
AWS KMS & Encryption

Difficulty: hard

Overview


Key Types:

  • AWS Managed Keys: No monthly charge (API requests are still billed). Rotated automatically every year. You cannot edit their key policy, change their rotation schedule, or use them from another account; each one belongs to a single service in your account and is reached through an alias such as aws/s3 or aws/rds.
  • Customer Managed Keys (CMK): $1/month per key plus request charges. You own the key policy, can enable/disable the key or schedule its deletion, and decide whether it rotates (automatic rotation is off by default; when enabled it is annual by default and the period is configurable). The only key type that can be shared with other accounts.
  • AWS Owned Keys: Owned and managed by AWS in an AWS-owned account and shared across many customers. Not visible in your account, not billed, and their use does not appear in your CloudTrail.

Encryption APIs:

  • Encrypt: Encrypts up to 4,096 bytes of plaintext directly under a KMS key. Meant for small values (a password, another key), not for bulk data.
  • Decrypt: Decrypts ciphertext that KMS produced, whether from Encrypt or GenerateDataKey. For symmetric keys the ciphertext blob carries the key ID, so the caller does not have to name the key.
  • GenerateDataKey: Returns a fresh data encryption key (DEK) in two forms: plaintext, for immediate local use, and encrypted under the KMS key, for storage. This is the envelope-encryption primitive; erase the plaintext copy as soon as the local encryption is done.
  • GenerateDataKeyWithoutPlaintext: Returns only the encrypted DEK. For a component that stores or forwards data but must never hold the plaintext key; whoever needs it later calls Decrypt on the encrypted DEK.

Envelope Encryption:

  1. Call GenerateDataKey → plaintext DEK + encrypted DEK (one KMS call, whatever the size of the data).
  2. Encrypt the data locally with the plaintext DEK (use an AEAD such as AES-GCM), then erase the plaintext DEK from memory.
  3. Store the encrypted data together with the encrypted DEK; neither is usable without the KMS key.
  4. To decrypt: call Decrypt on the encrypted DEK → plaintext DEK → decrypt the data locally, then erase the DEK again.

Why Envelope? Encrypt accepts at most 4 KB, enough to wrap a 32-byte DEK but not your data. The DEK is small; the data can be any size, never leaves your process, and costs one KMS call per object instead of one per 4 KB chunk. The KMS key itself never leaves KMS; it only wraps and unwraps DEKs.
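The four steps above as a complete program. This is an added example, not code from the page, written in Go against the standard library so it runs offline: KMS is replaced by LocalKMS, a stand-in that keeps a root key in memory and only ever hands out DEKs wrapped under it (an assumption of the example; in production, KeyProvider would be implemented over kms.Client.GenerateDataKey and kms.Client.Decrypt from the AWS SDK for Go). AES-256-GCM is the local cipher, and the EnvelopeEncrypt/EnvelopeDecrypt names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyProvider is the slice of KMS that envelope encryption needs. In production
// back it with kms.Client.GenerateDataKey and kms.Client.Decrypt from the AWS SDK
// for Go; LocalKMS below is this example's offline stand-in (an assumption).
type KeyProvider interface {
	GenerateDataKey() (plaintextDEK, encryptedDEK []byte, err error)
	Decrypt(encryptedDEK []byte) ([]byte, error)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without a CSPRNG there is no safe way to continue
	}
	return b
}

func newAESGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal emits nonce || ciphertext || tag; open reverses it and rejects any modification.
func seal(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(aead cipher.AEAD, blob []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// LocalKMS mimics the service: its root key never leaves the struct, as a KMS
// key never leaves the HSM, and callers only ever receive DEKs wrapped under it.
type LocalKMS struct{ root cipher.AEAD }

func NewLocalKMS() (*LocalKMS, error) {
	root, err := newAESGCM(randomBytes(32))
	return &LocalKMS{root: root}, err
}

func (l *LocalKMS) GenerateDataKey() ([]byte, []byte, error) {
	dek := randomBytes(32)
	return dek, seal(l.root, dek), nil
}

func (l *LocalKMS) Decrypt(wrapped []byte) ([]byte, error) { return open(l.root, wrapped) }

// Envelope is what gets stored: the data under the DEK and the DEK under the KMS key.
type Envelope struct{ EncryptedDEK, Ciphertext []byte }

func EnvelopeEncrypt(kp KeyProvider, plaintext []byte) (*Envelope, error) {
	dek, wrapped, err := kp.GenerateDataKey() // step 1: the only KMS call; 32 bytes cross the wire, not the data
	if err != nil {
		return nil, err
	}
	defer zero(dek) // steps 2 and 3 need the plaintext DEK; nothing afterwards does
	aead, err := newAESGCM(dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{EncryptedDEK: wrapped, Ciphertext: seal(aead, plaintext)}, nil
}

func EnvelopeDecrypt(kp KeyProvider, env *Envelope) ([]byte, error) {
	dek, err := kp.Decrypt(env.EncryptedDEK) // step 4: KMS unwraps the DEK and never sees the data
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	aead, err := newAESGCM(dek)
	if err != nil {
		return nil, err
	}
	return open(aead, env.Ciphertext)
}

func main() {
	kms, err := NewLocalKMS()
	if err != nil {
		panic(err)
	}
	env, err := EnvelopeEncrypt(kms, make([]byte, 5<<20)) // 5 MB, far past Encrypt's 4 KB limit
	if err != nil {
		panic(err)
	}
	back, err := EnvelopeDecrypt(kms, env)
	fmt.Println(len(env.EncryptedDEK), len(back), err) // 60 5242880 <nil>
}
```

The wrapped DEK is 60 bytes (12-byte nonce, 32-byte key, 16-byte tag) no matter how large the payload is, which is the whole point of the pattern. Two properties worth checking in your own implementation: a flipped bit anywhere in the ciphertext must make decryption fail rather than return garbage (GCM's tag does this), and an envelope must be undecryptable under any KMS key other than the one that wrapped its DEK, so deleting or disabling that key makes every envelope that references it unreadable.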

S3 Encryption:

  • SSE-KMS: Objects are encrypted under a KMS key (aws/s3 or your CMK). Every upload and download makes a KMS call, so the traffic counts against KMS request quotas and appears in CloudTrail; S3 Bucket Keys reduce the number of calls.
  • SSE-S3: S3-managed AES-256 keys. No KMS API calls, no key policy, no per-key audit trail.
  • SSE-C: You send the key with each request (HTTPS only); S3 encrypts with it and keeps only a salted HMAC of the key for validating later requests, never the key itself. Lose the key and the object is unrecoverable.
  • Client-side: You encrypt before upload and decrypt after download; S3 only ever sees ciphertext.

KMS Key Policies: Every KMS key has exactly one key policy, and it is the primary access control: an IAM policy can only grant access to a key if the key policy allows it. The default key policy contains a statement granting the account's root principal (arn:aws:iam::<account>:root) kms:* on the key; that statement is what delegates decisions to IAM policies in the account. Remove it and IAM policies stop working for that key, and the key can become unmanageable. Cross-account use needs both halves: the key policy in the key's account must grant the external account (or a specific role in it), and the external account must separately grant its own principals through IAM. AWS managed keys cannot be shared this way.
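As an added example (not a policy from the page): a key policy for a customer managed key in account 111122223333 that keeps the root statement from the default policy, which is what lets IAM policies in that account take effect, and additionally lets a Lambda execution role in account 444455556666 decrypt with the key, but only when the request arrives through S3 in one region. The account IDs, the role name lambda-s3-reader and the region us-east-1 are placeholders chosen for this example.

```json
{
  "Version": "2012-10-17",
  "Id": "example-key-policy",
  "Statement": [
    {
      "Sid": "EnableIAMPoliciesInKeyAccount",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "AllowAccountBRoleToDecryptViaS3",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:role/lambda-s3-reader" },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:ViaService": "s3.us-east-1.amazonaws.com" }
      }
    }
  ]
}
```

In a key policy, "Resource": "*" means this key only. The policy above is half of the configuration: in account 444455556666 the role's own IAM policy must also allow kms:Decrypt on the key's full ARN (arn:aws:kms:us-east-1:111122223333:key/<key-id>), and the role needs s3:GetObject on the bucket, which the bucket policy must grant to the external account as well. If the Lambda also writes objects, add kms:GenerateDataKey to both sides. The kms:ViaService condition means the role cannot call kms:Decrypt directly, only through S3; drop it if the role must decrypt application data itself. Naming a role ARN as the principal has one operational caveat: delete and recreate that role and the statement silently stops matching, because AWS rewrites the principal to the old role's unique ID.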

Key Rotation: AWS Managed: automatic, every year, not configurable. CMK: optional automatic rotation (annual by default, period configurable) plus on-demand rotation. Imported key material (BYOK) and custom key store keys: no automatic rotation; rotate manually by creating a new key and repointing the alias. Rotation keeps every previous backing key under the same key ID and ARN, so existing ciphertext still decrypts and nothing has to be re-encrypted; only new encryptions use the new material.
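A caller that issues GenerateDataKey on every message, for example a Lambda function invoked once per request, pays one KMS call per message and will hit the KMS request quota under load. The usual remedy is to reuse one data key for a bounded number of messages and a bounded time (the AWS Encryption SDK calls this data key caching). The following is an added example, not code from the page or from AWS: DataKeyCache and countingSource are this example's own names, and countingSource is an offline stand-in for kms.Client.GenerateDataKey that only counts calls and returns random bytes.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"sync"
	"time"
)

// DataKeySource is the one KMS call a high-rate encryptor makes per message; in
// production back it with kms.Client.GenerateDataKey from the AWS SDK for Go.
// countingSource is this example's offline stand-in (an assumption): it counts
// calls and hands out random bytes in place of a real DEK and its wrapped form.
type DataKeySource interface {
	GenerateDataKey() (plaintextDEK, encryptedDEK []byte, err error)
}

type countingSource struct{ Calls int }

func (s *countingSource) GenerateDataKey() ([]byte, []byte, error) {
	s.Calls++
	dek, wrapped := make([]byte, 32), make([]byte, 60)
	if _, err := rand.Read(dek); err != nil {
		return nil, nil, err
	}
	_, err := rand.Read(wrapped)
	return dek, wrapped, err
}

// DataKeyCache reuses one DEK for up to maxUses messages or maxAge, whichever
// comes first. KMS sees one GenerateDataKey per batch instead of one per message,
// and the exposure of a leaked DEK is bounded by the two limits. Callers must
// still use a fresh nonce per message, so keep maxUses far below the AEAD's
// per-key message limit.
type DataKeyCache struct {
	src          DataKeySource
	maxUses      int
	maxAge       time.Duration
	mu           sync.Mutex // one Lambda instance handles one invocation at a time, other hosts do not
	dek, wrapped []byte
	uses         int
	created      time.Time
}

func NewDataKeyCache(src DataKeySource, maxUses int, maxAge time.Duration) *DataKeyCache {
	return &DataKeyCache{src: src, maxUses: maxUses, maxAge: maxAge}
}

// GenerateDataKey has the same shape as the KMS call, so an encryptor written
// against DataKeySource can be pointed at the cache without changes.
func (c *DataKeyCache) GenerateDataKey() ([]byte, []byte, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.dek == nil || c.uses >= c.maxUses || time.Since(c.created) >= c.maxAge {
		for i := range c.dek { // retire the old plaintext DEK before fetching a new one
			c.dek[i] = 0
		}
		dek, wrapped, err := c.src.GenerateDataKey()
		if err != nil {
			return nil, nil, err
		}
		c.dek, c.wrapped, c.uses, c.created = dek, wrapped, 0, time.Now()
	}
	c.uses++
	// Hand out a copy: callers should zero their DEK after use and must not zero ours.
	return append([]byte(nil), c.dek...), c.wrapped, nil
}

func main() {
	src := &countingSource{}
	cache := NewDataKeyCache(src, 100, 5*time.Minute)
	for i := 0; i < 1000; i++ { // 1000 messages, e.g. 1000 invocations of one warm instance
		if _, _, err := cache.GenerateDataKey(); err != nil {
			panic(err)
		}
	}
	fmt.Println(src.Calls) // 10
}
```

Every message still carries its own encrypted DEK, so decryption is unchanged and any message can be read on its own. The trade-off is that messages in one batch share a key: choose maxUses and maxAge from how much data you are willing to expose if one plaintext DEK leaks from memory, not from how many calls you want to save.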

Practice Linked Questions


Difficulty: medium

Q1. A developer needs to encrypt a 5 MB file using AWS KMS. The KMS Encrypt API rejects the request. What is the correct approach for encrypting large data?


Difficulty: hard

Q2. A company requires that all KMS key operations be logged and that only specific IAM roles can perform kms:Decrypt. The developer needs to ensure no other principal can use the key, even AWS account root. Which KMS feature enforces this?


Difficulty: hard

Q3. A Lambda function calls kms:GenerateDataKey on every invocation to encrypt user data. This is causing KMS API throttling (ThrottlingException errors). How should the developer reduce KMS API calls without sacrificing security?


Difficulty: easy

Q4. A developer stores a Lambda function's database password in an environment variable encrypted with KMS. The function needs to decrypt the password at startup. Which KMS API should be called?


Difficulty: hard

Q5. A company has a KMS key used to encrypt S3 objects. They want to allow a Lambda in account B to decrypt these objects, but the KMS key is in account A. What configuration is required?
