AWS KMS, CloudHSM & Encryption Strategies
Difficulty: hard
Overview
AWS Key Management Service (KMS) is a managed encryption key service central to AWS data protection.
KMS Key Types:
| Type | Who manages | Auto-rotation | Cost | Notes |
|---|---|---|---|---|
| AWS Owned | AWS (internal) | Yes | Free | Not visible to customers |
| AWS Managed (aws/s3) | AWS | Annual (auto) | Free | Per-service, cannot customize |
| Customer Managed (CMK) | Customer | Optional (annual) | $1/month | Full control, cross-account |
| Imported (BYOK) | Customer | Manual only | $1/month | Must delete/re-import to rotate |
Envelope Encryption:
- Call KMS GenerateDataKey → get plaintext DEK + encrypted DEK
- Encrypt large data locally with plaintext DEK (e.g., AES-256-GCM)
- Discard plaintext DEK from memory
- Store: encrypted data + encrypted DEK (alongside or in metadata)
- Decrypt: call KMS Decrypt on the encrypted DEK → plaintext DEK → decrypt data
Why envelope encryption? The KMS Encrypt API accepts at most 4 KB of plaintext directly, so bulk data is encrypted locally under a data key and only that key goes through KMS.
KMS Key Policies (critical exam topic):
- Every KMS key MUST have a key policy
- Including arn:aws:iam::ACCOUNT:root as a principal delegates to IAM — without this, IAM policies are ignored
- Cross-account: add the external account to the key policy AND the external account must have an IAM policy allowing KMS actions
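A reduced model of the two-gate decision these bullets describe, as an added example that is not from this page or from AWS. `Statement`, `KeyPolicy`, `Caller` and `Evaluate` are constructed simplifications (Resource and Condition elements are ignored, and the `IAMAllows` flag stands in for evaluating the caller's own IAM policies); `CrossAccountKeyPolicy` builds the key owner's side of cross-account access with made-up account IDs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and KeyPolicy: a constructed, reduced model of a KMS key policy (Principal always in the {"AWS": [...]} form).
type Statement struct {
	Sid       string              `json:"Sid,omitempty"`
	Effect    string              `json:"Effect"`
	Principal map[string][]string `json:"Principal"`
	Action    []string            `json:"Action"`
	Resource  string              `json:"Resource"`
}

type KeyPolicy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// Caller is the principal making the KMS request. IAMAllows stands in for the result of
// evaluating that principal's identity-based (IAM) policies in its own account.
type Caller struct{ Account, ARN string; IAMAllows bool }

func rootARN(account string) string { return "arn:aws:iam::" + account + ":root" }

// matchAction handles exact actions and wildcard forms such as "kms:*" or "kms:Generate*".
func matchAction(patterns []string, action string) bool {
	for _, p := range patterns {
		if p == action || (strings.HasSuffix(p, "*") && strings.HasPrefix(action, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// Evaluate applies the rule from the notes: the key policy is the gate, and naming an account's root
// principal in it delegates the final decision to that account's IAM policies. Without the delegation
// IAM policies are ignored; with it, an IAM policy allowing the action is still required.
func Evaluate(p KeyPolicy, keyAccount, action string, c Caller) (bool, string) {
	viaRoot, direct := false, false
	for _, s := range p.Statement {
		if !matchAction(s.Action, action) {
			continue
		}
		for _, pr := range s.Principal["AWS"] {
			if s.Effect == "Deny" && (pr == rootARN(c.Account) || pr == c.ARN) {
				return false, "explicit Deny in key policy"
			}
			viaRoot = viaRoot || pr == rootARN(c.Account)
			direct = direct || pr == c.ARN
		}
	}
	switch {
	case !viaRoot && !direct:
		return false, "key policy names neither the caller nor its account root: IAM policies are ignored"
	case direct && c.Account == keyAccount:
		return true, "key policy names the principal directly"
	case c.IAMAllows:
		return true, "key policy admits the account and an IAM policy in that account allows the action"
	default:
		return false, "key policy admits the account but no IAM policy in that account allows the action"
	}
}

// CrossAccountKeyPolicy builds the key owner's side: statement 1 delegates to IAM in the owning account,
// statement 2 admits the external account, which must still attach an IAM policy to its own principals.
func CrossAccountKeyPolicy(keyAccount, externalAccount string) KeyPolicy {
	use := []string{"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"}
	return KeyPolicy{Version: "2012-10-17", Statement: []Statement{
		{Sid: "EnableIAMUserPermissions", Effect: "Allow", Resource: "*",
			Principal: map[string][]string{"AWS": {rootARN(keyAccount)}}, Action: []string{"kms:*"}},
		{Sid: "AllowExternalAccountUse", Effect: "Allow", Resource: "*",
			Principal: map[string][]string{"AWS": {rootARN(externalAccount)}}, Action: use},
	}}
}

func main() {
	// Account IDs below are constructed placeholders, not real accounts.
	policy := CrossAccountKeyPolicy("111111111111", "222222222222")
	doc, _ := json.MarshalIndent(policy, "", "  ")
	fmt.Println(string(doc))
	cases := []struct {
		name, action string
		c            Caller
	}{
		{"same-account user, no IAM policy", "kms:Encrypt", Caller{"111111111111", "arn:aws:iam::111111111111:user/dev", false}},
		{"same-account user, IAM allows", "kms:Encrypt", Caller{"111111111111", "arn:aws:iam::111111111111:user/dev", true}},
		{"account B role, IAM allows", "kms:Decrypt", Caller{"222222222222", "arn:aws:iam::222222222222:role/app", true}},
		{"account B role, no IAM policy", "kms:Decrypt", Caller{"222222222222", "arn:aws:iam::222222222222:role/app", false}},
		{"account C role, IAM allows", "kms:Decrypt", Caller{"333333333333", "arn:aws:iam::333333333333:role/app", true}},
	}
	for _, tc := range cases {
		ok, why := Evaluate(policy, "111111111111", tc.action, tc.c)
		fmt.Printf("%-34s allowed=%-5t %s\n", tc.name, ok, why)
	}
}
```

The `IAMAllows` flag is the second gate: in a real deployment it corresponds to an identity-based policy in the caller's account that lists the key ARN as its Resource, and a caller whose account is not named in the key policy is denied no matter what that IAM policy says.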
S3 Bucket Keys:
- Reduce KMS API calls by up to 99% for SSE-KMS
- S3 generates a short-lived data key from KMS and uses it for multiple objects
- Reduces cost and throttling — recommended for high-throughput S3 workloads
CloudHSM:
- Single-tenant, dedicated HSM hardware in your VPC
- FIPS 140-2 Level 3 (KMS is Level 2)
- AWS has NO access to key material — customer has full exclusive control
- Use case: regulatory requirements mandating exclusive HSM control
- Can integrate with KMS as a custom key store
KMS Custom Key Store (CloudHSM-backed):
- KMS key material stored in CloudHSM, not KMS
- Applications keep using the standard KMS API, unchanged from a KMS-backed key
- Performance: slower than standard KMS (network round-trip to CloudHSM cluster)
Key Rotation Behavior:
- CMK rotation: new key material added; old material retained for decryption of existing ciphertext
- Key ID/ARN stays the same after rotation — no application changes needed
- Imported key material: NO automatic rotation — must manually re-import
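The envelope-encryption flow from earlier on this page and the rotation behaviour just described (key ID unchanged, old material retained for decryption) in one runnable model. This is an added example, not code from the page or from AWS: `mockKMS`, its `Encrypt`/`Decrypt`/`GenerateDataKey`/`Rotate` methods and the ciphertext blob layout are constructed stand-ins for the real service, the key ARN is made up, and the 4 KB limit is enforced locally to mirror the `kms:Encrypt` constraint. Only the Go standard library is used, so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// mockKMS is a constructed in-process stand-in for AWS KMS (not the AWS SDK). It models one
// customer managed key: the ARN never changes, and every key-material version is retained.
type mockKMS struct {
	keyARN   string
	versions [][]byte // 32-byte AES-256 key material per version; the last one is current
}

// Rotate adds new key material; old versions stay usable for decryption (CMK auto-rotation).
func (k *mockKMS) Rotate() { k.versions = append(k.versions, randomBytes(32)) }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always 32 bytes, so no error is possible
	aead, _ := cipher.NewGCM(block)
	return aead
}

func zero(b []byte) { for i := range b { b[i] = 0 } } // scrub plaintext key material

// Encrypt mirrors kms:Encrypt, including its 4 KB plaintext limit. Blob layout:
// [4-byte material version][12-byte nonce][ciphertext+tag]; the key ARN is bound as AAD.
func (k *mockKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > 4096 {
		return nil, errors.New("ValidationException: plaintext exceeds 4096 bytes")
	}
	ver := len(k.versions) - 1
	aead := gcm(k.versions[ver])
	nonce := randomBytes(aead.NonceSize())
	blob := make([]byte, 4)
	binary.BigEndian.PutUint32(blob, uint32(ver))
	return aead.Seal(append(blob, nonce...), nonce, plaintext, []byte(k.keyARN)), nil
}

// Decrypt mirrors kms:Decrypt: the version stored in the blob selects the retained key material.
func (k *mockKMS) Decrypt(blob []byte) ([]byte, error) {
	if len(blob) < 16 || int(binary.BigEndian.Uint32(blob)) >= len(k.versions) {
		return nil, errors.New("InvalidCiphertextException")
	}
	aead := gcm(k.versions[binary.BigEndian.Uint32(blob)])
	return aead.Open(nil, blob[4:16], blob[16:], []byte(k.keyARN))
}

// GenerateDataKey mirrors kms:GenerateDataKey: plaintext DEK plus the same DEK wrapped by the key.
func (k *mockKMS) GenerateDataKey() (dek, wrapped []byte, err error) {
	dek = randomBytes(32)
	wrapped, err = k.Encrypt(dek)
	return dek, wrapped, err
}

type Envelope struct{ EncryptedDEK, Nonce, Ciphertext []byte } // what gets stored: wrapped DEK beside the data

// EnvelopeEncrypt makes one KMS call regardless of data size, encrypts locally with
// AES-256-GCM, and discards the plaintext DEK before returning.
func EnvelopeEncrypt(k *mockKMS, data []byte) (*Envelope, error) {
	dek, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	nonce := randomBytes(12)
	return &Envelope{wrapped, nonce, gcm(dek).Seal(nil, nonce, data, nil)}, nil
}

// EnvelopeDecrypt unwraps the DEK through KMS, then decrypts the data locally.
func EnvelopeDecrypt(k *mockKMS, env *Envelope) ([]byte, error) {
	dek, err := k.Decrypt(env.EncryptedDEK)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return gcm(dek).Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	k := &mockKMS{keyARN: "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"} // constructed ARN
	k.Rotate()
	env, _ := EnvelopeEncrypt(k, bytes.Repeat([]byte("payload "), 1<<17)) // 1 MiB, far above 4 KB
	k.Rotate()                                                             // ARN unchanged, old material kept
	pt, err := EnvelopeDecrypt(k, env)
	fmt.Println(len(pt), err)
}
```

Two things to notice when running it: the data never touches the KMS stand-in (only the 32-byte DEK does, so the 4 KB limit is never hit), and an envelope created before `Rotate` still opens afterwards because the blob records which key-material version wrapped it. Imported (BYOK) material has no such retained-version history, which is why the notes say it must be re-imported by hand.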
Practice Linked Questions
Q1. Which type of KMS key is automatically rotated annually by AWS without any customer action?
Q2. A developer uses GenerateDataKey to encrypt a 2 GB file. KMS returns a plaintext data key and an encrypted data key. After encrypting the file locally, what should the developer store alongside the encrypted file?
Q3. A financial institution requires encryption keys stored in FIPS 140-2 Level 3 validated hardware with EXCLUSIVE customer control — AWS must have zero access to the key material. Which service meets this requirement?
Q4. A KMS key policy contains: {"Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*"}. An IAM user in the same account has NO IAM policy. Can this user use the KMS key?
Q5. Account A has a KMS CMK. Account B needs to use this key to encrypt/decrypt data. Which TWO steps are required to enable cross-account KMS access? (More than one answer may be correct — Select TWO.)
Q6. A company enables automatic annual rotation for a Customer Managed Key (CMK). What happens to data encrypted with the OLD key material after rotation?
Q7. A company uses SSE-KMS encryption for all S3 objects and is experiencing KMS ThrottlingExceptions due to high upload volume. What is the MOST cost-effective solution that does NOT require application code changes?
Q8. A company must use keys generated from their on-premises HSM for encrypting AWS data (BYOK). Which statement about imported KMS key material is TRUE?
Q9. Which S3 server-side encryption options use AWS KMS for key management? (More than one answer may be correct — Select TWO.)
Q10. A company uses CloudHSM for key storage. They need these CloudHSM-generated keys to work with AWS services like RDS and EBS that use KMS APIs. What is the CORRECT approach?
Q11. An S3 bucket should only accept PutObject requests that use SSE-KMS encryption with a specific CMK. Which bucket policy condition correctly enforces this?
Q12. What is the maximum data size that AWS KMS can encrypt DIRECTLY using the kms:Encrypt API without envelope encryption?
Q13. An AWS Certificate Manager (ACM) public certificate is automatically renewed before expiration. A developer tries to export the ACM public certificate to install on an on-premises web server. What happens?
Q14. A company wants to allow an ECS task in Account A to read objects from an S3 bucket in Account B encrypted with a KMS CMK in Account B. The ECS task has an execution role in Account A. Which set of permissions is required? (More than one answer may be correct — Select THREE.)