Exam AWS Certified Security - Specialty topic 1 question 190 discussion

Answer: A,C. This question is poorly worded. A. Correct. When SSE-KMS is enabled, S3 won't return an object if the user doesn't have permissions to use the CMK to decrypt. If the user does have permissions, they'll get clear-text data back, not encrypted. Limits cryptanalysis necessary for "key wear-out". B. Incorrect since S3 doesn't encrypt/decrypt objects within KMS - only the data-encryption keys. The objects are encrypted/decrypted in S3. C. Correct - limits blast radius. D. Incorrect the data is larger than the very small 4KB limit for data-encryption using a CMK directly. S3 doesn't do this anyway - it creates DEKs for each object (which is why C is applicable for blast-radius). E. Cryptographic wear-out is a loose term that describes a condition where enough data has been encrypted by a key to make cryptanalyis somewhat feasible. Signing a master key would have no effect.

B & C. D wrong as single master key doesn’t encrypt all data. For huge data it’s the data key that encrypts the data.

C is correct. I would pick A alongside it as well.

Controlling everything from one place is the most simple and efficient way to manage crypto. A KMS (Key Management Server) should audit security-relevant events by detecting and recording the event, the date and time of the event, and the identity or role of the entity initiating the event. Auditing the cryptographic key lifecycle to identify the state transitions of the key. Auditing and monitoring brings transparency in crypto operations in the organization. CD

B and C, C is obvious, but for B, You are correct that S3 is responsible for encrypting the data that is stored in the service. However, the encryption is performed using keys that are managed by KMS, which is what is meant by the statement that encryption is performed within the secure boundary of the KMS service. When an object is encrypted in S3, it uses a data key provided by KMS to encrypt the data. This means that the keys used for encryption are managed by KMS, which is a secure and controlled environment, and minimizes the risk of key compromise.

. When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual AWS KMS data key for every object. It makes a call to AWS KMS every time a request is made against a KMS-encrypted object.

What is cryptographic wear-out? It's the threshold when you've used the same key to encrypt so much data that you should probably switch to a new key before you encrypt any more.

Cryptographic wear out needs ability to access encrypted data, A & C

A & C are the only possible answers

B - correct because from link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html " The objects are encrypted using server-side encryption with either Amazon S3-managed keys (SSE-S3) or AWS KMS keys stored in AWS Key Management Service (AWS KMS) (SSE-KMS)." D - after reading a lot, found this wording finally under this section "S3 Bucket Keys for SSE-KMS" in this link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-key.html "When you use SSE-KMS to protect your data without an S3 Bucket Key, Amazon S3 uses an individual AWS KMS data key for every object. It makes a call to AWS KMS every time a request is made against a KMS-encrypted object." There is SSE-KMS, SSE-C (customer managed) & SSE-S3 managed encryption methods. Our question is about SSE-KMS, the above line says S3 uses unique data key for individual object.

If we take step back to this poorly writen q / a I would go with A and C.

who ever say D is please go and study

A - OK - there is no possibility to access/download an encrypted object without having permissions to key B - wrong - S3 is encrypting not KMS C - OK - if bigger than 4kb D - wrong - 1. it will lead to cryptographic wear-out 2. There is a data key for object >4kb E - wrong - encryption envelope is for data key

I think Dayquil has a point and C..D.. are the answers. This is a poorly worded question.

B and C

A+C would be the best answer.

C & D final answer friends pls confirm.