📋 KMS & Encryption Cheat Sheet

Quick-reference for KMS key types, key policies, grants, envelope encryption, rotation, and cross-account key management.

Key Types

  • Symmetric (AES-256): default, most services use this
  • Asymmetric (RSA/ECC): sign/verify, or encrypt outside AWS using the public key
  • HMAC: generate and verify message authentication codes
  • Multi-Region: replica keys share the same key material, so data encrypted in one Region can be decrypted in another

Key Policy + Grants

  • Key policy is required (resource-based) — IAM policies alone are insufficient
  • Default key policy: gives the account root user full access, which in turn lets IAM policies in that account grant use of the key
  • Grants: temporary, scoped permissions without changing key policy
  • Grant tokens: pass the token in requests made right after creating a grant, since grants are eventually consistent

Envelope Encryption

  • GenerateDataKey → plaintext + encrypted data key
  • Encrypt data with plaintext key, discard plaintext key
  • Store encrypted data key alongside encrypted data
  • Decrypt: send the encrypted data key to KMS Decrypt, then use the returned plaintext data key to decrypt the data
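The four steps above as runnable code, added here as an example that is not from this cheat sheet or from AWS: FakeKms is a constructed stand-in that mimics the call and response shape of boto3's generate_data_key/decrypt so the flow runs offline, and the HMAC-based _seal/_open functions stand in for AES-256-GCM (with real AWS you would pass boto3.client("kms") and use an AES-GCM library instead). The alias name, the encryption context and the sample data are assumptions; the point to notice is that the wrapped data key stored in the envelope is bound to the encryption context, so a decrypt under a different context fails.

```python
import hashlib, hmac, json, secrets

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode; stand-in for AES, not what KMS uses
    blocks = [hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]

def _seal(key, plaintext):  # encrypt-then-MAC; the tag binds nonce and ciphertext to the key
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def _open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")  # real KMS raises InvalidCiphertextException here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class FakeKms:
    """Constructed stand-in for boto3's KMS client with the same call and response
    shape for generate_data_key/decrypt, so the flow runs offline (assumption)."""
    def __init__(self):
        self._keys = {"alias/app-key": secrets.token_bytes(32)}  # key material never leaves "KMS"
    def _wrapping_key(self, key_id, ctx):
        # the wrapped data key is bound to the KMS key AND to the encryption context
        ctx_bytes = json.dumps(ctx or {}, sort_keys=True).encode()
        return hmac.new(self._keys[key_id], ctx_bytes, hashlib.sha256).digest()
    def generate_data_key(self, KeyId, KeySpec="AES_256", EncryptionContext=None):
        plaintext = secrets.token_bytes(32)  # the one-time data key, returned in both forms
        blob = json.dumps({"KeyId": KeyId}).encode() + b"\n" + _seal(self._wrapping_key(KeyId, EncryptionContext), plaintext)
        return {"Plaintext": plaintext, "CiphertextBlob": blob, "KeyId": KeyId}
    def decrypt(self, CiphertextBlob, EncryptionContext=None):
        header, sealed = CiphertextBlob.split(b"\n", 1)
        key_id = json.loads(header)["KeyId"]  # KMS reads the key id from the blob itself
        return {"Plaintext": _open(self._wrapping_key(key_id, EncryptionContext), sealed), "KeyId": key_id}

def envelope_encrypt(kms, key_id, data, context):
    resp = kms.generate_data_key(KeyId=key_id, KeySpec="AES_256", EncryptionContext=context)
    ct = _seal(resp["Plaintext"], data)  # production code: AES-256-GCM under the plaintext data key
    del resp["Plaintext"]                # discard the plaintext data key; only the wrapped copy is kept
    return {"edk": resp["CiphertextBlob"], "ct": ct, "ctx": context}  # wrapped key travels with the data

def envelope_decrypt(kms, envelope):
    # KMS unwraps the data key (enforcing key policy/grants and the context); the data is decrypted locally
    data_key = kms.decrypt(CiphertextBlob=envelope["edk"], EncryptionContext=envelope["ctx"])["Plaintext"]
    return _open(data_key, envelope["ct"])
```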

Key Rotation & Management

  • Automatic rotation: every year for symmetric CMKs (opt-in)
  • On-demand rotation: create a new key and re-encrypt the data under it (manual)
  • Imported keys: no automatic rotation (manual only)
  • Deletion: 7–30 day waiting period, cannot be undone

More SCS-C02 Cheat Sheets