and enable logging and rotation. |
| What is key material import for KMS? | Importing key material lets you upload your own symmetric key material into a KMS CMK instead of using KMS-generated material. |
| What is the KMS GenerateDataKey operation? | GenerateDataKey returns a plaintext data key and an encrypted copy, used for envelope encryption. |
| What is perfect forward secrecy (PFS)? | PFS ensures that compromise of a long-term key does not compromise past session keys, typically by using ephemeral key exchange. |
| What is ReEncrypt in KMS? | ReEncrypt rewraps ciphertext under a different CMK; it is useful for key rotation or cross-region replication. |
| What is S3 client-side encryption? | Client-side encryption means data is encrypted before upload, and the client manages the data keys and encryption process. |
| What is the SSE-C tradeoff? | SSE-C gives you control of keys, but you must manage key delivery and secure transmission for each request. |
| What is the SSE-KMS advantage over SSE-S3? | SSE-KMS provides centralized key control, audit logging, and fine-grained IAM and key policy controls. |
| What is the effect of disabling a CMK? | Disabling a CMK prevents cryptographic operations with that key without deleting it, allowing safe temporary suspension. |
| What is the KMS Decrypt operation used for? | Decrypt returns plaintext for ciphertext that was encrypted under a CMK, when the caller has permission. |
| What is the maximum deletion waiting period for a CMK? | The maximum waiting period is 30 days. |
| What is the minimum deletion waiting period for a CMK? | The minimum waiting period is 7 days. |
| What is the role of TLS in data-in-transit protection? | TLS encrypts data in transit, provides server authentication, and can provide client authentication when required. |
| What states can a CMK be in? | Common CMK states include Enabled, Disabled, PendingDeletion, and PendingImport. |
| When should you use CloudHSM vs. KMS? | Use CloudHSM when you need exclusive key control or specialized HSM features. Use KMS for managed keys integrated with AWS services. |
Focuses on data-at-rest and in-transit encryption: AWS KMS (CMKs, key policies, grants, rotation), CloudHSM, server/client-side encryption for S3/EBS/RDS, envelope encryption, TLS/ACM, BYOK, and key lifecycle and access controls.