AWS Certified Security Specialty: Data at Rest Controls Cram Sheet
Design and implement controls for data at rest
Exam Cram: Design and Implement Controls for Data at Rest
This cram sheet focuses on Domain 5 of the AWS Certified Security - Specialty (SCS-C03) exam. It covers the encryption, integrity, and lifecycle management of persistent data across AWS storage services.
Topic Weighting
| Domain | Total Weight | Data at Rest Estimated Focus |
|---|---|---|
| Domain 5: Data Protection | 24% | ~12-14% (High Priority) |
Key Concepts Summary
1. AWS KMS vs. CloudHSM
- AWS KMS: Multi-tenant, FIPS 140-2 Level 2 (Level 3 for HSM backing), managed service, highly scalable.
- CloudHSM: Single-tenant, FIPS 140-2 Level 3, dedicated hardware, requires manual management of high availability and backups.
2. S3 Encryption Options
- SSE-S3 (AES-256): Managed by S3. No additional cost for keys. No visibility into key usage in CloudTrail.
- SSE-KMS: Managed by KMS. Provides audit trail (CloudTrail) and granular IAM permissions. Supports DSSE-KMS (Dual-layer) for specialized compliance.
- SSE-C: Customer provides the key. AWS does not store the key; if you lose it, data is gone.
- Client-Side: Data is encrypted before it reaches AWS.
3. S3 Object Lock & Integrity
- Governance Mode: Users with special permissions (s3:BypassGovernanceRetention) can alter/delete.
- Compliance Mode: No one (including root) can delete until the retention period expires.
- Legal Hold: Indefinite lock; no expiration date; must be manually removed.
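The Object Lock rules above as an added, runnable decision model (example code written for this sheet, not AWS code): it decides whether a request to permanently delete a specific object version is allowed, given the retention mode, retain-until date, legal hold, and whether the caller holds s3:BypassGovernanceRetention and sends the bypass header. All class and field names, and the sample dates, are this example's own constructions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Model of the S3 Object Lock decision tree (illustrative, not AWS code).
@dataclass
class LockState:
    mode: Optional[str]               # "GOVERNANCE", "COMPLIANCE" or None (no retention)
    retain_until: Optional[datetime]  # retention expiry in UTC, None if no retention
    legal_hold: bool = False          # legal hold ON/OFF, independent of retention

@dataclass
class Request:
    version_id: Optional[str]            # None = plain DELETE, which only adds a delete marker
    has_bypass_permission: bool = False  # IAM allows s3:BypassGovernanceRetention
    bypass_header: bool = False          # request sets x-amz-bypass-governance-retention: true
    is_root: bool = False                # root has every permission but no extra lock privileges

def can_delete_version(lock: LockState, req: Request, now: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason) for permanently deleting one object version."""
    # A DELETE without a version id never destroys data: S3 inserts a delete
    # marker and the locked version stays, so Object Lock does not block it.
    if req.version_id is None:
        return True, "no version id: delete marker only, locked version retained"
    # Legal hold has no expiry and blocks deletion until it is explicitly removed.
    if lock.legal_hold:
        return False, "legal hold is ON; remove it before deleting"
    # No retention configured, or the retention period has already expired.
    if lock.mode is None or lock.retain_until is None or now >= lock.retain_until:
        return True, "no active retention period"
    if lock.mode == "COMPLIANCE":
        # Nobody, root included, can bypass or shorten an active compliance retention.
        return False, "COMPLIANCE retention active until " + lock.retain_until.isoformat()
    if lock.mode == "GOVERNANCE":
        # Bypass needs both the IAM permission (root implicitly has it) and the header.
        if (req.has_bypass_permission or req.is_root) and req.bypass_header:
            return True, "GOVERNANCE retention bypassed"
        return False, "GOVERNANCE retention active; bypass permission and header required"
    raise ValueError("unknown retention mode: %r" % lock.mode)

# Constructed sample clock values for the checks below.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
RETAIN_UNTIL = datetime(2030, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2031, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    # The "Root Fallacy": root cannot delete a version under active compliance retention.
    print(can_delete_version(LockState("COMPLIANCE", RETAIN_UNTIL),
                             Request("v1", is_root=True, bypass_header=True), NOW))
```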
4. Backup & Lifecycle
- AWS Backup: Centralized policy-based backup for EBS, RDS, EFS, DynamoDB, and S3.
- Data Lifecycle Manager (DLM): Focused specifically on automating EBS snapshots.
Visual Anchors
KMS Key Hierarchy (diagram not captured)
S3 Object Lock Decision Tree (diagram not captured)
Common Pitfalls
- The Root Fallacy: Believing the Root user can delete objects in S3 Compliance Mode. They cannot.
- EBS Encryption: You cannot encrypt an existing unencrypted volume in place. You must take a snapshot, copy that snapshot with encryption enabled, and create a new volume from the encrypted copy.
- KMS Grants vs. Policies: Policies are permanent; Grants are temporary and often used by AWS services (like EBS) to act on your behalf.
- Cross-Region Replication (CRR): To replicate encrypted S3 objects, the destination bucket must have permissions to use the KMS key, and the replication configuration must explicitly enable it.
Mnemonics / Memory Triggers
[!TIP] "C-K-S" (For S3 Server-side Encryption)
- C: Customer Key (SSE-C)
- K: KMS Key (SSE-KMS)
- S: S3-Managed Key (SSE-S3)
[!TIP] "G-C-L" (Object Lock escalation)
- Governance: "Gatekeeper" can delete.
- Compliance: "Can't" delete (Even Root).
- Legal: "Life-long" (Until manual release).
Formula / Equation Sheet
| Feature | KMS Symmetric | KMS Asymmetric | CloudHSM |
|---|---|---|---|
| Max Data Size | 4 KB directly | Varies (RSA/ECC) | High throughput |
| CloudTrail? | Yes | Yes | Limited (HSM Logs) |
| FIPS Level | 140-2 Level 2 | 140-2 Level 2 | 140-2 Level 3 |
| Rotation | Automatic (1 year) | Manual Only | Manual Only |
Worked Examples
Scenario: The Encrypted Snapshot Move
Problem: You have an unencrypted EBS volume in us-east-1 and need to move it to us-west-2 while ensuring it is encrypted at rest in the destination.
Step-by-Step Solution:
- Snapshot: Create a snapshot of the unencrypted volume in us-east-1.
- Copy & Encrypt: Use the CopySnapshot action. Select us-west-2 as the destination and check the Encrypt box. Select the KMS key in the destination region.
- Create Volume: Create a new EBS volume from the encrypted snapshot in us-west-2.
Practice Set
- Which KMS feature allows a service to use a key without a permanent IAM policy change?
- Answer: KMS Grant.
- You need to ensure S3 objects cannot be deleted for 5 years, even by the account administrator. Which tool is appropriate?
- Answer: S3 Object Lock in Compliance Mode.
- What is the primary difference between S3 versioning and S3 Object Lock?
- Answer: Versioning protects against accidental overwrites (keeps history); Object Lock protects against deletion of specific versions.
- A security policy requires FIPS 140-2 Level 3 and VPC-only access for key management. Which service?
- Answer: AWS CloudHSM.
- How do you encrypt an RDS database that was created without encryption?
- Answer: Take a snapshot, copy snapshot to a new encrypted snapshot, restore DB from the encrypted snapshot.
Recall Blanks
- Envelope Encryption is the practice of encrypting data with a Data Key, and then encrypting that key with a Master Key.
- KMS Customer Managed Keys (CMK) can be rotated every 1 year automatically if enabled.
- To use SSE-C, the customer must provide the key in the HTTP Header of every request.
- AWS Backup can centralize the management of S3 Lifecycle and Snapshot schedules across accounts via AWS Organizations.