Practice Test

True or False: It is recommended to rotate your AWS access keys regularly in order to ensure the security of your AWS resources.

  • True
  • False

Answer: True

Explanation: Regularly rotating access keys minimizes the risk of the keys being compromised, thus improving the security of your AWS resources.

What is the best practice in regards to the frequency of key rotations in AWS?

  • A. Daily
  • B. Monthly
  • C. As needed
  • D. Yearly

Answer: C. As needed

Explanation: It is best practice to rotate AWS access keys as needed, depending on use case, compliance requirements, and risk tolerance.

What AWS service provides the functionality for key rotation?

  • A. AWS Identity and Access Management (IAM)
  • B. AWS Key Management Service (KMS)
  • C. AWS Elastic Compute Cloud (EC2)
  • D. AWS Simple Storage Service (S3)

Answer: B. AWS Key Management Service (KMS)

Explanation: AWS KMS provides the functionality for rotating cryptographic keys.

True or False: Key rotation is not necessary for AWS managed keys.

  • True
  • False

Answer: False

Explanation: Even for AWS managed keys, it is considered best practice to enable automatic key rotation.

Which AWS service is NOT involved in the process of key rotation?

  • A. AWS Secrets Manager
  • B. AWS Lambda
  • C. AWS Elastic MapReduce
  • D. AWS CloudTrail

Answer: C. AWS Elastic MapReduce

Explanation: AWS Elastic MapReduce is not directly involved in the process of key rotation, unlike the other services listed which can handle, trigger, or log key rotations.

After rotating access keys, is it necessary to update any applications or services that use them?

  • A. Yes
  • B. No

Answer: A. Yes

Explanation: After rotating keys, it is important to update all applications and services that use them to prevent disruption in access.

In which of these scenarios would key rotation not be immediately required?

  • A. When a key has been compromised or is at risk of being compromised.
  • B. When a key hasn’t been used in a long time.
  • C. When a new employee is given access to a system.
  • D. After a key has been lost.

Answer: B. When a key hasn’t been used in a long time.

Explanation: Unused keys do not necessarily require immediate rotation, unless there’s a possibility they have been compromised.

Which AWS IAM policy allows for the rotation of access keys?

  • A. iam:UpdateAccessKey
  • B. iam:CreateAccessKey
  • C. iam:DeleteAccessKey
  • D. All of the above

Answer: D. All of the above

Explanation: The process of rotating AWS IAM access keys involves creating, deleting, and updating the keys.

Can you still use the old key until it expires after key rotation in AWS KMS?

  • A. Yes
  • B. No

Answer: A. Yes

Explanation: AWS KMS retains the old key for decryption operations but new data will be encrypted under the new key.

True or False: Key rotation in AWS requires system downtime.

  • True
  • False

Answer: False

Explanation: Key rotation in AWS can occur without downtime as AWS services are designed to operate and interact with each other efficiently.

With AWS KMS, how regularly does automatic key rotation occur?

  • A. Every 3 years.
  • B. Every year.
  • C. Every 6 months.
  • D. Every month.

Answer: B. Every year.

Explanation: When you enable automatic key rotation for a customer managed key in AWS KMS, the service automatically rotates the key every year.

True or False: AWS KMS allows for manual key rotation.

  • True
  • False

Answer: True

Explanation: AWS KMS allows for both automatic and manual key rotation. When you manually rotate keys, you must also distribute the new key and update all applications that use the old key.

True or False: AWS RDS supports automatic key rotation.

  • True
  • False

Answer: False

Explanation: At this time, AWS RDS does not support automatic key rotation.

Is the AWS KMS key rotation process asynchronous or synchronous?

  • A. Asynchronous
  • B. Synchronous

Answer: A. Asynchronous

Explanation: AWS KMS key rotation is asynchronous, meaning it doesn’t impact your applications or AWS services using the key.

True or False: AWS Secrets Manager automatically rotates the secrets it securely stores.

  • True
  • False

Answer: True

Explanation: AWS Secrets Manager protects access to applications, services, and IT resources, without the upfront investment and on-going maintenance costs of operating your own infrastructure. It can be configured to automatically rotate the secrets it manages. This prevents the long-term, heavy-use of secrets, thereby reducing risk.

Interview Questions

What is AWS Key Management Service (KMS)?

AWS Key Management Service (KMS) is a managed service that simplifies the creation and control of encryption keys used to encrypt data.

How does AWS KMS manage the lifecycle of keys?

AWS KMS provides an automated solution for key rotation which can be enabled or disabled for each AWS KMS key individually.

What is AWS KMS key rotation?

AWS Key Management Service (KMS) key rotation refers to the process of retiring an old cryptographic key and replacing it with a new one at regular intervals.

How often does AWS KMS perform key rotation when key rotation is enabled?

With AWS Key Management Service (KMS) when key rotation is enabled, AWS KMS automatically rotates the key every year.

How does enabling key rotation benefit data security?

By rotating keys, you reduce the potential impact of a key getting compromised. The older the key, the more data is likely to have been encrypted with it, and the more damaging it could be if the key were compromised.

If a data key was created using an AWS KMS CMK and then the CMK was rotated, can the older data still be decrypted?

Yes, even after a CMK is rotated, the older data keys that were generated using the CMK can still be used to decrypt data.

Should the older keys be deleted after key rotation in AWS KMS?

No, older keys should not be deleted after key rotation because these keys are used to decrypt older data that was encrypted using these keys.

Does AWS KMS support manual rotation of keys?

Yes, AWS KMS supports manual rotation of keys. This can be done by creating a new CMK and mapping the alias from the old CMK to the new CMK.

Is there any cost associated with key rotation in AWS KMS?

No, there is no additional charge for rotating keys in AWS Key Management Service (KMS).

What types of keys does AWS KMS provide?

AWS KMS offers two types of keys: Customer Master Keys (CMKs) that can create, rotate, disable, delete, define usage policies for, and audit the use of the keys, and data keys that AWS KMS generates on your behalf.

Can you enforce mandatory key rotation for all keys in an AWS account?

No, key rotation is not mandatory in AWS KMS and can be enabled or disabled for each key individually.

Is key rotation in AWS KMS immediate?

No, key rotation in AWS KMS is not immediate. It occurs once every year for a given key from the time it was created or last rotated.

Do you need to re-encrypt the existing data after AWS KMS key rotation?

No, existing data does not need to be re-encrypted after key rotation. The old keys are stored to decrypt any data encrypted with them.

How do you enable key rotation in AWS KMS?

To enable key rotation in AWS Key Management Service (KMS), you navigate to the AWS KMS console, select a key, and then choose the “Key Rotation” section in the key details page.

Which AWS services can automatically use rotated keys to encrypt data?

AWS Services like Amazon S3, Amazon EBS, and Amazon Redshift automatically use the new keys generated after key rotation to encrypt data.

Leave a Reply

Your email address will not be published. Required fields are marked *