About This Flashcard Deck
This flashcard deck contains 10 cards covering key Encryption & Data Protection concepts for the SCS-C02 exam. Test your knowledge of KMS, envelope encryption, S3 encryption, Secrets Manager, and key management. Use active recall by attempting to answer each question before revealing the answer. Research shows that flashcard-based active recall is one of the most effective study techniques for certification exams.
All Encryption & Data Protection Flashcards
Q: What is the difference between KMS key policy and IAM policy?
A: Key policy is required and is the primary access control for a CMK. IAM policies can only grant access if the key policy allows the account (default key policy does this).
Q: What is a KMS grant?
A: A temporary permission to use a CMK without modifying the key policy. Used by AWS services (EBS, RDS) to encrypt/decrypt on your behalf. Revocable.
Q: When should you use SSE-KMS with S3 bucket keys?
A: When you have high request volume. Bucket key reduces KMS API calls (and cost) by generating a short-lived key per bucket instead of per-object.
Q: What is the difference between SSE-KMS and SSE-C?
A: SSE-KMS: AWS manages the key in KMS, with an audit trail in CloudTrail. SSE-C: the customer provides the key with each request; AWS uses it to encrypt/decrypt but does not store it.
Q: How does Secrets Manager rotation work?
A: Lambda creates new credential (createSecret), sets in target (setSecret), tests (testSecret), then promotes to current (finishSecret). Versioning: AWSCURRENT/AWSPREVIOUS/AWSPENDING.
Q: What is CloudHSM vs KMS?
A: CloudHSM: dedicated HSM, you manage keys entirely, FIPS 140-2 Level 3. KMS: shared multi-tenant, AWS manages HSMs, FIPS 140-2 Level 2 (or Level 3 with custom key store).
Q: What is a KMS custom key store?
A: Links KMS to your CloudHSM cluster. CMK operations happen in your dedicated HSMs. Gives KMS convenience with CloudHSM control. FIPS 140-2 Level 3.
Q: What is encryption context in KMS?
A: Key-value pairs included in encryption/decryption calls. Must match to decrypt. Logged in CloudTrail. Adds authentication layer (non-secret metadata).
Q: What is S3 Object Lock compliance mode vs governance mode?
A: Compliance: nobody (including root) can delete/overwrite until retention expires. Governance: users with s3:BypassGovernanceRetention can override.
Q: How do you encrypt existing unencrypted S3 objects?
A: Use S3 Batch Operations to copy objects in-place with encryption settings. Or set default encryption and re-upload. Cannot retroactively encrypt in-place without copy.