Why This Cheat Sheet Matters for SCS-C02
This cheat sheet covers the most important KMS and encryption concepts tested on the SCS-C02 (AWS Certified Security Specialty) exam. It contains 4 sections with 16 key points to memorize before exam day: customer master keys (CMKs, now called KMS keys), key policies, grants, envelope encryption, key rotation, multi-Region keys, cross-account key sharing, and encryption context. Use it as a quick-reference guide during your final review sessions.
Key Types
- Symmetric (AES-256-GCM): the default, and what almost every integrated service uses. The key material never leaves KMS, so every encrypt and decrypt is an API call
- Asymmetric (RSA or ECC): RSA keys do encrypt/decrypt or sign/verify, ECC keys sign/verify only. The public key can be downloaded and used outside AWS; the private key stays in KMS
- HMAC: generate and verify message authentication codes (GenerateMac/VerifyMac); these keys cannot encrypt or sign
- Multi-Region: a primary key and its replicas share key material and key ID, so ciphertext produced in one Region decrypts in another. Each replica is still its own resource with its own key policy and rotation/deletion state
Key Policy + Grants
- Every KMS key has exactly one key policy (resource-based), and it is the source of authority: an IAM policy grants access only if the key policy allows IAM policies to do so. Cross-account use needs both, the key policy allowing the other account and that account's own IAM policies granting its principals the kms: actions on the key ARN
- Default key policy: a single statement giving the account's root principal (arn:aws:iam::<account-id>:root) kms:* on the key. That statement is what turns IAM policies on; remove it and no IAM policy in the account can reach the key
- Grants: scoped, revocable permissions (Encrypt, Decrypt, GenerateDataKey, and so on) created with CreateGrant and used heavily by AWS services that encrypt on your behalf. They let a principal use the key without editing the key policy and can be constrained to a specific encryption context
- Grant tokens: a new grant is eventually consistent and can take a few minutes to be visible everywhere. To use it immediately, pass the grant token returned by CreateGrant in the next request
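An added example of a key policy that puts the points above together (it is not from the cheat sheet, and the account IDs 111122223333 and 444455556666 are placeholders). The first statement is the one the default key policy contains and is what delegates to IAM in the key-owning account. The second shares the key with a partner account, whose own IAM policies must still grant these actions on this key's ARN before any of its principals can use it. The third lets the partner account create grants only on behalf of AWS services (kms:GrantIsForAWSResource), so an S3 bucket or EBS volume in that account can use the key without anyone editing this policy again:

```json
{
  "Version": "2012-10-17",
  "Id": "example-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key from the partner account",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the partner account to create grants only for AWS services",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
    }
  ]
}
```

Two things to check before applying a policy like this: `Resource` is always `"*"` in a key policy because it can only ever refer to the key it is attached to, and deleting the first statement is the classic way to lock the whole account out of a key, since nothing in IAM can restore access afterwards.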
Envelope Encryption
- GenerateDataKey returns two copies of a fresh data key: plaintext and encrypted under the KMS key (GenerateDataKeyWithoutPlaintext returns only the encrypted copy, for components that store data keys but never decrypt)
- Encrypt the data locally with the plaintext data key, then discard it. The data itself never goes to KMS, which matters because the Encrypt API accepts at most 4 KB of plaintext
- Store the encrypted data key alongside the ciphertext; without the KMS key it is opaque bytes
- Decrypt: call KMS Decrypt on the encrypted data key (KMS reads the key ID from the ciphertext, but you must supply the same encryption context), then decrypt the data locally with the returned plaintext key
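The four steps above, plus the encryption context the cheat sheet lists, as an added example that is not from the cheat sheet or from AWS. `FakeKMS`, `seal`, `open`, `EncryptEnvelope` and `DecryptEnvelope` are names assumed here; the stand-in service wraps data keys with AES-GCM and binds the encryption context as additional authenticated data, which is a simulation of the behaviour (a context mismatch fails the Decrypt call) rather than the KMS wire format. The master key would live inside KMS in real life and is generated locally only so the example runs offline; the sample plaintext and context are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// aead builds an AES-256-GCM cipher for a 32-byte key.
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext and binds aad (additional authenticated data) to it: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the key, ciphertext, tag or aad differ from what was sealed.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext: %v", err)
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// FakeKMS stands in for KMS (an assumption of this example, not the AWS API): it holds key material that never leaves it.
type FakeKMS struct{ masterKey []byte }

// GenerateDataKey returns a fresh 256-bit data key in plaintext and wrapped under the KMS key. The encryption
// context is bound to the wrapped key as AAD (encoding/json sorts map keys, so the encoding is deterministic).
func (k *FakeKMS) GenerateDataKey(ctx map[string]string) (plaintext, wrapped []byte, err error) {
	plaintext = make([]byte, 32)
	if _, err = rand.Read(plaintext); err != nil {
		return nil, nil, err
	}
	aad, _ := json.Marshal(ctx)
	wrapped, err = seal(k.masterKey, plaintext, aad)
	return plaintext, wrapped, err
}

// Decrypt unwraps a data key; the context must match exactly what GenerateDataKey was given.
func (k *FakeKMS) Decrypt(wrapped []byte, ctx map[string]string) ([]byte, error) {
	aad, _ := json.Marshal(ctx)
	return open(k.masterKey, wrapped, aad)
}

// Envelope is what the application persists; the context is stored in the clear (it is not a secret).
type Envelope struct {
	EncryptedDataKey []byte
	Ciphertext       []byte
	Context          map[string]string
}

// EncryptEnvelope: GenerateDataKey, encrypt locally with the plaintext key, then discard that key.
func EncryptEnvelope(kms *FakeKMS, data []byte, ctx map[string]string) (Envelope, error) {
	dk, wrapped, err := kms.GenerateDataKey(ctx)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dk, data, nil)
	copy(dk, make([]byte, len(dk))) // discard the plaintext data key: only the wrapped copy is persisted
	return Envelope{EncryptedDataKey: wrapped, Ciphertext: ct, Context: ctx}, err
}

// DecryptEnvelope: KMS unwraps the data key, then the data is decrypted locally.
func DecryptEnvelope(kms *FakeKMS, env Envelope, ctx map[string]string) ([]byte, error) {
	dk, err := kms.Decrypt(env.EncryptedDataKey, ctx)
	if err != nil {
		return nil, fmt.Errorf("KMS refused to unwrap the data key: %w", err)
	}
	return open(dk, env.Ciphertext, nil)
}

func main() {
	masterKey := make([]byte, 32) // real KMS key material never leaves the service; this is a local stand-in
	rand.Read(masterKey)
	kms := &FakeKMS{masterKey: masterKey}
	ctx := map[string]string{"tenant": "acme", "purpose": "invoices"} // constructed sample context
	env, _ := EncryptEnvelope(kms, []byte("Q3 invoice total: 42,000"), ctx)
	pt, err := DecryptEnvelope(kms, env, ctx)
	_, badErr := DecryptEnvelope(kms, env, map[string]string{"tenant": "mallory"})
	fmt.Printf("right context: %q (%v); wrong context: %v\n", pt, err, badErr)
}
```

Run it with `go run`: the first decrypt succeeds and the second fails, because the context is part of what the KMS-side authentication covers, not a separate lookup. Note that the plaintext data key only ever exists inside `EncryptEnvelope` and `DecryptEnvelope`; the overwrite in `EncryptEnvelope` is best effort in a garbage-collected language, which is why the real point is that nothing outside those functions ever holds the key.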
Key Rotation & Management
- Automatic rotation: opt-in per key, and only for symmetric keys with KMS-generated material; the default period is one year (custom periods are supported). The key ID, ARN and aliases stay the same and old material is retained, so existing ciphertext still decrypts and nothing has to be re-encrypted
- Manual rotation: create a new key and repoint the alias. Ciphertext under the old key still needs the old key, so keep it enabled or re-encrypt. KMS also offers on-demand rotation, which rotates a symmetric key's material immediately without changing the key ID; asymmetric and HMAC keys can only be rotated manually
- Imported key material and keys in custom key stores: no automatic rotation; rotate manually
- Deletion: ScheduleKeyDeletion sets a waiting period of 7 to 30 days (default 30) during which the key is unusable and the deletion can be cancelled. Once it expires, the key and everything encrypted under it are unrecoverable, so prefer disabling the key (reversible) unless you are certain