🃏 Encryption & Data Protection Flashcards

Test your knowledge of KMS, envelope encryption, S3 encryption, Secrets Manager, and key management.


All Encryption & Data Protection Flashcards

1

Q: What is the difference between KMS key policy and IAM policy?

A: Every KMS key has exactly one key policy, and it is the primary access control: no IAM policy can grant access to the key unless the key policy permits it. The default key policy contains a single statement that allows the key's own account root principal kms:*; that statement is what delegates control to IAM policies in the account, and removing it makes IAM policies ineffective for that key (and can lock you out of it). Cross-account use needs both sides: the key policy must allow the external account or principal, and an IAM policy in that account must allow the principal to use the key.
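
As an added illustration (not part of the flashcard deck), the Python below models the decision described in this card. The policy dict is the single-statement default that AWS attaches when a key is created through the API or CLI without a policy; the account ids and role names are constructed, and kms_allows is a deliberately simplified evaluator (no conditions, no "*" principals, no SCPs or permissions boundaries) written to show when an IAM allow matters and when it cannot help.

```python
import fnmatch

# Constructed account ids in the style AWS documentation uses for examples.
KEY_ACCOUNT = "111122223333"
OTHER_ACCOUNT = "444455556666"

# The one statement AWS writes into the key policy when a key is created through the
# API or CLI without an explicit policy. Granting kms:* to the account root principal
# is exactly what lets IAM policies in that account control the key.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{KEY_ACCOUNT}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(arn):
    return arn.split(":")[4]          # arn:partition:service:region:account-id:resource


def kms_allows(key_policy, key_account, principal_arn, action, iam_allows):
    """Simplified model of KMS authorization (no conditions, no "*" principals,
    no SCPs or permissions boundaries). `iam_allows` says whether an identity-based
    IAM policy on the principal allows `action`; the model shows when that matters."""
    principal_account = account_of(principal_arn)
    account_root = f"arn:aws:iam::{principal_account}:root"
    named_directly = delegated_to_account = False

    for stmt in key_policy["Statement"]:
        if not any(fnmatch.fnmatch(action, a) for a in _as_list(stmt["Action"])):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        hits_name, hits_root = principal_arn in principals, account_root in principals
        if not (hits_name or hits_root):
            continue
        if stmt["Effect"] == "Deny":      # an explicit deny in the key policy is final
            return False
        named_directly |= hits_name
        delegated_to_account |= hits_root

    if not (named_directly or delegated_to_account):
        return False                      # key policy is silent: no IAM policy can help

    if principal_account == key_account and named_directly:
        return True                       # named in the key policy: no IAM policy needed

    # Delegation to the account root (the default policy) and any cross-account
    # access also need an IAM policy on the caller's side.
    return iam_allows
```

The cases worth checking against this model: a same-account role with an IAM allow succeeds only while the "Enable IAM User Permissions" statement is present; a role named directly in the key policy needs no IAM policy at all; and a principal in another account gets nothing from the default policy, and even once the key policy allows that account it still needs an IAM allow on its own side.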

2

Q: What is a KMS grant?

A: A grant is a policy instrument that lets a principal use a KMS key for a listed subset of operations (cryptographic operations plus a few others such as DescribeKey, CreateGrant and RetireGrant, never key administration) without editing the key policy. Grants are meant for temporary or programmatic permissions but have no expiry: a grant lasts until it is retired (by the grantee or a named retiring principal) or revoked by someone with kms:RevokeGrant. AWS services such as EBS and RDS create grants on your key so they can encrypt and decrypt on your behalf. Grant constraints can require a specific encryption context, and a freshly created grant may not be usable immediately unless the returned grant token is passed with the request.

3

Q: When should you use SSE-KMS with S3 bucket keys?

A: When a bucket encrypted with SSE-KMS has high request volume. With an S3 Bucket Key, S3 asks KMS for a single bucket-level key and derives the per-object data keys from it locally for a short period, so most PUTs and GETs need no KMS request at all (AWS quotes up to 99% fewer KMS requests, which means lower cost and less chance of KMS throttling). Caveats: it applies only to SSE-KMS (SSE-S3 and SSE-C never call KMS); enabling it affects only objects written afterwards, existing objects keep their per-object keys; and because the bucket-level key is what KMS sees, CloudTrail records the bucket ARN rather than the object ARN in the encryption context, so per-object audit detail is lost.

4

Q: What is the difference between SSE-KMS and SSE-C?

A: SSE-KMS: S3 protects each object with a data key wrapped by a KMS key (the AWS-managed aws/s3 key or a customer-managed key); every use is subject to the key policy and is logged in CloudTrail. SSE-C: you supply the AES-256 key (and its MD5) in headers on every PUT and GET, over HTTPS only; S3 encrypts or decrypts with it and then discards it, keeping only a salted HMAC of the key to validate later requests. With SSE-C there is no CloudTrail record of key use, S3 cannot list, rotate or recover the key for you, and losing the key makes the object unrecoverable.

5

Q: How does Secrets Manager rotation work?

A: Secrets Manager invokes the rotation Lambda four times with the same ClientRequestToken (the id of the new version) and a Step of createSecret, setSecret, testSecret, then finishSecret. createSecret generates the new credential and stores it as a version labelled AWSPENDING, first checking whether that version already exists so a retry does not mint a second password; setSecret writes the credential to the target (database, API, etc.) using the still-valid AWSCURRENT credential; testSecret verifies that the new credential works; finishSecret moves the AWSCURRENT label to the new version, which demotes the old version to AWSPREVIOUS, after which the service removes AWSPENDING. Every step must be safe to retry, and clients reading AWSCURRENT are unaffected until finishSecret completes.
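
The four-step protocol as an added, offline-runnable example rather than code from the page or from AWS: the handler follows the structure of the AWS-provided rotation templates, but FakeSecretsManager (which emulates the handful of boto3 calls involved, including the service pre-staging the new version id as AWSPENDING and dropping that label afterwards) and the FakeDatabase target are constructed stand-ins, and the secret is assumed to be a JSON body with username and password fields.

```python
import json, secrets, string


class ResourceNotFoundException(Exception):
    pass  # stand-in for boto3's client.exceptions.ResourceNotFoundException


class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager calls a rotation function makes.
    versions: version id -> {"value": str or None, "stages": set of staging labels}."""
    def __init__(self, current_value):
        self.versions = {"v-initial": {"value": current_value, "stages": {"AWSCURRENT"}}}
    def begin_rotation(self, token):   # the service stages the new version id as AWSPENDING,
        self.versions[token] = {"value": None, "stages": {"AWSPENDING"}}  # with no value yet
    def end_rotation(self, token):     # and drops AWSPENDING once finishSecret has returned
        self.versions[token]["stages"].discard("AWSPENDING")
    def describe_secret(self, SecretId):
        return {"RotationEnabled": True,
                "VersionIdsToStages": {v: sorted(d["stages"]) for v, d in self.versions.items()}}
    def get_secret_value(self, SecretId, VersionId=None, VersionStage=None):
        for vid, d in self.versions.items():
            if (VersionId in (None, vid) and (VersionStage is None or VersionStage in d["stages"])
                    and d["value"] is not None):
                return {"SecretString": d["value"], "VersionId": vid}
        raise ResourceNotFoundException(SecretId)
    def put_secret_value(self, SecretId, ClientRequestToken, SecretString, VersionStages):
        d = self.versions.setdefault(ClientRequestToken, {"value": None, "stages": set()})
        d["value"], d["stages"] = SecretString, d["stages"] | set(VersionStages)
    def update_secret_version_stage(self, SecretId, VersionStage, MoveToVersionId, RemoveFromVersionId=None):
        if RemoveFromVersionId:
            self.versions[RemoveFromVersionId]["stages"].discard(VersionStage)
            if VersionStage == "AWSCURRENT":   # the old current version becomes AWSPREVIOUS
                for d in self.versions.values():
                    d["stages"].discard("AWSPREVIOUS")
                self.versions[RemoveFromVersionId]["stages"].add("AWSPREVIOUS")
        self.versions[MoveToVersionId]["stages"].add(VersionStage)


class FakeDatabase:
    """Constructed target: one user table; a password change needs the old password."""
    def __init__(self, user, password):
        self.passwords = {user: password}
    def login(self, user, password):
        return self.passwords.get(user) == password
    def set_password(self, user, old_password, new_password):
        if not self.login(user, old_password):
            raise PermissionError("current password rejected")
        self.passwords[user] = new_password


def load(client, arn, **selector):
    """Fetch one version (VersionStage=/VersionId= selectors) and parse its JSON body."""
    return json.loads(client.get_secret_value(SecretId=arn, **selector)["SecretString"])


def create_secret(client, db, arn, token):
    try:                                   # idempotent: a retry must not mint a second password
        load(client, arn, VersionId=token, VersionStage="AWSPENDING")
        return "pending exists"
    except ResourceNotFoundException:
        cred = load(client, arn, VersionStage="AWSCURRENT")
        cred["password"] = "".join(secrets.choice(string.ascii_letters + string.digits) for _ in range(32))
        client.put_secret_value(SecretId=arn, ClientRequestToken=token,
                                SecretString=json.dumps(cred), VersionStages=["AWSPENDING"])
        return "pending created"


def set_secret(client, db, arn, token):
    pending = load(client, arn, VersionId=token, VersionStage="AWSPENDING")
    if db.login(pending["username"], pending["password"]):
        return "already set"               # password changed but the step timed out: no-op on retry
    current = load(client, arn, VersionStage="AWSCURRENT")
    db.set_password(pending["username"], current["password"], pending["password"])
    return "set"


def verify_secret(client, db, arn, token):
    pending = load(client, arn, VersionId=token, VersionStage="AWSPENDING")
    if not db.login(pending["username"], pending["password"]):
        raise RuntimeError("new credential rejected; AWSCURRENT stays on the old version")
    return "tested"


def finish_secret(client, db, arn, token):
    stages = client.describe_secret(SecretId=arn)["VersionIdsToStages"]
    current_id = next(v for v, s in stages.items() if "AWSCURRENT" in s)
    client.update_secret_version_stage(SecretId=arn, VersionStage="AWSCURRENT",
                                       MoveToVersionId=token, RemoveFromVersionId=current_id)
    return "finished"


STEPS = {"createSecret": create_secret, "setSecret": set_secret,
         "testSecret": verify_secret, "finishSecret": finish_secret}


def lambda_handler(event, context, client, db):
    """Same shape as the AWS rotation templates; client and db are injected to run offline."""
    arn, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]
    meta = client.describe_secret(SecretId=arn)
    if not meta["RotationEnabled"]:
        raise ValueError(f"rotation is disabled for {arn}")
    stages = meta["VersionIdsToStages"].get(token)
    if stages is None:
        raise ValueError(f"version {token} does not exist on {arn}")
    if "AWSCURRENT" in stages:
        return "already current"           # a retry after completion is a no-op
    if "AWSPENDING" not in stages:
        raise ValueError(f"version {token} is not staged AWSPENDING")
    return STEPS[step](client, db, arn, token)


def rotate(client, db, arn, token):
    """Drive the four invocations the way Secrets Manager does; return the stage map."""
    client.begin_rotation(token)
    for step in STEPS:
        lambda_handler({"SecretId": arn, "ClientRequestToken": token, "Step": step}, None, client, db)
    client.end_rotation(token)
    return client.describe_secret(SecretId=arn)["VersionIdsToStages"]
```

Running rotate twice on the same secret shows the label movement the card describes: after the first rotation the new version is AWSCURRENT and the original is AWSPREVIOUS; after the second, AWSPREVIOUS moves to the first rotated version and the original is left unlabelled (in the real service such versions are eventually deprecated). Invoking the handler again with a token that is already AWSCURRENT, or calling createSecret twice for the same token, returns without changing anything, which is the retry safety the service relies on.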

6

Q: What is CloudHSM vs KMS?

A: CloudHSM: single-tenant HSMs in your VPC, validated at FIPS 140-2 Level 3; you own and manage the keys, HSM users, backups and client software, and AWS has no access to your key material. KMS: multi-tenant managed service on AWS-operated HSMs; AWS runs the hardware, key policies and grants control access, and every use is logged in CloudTrail. Older exam material says KMS is FIPS 140-2 Level 2, but the KMS HSMs have been validated at FIPS 140-2 Level 3 since 2023; a custom key store backed by CloudHSM additionally keeps the key material in your own cluster. Choose CloudHSM for contractual control requirements or direct PKCS#11/JCE/KSP access; choose KMS for anything that integrates with AWS services.

7

Q: What is a KMS custom key store?

A: A custom key store backed by your own CloudHSM cluster: KMS keys created in it have their key material generated, stored and used only in your cluster's HSMs, while callers keep the normal KMS API, key policies, grants and CloudTrail logging. Limits: symmetric encryption keys only; imported key material and AWS-managed keys are not supported; the cluster needs at least two active HSMs in different Availability Zones; and if the cluster is disconnected or unavailable, keys in the store stop working until it reconnects. KMS also offers external key stores (XKS) for key material held outside AWS. FIPS 140-2 Level 3, because the operations run in CloudHSM.

8

Q: What is encryption context in KMS?

A: Non-secret key-value pairs supplied with a symmetric Encrypt, GenerateDataKey or Decrypt call (asymmetric operations do not support it). KMS binds the context to the ciphertext as additional authenticated data, so Decrypt must receive exactly the same pairs or it fails with InvalidCiphertextException. It is written in plaintext to CloudTrail (never put secrets in it), can be required by key policy and grant conditions (kms:EncryptionContext:<key>, kms:EncryptionContextKeys), and ties a ciphertext to its intended use: S3 puts the object ARN in the context and EBS the volume id, so a wrapped key copied elsewhere cannot be unwrapped under a different context.
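
An added example, not from the page, covering this card together with card 3 (bucket keys): envelope encryption with the encryption context bound as additional authenticated data, built only on the Python standard library. KmsKeyStub and BucketKeyStub are constructed stand-ins for a KMS key and an S3 Bucket Key; seal and open_sealed use an HMAC-SHA256 counter-mode construction in place of the AES-GCM the real services use, and the bucket-key derivation (HMAC over the object ARN) is a model, since S3's actual derivation is internal.

```python
import hashlib
import hmac
import json
import os


def _canonical(context):
    # Encryption context is non-secret metadata; both sides must serialize it the same
    # way, so sort the keys (this stands in for KMS's own canonical form).
    return json.dumps(dict(sorted(context.items())), separators=(",", ":")).encode()


def _subkeys(key):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext, context):
    """Authenticated encryption with `context` as additional authenticated data.
    HMAC-SHA256 in counter mode plus an HMAC tag: a stdlib stand-in for the AES-GCM
    that KMS and the AWS Encryption SDK actually use."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    aad = _canonical(context)
    tag = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob, context):
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    aad = _canonical(context)
    expected = hmac.new(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong key, wrong context, or tampering
        raise ValueError("InvalidCiphertext: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KmsKeyStub:
    """Constructed stand-in for one symmetric KMS key. The master key never leaves the
    object; callers get a plaintext data key plus its wrapped form, as with
    GenerateDataKey/Decrypt, and every call is counted."""
    def __init__(self):
        self._master = os.urandom(32)
        self.calls = 0
    def generate_data_key(self, context):
        self.calls += 1
        data_key = os.urandom(32)
        return data_key, seal(self._master, data_key, context)
    def decrypt(self, wrapped, context):
        self.calls += 1
        return open_sealed(self._master, wrapped, context)


def envelope_encrypt(kms, plaintext, context):
    data_key, wrapped = kms.generate_data_key(context)
    # The payload is encrypted locally with the data key; KMS never sees the data.
    # Binding the context to the payload as well is what the AWS Encryption SDK does.
    return {"wrapped_key": wrapped, "ciphertext": seal(data_key, plaintext, context)}


def envelope_decrypt(kms, record, context):
    data_key = kms.decrypt(record["wrapped_key"], context)   # KMS rejects a different context
    return open_sealed(data_key, record["ciphertext"], context)


def rejected(kms, record, context):
    """True if decrypting `record` under `context` is refused (tag mismatch)."""
    try:
        envelope_decrypt(kms, record, context)
        return False
    except ValueError:
        return True


class BucketKeyStub:
    """Model of an S3 Bucket Key: one GenerateDataKey call yields a bucket-level key and
    per-object keys are derived locally, so object writes stop calling KMS. (S3's real
    derivation is internal; HMAC over the object ARN is a constructed stand-in.)"""
    def __init__(self, kms, bucket_arn):
        self.bucket_key, self.wrapped_bucket_key = kms.generate_data_key({"aws:s3:arn": bucket_arn})
    def object_key(self, object_arn):
        return hmac.new(self.bucket_key, object_arn.encode(), hashlib.sha256).digest()
```

Decrypting with any other context, including an empty one, fails at the wrapped-key step before the payload is touched, which is the behaviour the card describes; the same tag check also catches a flipped ciphertext byte. With the bucket-key model, encrypting fifty objects costs a single call on the KMS stub instead of fifty, and the CloudTrail entry for that call would carry the bucket ARN, not an object ARN.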

9

Q: What is S3 Object Lock compliance mode vs governance mode?

A: Both are WORM retention modes on object versions in a versioned bucket. Compliance: no one, including the account root user, can delete or overwrite a locked version until its retain-until date passes, and the retention period can be extended but never shortened. Governance: most users are blocked as well, but a principal with s3:BypassGovernanceRetention who also sends the x-amz-bypass-governance-retention:true header can shorten or remove the retention and delete the version. A legal hold is separate from both modes, has no expiry, and stays until removed with s3:PutObjectLegalHold.

10

Q: How do you encrypt existing unencrypted S3 objects?

A: S3 cannot change the encryption of an existing object in place; the object must be rewritten. For a few objects, copy each onto itself (same bucket and key) with the desired SSE-S3 or SSE-KMS setting; for many, run an S3 Batch Operations Copy job from a manifest, typically built from an S3 Inventory report that includes the encryption status field. Batch Copy handles objects up to 5 GB; larger ones need a multipart copy, e.g. a Batch Operations job that invokes a Lambda function. Setting default bucket encryption only affects new writes (and since January 2023 every new object is SSE-S3 encrypted anyway), so in practice the task is moving unencrypted or SSE-S3 objects to SSE-KMS.

More SCS-C02 Flashcard Decks