Practice Test

True/False: It is impossible to manage and protect encryption keys on the AWS platform.

  • True
  • False

Answer: False

Explanation: AWS provides a variety of tools, such as AWS Key Management Service (KMS), to create, manage and protect encryption keys.

Multiple Select: Which AWS services can be used to manage encryption keys?

  • A) AWS IAM
  • B) AWS Storage Gateway
  • C) AWS KMS

Selected Answer: A) AWS IAM, C) AWS KMS

Explanation: AWS Identity and Access Management (IAM) and Key Management Service (KMS) are services specifically designed to create, manage, and protect encryption keys.

Single Select: What AWS service is primarily used for key rotation?

  • A) AWS S3
  • B) AWS Lambda
  • C) AWS KMS

Selected Answer: C) AWS KMS

Explanation: AWS Key Management Service (KMS) provides options to automate key rotation.

True/False: Using AWS KMS, you can create and manage symmetric and asymmetric encryption keys.

  • True
  • False

Answer: True

Explanation: AWS KMS allows for the creation and management of both symmetric and asymmetric encryption keys.

Multiple Select: Which of the following are benefits of using AWS KMS?

  • A) Centralized control over cryptographic keys
  • B) Integrated with AWS services
  • C) Not integrated with AWS CloudTrail

Selected Answer: A) Centralized control over cryptographic keys, B) Integrated with AWS services

Explanation: AWS KMS provides centralized control and is integrated with other AWS services but also integrated with AWS CloudTrail for auditing.

True/False: Once you delete a CMK (customer master key) in AWS KMS, it is immediately and permanently deleted.

  • True
  • False

Answer: False

Explanation: When you schedule a CMK for deletion, it is first moved to a waiting period before the key is finally deleted.

Single Select: Which AWS service provides automatic encryption key rotation every three years?

  • A) AWS IAM
  • B) AWS KMS
  • C) AWS CloudTrail

Selected Answer: B) AWS KMS

Explanation: AWS KMS provides automatic key rotation every three years.

Multiple Select: What are the two types of encryption keys in AWS KMS?

  • A) Symmetric keys
  • B) Asymmetric keys
  • C) Biometric keys

Selected Answer: A) Symmetric keys, B) Asymmetric keys

Explanation: AWS KMS provides support for Symmetric and Asymmetric encryption keys.

Single Select: Can you control access to your AWS KMS keys?

  • A) Yes
  • B) No

Selected Answer: A) Yes

Explanation: You can create IAM policies to control who can use and manage your keys.

True/False: The AWS service, Amazon S3, automatically encrypts data at rest.

  • True
  • False

Answer: True

Explanation: Amazon S3 automatically encrypts all data at rest by default.

Multiple Select: Which of the following AWS services is used for creating, managing, and controlling access to SSH keys?

  • A) AWS IAM
  • B) AWS EC2
  • C) AWS S3

Selected Answer: A) AWS IAM, B) AWS EC2

Explanation: AWS Identity and Access Management (IAM) and Amazon EC2 can be used to manage SSH encryption keys.

True/False: AWS automatically backs up all the encryption keys for you.

  • True
  • False

Answer: False

Explanation: While AWS manages the high-availability and physical security of your keys, it does not provide built-in backups of your keys.

Single Select: Which of the following services is not integrated with AWS KMS?

  • A) AWS Lambda
  • B) AWS S3
  • C) None of the Above

Selected Answer: C) None of the Above

Explanation: AWS KMS is integrated with AWS Lambda, AWS S3, and many other AWS services.

True/False: Key rotation in AWS KMS is enabled by default.

  • True
  • False

Answer: False

Explanation: Key rotation is not enabled by default in AWS KMS. It has to be enabled manually.

Single Select: In AWS, who is responsible for managing customer-created encryption keys?

  • A) AWS
  • B) The customer

Selected Answer: B) The customer

Explanation: As part of the AWS shared responsibility model, customers are responsible for managing encryption keys they’ve created.

Interview Questions

What is the purpose of AWS Key Management Service (KMS)?

AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data.

What is a Customer Master Key (CMK) in the context of AWS KMS?

A CMK is the fundamental building block of AWS KMS. CMK is a logical key that represents a master key in AWS KMS.

How can you protect your CMKs in AWS KMS?

AWS KMS provides various security controls for CMKs such as key policies, grants, or AWS Identity and Access Management (IAM) policies to help protect your keys.

Can an AWS KMS CMK be shared between AWS accounts?

Yes, a CMK can be shared with other AWS accounts via AWS KMS key policy by allowing the AWS account as a user of the key.

What is the relevance of the KeySpec parameter in GenerateDataKey operation in AWS KMS?

The KeySpec parameter defines the length of the data encryption key that is generated by AWS. This key is used to encrypt data locally on your system.

How many CMKs can you create in a single AWS account?

By default, AWS allows up to 3000 customer managed CMKs per AWS account per region.

How is encryption at rest achieved in AWS?

Encryption at rest in AWS can be achieved by enabling automatic encryption for your storage and database services using keys managed in AWS KMS.

How often are the underlying keys in AWS Key Management Service (KMS) rotated?

The underlying cryptographic key material for CMKs is automatically rotated every three years.

What is Envelope Encryption in AWS KMS?

Envelope Encryption is an AWS KMS feature where you use a CMK to generate a data key. You then use this data key to encrypt the data. The data key is then encrypted with the CMK and stored with the encrypted data.

How can you audit usage of your encryption keys in AWS KMS?

All use of your keys under AWS Key Management Service is logged in AWS CloudTrail, including API calls.

Can you import your own key material into AWS KMS?

Yes, AWS KMS supports the ability to import your own key material, giving you a choice in key management controls.

How can access to use CMKs be restricted?

Access to use CMKs can be restricted by the Key policy and AWS Identity and Access Management (IAM) policies.

What happens when a CMK is deleted in AWS KMS?

When a CMK is deleted, it remains in a deleted state for 30 days. During that time, the CMK cannot be used but it can be restored. After the 30-day waiting period, the key is removed from AWS KMS and cannot be restored.

Can you control who can manage key policies, grants, and tags on your AWS KMS keys?

Yes, by using IAM policies, you can control who can manage key policies, grants, and tags on your AWS KMS keys.

What controls does AWS provide to help manage and protect encryption keys?

AWS provides controls such as IAM policies, Key Policies, grants, and tags to help manage and protect encryption keys.

Leave a Reply

Your email address will not be published. Required fields are marked *