
AWS Security Specialty Cram Sheet: Protecting Secrets and Keys

Design and implement controls to protect confidential data, credentials, secrets, and cryptographic key materials

AWS Certified Security - Specialty: Secrets & Key Management

This cram sheet focuses on Task 5.3 of Domain 5: designing and implementing controls for confidential data, credentials, secrets, and cryptographic materials.


Topic Weighting

| Domain | Exam Percentage | Task 5.3 Importance |
|---|---|---|
| Domain 5: Data Protection | 22% | High (Core focus on KMS and Secrets Manager) |

[!IMPORTANT] Expect at least 5-8 questions specifically targeting the nuances of KMS key types and Secrets Manager rotation logic.


Key Concepts Summary

1. AWS Key Management Service (KMS)

  • Customer Master Keys (CMKs): Now called AWS KMS keys.
    • AWS Managed: Created by services; rotated automatically every 3 years (1095 days); policy cannot be changed.
    • Customer Managed: You control policies and rotation (every year/365 days or on-demand).
  • Imported Key Material: You provide the entropy.
    • Limitation: No automatic rotation.
    • Recovery: If deleted, you must re-import the same material with the same wrapping key.
  • Key Policies: The primary way to control access. If the key policy doesn't explicitly allow the account root principal (which is what delegates permissions to IAM), IAM policies alone are insufficient.

2. AWS Secrets Manager

  • Rotation: Uses Lambda to update credentials (e.g., RDS, Redshift). Supports staggered rotation to prevent downtime.
  • Cross-Region: Can replicate secrets to multiple regions for DR (Disaster Recovery).

3. Data Masking & Protection

  • CloudWatch Logs Data Protection: Uses pattern matching to mask PII/credentials in logs automatically.
  • SNS Message Data Protection: Prevents sensitive data from being published to subscribers through discovery/masking policies.

Mnemonics / Memory Triggers

  • "K-M-S": Keep My Secrets (but usually for encryption keys).
  • "S-M-R": Secrets Manager Rotates (Remember: Secrets Manager = Rotation; Parameter Store = Static).
  • "I-M-P-O-R-T": Individual Manual Process Only Rotation Time (Imported material requires manual rotation).

Visual Anchors

Secret Rotation Workflow


Envelope Encryption Concept

\begin{tikzpicture}[node distance=2cm, every node/.style={draw, rectangle, align=center, minimum height=1cm}]
  \node (kms) {AWS KMS\\(KMS Key)};
  \node (datakey) [right of=kms, xshift=2cm] {Data Key\\(Plaintext + Encrypted)};
  \node (data) [below of=datakey] {Your Large Data\\(S3/EBS)};
  \draw[->, thick] (kms) -- node[above] {Generates} (datakey);
  \draw[->, thick] (datakey) -- node[right] {Encrypts} (data);
  \node[draw=none, fill=yellow!20, font=\small] at (1,-1.5) {Master key never leaves KMS};
\end{tikzpicture}
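The diagram above as runnable code, added here and not part of the cram sheet: a stand-in KMS object holds the master key and only ever hands out a plaintext/encrypted data-key pair, the large payload is encrypted locally with the data key, and decryption needs exactly one KMS call for the small encrypted key. The stream cipher is an HMAC-SHA256 counter keystream chosen so this runs on the standard library alone; real KMS and the SDKs use AES-GCM, and all keys here are constructed at runtime.

```python
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    """Stand-in stream cipher (HMAC-SHA256 counter keystream XORed onto data).
    Used only so the example runs offline; AES-GCM is what real envelope encryption uses."""
    out, block = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


class StandInKms:
    """Models the KMS boundary: the master key lives here and is never returned."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # constructed master key, never leaves this object

    def generate_data_key(self):
        """Like kms:GenerateDataKey: returns the plaintext data key and an encrypted copy."""
        plaintext_key = secrets.token_bytes(32)
        nonce = secrets.token_bytes(12)
        return plaintext_key, nonce + _keystream_xor(self._master, nonce, plaintext_key)

    def decrypt(self, encrypted_key):
        """Like kms:Decrypt on the encrypted data key (not on the large data)."""
        nonce, body = encrypted_key[:12], encrypted_key[12:]
        return _keystream_xor(self._master, nonce, body)


def envelope_encrypt(kms, data):
    """Encrypt the large payload locally; store only the encrypted data key beside it."""
    plaintext_key, encrypted_key = kms.generate_data_key()
    nonce = secrets.token_bytes(12)
    ciphertext = _keystream_xor(plaintext_key, nonce, data)
    del plaintext_key  # drop the plaintext key reference; only the encrypted copy persists
    return {"encrypted_key": encrypted_key, "nonce": nonce, "ciphertext": ciphertext}


def envelope_decrypt(kms, blob):
    """Recover the data key through KMS (the only KMS round trip), then decrypt locally."""
    plaintext_key = kms.decrypt(blob["encrypted_key"])
    return _keystream_xor(plaintext_key, blob["nonce"], blob["ciphertext"])


if __name__ == "__main__":
    kms = StandInKms()
    blob = envelope_encrypt(kms, b"large object contents " * 10000)
    print(len(blob["encrypted_key"]), "bytes go to KMS;", len(blob["ciphertext"]), "bytes never do")
```

Note that the stand-in cipher provides confidentiality only; a real data-key cipher such as AES-GCM also authenticates the ciphertext.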


Common Pitfalls

  • ❌ Don't assume IAM AdministratorAccess can use a KMS key if the Key Policy has been restricted.
  • ❌ Don't try to enable "Automatic Rotation" for imported key material; it is grayed out.
  • ❌ Don't use Secrets Manager for simple configuration strings (use SSM Parameter Store to save costs).
  • ❌ Don't forget that deleting a KMS Key has a mandatory waiting period (7–30 days).

Formula / Equation Sheet

KMS Key Policy Logic

$$\text{Access} = (\text{Key Policy ALLOW}) + (\text{IAM Policy ALLOW if Key Policy allows Account Root})$$

| Feature | AWS Managed Key | Customer Managed Key | Imported Material |
|---|---|---|---|
| Rotation | 3 Years (Fixed) | 1 Year (Opt-in) | Manual Only |
| Policy Edit | No | Yes | Yes |
| Deletion | No | Yes (7-30 days) | Yes (Material only) |
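The access rule above encoded as a small evaluator, added here and not part of the cram sheet: a developer with `kms:*` in IAM gets `kms:Decrypt` under a default key policy (which allows the account root), and AccessDenied under a key policy restricted to a KeyAdmin role. The account id, principals and policies are constructed samples, and explicit Deny, Condition blocks and Resource matching are deliberately left out.

```python
ACCOUNT = "111122223333"                         # constructed sample account id
ROOT = f"arn:aws:iam::{ACCOUNT}:root"            # principal that delegates to IAM policies
DEV = f"arn:aws:iam::{ACCOUNT}:user/dev"         # constructed developer principal
KEY_ADMIN = f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"  # constructed key-admin role


def _as_set(value):
    """Normalise a policy field that may be a string or a list into a set."""
    return {value} if isinstance(value, str) else set(value or [])


def _principals(stmt):
    """Principals named by a key-policy statement ('*' or an AWS list)."""
    p = stmt.get("Principal", {})
    return {"*"} if p == "*" else _as_set(p.get("AWS"))


def _action_matches(actions, action):
    """Support '*' and trailing wildcards such as 'kms:*'."""
    return any(a == "*" or a == action or
               (a.endswith("*") and action.startswith(a[:-1])) for a in actions)


def _allows(policy, action, principal=None):
    """Explicit Allow for the action (and, for key policies, the principal).
    Explicit Deny, Condition and Resource evaluation are omitted in this model."""
    for s in policy["Statement"]:
        if s["Effect"] != "Allow" or not _action_matches(_as_set(s["Action"]), action):
            continue
        if principal is None or principal in _principals(s) or "*" in _principals(s):
            return True
    return False


def can_use_key(key_policy, iam_policy, principal, action):
    """Key policy ALLOW, or IAM ALLOW only if the key policy grants the account
    root that action (that root grant is what enables IAM policies for the key)."""
    if _allows(key_policy, action, principal):
        return True
    return _allows(key_policy, action, ROOT) and _allows(iam_policy, action)


# Constructed sample policies.
DEFAULT_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}
RESTRICTED_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": KEY_ADMIN}, "Action": "kms:*", "Resource": "*"}]}
DEV_IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, kp in (("default", DEFAULT_KEY_POLICY), ("restricted", RESTRICTED_KEY_POLICY)):
        print(name, "key policy, dev with kms:* in IAM -> kms:Decrypt:",
              can_use_key(kp, DEV_IAM_POLICY, DEV, "kms:Decrypt"))
```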

Worked Examples

Scenario: The External Audit Requirement

Problem: A compliance auditor requires that the organization uses encryption keys where the organization, not AWS, generates the entropy. However, the security team is concerned about accidental deletion.

Solution:

  1. Create a KMS key with Origin: External.
  2. Download the public key and import token.
  3. Wrap your own key material and upload it.
  4. Crucial step: Set an expiration date for the material if required, but maintain a secure backup of the original key material off-cloud, as AWS cannot recover it if deleted.

Practice Set

  1. Which service should you use to automatically rotate credentials for a third-party API key used by an AWS Lambda function?
  2. A developer is getting AccessDeniedException when calling kms:Decrypt, despite having kms:* permissions in their IAM policy. What is the most likely cause?
  3. How does CloudWatch Logs Data Protection handle Social Security Numbers found in application logs?
  4. What is the main difference between AWS Private CA and ACM (AWS Certificate Manager)?

Fact Recall Blanks

  • AWS Secrets Manager uses a(n) ___________ function to perform rotation logic.
  • The default rotation period for AWS Managed KMS keys is ___________ days.
  • To allow an IAM policy to grant access to a KMS key, the Key Policy must include a statement allowing the ___________ principal.
  • The only way to "rotate" imported key material is to create a new KMS key and update the ___________ in your application.
Answers
  1. Lambda
  2. 1095
  3. Account (Root)
  4. Key ID / Alias
