MCQS on Fundamentals of AWS KMS | AWS Key Management Service
AWS KMS (Key Management Service) is a secure and fully managed encryption key management solution offered by AWS. This set of 25 MCQs will help you test your understanding of AWS KMS fundamentals, including Customer Master Keys (CMKs), key policies, symmetric and asymmetric keys, and integration with AWS services.
Chapter 1: Fundamentals of AWS KMS MCQs
1. What is the primary function of AWS KMS?
a) Key generation and management for encryption
b) Data visualization and analysis
c) Network monitoring
d) API development
2. What are Customer Master Keys (CMKs) used for in AWS KMS?
a) Managing AWS IAM users
b) Encrypting and decrypting data keys
c) Monitoring application logs
d) Setting up AWS EC2 instances
3. Which of the following is a key feature of AWS KMS?
a) Auto-scaling infrastructure
b) Centralized key management
c) High availability zones
d) Load balancing
4. AWS KMS supports which two types of keys?
a) Symmetric and asymmetric keys
b) Public and private keys only
c) Encryption and decryption keys only
d) None of the above
5. What is a key policy in AWS KMS?
a) A set of rules for managing EC2 instances
b) A JSON document that defines access permissions for a CMK
c) A security group for encryption
d) A predefined AWS IAM role
6. Symmetric keys in AWS KMS are primarily used for:
a) Data encryption and decryption with the same key
b) Encrypting network packets
c) Digital signatures
d) Generating access logs
7. Asymmetric keys in AWS KMS allow for:
a) Deleting CMKs automatically
b) Using separate keys for encryption and decryption
c) Simultaneous key management across regions
d) Integrating with Amazon S3 only
8. What does the encryption context in AWS KMS provide?
a) Access logs for encrypted files
b) Additional security by ensuring context consistency during encryption and decryption
c) Automatic deletion of CMKs
d) Audit trails for AWS IAM users
9. Which AWS service is commonly integrated with AWS KMS for data encryption?
a) Amazon S3
b) AWS CloudWatch
c) AWS CodePipeline
d) Amazon SageMaker
10. What is the primary benefit of integrating AWS KMS with AWS CloudTrail?
a) Encrypting sensitive data
b) Tracking all API calls and access to encryption keys
c) Enabling faster data access
d) Monitoring database performance
11. How does AWS KMS handle key rotation?
a) Automatically rotates keys every 90 days
b) Requires manual rotation by administrators
c) Allows optional automatic key rotation for symmetric CMKs every year
d) Does not support key rotation
12. What is the maximum size of data that can be encrypted directly using AWS KMS?
a) 1 KB
b) 4 KB
c) 10 KB
d) 16 KB
13. What happens if you delete a CMK in AWS KMS?
a) The CMK can be restored within a specified retention period
b) All associated data is automatically decrypted
c) The deletion is immediate and irreversible
d) The key is archived for future use
14. Which AWS KMS feature supports encryption of data-at-rest?
a) AWS IAM roles
b) AWS KMS API
c) Key management and integration with storage services like Amazon S3
d) Key policy replication
15. What is the default encryption algorithm used in AWS KMS for symmetric keys?
a) RSA-2048
b) SHA-256
c) AES-256
d) MD5
16. In AWS KMS, who is responsible for managing key permissions?
a) AWS administrators only
b) IAM users and roles defined in the key policy
c) CloudWatch services
d) S3 bucket owners
17. Which API operation is used to create a new CMK in AWS KMS?
a) CreateKey
b) GenerateKey
c) AddKey
d) NewCMK
18. What is a data key in AWS KMS?
a) A key that encrypts large amounts of data
b) A key used to encrypt and decrypt CMKs
c) A key derived from a CMK for data encryption and decryption
d) A key that provides access to AWS resources
19. How does AWS KMS protect keys at rest?
a) By replicating them across multiple regions
b) By storing them in a hardware security module (HSM)
c) By encrypting them using S3 bucket policies
d) By applying user-defined tags
20. What does AWS KMS use to ensure high availability of CMKs?
a) Multi-region replication
b) Fault-tolerant key storage in multiple HSMs
c) Automatic backups
d) Continuous monitoring by AWS CloudWatch
21. AWS KMS supports integration with which database service for encryption?
a) Amazon DynamoDB
b) Amazon RDS
c) Amazon Redshift
d) All of the above
22. Which operation is used to decrypt data in AWS KMS?
a) DecryptData
b) DecryptKey
c) Decrypt
d) UnlockKey
23. How does AWS KMS facilitate compliance?
a) By providing pre-built compliance reports
b) By enabling audit trails and secure encryption key management
c) By integrating with AWS Config only
d) By encrypting IAM roles
24. Which AWS CLI command allows you to list all CMKs?
a) aws kms describe-keys
b) aws kms list-keys
c) aws kms show-keys
d) aws kms get-keys
25. AWS KMS can integrate with which of the following storage services?
a) Amazon S3
b) Amazon EBS
c) Amazon Glacier
d) All of the above
Answer Table
| Qno | Answer (Option with the text) |
|---|---|
| 1 | a) Key generation and management for encryption |
| 2 | b) Encrypting and decrypting data keys |
| 3 | b) Centralized key management |
| 4 | a) Symmetric and asymmetric keys |
| 5 | b) A JSON document that defines access permissions for a CMK |
| 6 | a) Data encryption and decryption with the same key |
| 7 | b) Using separate keys for encryption and decryption |
| 8 | b) Additional security by ensuring context consistency during encryption and decryption |
| 9 | a) Amazon S3 |
| 10 | b) Tracking all API calls and access to encryption keys |
| 11 | c) Allows optional automatic key rotation for symmetric CMKs every year |
| 12 | b) 4 KB |
| 13 | a) The CMK can be restored within a specified retention period |
| 14 | c) Key management and integration with storage services like Amazon S3 |
| 15 | c) AES-256 |
| 16 | b) IAM users and roles defined in the key policy |
| 17 | a) CreateKey |
| 18 | c) A key derived from a CMK for data encryption and decryption |
| 19 | b) By storing them in a hardware security module (HSM) |
| 20 | b) Fault-tolerant key storage in multiple HSMs |
| 21 | d) All of the above |
| 22 | c) Decrypt |
| 23 | b) By enabling audit trails and secure encryption key management |
| 24 | b) aws kms list-keys |
| 25 | d) All of the above |