MCQs on Intermediate AWS KMS Operations | AWS Key Management Service

Here’s a set of 25 multiple-choice questions (MCQs) for Chapter 2: Intermediate AWS KMS Operations, divided by topics. These questions explore key management, encryption and decryption, permissions, and integration with workflows in AWS KMS. The answers are provided at the end in a tabular format.


Introduction
Looking to improve your knowledge of AWS Key Management Service (KMS)? This carefully curated list of AWS KMS questions and answers is ideal for mastering intermediate operations such as key management, encryption, permissions, and integration with application workflows. Perfect for AWS learners and professionals seeking deeper insights.


Key Management: Creation, Rotation, and Deletion

  1. What is the primary purpose of AWS KMS keys?
    a) Data compression
    b) Encrypting and decrypting data
    c) Database optimization
    d) Data migration
  2. Which type of key does AWS KMS primarily support?
    a) Asymmetric only
    b) Symmetric and asymmetric
    c) Public key only
    d) RSA keys only
  3. Key rotation in AWS KMS ensures:
    a) Faster encryption
    b) Periodic replacement of keys for enhanced security
    c) Multi-region access to keys
    d) Automatic data backup
  4. What happens to a KMS key marked for deletion?
    a) It is deleted immediately
    b) It is disabled and scheduled for deletion
    c) It remains active but is restricted
    d) It becomes read-only
  5. How long can the key deletion waiting period be in AWS KMS?
    a) 7–30 days
    b) 1–7 days
    c) 7–365 days
    d) Unlimited

Using AWS KMS for Data Encryption and Decryption

  6. AWS KMS integrates with which of the following services for encryption?
    a) S3 and DynamoDB only
    b) All AWS services that support encryption
    c) Only RDS databases
    d) CloudTrail and CloudWatch
  7. Envelope encryption in AWS KMS involves:
    a) Using multiple master keys
    b) Wrapping data keys with a KMS key
    c) Combining encryption and hashing
    d) Encrypting data directly without keys
  8. To decrypt data in AWS KMS, the user must:
    a) Have access to the encrypted file
    b) Use the AWS CLI only
    c) Be authorized to use the KMS key
    d) Manually rotate the key
  9. The GenerateDataKey API in AWS KMS is used for:
    a) Rotating keys
    b) Creating a plaintext data key and encrypted copy
    c) Decrypting large datasets
    d) Scheduling key deletion
  10. Which of the following encryption algorithms is NOT supported by AWS KMS?
    a) AES-256
    b) RSA
    c) SHA-512
    d) ECC

Permissions and Access Control with Key Policies and IAM

  11. What is the default key policy when creating a new AWS KMS key?
    a) Public access to all users
    b) Full access to the AWS account root user
    c) Restricted access to administrators only
    d) Automatically set to deny all actions
  12. IAM policies can grant permissions to use AWS KMS keys by:
    a) Specifying the key ARN
    b) Modifying default encryption settings
    c) Using AWS SSO
    d) Changing the access policy in S3
  13. Which condition operator is often used in key policies?
    a) StringEquals
    b) IpAddress
    c) Null
    d) All of the above
  14. To allow cross-account access to a KMS key, what must be included in the key policy?
    a) The IAM role of the external account
    b) The ARN of the external account
    c) A trust relationship
    d) None of the above
  15. Which action is required to restrict KMS key deletion?
    a) Set a deny policy in IAM
    b) Enable logging in CloudTrail
    c) Disable automatic rotation
    d) Add a condition in the key policy

Integration with Application Workflows

  16. AWS KMS can be integrated into workflows using:
    a) AWS SDKs
    b) AWS Systems Manager
    c) Lambda functions
    d) All of the above
  17. Which API is used to encrypt data in a custom application?
    a) Encrypt
    b) Decrypt
    c) GenerateDataKeyPair
    d) DescribeKey
  18. To securely store secrets in AWS, which service uses KMS keys?
    a) AWS Secrets Manager
    b) CloudTrail
    c) EC2
    d) Amazon RDS
  19. For audit logging of AWS KMS operations, which service is required?
    a) AWS CloudWatch Logs
    b) AWS CloudTrail
    c) AWS Config
    d) None of the above
  20. Which programming language is NOT supported by the AWS KMS SDK?
    a) Python
    b) Ruby
    c) COBOL
    d) Java

Additional Questions

  21. Data encrypted with a KMS key can be decrypted:
    a) Only with the same key
    b) With any key in the same region
    c) Using a generated access token
    d) None of the above
  22. To monitor key usage, you would use:
    a) AWS Config
    b) AWS CloudTrail
    c) Amazon Inspector
    d) None of the above
  23. When importing a key into AWS KMS, you must:
    a) Use a symmetric algorithm
    b) Create a key alias
    c) Provide a key material expiration date
    d) Use a third-party encryption tool
  24. What is a key alias in AWS KMS used for?
    a) Renaming existing keys
    b) Providing a user-friendly reference to a key
    c) Enabling key rotation
    d) Linking multiple keys together
  25. Which of these scenarios does NOT use AWS KMS?
    a) Encrypting files on an EC2 instance
    b) Managing API keys for third-party apps
    c) Storing credit card numbers securely in S3
    d) Encrypting logs in CloudTrail

Answer Key

Qno | Answer
1 | b) Encrypting and decrypting data
2 | b) Symmetric and asymmetric
3 | b) Periodic replacement of keys for enhanced security
4 | b) It is disabled and scheduled for deletion
5 | c) 7–365 days
6 | b) All AWS services that support encryption
7 | b) Wrapping data keys with a KMS key
8 | c) Be authorized to use the KMS key
9 | b) Creating a plaintext data key and encrypted copy
10 | c) SHA-512
11 | b) Full access to the AWS account root user
12 | a) Specifying the key ARN
13 | d) All of the above
14 | b) The ARN of the external account
15 | d) Add a condition in the key policy
16 | d) All of the above
17 | a) Encrypt
18 | a) AWS Secrets Manager
19 | b) AWS CloudTrail
20 | c) COBOL
21 | a) Only with the same key
22 | b) AWS CloudTrail
23 | c) Provide a key material expiration date
24 | b) Providing a user-friendly reference to a key
25 | b) Managing API keys for third-party apps

Use a blank sheet, note your answers, and then tally them against the answer key above. Give yourself a score.
