
AWS Key Management Service (AWS KMS)

AWS Key Management Service (AWS KMS) is a managed service for creating and controlling the cryptographic keys that protect data in AWS services and in your own applications. One of the first decisions you make when using AWS KMS is whether to rely on AWS managed keys or to create customer managed keys. Both kinds are stored and used inside the same AWS KMS hardware security modules, but they serve different purposes, and understanding their differences and applications is vital, especially for the AWS Certified Developer – Associate (DVA-C02) exam.

AWS Managed Keys

AWS Managed Keys are KMS keys that an AWS service creates in your account, on your behalf, the first time you choose to protect a resource in that service with AWS KMS. AWS handles all aspects of these keys for you, including creation, rotation, and deletion; you cannot change their key policies, disable them, or delete them.

For example, if you enable server-side encryption with AWS KMS keys (SSE-KMS) on an S3 bucket and pick the AWS managed key, AWS KMS creates a key aliased aws/s3 in your account. That key is unique to your account and to Amazon S3; each integrated service gets its own AWS managed key. (The default SSE-S3 option uses keys that Amazon S3 manages outside AWS KMS, so it does not create a KMS key at all.)

Key Identity

You cannot directly manage AWS managed keys, but you can still refer to them in API requests and policy statements. Like any KMS key, each one has a key ID and a key ARN, and AWS also gives it a reserved alias of the form aws/<service-name> (customers cannot create aliases in the aws/ namespace). The identifier you use is a KMS key or alias identifier, not the ARN of the encrypted resource such as an S3 bucket.

Examples (the alias name, and the alias ARN in the same account and Region as the key ARN shown under Customer Managed Keys below):

alias/aws/s3
arn:aws:kms:us-east-2:111122223333:alias/aws/s3

Key Access

The key policy of an AWS managed key lets IAM principals in the account use the key, but only through the owning service: the statement that grants kms:Encrypt, kms:Decrypt and kms:GenerateDataKey* carries a kms:ViaService condition, so a direct call from the CLI or an SDK is denied even for an administrator. Principals can read key metadata (for example with kms:DescribeKey) but cannot change the key policy, disable the key, or schedule it for deletion.

Customer Managed Keys

Customer Managed Keys are KMS keys that you create, own and manage. You have complete control over them: their key policies and grants, aliases, enabling and disabling, automatic rotation settings, and deletion.

For example, if your application needs to call AWS KMS directly, whether to encrypt data outside of an AWS service or to generate data keys for envelope encryption, you need a customer managed key, because an AWS managed key can only be used through its owning service.

Key Identity

AWS KMS assigns each key a unique key ID and key ARN when it is created. These identifiers cannot be changed, but as a key administrator you can create one or more aliases (friendly names such as alias/payments-db) that point to the key, and later repoint an alias to a new key without touching application code.

Example:

arn:aws:kms:us-east-2:111122223333:key/abcd1234-a123-456a-a12b-a123b4cd56ef
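The identifier forms above are easy to confuse, and policies or code that accept a "key" often receive a bucket ARN or a bare alias instead. The following added example (written for this page, not code from AWS or the original post) classifies a string the way AWS KMS accepts the KeyId parameter, recognises the reserved aws/ alias namespace that marks an AWS managed key, and rejects ARNs of other services. The KmsRef type and parse_kms_identifier function are names chosen for this example; the ARN and key ID shapes follow the AWS KMS documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identifier shapes follow the AWS KMS documentation: a key ID is a UUID (or
# "mrk-" followed by 32 hex digits for a multi-Region key), a key ARN ends in
# "key/<id>", an alias ARN ends in "alias/<name>", and aliases reserved for
# AWS managed keys are named "aws/<service>".
_KEY_ID = r"(?:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|mrk-[0-9a-f]{32})"
KEY_ID_RE = re.compile(rf"^{_KEY_ID}$")
KMS_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws(?:-[a-z]+)*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>[0-9]{12}):(?P<resource>.+)$"
)


@dataclass(frozen=True)
class KmsRef:
    kind: str                     # "key_id" | "key_arn" | "alias_name" | "alias_arn"
    key_id: Optional[str] = None
    alias: Optional[str] = None
    region: Optional[str] = None
    account: Optional[str] = None

    @property
    def aws_managed(self) -> bool:
        """True only when the reference is an alias in the reserved aws/ namespace.

        A bare key ID or key ARN carries no such marker; to classify those you
        must call DescribeKey and look at KeyMetadata.KeyManager ("AWS" or "CUSTOMER").
        """
        return self.alias is not None and self.alias.startswith("aws/")


def parse_kms_identifier(ident: str) -> KmsRef:
    """Classify a string the way AWS KMS would accept it as a KeyId parameter.

    Raises ValueError for anything that is not a KMS key or alias identifier,
    including ARNs of other services (for example an S3 bucket ARN).
    """
    ident = ident.strip()
    if KEY_ID_RE.match(ident):
        return KmsRef("key_id", key_id=ident)
    if ident.startswith("alias/"):
        name = ident[len("alias/"):]
        if not name:
            raise ValueError("alias name is empty")
        return KmsRef("alias_name", alias=name)
    m = KMS_ARN_RE.match(ident)
    if not m:
        raise ValueError(f"not an AWS KMS key or alias identifier: {ident!r}")
    resource = m.group("resource")
    if resource.startswith("key/") and KEY_ID_RE.match(resource[len("key/"):]):
        return KmsRef("key_arn", key_id=resource[len("key/"):],
                      region=m.group("region"), account=m.group("account"))
    if resource.startswith("alias/") and len(resource) > len("alias/"):
        return KmsRef("alias_arn", alias=resource[len("alias/"):],
                      region=m.group("region"), account=m.group("account"))
    raise ValueError(f"unrecognised KMS resource in ARN: {resource!r}")


if __name__ == "__main__":
    for s in ("alias/aws/s3",
              "arn:aws:kms:us-east-2:111122223333:alias/aws/s3",
              "arn:aws:kms:us-east-2:111122223333:key/abcd1234-a123-456a-a12b-a123b4cd56ef",
              "arn:aws:s3:::examplebucket"):
        try:
            ref = parse_kms_identifier(s)
            print(f"{s}: {ref.kind}, aws_managed={ref.aws_managed}")
        except ValueError as exc:
            print(f"{s}: rejected ({exc})")
```

The point of the aws_managed property's docstring matters in practice: an alias tells you the key's owner, but a key ARN does not, so inventory tooling that only sees ARNs has to resolve them through DescribeKey.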

Key Access

Access to a customer managed key is controlled by its key policy. The default key policy gives the AWS account root user full access, which in turn lets IAM policies in the account grant key permissions. When you create a key in the console you can designate IAM users and roles as key administrators (who manage the key) and as key users (who encrypt and decrypt with it); the user who creates the key gets no special rights unless added to one of those statements, and IAM groups cannot be named in a key policy at all.
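Because the key policy is the whole access-control story for a customer managed key, it is worth generating it deliberately rather than accepting whatever a console wizard produces. The following added example (written for this page, not AWS or the original author's code) builds a policy with the root statement that every default key policy starts with, separate administrator and user statements, an optional kms:ViaService condition of the kind AWS puts on its own managed keys, and an optional cross-account statement; it then reviews a policy for the mistakes that usually get through, such as an anonymous principal without a condition. The role ARNs, account IDs and function names are assumptions for this example.

```python
import json
from typing import Dict, Iterable, List, Optional, Set

KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
KEY_ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                     "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                     "kms:Get*", "kms:Delete*", "kms:TagResource",
                     "kms:UntagResource", "kms:ScheduleKeyDeletion",
                     "kms:CancelKeyDeletion"]


def build_key_policy(account_id: str, admin_arns: Iterable[str], user_arns: Iterable[str],
                     via_service: Optional[str] = None,
                     trusted_accounts: Iterable[str] = ()) -> Dict:
    """Assemble a key policy with separate administrator and user statements.

    The first statement is the one every default key policy starts with: it gives
    the account root full access so that IAM policies in the account can also
    grant key permissions.
    """
    statements: List[Dict] = [
        {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "KeyAdministrators", "Effect": "Allow",
         "Principal": {"AWS": sorted(admin_arns)},
         "Action": KEY_ADMIN_ACTIONS, "Resource": "*"},
    ]
    users = {"Sid": "KeyUsers", "Effect": "Allow",
             "Principal": {"AWS": sorted(user_arns)},
             "Action": KEY_USE_ACTIONS, "Resource": "*"}
    if via_service:
        # Restrict use to calls made through one service, e.g. "s3.us-east-2.amazonaws.com",
        # mirroring the condition AWS places on its own AWS managed keys.
        users["Condition"] = {"StringEquals": {"kms:ViaService": via_service}}
    statements.append(users)
    trusted = list(trusted_accounts)
    if trusted:
        # Sharing with another account: that account's administrators still have to
        # delegate these permissions to their own principals with IAM policies.
        statements.append({"Sid": "CrossAccountUse", "Effect": "Allow",
                           "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in trusted]},
                           "Action": KEY_USE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _principals(stmt: Dict) -> Set[str]:
    p = stmt.get("Principal")
    if p == "*":
        return {"*"}
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return {aws} if isinstance(aws, str) else set(aws)
    return set()


def _account_of(arn: str) -> str:
    parts = arn.split(":")
    return parts[4] if arn.startswith("arn:") and len(parts) >= 6 else ""


def review_key_policy(policy: Dict, account_id: str) -> List[str]:
    """Return the findings a reviewer would raise before this policy is applied."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        principals = _principals(stmt)
        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: anonymous principal '*' without a Condition")
        if "kms:*" in actions and principals != {f"arn:aws:iam::{account_id}:root"}:
            findings.append(f"{sid}: kms:* granted to {sorted(principals)}")
        for p in principals:
            acct = _account_of(p)
            if acct and acct != account_id:
                findings.append(f"{sid}: grants access to external account {acct}")
    return findings


if __name__ == "__main__":
    policy = build_key_policy("111122223333",
                              ["arn:aws:iam::111122223333:role/KeyAdmin"],
                              ["arn:aws:iam::111122223333:role/AppRole"],
                              via_service="s3.us-east-2.amazonaws.com")
    print(json.dumps(policy, indent=2))
    print("findings:", review_key_policy(policy, "111122223333"))
```

The review function deliberately reports a cross-account statement as a finding even when it was intended: sharing a key is a decision that should be visible in review, not something discovered later from CloudTrail.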

Comparing the Key Types

  • An AWS Managed Key is less flexible: you cannot edit its key policy, disable it, or delete it. A Customer Managed Key offers full control over the lifecycle, policies, aliases, and usage of the key.
  • AWS rotates the key material of an AWS Managed Key automatically every year (before May 2022 the period was three years). For a Customer Managed Key, administrators choose whether to enable automatic rotation; it is off by default and, when enabled, rotates every 365 days unless a different period is configured.
  • AWS Managed Keys have no monthly charge. Each Customer Managed Key incurs a monthly fee, and AWS KMS API requests above the free tier are billed for both key types.
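The rotation difference is the one that needs checking in a real account, because a customer managed key starts with rotation off. The following added example (written for this page, not AWS or the original author's code) audits a constructed key inventory of the shape you would assemble from ListKeys, DescribeKey, ListAliases and GetKeyRotationStatus: AWS managed keys (KeyManager "AWS") are reported but not flagged, since nothing about them can be changed, while customer managed keys are flagged when rotation is disabled, when they are pending deletion, or when automatic rotation is not available to them at all (asymmetric or HMAC keys, and imported or external key material). The key IDs, aliases and dates in the sample are made up for this example.

```python
from typing import Dict, List

# Constructed sample inventory for this example. Each record carries the fields an
# auditor would collect from ListKeys + DescribeKey (KeyMetadata) + ListAliases +
# GetKeyRotationStatus; IDs, aliases and dates are invented.
SAMPLE_INVENTORY = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "KeyManager": "AWS",
     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",
     "Aliases": ["alias/aws/s3"], "RotationEnabled": True},
    {"KeyId": "22222222-2222-2222-2222-222222222222", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",
     "Aliases": ["alias/payments-db"], "RotationEnabled": False},
    {"KeyId": "33333333-3333-3333-3333-333333333333", "KeyManager": "CUSTOMER",
     "KeyState": "PendingDeletion", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "AWS_KMS",
     "Aliases": [], "RotationEnabled": False, "DeletionDate": "2024-07-01"},
    {"KeyId": "44444444-4444-4444-4444-444444444444", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT", "Origin": "EXTERNAL",
     "Aliases": ["alias/imported-legacy"], "RotationEnabled": False},
    {"KeyId": "55555555-5555-5555-5555-555555555555", "KeyManager": "CUSTOMER",
     "KeyState": "Enabled", "KeySpec": "RSA_2048", "Origin": "AWS_KMS",
     "Aliases": ["alias/signing"], "RotationEnabled": False},
]


def audit_key(rec: Dict) -> List[str]:
    """Findings for one key record; an empty list means nothing to do."""
    findings: List[str] = []
    name = rec["Aliases"][0] if rec["Aliases"] else rec["KeyId"]
    if rec["KeyManager"] == "AWS":
        # Nothing to configure: AWS rotates these itself and the customer cannot
        # disable, delete or re-policy them.
        return findings
    if rec["KeyState"] == "PendingDeletion":
        findings.append(f"{name}: pending deletion on {rec.get('DeletionDate', '?')}; "
                        "data encrypted under it becomes unrecoverable afterwards")
        return findings
    if rec["KeySpec"] != "SYMMETRIC_DEFAULT":
        # Automatic rotation only exists for symmetric encryption keys.
        findings.append(f"{name}: asymmetric or HMAC key, automatic rotation unavailable; "
                        "rotate manually by creating a new key and repointing the alias")
    elif rec["Origin"] != "AWS_KMS":
        # Imported, CloudHSM-backed and external-key-store material cannot be auto-rotated.
        findings.append(f"{name}: key material not generated by KMS (Origin {rec['Origin']}), "
                        "automatic rotation unavailable; rotate manually")
    elif not rec["RotationEnabled"]:
        findings.append(f"{name}: automatic rotation disabled; enable it with EnableKeyRotation")
    return findings


def audit_inventory(records: List[Dict]) -> Dict[str, List[str]]:
    """Split the inventory by owner and collect findings for customer managed keys."""
    report: Dict[str, List[str]] = {"aws_managed": [], "customer_managed": [], "findings": []}
    for rec in records:
        bucket = "aws_managed" if rec["KeyManager"] == "AWS" else "customer_managed"
        report[bucket].append(rec["KeyId"])
        report["findings"].extend(audit_key(rec))
    return report


if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY)
    print(f"AWS managed: {len(result['aws_managed'])}, "
          f"customer managed: {len(result['customer_managed'])}")
    for line in result["findings"]:
        print(" -", line)
```

In a live account the records would come from paginated boto3 calls; the audit logic itself does not change, which is why it is kept separate from the collection step.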

Understanding the differences between AWS Managed Key and Customer Managed Key is essential for AWS Developers, giving them the ability to handle data encryption and decryption more effectively. Be sure to understand these key types and the circumstances in which they’re used, to ensure you’re ready for any questions on this topic in your AWS Certified Developer – Associate (DVA-C02) exam.

Practice Test

True or False: AWS managed keys can be deleted by the customer.

  • Answer: False

Explanation: AWS managed keys are controlled by AWS, which means the customer has no deletion privileges.

Which of the following is a type of AWS managed key?

  • A. AWS KMS keys
  • B. AWS service keys
  • C. AWS S3 keys
  • D. AWS RDS keys

Answer: B. AWS service keys

Explanation: AWS service keys are an example of AWS managed keys.

True or False: Customer Managed AWS KMS keys can be rotated automatically.

  • Answer: True

Explanation: One of the advantages of customer managed keys is that they support automatic key rotation.

What can be done with AWS managed keys but not with customer managed keys?

  • A. Revoke
  • B. Destroy
  • C. Control
  • D. None of these

Answer: D. None of these

Explanation: AWS managed keys cannot be revoked, destroyed or controlled by the customer.

True or False: Both AWS-managed and customer-managed keys offer a detailed key-usage audit trail through AWS CloudTrail.

  • Answer: True

Explanation: Regardless of who controls the keys, both AWS-managed and customer-managed AWS KMS keys support AWS CloudTrail for auditing.

Who is responsible for creating and managing customer managed keys?

  • A. AWS
  • B. The customer
  • C. Both
  • D. None of the above

Answer: B. The customer

Explanation: As the name implies, customer managed keys are created and managed by the customer, who owns their key policies, rotation settings, and deletion.

True or False: With AWS managed keys, customers can define and enforce key policies.

  • Answer: False

Explanation: This is a characteristic of customer-managed keys where customers can define and enforce their own key policies.

Which of the following is true about AWS managed keys?

  • A. They cannot be used outside of the service they are created in
  • B. They can be rotated every three years
  • C. They can be deleted at any time
  • D. None of the above

Answer: A. They cannot be used outside of the service they are created in

Explanation: AWS managed keys can only be used through the service that created them. Their rotation is performed by AWS (currently every year, no longer every three years), and customers cannot delete them.

True or False: Both AWS managed and customer managed keys provide the ability to generate a data key.

  • Answer: True

Explanation: Regardless of who manages the key, both types can produce data keys for envelope encryption. With an AWS managed key the owning service calls GenerateDataKey on your behalf; with a customer managed key your own application can call GenerateDataKey directly.

What is a distinct advantage of Customer Managed AWS KMS keys?

  • A. Lower cost
  • B. More globally accessible
  • C. Greater user control
  • D. None of the above

Answer: C. Greater user control

Explanation: Customer managed keys provide users with more control, such as over key rotation and key policy.

True or False: AWS managed keys can be scheduled for deletion.

  • Answer: False

Explanation: AWS controls the lifecycle for AWS managed keys and customers cannot schedule them for deletion.

True or False: Customer managed keys can be shared with other AWS accounts.

  • Answer: True

Explanation: Customer managed keys can be shared with other AWS accounts, adding flexibility to user control.

Which of the following is true about Customer managed keys?

  • A. They cannot be enabled or disabled
  • B. They don’t support automatic rotation
  • C. They can be shared with other AWS accounts
  • D. They cannot be used with other AWS services

Answer: C. They can be shared with other AWS accounts

Explanation: Customer managed keys can be shared with other AWS accounts through their key policy (and through grants). The other options are false: customer managed keys can be enabled and disabled, support automatic rotation, and can be used with any AWS service that integrates with AWS KMS.

True or False: Customers cannot export the plaintext key material of AWS managed keys, or of customer managed keys whose material was generated by AWS KMS.

  • Answer: True

Explanation: Key material generated in AWS KMS never leaves the service's hardware security modules in plaintext, so neither the customer nor AWS operators can retrieve it; every cryptographic operation happens inside AWS KMS. The one caveat is imported key material (a customer managed key with Origin EXTERNAL): the customer keeps the original copy outside AWS KMS, although it still cannot be exported from KMS.

Which of the following cannot be done with customer managed keys?

  • A. Create
  • B. Enable and disable
  • C. Schedule for deletion
  • D. None of the above

Answer: D. None of the above

Explanation: All of the above operations can be done with customer managed keys. These are the advantages that come with greater user control.

Interview Questions

What is a write-through caching strategy in AWS?

In a write-through strategy every write goes to the cache and to the backing store as part of the same operation, so the cache always holds the latest value and never serves stale data for a key it has seen.

What is a read-through caching strategy in AWS?

A read-through caching strategy involves loading data into the cache on a data miss. The application reads data from cache which performs a database query on a cache miss and subsequently caches the result for potential future requests.

What is the lazy loading caching strategy in AWS?

Lazy loading is a caching strategy that only loads data into the cache when a demand for that data occurs. If a request is made for data that is not in the cache, the cache retrieves it from the origin server, stores it, and serves it to the requester.

What does TTL stand for and what’s its role in caching strategy in AWS?

TTL stands for Time To Live. A TTL is an expiry attached to a cached item that says how long it may be served before the cache discards it. It bounds how stale cached data can become and frees memory held by items that are no longer being refreshed.

In Amazon ElastiCache, how can a TTL be set for a key?

In Amazon ElastiCache for Redis, the EXPIRE command sets a TTL (in seconds) on an existing key, and SET with the EX option writes the value and its TTL in one call. Once the expiry time is reached, the key is automatically deleted.

How does the write-around caching strategy differ from the write-through caching strategy in AWS?

The difference between the two strategies is that in write-around caching, the data is written directly to the permanent storage, bypassing the cache. This can reduce the cache being flooded with write operations.

What are the benefits of using TTL in AWS caching services?

TTL prevents old or stale data from being served to clients by ensuring every cached item is eventually evicted. It also helps manage cache memory, since items that are not refreshed expire instead of lingering.

What is the principle of the read-through and write-through caching strategy?

The principle behind read-through and write-through caching is to keep the cache in step with the underlying persistent storage: reads and writes both pass through the cache, so the cache is populated on a read miss and updated on every write, and the data it holds is never stale.

How does Lazy Loading strategy help in terms of cost of resources?

Lazy Loading strategy saves cost of resources as it only loads data as per demand basis and avoids loading large amounts of data that may never be used.

What could be a downside of using the write-through caching strategy?

A downside of write-through caching is latency: every write must complete in both the cache and the backing store before it is acknowledged, so it is slower than write-back, where the cache absorbs the write and flushes it to storage later. It also spends cache space on data that is written but never read.
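The differences between these strategies are easiest to see when the same key is read and written under each of them with a TTL in play. The following added example (written for this page, not code from AWS or the original author) implements lazy loading, write-through and write-around against a small TTL cache and a counting stand-in for the database, using a fake clock so that expiry can be exercised without sleeping. It shows the stale read that write-around leaves behind until the TTL expires, and the extra store read that lazy loading then pays. The class and function names are chosen for this example.

```python
from typing import Any, Dict, Optional, Tuple


class FakeClock:
    """Manual clock so TTL expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class BackingStore:
    """Stand-in for the database; counts operations so each strategy's cost is visible."""
    def __init__(self, initial: Dict[str, Any]) -> None:
        self.data = dict(initial)
        self.reads = 0
        self.writes = 0

    def get(self, key: str) -> Optional[Any]:
        self.reads += 1
        return self.data.get(key)

    def put(self, key: str, value: Any) -> None:
        self.writes += 1
        self.data[key] = value


class TtlCache:
    """In-memory cache with per-item expiry, like EXPIRE on a Redis key."""
    def __init__(self, clock: FakeClock, default_ttl: float) -> None:
        self.clock = clock
        self.default_ttl = default_ttl
        self._items: Dict[str, Tuple[Any, float]] = {}

    def get(self, key: str) -> Optional[Any]:
        item = self._items.get(key)
        if item is None:
            return None
        value, expires_at = item
        if expires_at <= self.clock.now:      # lazy expiry: evict on access
            del self._items[key]
            return None
        return value

    def put(self, key: str, value: Any, ttl: Optional[float] = None) -> None:
        self._items[key] = (value, self.clock.now + (self.default_ttl if ttl is None else ttl))


def lazy_load_get(cache: TtlCache, store: BackingStore, key: str) -> Tuple[Optional[Any], str]:
    """Lazy loading (cache-aside): populate the cache only on a miss."""
    value = cache.get(key)
    if value is not None:
        return value, "hit"
    value = store.get(key)
    if value is not None:
        cache.put(key, value)
    return value, "miss"


def write_through_put(cache: TtlCache, store: BackingStore, key: str, value: Any) -> None:
    """Write-through: the write is complete only after both store and cache are updated."""
    store.put(key, value)
    cache.put(key, value)


def write_around_put(cache: TtlCache, store: BackingStore, key: str, value: Any) -> None:
    """Write-around: bypass the cache; a stale copy can survive until its TTL expires."""
    store.put(key, value)


def run_scenario(ttl: float = 60.0) -> Dict[str, Any]:
    """Drive the three strategies against one key and record what each read observed."""
    clock = FakeClock()
    store = BackingStore({"user:1": "alice"})      # constructed sample data
    cache = TtlCache(clock, default_ttl=ttl)
    seen: Dict[str, Any] = {}
    seen["first"] = lazy_load_get(cache, store, "user:1")              # miss, loads from store
    seen["second"] = lazy_load_get(cache, store, "user:1")             # hit
    write_around_put(cache, store, "user:1", "alicia")
    seen["after_write_around"] = lazy_load_get(cache, store, "user:1")  # stale hit
    clock.advance(ttl + 1)
    seen["after_ttl"] = lazy_load_get(cache, store, "user:1")          # miss, fresh value
    write_through_put(cache, store, "user:1", "alison")
    seen["after_write_through"] = lazy_load_get(cache, store, "user:1")  # hit, already fresh
    seen["store_reads"] = store.reads
    seen["store_writes"] = store.writes
    return seen


if __name__ == "__main__":
    for step, observed in run_scenario().items():
        print(f"{step}: {observed}")
```

Read-through is not shown separately because it is lazy loading performed inside the cache layer rather than by the application; the sequence of store reads is identical.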
