same CMK.
2. S2N (Signal To Noise) is AWS's answer to OpenSSL, the open-source TLS
library. Small code footprint; available on GitHub under the Apache License.
3. Symmetric encryption is great for local files on a laptop etc., but not
for transferring data to others, as there is no secure way to send the KEY.
4. Asymmetric encryption makes key exchange easier: the public key is used
to encrypt and the private key (together with the public key) is needed to
decrypt. Only one party needs to generate the private key and keep it safe.
This method is used by SSL/TLS and SSH.
5. Signing - send an acknowledgement signed with the private key. The
receiver uses the public key to verify that the acknowledgement indeed came
from the private key holder.
6. Steganography - embed encrypted data in another image. The receiver
uses the private key to decrypt it.
16. SSE-KMS for S3, IAM role separation - store and replication
1. KMS is a regional and public service. Keys NEVER leave KMS. FIPS
140-2 Level 2. Some people may have permission to create keys but not to
use them to encrypt data - that is role separation. DEKs can be used to
encrypt data larger than 4 KB. The DEK is encrypted using the CMK. YOU do
the encryption using the DEK - not KMS. A CMK is isolated to a region. AWS
managed keys are rotated every 3 years. Customer managed keys - you have to
enable rotation, and it is always 1 year.
2. Replicate keys from one AWS region to another. No need to run
multiple decrypt and encrypt operations. Integrated with S3 and the
DynamoDB Encryption Client.
17. RDS primary node deployment failure, Replicas - minimum uptime guarantee
1. RDS Multi-AZ: access only via a CNAME to the Primary in one AZ.
Synchronous replication to the Standby, but users cannot access it.
Disk writes to Primary and Standby happen in parallel - no lag.
When the Primary FAILS, RDS switches the CNAME to the Standby - there
will be a brief disruption.
2. Extra cost for the Standby - it is in the SAME region, just a different
AZ. Take backups from the Standby - no performance impact. It is NOT fault
tolerant.
3. RDS Read Replicas - can be in AZs of the same region or in another
region. AWS manages all inter-region traffic with encryption. Uses
asynchronous replication. 5x direct read replicas per DB instance.
RRs offer near real-time RPO. An RR can be promoted quickly to handle
writes - low RTO. Cannot be used for write scaling. Use Provisioned
IOPS storage to improve read performance of RDS.
4. Aurora uses a cluster topology - very different from RDS. The Standby
can be used for reads under normal operations. Uses SHARED cluster