MCQS on Advanced AWS KMS Features and Techniques | AWS Key Management Service

Prepare for your AWS certification with these AWS KMS Key Management Service questions and answers. This set focuses on advanced AWS KMS features, covering topics such as cross-region key management, asymmetric key operations, custom key stores with HSM backing, and monitoring with AWS CloudTrail. Test your knowledge with these scenario-based multiple-choice questions.

Chapter 3: Advanced AWS KMS Features and Techniques

Cross-Region and Multi-Account Key Management

1. What is a primary benefit of using cross-region key replication in AWS KMS?
   a) Reduced key management overhead
   b) Improved security through geographical isolation
   c) Faster key rotation
   d) Automatic data encryption
2. Which AWS service is essential for sharing KMS keys across multiple accounts?
   a) AWS Organizations
   b) AWS Lambda
   c) AWS Direct Connect
   d) Amazon Redshift
3. What is required to enable cross-account access to a KMS key?
   a) A pre-signed URL
   b) IAM policy and KMS key policy
   c) VPC endpoint configuration
   d) Cross-region replication
4. When using a KMS key across regions, the data must be:
   a) Compressed
   b) Re-encrypted with the target region’s key
   c) Converted to plain text
   d) Signed using an asymmetric key
5. Which of the following is NOT true about cross-region KMS operations?
   a) Keys must be manually synchronized
   b) They improve disaster recovery
   c) Keys can be independently managed in each region
   d) Automatic replication of keys is supported

Asymmetric Key Operations: Signing and Key Pair Management

6. What is an advantage of using asymmetric keys in AWS KMS?
   a) They provide higher throughput than symmetric keys
   b) They allow for signing and verification operations
   c) They can only be used with Amazon S3
   d) They eliminate the need for key rotation
7. Asymmetric key pairs in AWS KMS consist of:
   a) Private and public keys
   b) Encryption and decryption keys
   c) Primary and secondary keys
   d) Static and dynamic keys
8. Which operation is only possible with asymmetric keys?
   a) Data encryption
   b) Key rotation
   c) Digital signature verification
   d) Key material import
9. In AWS KMS, asymmetric keys are ideal for:
   a) Managing multiple accounts
   b) Encrypting bulk data
   c) Digital signatures and public key encryption
   d) Replicating data across regions
10. To verify a digital signature in AWS KMS, you need:
    a) The private key
    b) The public key
    c) The data key
    d) The HSM module

Custom Key Store and HSM Backed Keys

11. What is a Custom Key Store in AWS KMS?
    a) A key store exclusively for symmetric keys
    b) A dedicated resource for storing hardware-backed keys
    c) A shared database for managing encryption keys
    d) A centralized dashboard for viewing all keys
12. Which hardware device is required for a custom key store in AWS KMS?
    a) EC2 instance
    b) AWS Nitro System
    c) CloudHSM cluster
    d) Lambda function
13. What is the benefit of using HSM-backed keys in AWS KMS?
    a) Improved key lifecycle management
    b) Physical control over key material
    c) Automatic cross-region replication
    d) Reduced key usage costs
14. Custom key stores in AWS KMS are primarily used when:
    a) Key management is outsourced to AWS entirely
    b) Compliance requirements demand control over key material
    c) Keys are shared across multiple regions
    d) Data is encrypted for short-term use
15. Which of the following is a prerequisite for setting up a custom key store?
    a) An IAM policy for key usage
    b) A CloudHSM cluster
    c) Multi-account permissions
    d) Encryption context

Auditing and Monitoring: AWS CloudTrail and Key Usage

16. Which service provides logs for monitoring KMS key usage?
    a) Amazon CloudWatch
    b) AWS CloudTrail
    c) AWS Config
    d) Amazon Inspector
17. What is captured in AWS CloudTrail logs for KMS operations?
    a) Key policies only
    b) Encrypted data content
    c) API requests to AWS KMS
    d) Rotation schedules
18. How can you monitor the use of a specific KMS key in AWS?
    a) Using Amazon QuickSight
    b) By enabling detailed monitoring in CloudWatch
    c) By filtering AWS CloudTrail logs
    d) Through KMS dashboards
19. Which of the following is true about auditing KMS key usage?
    a) It only applies to symmetric keys
    b) Audit logs cannot be exported outside AWS
    c) Access patterns can be tracked using CloudTrail logs
    d) Logs are automatically deleted after 90 days
20. When a key is used in AWS KMS, the audit trail includes:
    a) The encrypted data
    b) The region where the key was accessed
    c) The user who accessed the key
    d) The algorithm used for encryption
21. How can you ensure compliance with key usage policies in AWS KMS?
    a) By creating strict IAM roles
    b) By enabling AWS Config rules for KMS
    c) By integrating AWS Glue
    d) By storing keys in S3 buckets
22. What is the role of AWS Config in monitoring KMS keys?
    a) Rotating the keys automatically
    b) Tracking configuration changes to key policies
    c) Encrypting data across regions
    d) Setting up key usage dashboards
23. To restrict access to a KMS key for specific users, you should:
    a) Use encryption context
    b) Modify the KMS key policy
    c) Disable the key temporarily
    d) Update the IAM group permissions
24. Which CloudTrail log event indicates key deletion?
    a) DeleteKeyPolicy
    b) ScheduleKeyDeletion
    c) RevokeKeyUsage
    d) RotateKey
25. Key rotation in AWS KMS can be tracked by:
    a) Enabling auto-rotation in CloudWatch
    b) Reviewing CloudTrail events
    c) Scheduling periodic audits in Config
    d) Generating a key rotation report

Answers