Data Protection & Encryption on AWS (SCS-C03) Flashcards
AWS Certified Security Specialty SCS-C03 Flashcards

| Front | Back |
|---|---|
| Can KMS auto-rotate asymmetric keys? | No. Automatic rotation is not supported for asymmetric CMKs; only symmetric CMKs support automatic rotation. |
| Can RDS snapshots be shared if encrypted? | Encrypted RDS snapshots cannot be shared publicly; sharing them requires sharing the CMK with the target account or using export. |
| How do key policies relate to IAM policies? | Key policies are the primary control for CMKs. IAM policies can grant access only if the key policy allows the IAM principal to use the key. |
| How do KMS grants improve performance? | Grants allow KMS to bypass some policy checks, enabling high-throughput cryptographic operations without repeated expensive evaluations. |
| How do you schedule CMK deletion? | Use ScheduleKeyDeletion, which sets a waiting period between 7 and 30 days before permanent deletion. |
| How does ACM renew certificates? | ACM automatically renews eligible certificates before expiration and redeploys them to integrated services. |
| How does EBS encryption work? | EBS uses KMS to encrypt volumes and snapshots at rest with a CMK. EBS encryption is transparent to the instance. |
| How does EBS snapshot encryption behave? | Snapshots of encrypted EBS volumes are encrypted, and restoring from those snapshots preserves encryption automatically. |
| How does KMS audit key usage? | KMS logs cryptographic API calls and key usage to CloudTrail for detection and compliance. |
| How does KMS handle cross-region key replication? | Use multi-region keys, or re-encrypt data keys and transfer ciphertext between regions. MRKs simplify management. |
| How does KMS key rotation work? | Automatic rotation can be enabled annually for symmetric CMKs. KMS creates new key material and maintains aliases for continuity. |
| How is RDS encryption applied? | RDS uses KMS CMKs to encrypt database storage and snapshots at rest; encryption is enabled at instance creation time. |
| How do you protect KMS access across accounts? | Use the key policy to allow cross-account access, create grants, or use resource-based policies and IAM roles for cross-account delegation. |
| What are asymmetric CMKs used for? | Asymmetric CMKs are used for public-key operations such as signing, verifying, encrypting and decrypting with a private key. |
| What are SSE-S3, SSE-KMS and SSE-C? | SSE-S3 uses S3-managed keys, SSE-KMS uses KMS CMKs, and SSE-C uses customer-provided keys for server-side encryption. |
| What does AWS Certificate Manager (ACM) do? | ACM provisions, manages and renews TLS certificates and integrates with many AWS services for automatic deployment. |
| What is a custom key store? | A custom key store is a KMS key backed by a CloudHSM cluster, giving you exclusive control over key material. |
| What is a KMS grant token? | A grant token is provided to authorize use of a recently created grant before it is fully consistent across KMS. |
| What is a KMS grant? | A grant provides temporary, scoped permissions to use a CMK, often to avoid repeated policy checks for high-frequency operations. |
| What is a KMS key policy? | A key policy is the primary resource policy attached to a CMK; it defines who can use and manage the key. |
| What is a multi-region CMK (MRK)? | A multi-region key is a KMS CMK that has replicas in other regions to simplify cross-region encryption workflows. |
| What is ACM Private CA? | ACM Private CA provides a managed private certificate authority for issuing internal TLS certificates within your organization. |
| What is an external key store (XKS) in KMS? | XKS lets KMS delegate cryptographic operations to an external key manager, so keys never enter AWS-managed HSMs. |
| What is AWS CloudHSM? | CloudHSM provides dedicated, FIPS-validated hardware security modules where you own and manage the keys. |
| What is an AWS KMS CMK? | A customer managed CMK is a primary key in KMS used to encrypt data keys and control cryptographic operations. |
| What is BYOK in AWS KMS? | Bring Your Own Key means importing your own key material into KMS, or using an external key manager, so you control the key origin. |
| What is data at rest vs data in transit? | Data at rest is stored data on disks, backups and databases. Data in transit is data moving over networks. |
| What is the benefit of envelope encryption? | Envelope encryption minimizes plaintext key exposure, reduces KMS API calls and improves performance at scale. |
| What is envelope encryption? | Encrypt data with a data key, then encrypt the data key with a master key. This reduces calls to KMS and limits plaintext key exposure. |
| What is GenerateDataKeyWithoutPlaintext? | This operation returns only an encrypted data key, never exposing the plaintext data key to the caller. |
| What is key access control best practice? | Follow the principle of least privilege, use key policies, grants and IAM together, and enable logging and rotation. |
| What is key material import for KMS? | Importing key material lets you upload your own symmetric key material into a KMS CMK instead of using KMS-generated material. |
| What is the KMS GenerateDataKey operation? | GenerateDataKey returns a plaintext data key and an encrypted copy, used for envelope encryption. |
| What is perfect forward secrecy (PFS)? | PFS ensures that compromise of a long-term key does not compromise past session keys, typically by using ephemeral key exchange. |
| What is ReEncrypt in KMS? | ReEncrypt re-wraps ciphertext under a different CMK, useful for key rotation or cross-region replication. |
| What is S3 client-side encryption? | Client-side encryption means data is encrypted before upload, and the client manages the data keys and encryption process. |
| What is the SSE-C tradeoff? | SSE-C gives you control of keys, but you must manage key delivery and secure transmission for each request. |
| What is the SSE-KMS advantage over SSE-S3? | SSE-KMS provides centralized key control, audit logging, and fine-grained IAM and key policy controls. |
| What is the effect of disabling a CMK? | Disabling a CMK prevents cryptographic operations with that key without deleting it, allowing safe temporary suspension. |
| What is the KMS Decrypt operation used for? | Decrypt returns plaintext for ciphertext that was encrypted under a CMK, when the caller has permission. |
| What is the maximum deletion waiting period for a CMK? | The maximum waiting period is 30 days. |
| What is the minimum deletion waiting period for a CMK? | The minimum waiting period is 7 days. |
| What is the role of TLS in data-in-transit protection? | TLS encrypts data in transit, provides server authentication, and can provide client authentication when required. |
| What states can a CMK be in? | Common CMK states include Enabled, Disabled, PendingDeletion and PendingImport. |
| When should you use CloudHSM vs KMS? | Use CloudHSM when you need exclusive key control or specialized HSM features. Use KMS for managed keys integrated with AWS services. |
About the Flashcards
Flashcards for the AWS Certified Security Specialty exam focus on cloud key management and encryption fundamentals. Use these cards to review terminology and core concepts such as data at rest versus data in transit, customer-managed keys and key policies, grants and lifecycle states, envelope encryption and data key operations.
The deck also tests operational and architectural topics: key rotation and deletion, multi-region key handling and re-encryption, HSMs and BYOK, server-side and client-side storage encryption, disk and database encryption behavior, TLS and certificate management, audit logging, and key access control best practices.
Topics covered in this flashcard deck:
- Key management concepts
- Envelope encryption
- Server-side vs client-side encryption
- Disk and database encryption
- HSMs and BYOK
- TLS and certificate management