
  • Timed Mode 3 – file-sharing service and data encryption

  • slawoj-stanislawski

    Member
    May 22, 2021 at 1:37 am

    One of the correct answers is “Encrypt data in S3 and Glacier using AWS provided encryption services, and store the encryption keys in KMS.” Correct me if I’m wrong, but I believe KMS never stores DEKs; it generates them but doesn’t store them. It’s not the case with CMKs, but they can only encrypt files up to 4 KB, and the scenario doesn’t mention that the files would be up to a maximum of 4 KB in size. So I understood the answer differently, and this option probably meant to say something like “Encrypt data in S3 and Glacier using AWS provided encryption services with keys provided by the KMS”. Does it make sense?

  • wayne-c

    Member
    June 10, 2021 at 2:04 am

    Hi slawoj,

    Thanks for the feedback.

    AWS KMS generates data keys which are used to encrypt data locally in the AWS service or your application. The data keys are themselves encrypted under a CMK you define. Data keys are not retained or managed by AWS KMS. AWS services encrypt your data and store an encrypted copy of the data key along with the encrypted data. When a service needs to decrypt your data, it requests AWS KMS to decrypt the data key using your CMK. If the user requesting data from the AWS service is authorized to decrypt under your CMK, the AWS service will receive the decrypted data key from AWS KMS. The AWS service then decrypts your data and returns it in plaintext.

    Reference: https://aws.amazon.com/kms/faqs/

    The data keys are encrypted under a CMK you define in AWS KMS, which makes the “Encrypt data in S3 and Glacier using AWS provided encryption services, and store the encryption keys in KMS.” option correct. CMKs are encryption keys since they are used to encrypt the data keys stored in AWS.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to help you pass your AWS exam on your first try!

    Regards,

    Wayne @ Tutorials Dojo
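The envelope-encryption flow Wayne describes above (GenerateDataKey, encrypt the object locally, store the wrapped data key next to the ciphertext, ask KMS to Decrypt the data key under the CMK on read), worked through as an added example that is not part of the original thread and is not AWS SDK code. `fakeKMS` is a hypothetical in-process stand-in for KMS so the program runs offline; `sealObject` and `openObject` play the storage service; AES-256-GCM is the example's own cipher choice; the 4096-byte cap mirrors the documented kms:Encrypt plaintext limit. A real KMS ciphertext blob also carries key metadata, which is not modeled here.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

const kmsDirectLimit = 4096 // real limit: kms:Encrypt takes at most 4096 bytes of plaintext

// fakeKMS is a hypothetical stand-in for AWS KMS (not the AWS SDK). The CMK lives
// only here; callers get wrapped data keys back, and no data key is ever retained.
type fakeKMS struct{ cmk []byte }

func newFakeKMS() *fakeKMS { return &fakeKMS{cmk: randBytes(32)} }

// Encrypt mirrors kms:Encrypt: direct encryption under the CMK, capped at 4 KB.
func (k *fakeKMS) Encrypt(plaintext []byte) ([]byte, error) {
	if len(plaintext) > kmsDirectLimit {
		return nil, fmt.Errorf("kms: %d bytes exceeds the %d-byte limit", len(plaintext), kmsDirectLimit)
	}
	return aesGCMSeal(k.cmk, plaintext)
}

// Decrypt mirrors kms:Decrypt; in real KMS this is the call the key policy and IAM authorize.
func (k *fakeKMS) Decrypt(blob []byte) ([]byte, error) { return aesGCMOpen(k.cmk, blob) }

// GenerateDataKey mirrors kms:GenerateDataKey: a fresh 256-bit data key is returned
// both in plaintext and wrapped under the CMK. KMS keeps neither copy.
func (k *fakeKMS) GenerateDataKey() (plaintext, wrapped []byte, err error) {
	plaintext = randBytes(32)
	if wrapped, err = k.Encrypt(plaintext); err != nil {
		return nil, nil, err
	}
	return plaintext, wrapped, nil
}

// sealObject is the service-side write path: encrypt the object locally under a fresh
// data key (any size) and return wrapped key + ciphertext, which is all that is stored.
func sealObject(k *fakeKMS, object []byte) ([]byte, []byte, error) {
	dataKey, wrapped, err := k.GenerateDataKey()
	if err != nil {
		return nil, nil, err
	}
	ct, err := aesGCMSeal(dataKey, object)
	return wrapped, ct, err
}

// openObject is the read path: KMS unwraps the data key, then the service decrypts locally.
func openObject(k *fakeKMS, wrappedKey, ciphertext []byte) ([]byte, error) {
	dataKey, err := k.Decrypt(wrappedKey)
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dataKey, ciphertext)
}

// aesGCMSeal: AES-256-GCM with a random nonce prepended to the output.
func aesGCMSeal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// aesGCMOpen reverses aesGCMSeal; any change to nonce, data or tag fails to open.
func aesGCMOpen(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue from
	}
	return b
}

func main() {
	kms := newFakeKMS()
	object := bytes.Repeat([]byte("constructed file contents\n"), 8000) // ~200 KB, far over 4 KB
	_, direct := kms.Encrypt(object)
	wrapped, ct, _ := sealObject(kms, object)
	got, err := openObject(kms, wrapped, ct)
	fmt.Println("direct kms:Encrypt refused:", direct != nil, "| envelope round trip ok:", err == nil && bytes.Equal(got, object))
}
```

Two things the code makes concrete: the only key `fakeKMS` ever holds is the CMK, so the plaintext data key exists just long enough to encrypt or decrypt the object; and the object itself never goes near the 4 KB `Encrypt` path, only the 32-byte data key does, which is why the size of the files in the scenario does not matter.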
