AWS SCS-C01
Domain 5

AWS Certificate Manager (ACM)

  • ACM does not copy certificates across AWS Regions.

  • To use a certificate with ELB in a different Region, you must request a new certificate for each Region in which you plan to use it.

  • To use an ACM certificate with CloudFront, you must request the certificate in the US East (N. Virginia) region and certificates in this region are distributed to all the geographic locations.

  • You cannot copy ACM-managed certificates between regions at this time.

  • DNS validation = Validate your ownership of a domain by adding a CNAME record to your DNS configuration.

  • Email validation = An approval request email is sent to the registered domain owner for each domain name in the certificate request.

  • A wildcard domain name matches any first level subdomain or hostname in a domain, e.g. you can use the name *.example.com to protect www.example.com, images.example.com, and any other subdomain that ends with .example.com.

CloudHSM

  • CloudHSM provides hardware security modules in AWS.

  • It protects your keys with exclusive, single-tenant access to tamper-resistant HSM instances in your own VPC.

  • A cluster is a collection of individual HSMs that CloudHSM keeps in sync.

  • AWS recommends a minimum of two HSMs in each cluster, with each HSM in a different Availability Zone within an AWS Region, for high availability.

DynamoDB Encryption Client

  • It is a software library that helps you to protect your table data before you send it to DynamoDB.

CloudTrail Encryption

  • By default, the log files delivered by CloudTrail to your bucket are encrypted by AWS server-side encryption with S3-managed encryption keys (SSE-S3).

  • To provide a security layer that is directly manageable, you can instead use server-side encryption with KMS-managed keys (SSE-KMS) for your CloudTrail log files.

Key Management Service (KMS)

  • KMS lets you control customer master keys (CMKs), the encryption keys used to encrypt your data.

  • All KMS cryptographic operations with symmetric CMKs accept an encryption context (AAD), an optional set of key-value pairs that can contain additional contextual information about the data.

  • Keys are only stored and used in the region in which they were created and cannot be transferred to another region.

  • A grant is a policy instrument that gives AWS principals temporary permission to use KMS CMKs in cryptographic operations.

  • In the key policy, the principal that enables IAM permissions is the account root ARN, not an individual IAM user's ARN, even though it is IAM users and roles that end up using the key.
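The following KMS key policy ties together three of the points above: the account root ARN as the principal that enables IAM permissions, an encryption context condition, and CloudTrail writing SSE-KMS encrypted log files. It is an added example, not part of the original notes; the account ID 111122223333 and the policy Id are placeholders.

```json
{
  "Version": "2012-10-17",
  "Id": "cloudtrail-log-key-policy-example",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to encrypt logs",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:GenerateDataKey*",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"
        }
      }
    },
    {
      "Sid": "Allow CloudTrail to describe key",
      "Effect": "Allow",
      "Principal": { "Service": "cloudtrail.amazonaws.com" },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow principals in the account to decrypt log files",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": [ "kms:Decrypt", "kms:ReEncryptFrom" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:CallerAccount": "111122223333" },
        "StringLike": {
          "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"
        }
      }
    }
  ]
}
```

The encryption context conditions mean CloudTrail can only generate data keys for, and callers can only decrypt, log files tagged with a trail ARN in this account; without the first statement naming the account root, no IAM policy in the account could grant access to this CMK at all.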

Key Rotation

  • Key rotation changes only the CMK's backing key, which is the cryptographic material that is used in encryption operations; the CMK is the same logical resource, regardless of whether or how many times its backing key changes.

  • Automatic key rotation is disabled by default on customer managed CMKs.

| Type of CMK          | Can manage CMK? | Used only for one AWS account? | Automatic rotation?                     |
|----------------------|-----------------|--------------------------------|-----------------------------------------|
| Customer managed CMK | Yes             | Yes                            | Optional. Every 365 days (1 year).      |
| AWS managed CMK      | No              | Yes                            | Required. Every 1095 days (3 years).    |
| AWS owned CMK        | No              | No                             | Varies                                  |

  • Manual key rotation is a good solution for CMKs that are not eligible for automatic key rotation, such as asymmetric CMKs, CMKs with imported key material and CMKs in custom key stores, and for when you want to control the rotation frequency.

How to import key material in KMS

  1. Create a symmetric CMK with no key material whose origin is EXTERNAL.

  2. Download the public key and import token - These items protect the import of your key material to KMS. The import token contains metadata to ensure that your key material is imported correctly.

  3. Encrypt the key material - Use the public key that you downloaded in step 2 to encrypt the key material that you created on your own system.

  4. Import the key material - Upload the encrypted key material and the import token.

  5. KMS records an entry in your CloudTrail log when you create the CMK or do anything else with it.

How deleting CMKs affects EBS Volumes

  1. You create an encrypted EBS volume and specify a CMK.

  2. EBS asks KMS to use your CMK to generate an encrypted data key for the volume and EBS stores the encrypted data key with the volume.

  3. When you attach the EBS volume to an EC2 instance, the data key persists in memory as long as the EBS volume is attached to the EC2 instance.

  4. You schedule the CMK for deletion, which makes it unusable. This has no immediate effect on the EC2 instance or the EBS volume, because EC2 is using the plaintext data key (not the CMK).

  5. However, when the encrypted EBS volume is detached from the EC2 instance, EBS removes the plaintext data key from memory, so the next time the encrypted EBS volume is attached to an EC2 instance the attachment fails, because EBS cannot use the CMK to decrypt the volume's encrypted data key. SO BACK UP THE DATA OFTEN!!

Asymmetric Keys

  • Represents a mathematically related public key and private key pair.

  • You can give the public key to anyone, even if they're not trusted, but the private key must be kept secret.

  • In an asymmetric CMK, the private key is created in KMS and never leaves KMS unencrypted.

  • To use the private key, you must call KMS.

  • Use the public key within KMS by calling the KMS API operations or you can download the public key and use it outside of KMS.

  • KMS supports two types of asymmetric CMKs:

    • RSA CMKs: CMK with an RSA key pair for encryption and decryption or signing and verification (but not both).

    • Elliptic Curve (ECC) CMKs: CMK with an elliptic curve key pair for signing and verification.

Elastic Load Balancers (ELBs)

  • ALB can be integrated with WAF to protect against Layer 7 attacks.

  • A listener is a process that checks for connection requests and it is configured with a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instance) connections.

  • If the front-end connection uses TCP or SSL, then your back-end connections can use either TCP or SSL; likewise, if the front-end connection uses HTTP or HTTPS, then your back-end connections can use either HTTP or HTTPS.

  • SSL termination or SSL offloading decrypts and verifies data on the ELB instead of the application server - it "terminates"/"offloads" the SSL connection.

  • SSL bridging decrypts SSL traffic on the ELB and then re-encrypts it before sending it to the EC2 Instance - it "bridges" the SSL connection.

  • If the back end uses a custom or proprietary protocol, it needs a Classic Load Balancer (CLB) with a TCP listener.

Glacier Vault

  • An archive can be any data such as a photo, video or document and is a base unit of storage.

  • A vault is a container for storing archives.

  • Jobs can perform a select query on an archive, retrieve an archive, or get an inventory of a vault.

  • You can specify controls such as “write once read many” (WORM) in a vault lock policy and lock the policy from future edits.

  • You start a vault lock by calling InitiateVaultLock (initiate-vault-lock in the CLI), which attaches the vault lock policy, puts the vault in the InProgress state and returns a lock ID.

  • You must call CompleteVaultLock with that lock ID within 24 hours to make the lock permanent.

  • After the 24 hour window ends, the lock ID expires, the vault automatically exits the InProgress state, and the vault lock policy is removed from the vault.

  • You can abort the vault locking process while it is InProgress by calling AbortVaultLock.
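A vault lock policy implementing the WORM-style control mentioned above: it denies deletion of any archive younger than 365 days to every principal, and once the lock is completed the policy itself can no longer be edited. This is an added example, not from the original notes; the region, account ID (123456789012) and vault name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "deny-based-on-archive-age",
      "Principal": "*",
      "Effect": "Deny",
      "Action": "glacier:DeleteArchive",
      "Resource": [
        "arn:aws:glacier:us-west-2:123456789012:vaults/examplevault"
      ],
      "Condition": {
        "NumericLessThan": {
          "glacier:ArchiveAgeInDays": "365"
        }
      }
    }
  ]
}
```

Pass this policy to initiate-vault-lock, test that deletes of young archives are denied while the vault is InProgress, then confirm with complete-vault-lock inside the 24 hour window (or abort-vault-lock if the policy needs changes).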

Server-side Encryption

  • Server-side Encryption with S3-managed encryption keys (SSE-S3):

    • S3 encrypts each object with a unique key and encrypts that key with a master key that it rotates regularly. It uses one of the strongest block ciphers available, AES-256, to encrypt your data.

  • Server-side Encryption using KMS CMKs (SSE-KMS):

    • Similar to SSE-S3, but with some additional benefits and additional charges for using KMS.

    • There are separate permissions for the use of a CMK, which provides added protection against unauthorized access to your objects in S3. It also gives you an audit trail that shows when your CMK was used and by whom.

  • Server-side Encryption with customer-provided encryption keys (SSE-C):

    • You manage the encryption keys, and S3 manages the encryption as it writes to disk and the decryption when you access your objects.

Scenario: No access to KMS but full EC2 Access trying to access encrypted EBS Volume

  • Full EC2 access is not enough: the principal also needs kms:Decrypt on the CMK so that EBS can decrypt the volume's data key!!!

Secrets Manager

  • Helps you protect secrets needed to access your applications, services, and IT resources.

  • Multiple versions of a secret can exist at the same time, which is what makes rotation of a secret possible.

  • Built-in integrations for MySQL, PostgreSQL, and Aurora on RDS, and can rotate credentials for these databases natively.

  • Enabling rotation causes the secret to rotate immediately after you save the rotation configuration, which can cause problems, e.g. an application that still holds the old value breaks because it now has "invalid credentials."

Other ELB Things

  • Predefined security policies for your HTTPS/SSL listeners allow you to meet compliance and security standards that require disabling certain TLS protocol versions or deprecated ciphers.

  • When migrating from CLB to ALB, you may see connection issues from older client devices, because the cipher suites in the ALB security policy might be blocking the connection.

  • ELBs support Perfect Forward Secrecy, which provides additional safeguards against eavesdropping on encrypted data through the use of a unique random session key; this prevents captured data from being decoded even if the long-term secret key is compromised. To use it, you need to enable the ECDHE key exchange cipher suites.

How Systems Manager Parameter Store uses KMS

  • With Parameter Store, you can create secure string parameters, which are parameters that have a plaintext parameter name and an encrypted parameter value.

  • Parameter Store uses KMS CMKs to encrypt and decrypt the parameter values of secure string parameters when you create or change them.

  • It only supports symmetric CMKs.

Troubleshooting CMK issues in Parameter Store

  • These are the most common Parameter Store problems:

    • Credentials that an application is using do not have permission to perform the specified action on the CMK - Run the application with different credentials or revise the IAM or key policy that is preventing the operation.

    • CMK is not found - Typically happens when you use an incorrect identifier for the CMK - Find the correct identifiers for the CMK and try the command again.

    • CMK is not enabled - Parameter Store returns an InvalidKeyId exception with a detailed error message from KMS.

Last updated 4 years ago

Was this helpful?