Practice Test

True or False: Encryption in transit guarantees the safety of data when it is stationary or stored.

  • False

Answer: False

Explanation: Encryption in transit secures data during transmission, not when it is stored or at rest.

Which of these is not an encryption option for AWS?

  • A. AWS Key Management Service (KMS)
  • B. AWS Certificate Manager
  • C. AWS Shield
  • D. AWS CloudHSM

Answer: C. AWS Shield

Explanation: AWS Shield is a managed Distributed Denial of Service (DDoS) protection services, not an encryption service.

True or False: AWS supports both server-side encryption and client-side encryption?

  • True

Answer: True

Explanation: AWS supports both server-side encryption (data is encrypted after arriving at AWS) and client-side encryption (data is encrypted before being transferred to AWS).

Encryption at rest applies to which of the following?

  • A. Data in transit
  • B. Stored data
  • C. Data being processed
  • D. None of the above

Answer: B. Stored data

Explanation: Encryption at rest is designed to protect saved or stored data.

What does AWS S3 use to encrypt data at rest?

  • A. SSL/TLS
  • B. HTTPS
  • C. AES-256
  • D. SSH

Answer: C. AES-256

Explanation: AWS S3 uses server-side encryption with Amazon S3-managed keys (SSE-S3) or AWS KMS keys (SSE-KMS) to encrypt data at rest.

True or False: AWS CloudTrail supports encryption in transit automatically.

  • True

Answer: True

Explanation: AWS CloudTrail automatically encrypts all log file data in transit to the CloudTrail API and to the Amazon S3 bucket.

What does AWS use to secure data in transit between AWS services?

  • A. AES-256
  • B. HTTPS
  • C. SSE-KMS
  • D. SSL/TLS

Answer: B. HTTPS

Explanation: AWS uses HTTPS to secure data in transit between AWS services.

What is AWS CloudHSM primarily used for?

  • A. Denial of service protection
  • B. Hardware-based key storage for regulatory compliance
  • C. Data leak protection
  • D. None of the above

Answer: B. Hardware-based key storage for regulatory compliance

Explanation: AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys.

True or False: Only server-side encryption is allowed for data at rest in AWS.

  • False

Answer: False

Explanation: AWS allows you to implement both server-side and client-side encryption for data at rest depending on your requirements and application design.

Amazon Aurora automatically encrypts data at rest using ____?

  • A. AES-128
  • B. AES-256
  • C. HTTPS
  • D. SSH

Answer: B. AES-256

Explanation: Aurora automatically encrypts data at rest using keys you manage through AWS Key Management Service (KMS) and data in transit using Secure Sockets Layer (SSL) or Transport Layer Security (TLS) with AES-256 encryption.

True or False: AWS Certificate Manager is used to manage SSL/TLS certificates.

  • True

Answer: True

Explanation: AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources.

Which of these can you use for key management in AWS?

  • A. AWS Key Management Service (KMS)
  • B. AWS CloudHSM
  • C. Both
  • D. Neither

Answer: C. Both

Explanation: Both AWS Key Management Service (KMS) and AWS CloudHSM provide options for key management in AWS.

True or False: AWS Key Management Service supports integrating with AWS services to encrypt data in transit and at rest.

  • True

Answer: True

Explanation: The AWS Key Management Service can be used to control and manage keys for encrypting data across a range of AWS services.

HTTPS uses which protocol to encrypt data in transit?

  • A. AES-256
  • B. SSL/TLS
  • C. SSH
  • D. SSE-KMS

Answer: B. SSL/TLS

Explanation: HTTPS stands for Hypertext Transfer Protocol Secure. It uses SSL/TLS under the hood for data encryption in transit.

True or False: Encryption options in AWS do not include a service for creating and maintaining cryptographic keys.

  • False

Answer: False

Explanation: AWS provides AWS Key Management Service (KMS) for creating and managing cryptographic keys and controls across a wide range of AWS services and in your applications.

Interview Questions

What is data encryption at rest in the context of AWS?

Encryption at rest is a data protection method that involves encoding data when it’s stored or “at rest”, such as in an Amazon S3 bucket or a DynamoDB table.

What is data encryption in transit in the context of AWS?

Encryption in transit refers to the process of protecting data while it is being transferred between systems or services within AWS, like data transfers from user devices to Amazon EC2 instances, or from EC2 instances to S3 buckets.

Name two AWS services that operate with encryption in transit.

Two AWS services that operate with encryption in transit are AWS Direct Connect and Amazon VPC.

How does AWS KMS contribute to encryption at rest?

AWS Key Management Service (KMS) allows you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. It’s integrated with other AWS services making it easier to encrypt data at rest and manage the keys.

Can you encrypt existing unencrypted resources on AWS?

Yes, AWS provides various services that allow users to add encryption to previously unencrypted resources.

Name some services that support encryption at rest in AWS?

Amazon RDS, Amazon S3, Amazon EBS, Amazon Redshift, and Amazon DynamoDB are some services that support encryption at rest in AWS.

How can Amazon SES protect data in transit?

Amazon Simple Email Service (SES) encrypts emails at the application layer using Transport Layer Security (TLS).

How does AWS ensure encryption for S3 bucket?

AWS S3 provides features like Server Side Encryption (S3-SSE) and Server Side Encryption with KMS keys (S3-SSE-KMS) to ensure encryption for data at rest in S3 buckets.

Does Amazon use any encryption standard to ensure the security of database instances?

Yes, Amazon RDS encryption uses the industry standard AES-256 encryption algorithm to encrypt database instances.

What is the key management service that is used for creating and controlling the encryption keys that decrypt your data?

AWS Key Management Service (KMS) is the service that is used for creating and controlling the encryption keys that decrypt your data.

Is encryption mandatory for databases stored in AWS?

While it’s not mandatory to encrypt database in AWS, it is highly recommended for an added layer of data protection.

Does AWS offer client-side encryption for S3?

Yes, AWS does offer client-side encryption where data is encrypted before it’s moved into S3 for storage.

What type of encryption does Amazon EBS use?

Amazon EBS uses AES-256 algorithm for encrypting volumes, and the keys used for encryption are managed and protected by the AWS Key Management Service (KMS).

How does AWS Direct Connect ensure data security in transit?

AWS Direct Connect ensures data security in transit by establishing a dedicated, private network connection from your network to AWS which lowers the risk of data being tampered or lost in transit.

Which AWS service allows for the configuration of encryption in transit through HTTPS endpoints?

Amazon API Gateway supports HTTPS endpoints and therefore allows the configuration for encryption in transit.

Leave a Reply

Your email address will not be published. Required fields are marked *