← Interview Prep Portal | Cyberspace Tech Solutions Main Site Book 1-on-1
Module 04 · Multi-Cloud Security Curriculum

Cloud Data Security & Encryption

Master data classification, encryption at rest and in transit, secrets management, tokenization, key management, DLP, and ransomware-resilient backup strategies.

20
Interview Q&As
25
MCQ Questions
4
Simulations
8
Hours Content

Topics Covered

TopicKey Services
Data Classification & SensitivityAWS Macie, Azure Purview, GCP DLP API
Encryption at RestSSE-S3, SSE-KMS, SSE-C, Azure SSE, GCP CMEK
Encryption in TransitTLS 1.2/1.3, HTTPS enforcement
Secrets ManagementAWS Secrets Manager, Azure Key Vault, GCP Secret Manager, HashiCorp Vault
Tokenization & MaskingPCI-DSS, static vs dynamic masking
Key ManagementAWS KMS, Azure Key Vault, GCP Cloud KMS, HSM
Backup & DRS3 Object Lock, Azure immutable blobs, 3-2-1-1-0 rule
Ransomware ProtectionVersioning, MFA delete, air-gapped backups
💡 Interview Focus: Know the difference between SSE-S3 / SSE-KMS / SSE-C cold. Understand when to use tokenization vs encryption. Be able to design a ransomware-resilient backup strategy. Secrets management anti-patterns (hardcoded credentials) come up in every cloud security interview.
Core Concepts · ~20 min reading

Data Security Fundamentals

Data Classification

LevelDescriptionExamplesControls
PublicFreely shareablePress releases, product docsMinimal
InternalInternal use onlyInternal wikis, meeting notesAccess controls
ConfidentialSensitive business dataSalary data, financial forecastsEncryption + strict access
RestrictedHighly sensitive, regulatedPII, PHI, credit cards (PAN)Encryption + DLP + audit + MFA
Cloud tagging: Apply classification labels as resource tags (AWS) or labels (Azure/GCP) to enforce policies automatically via CSPM tools.

AWS Encryption at Rest (S3)

MethodKey OwnerAudit TrailUse Case
SSE-S3AWS manages keyNo per-key CloudTrailBasic compliance, low overhead
SSE-KMSAWS KMS (customer controls)Yes — full CloudTrail auditPHI, PCI, regulatory data
SSE-CCustomer provides key per requestNo KMS loggingCustomer controls key material
Client-SideCustomer encrypts before uploadYour own logsZero trust of cloud provider

Secrets Management — Do vs Don't

Anti-patterns: Hardcoded credentials in source code, secrets in environment variables checked into git, API keys in plain text config files, long-lived access keys never rotated, shared credentials across teams.
PlatformServiceKey Features
AWSSecrets ManagerAuto rotation, RDS integration, CloudTrail audit, cross-account access
AWSSystems Manager Parameter StoreHierarchical storage, SecureString (KMS encrypted), lower cost
AzureKey VaultKeys + secrets + certificates, RBAC or access policies, HSM-backed Premium tier
GCPSecret ManagerVersioning, IAM access, automatic rotation, audit via Cloud Audit Logs
Multi-cloudHashiCorp VaultDynamic secrets (ephemeral, no long-lived creds), multi-cloud, plugin-based

Tokenization vs Encryption

FeatureEncryptionTokenization
Reversible?Yes (with key)Yes (via token vault) or No (vaultless)
Original data stored?Encrypted form storedOriginal replaced; token in vault
Mathematical relationshipYes (key + algorithm)No (random mapping)
PCI-DSS scope reductionPartialSignificant (tokens are not PAN)
Use caseData in transit, storageCredit card numbers, SSNs

Ransomware-Resilient Backup Strategy

  • 3-2-1-1-0 Rule: 3 copies, 2 different media types, 1 offsite, 1 offline/air-gapped, 0 errors verified by restore testing
  • S3 Object Lock (WORM): Compliance or Governance mode — objects cannot be deleted or overwritten for a set retention period
  • MFA Delete (S3): Requires MFA to permanently delete object versions or disable versioning
  • Azure Immutable Blob Storage: Time-based retention or legal hold — even storage account owner cannot delete
  • Cross-account backups: Store backups in a separate AWS account with restricted access — compromised account can't delete backups
  • Air-gapped: Backups with no network connectivity to production — physically isolated
Interview Q&A · 20 Questions

Interview Questions & Model Answers

1What is data classification and how is it implemented in cloud?Easy
Data classification is the process of organizing data by sensitivity level to apply appropriate security controls.

Common levels: Public → Internal → Confidential → Restricted

Cloud implementation:
  • Resource tagging (AWS tags, Azure labels, GCP labels) — e.g., Classification: Restricted
  • Automated discovery: AWS Macie (S3 PII/PHI detection), Azure Purview, GCP DLP API
  • CSPM tools enforce policies based on tags (block public access on Restricted buckets)
  • IAM policies tied to classification tags (only HR can access HR-tagged data)
💡 Without classification, you can't apply proportional controls — a public document gets the same protection as credit card data, wasting resources or leaving sensitive data exposed.
2What is the difference between SSE-S3, SSE-KMS, and SSE-C in AWS?Medium
MethodKey OwnerCloudTrail AuditControl Level
SSE-S3AWS fully manages keyNo per-object key eventsLow (AWS decides)
SSE-KMSCustomer-controlled KMS keyYes — every decrypt loggedHigh (set policy, rotate, audit)
SSE-CCustomer provides key with each requestNo KMS loggingMaximum (AWS never stores key)
💡 SSE-KMS is the most commonly used for regulated workloads. The CloudTrail audit of every decryption event is essential for compliance (HIPAA, PCI-DSS). SSE-C requires the customer to securely manage and transmit keys with each API call.
3What is a Customer-Managed Key (CMK) and when would you use it?Medium
A CMK (now called a KMS key in AWS) is an encryption key created, owned, and managed by the customer in AWS KMS, Azure Key Vault, or GCP Cloud KMS — rather than an AWS/provider-managed key.

When to use CMK:
  • Regulatory requirement to control key lifecycle (GDPR, HIPAA, PCI-DSS)
  • Need to audit all access to encrypted data via CloudTrail
  • Need to revoke access instantly (disable/delete the key — all encrypted data becomes inaccessible)
  • Multi-tenant SaaS where each tenant needs their own key
  • Need cross-account or cross-service encryption
💡 CMK "right to be forgotten": Under GDPR, you can cryptographically erase data by deleting the CMK — all data encrypted with it becomes permanently unreadable, no need to find and delete every file.
4What is the difference between encryption at rest and encryption in transit?Easy
  • Encryption at rest: Protects data while stored on disk, database, or object storage. Ensures data is unreadable if storage media is stolen or accessed without authorization. Examples: AES-256 for S3 objects, RDS encryption, disk encryption (BitLocker, dm-crypt).
  • Encryption in transit: Protects data moving over networks from interception. Prevents man-in-the-middle attacks. Examples: TLS 1.2/1.3 for HTTPS, mTLS for microservices, VPN for network traffic.
Both are required — encrypting only at rest means data is exposed during transmission, and vice versa.
💡 FIPS 140-2: US government standard for cryptographic modules. Cloud HSMs that meet FIPS 140-2 Level 3 are required for many government and financial workloads.
5What is AWS Secrets Manager and how does it differ from Parameter Store?Medium
FeatureSecrets ManagerParameter Store
Cost$0.40/secret/monthFree (standard), $0.05/advanced
Automatic rotationYes (native Lambda rotation)No (manual or custom)
RDS integrationNative auto-rotation for RDS passwordsNo
Secret sizeUp to 64KBUp to 8KB (advanced: 8KB)
Cross-accountYes (resource-based policy)Limited
Best forDatabase passwords, API keys (need rotation)Config values, feature flags, non-sensitive params
💡 Use Secrets Manager for credentials that must rotate. Use Parameter Store for configuration values and non-secret parameters. Both integrate with IAM and KMS.
6What is Azure Key Vault and what types of objects does it store?Easy
Azure Key Vault is a cloud service for safeguarding cryptographic keys, secrets, and certificates.

Object types:
  • Keys: RSA or EC keys used for encryption/signing. Can be software-protected or HSM-protected (Premium tier). Operations: encrypt, decrypt, sign, verify, wrapKey, unwrapKey.
  • Secrets: Any string value (passwords, connection strings, API keys). Versioned, with expiry policies.
  • Certificates: X.509 certificates with integrated renewal (Let's Encrypt, DigiCert integration).
Access models: Vault Access Policies (legacy) or Azure RBAC (preferred).
💡 Key Vault Premium uses FIPS 140-2 Level 2 HSMs. Managed HSM (dedicated) uses FIPS 140-2 Level 3 — required for highest compliance workloads.
7What is tokenization and how does it differ from encryption?Medium
Tokenization replaces sensitive data (e.g., a credit card number) with a non-sensitive placeholder token that has no mathematical relationship to the original data.

Key differences:
  • Encryption: Original data transformed using algorithm + key; decryptable with key; ciphertext still mathematically related to plaintext
  • Tokenization: Original data replaced with random token stored in a vault; no algorithm to reverse without the vault; token by itself is useless to attacker
PCI-DSS: Tokenization removes card data from PCI scope — systems handling only tokens don't need to meet PCI requirements. Encryption keeps data in scope (still cardholder data, just encrypted).
💡 Example: A credit card 4111-1111-1111-1111 → token 7829-4521-9834-3301. The token maps to the real card only in the secure token vault. If the token is stolen, it's worthless.
8What is data masking and when is it used?Easy
Data masking replaces sensitive data with realistic but fictitious data, preserving format while removing actual values.

Types:
  • Static masking: Creates a masked copy of the database (for dev/test environments). Original data permanently replaced in the copy.
  • Dynamic masking: Masks data on-the-fly as it's returned to unauthorized users. The original data stays in the database unchanged — only the response is masked based on the user's role.
Use cases:
  • Providing production-like data to developers without exposing PII
  • Non-production environments (staging, QA, analytics)
  • Call center agents seeing masked card numbers (last 4 digits only)
💡 Azure SQL Dynamic Data Masking and Oracle Data Masking are common implementations. AWS Glue DataBrew supports data masking for ETL pipelines.
9What is key rotation and why is it important?Medium
Key rotation is the process of replacing an old cryptographic key with a new one on a scheduled basis.

Why important:
  • Limits the window of exposure if a key is compromised
  • Regulatory requirements (PCI-DSS requires annual rotation of cryptographic keys)
  • Reduces the amount of data encrypted with any single key (limits blast radius)
Cloud implementation:
  • AWS KMS: automatic annual rotation (enable with one click); key material changes but key ID stays the same — no re-encryption of data needed
  • Azure Key Vault: rotation policy with notification and auto-rotation
  • Secrets Manager: automatic rotation for database passwords via Lambda
💡 In AWS KMS automatic rotation, the old key material is retained for decrypting old data. New encryptions use the new material. The key ARN stays the same — no application changes needed.
10What is FIPS 140-2 and why does it matter?Hard
FIPS 140-2 (Federal Information Processing Standard) is a US government standard that specifies security requirements for cryptographic modules (hardware or software).

Levels:
  • Level 1: Basic algorithm correctness
  • Level 2: Tamper-evidence (seals); most cloud HSM services
  • Level 3: Tamper-resistance (attempts to destroy keys on tampering); required for highest assurance
  • Level 4: Full envelope protection against physical attacks
Why it matters: Required for US Federal government workloads (FedRAMP), financial services (some), and healthcare. AWS KMS, Azure Key Vault, and GCP Cloud KMS operate FIPS 140-2 validated hardware.
💡 AWS CloudHSM provides dedicated FIPS 140-2 Level 3 hardware — for when you need to "bring your own key" material and the cloud provider must never have access to it.
11What is S3 Object Lock and how does it protect against ransomware?Medium
S3 Object Lock implements WORM (Write Once Read Many) storage — objects cannot be deleted or overwritten for a set retention period, even by the root account.

Modes:
  • Governance mode: Users with special IAM permission can override/delete
  • Compliance mode: No one (including root) can delete during retention period — immutable
Ransomware protection: If an attacker gains access and tries to encrypt/delete backups, Object Lock prevents deletion. Even if attacker has S3 delete permissions, the lock blocks them. This ensures you always have clean backups to restore from.
💡 Combined with versioning + MFA delete + cross-account replication = a highly ransomware-resilient backup strategy. This is the AWS-recommended approach for backup protection.
12What is AWS Macie?Easy
AWS Macie is a data security service that uses machine learning to automatically discover, classify, and protect sensitive data in Amazon S3.

What it does:
  • Discovers PII (names, addresses, SSNs, phone numbers), PHI, financial data (credit card numbers, bank accounts), credentials (API keys, private keys in files)
  • Alerts on public S3 buckets, unencrypted buckets, and buckets shared with external accounts
  • Provides sensitive data findings with severity levels
  • Integrates with Security Hub and EventBridge for automated response
💡 Macie is essential for GDPR compliance — it helps locate all personal data, a requirement for data subject rights (right to erasure). Equivalent: Azure Purview, GCP DLP API.
13How would you prevent a data breach from a misconfigured cloud storage bucket?Hard
Defense in depth approach:
  • Prevention: Enable S3 Block Public Access at account level (overrides all bucket policies); use SCPs to deny public bucket creation org-wide; use Azure Policy to deny public blob access
  • Detection: AWS Macie scans for sensitive data in public buckets; AWS Config rule s3-bucket-public-read-prohibited; Security Hub findings for public buckets; CSPM tools (Wiz, Prisma Cloud) with real-time drift detection
  • Response: EventBridge rule triggers Lambda to auto-remediate (set bucket to private); alert SOC via SNS; revoke any public access
  • Access control: Enforce bucket policies requiring aws:SecureTransport (HTTPS only); require encryption via bucket policy
💡 In 2022, Samsung exposed 190GB of source code via a misconfigured GitLab. In 2019, Capital One breach involved SSRF + S3 read access. Misconfigurations are the #1 cloud breach cause.
14What is the difference between static and dynamic data masking?Medium
FeatureStatic MaskingDynamic Masking
WhenAt data extraction timeAt query time (real-time)
Original dataReplaced in the copyUnchanged in database
Use caseDev/test/analytics environmentsProduction — role-based views
ExampleMasked database for QA teamSupport agent sees ***-1234 for cards
RiskMasked copy must also be securedOriginal data still at risk if bypassed
15What is an HSM (Hardware Security Module)?Medium
An HSM is a dedicated physical computing device that safeguards and manages cryptographic keys, performing encryption/decryption operations inside a tamper-resistant hardware boundary. Keys are never exposed outside the HSM.

Cloud HSMs:
  • AWS CloudHSM: dedicated single-tenant HSM, FIPS 140-2 Level 3, customer fully controls the HSM (AWS cannot access keys)
  • Azure Dedicated HSM / Managed HSM
  • GCP Cloud HSM (backing for Cloud KMS)
When needed: Regulatory requirements mandating FIPS 140-2 Level 3, customer-controlled key material, digital signing for code/documents, Certificate Authority operations.
💡 AWS KMS uses HSMs internally but is multi-tenant and AWS has access. CloudHSM is single-tenant — you manage the HSM user/credentials and AWS has zero access to keys.
16How does GCP CMEK (Customer-Managed Encryption Key) work?Medium
GCP CMEK allows customers to use their own encryption keys (stored in Google Cloud KMS or an external KMS) to encrypt Google Cloud resources instead of Google-managed keys.

How it works:
  • Customer creates a key in Cloud KMS
  • Customer grants the GCP service's service account cloudkms.cryptoKeyEncrypterDecrypter permission on the key
  • When GCP stores data, it calls KMS to encrypt; when reading, calls KMS to decrypt
  • Customer can revoke the key grant — GCP service loses access to all data encrypted with it (cryptographic erasure)
CSEK: Customer-Supplied Encryption Keys — customer provides the key with each API request. GCP never stores it. Used for maximum isolation.
💡 CMEK applies to BigQuery, Cloud Storage, Pub/Sub, Spanner, Compute Engine disks, and more. Key rotation and audit via Cloud Audit Logs are supported.
17What is a data lifecycle policy and how is it used?Easy
A data lifecycle policy automates the movement and deletion of data across storage tiers based on age or access patterns, reducing cost and enforcing data retention compliance.

Examples:
  • S3 Lifecycle: Move objects to S3 Standard-IA after 30 days → Glacier after 90 days → delete after 365 days
  • Azure Blob Lifecycle Management: Move to Cool tier after 30 days, Archive after 90 days, delete after 7 years
  • GCP Object Lifecycle: Delete objects older than 365 days, transition to Nearline/Coldline/Archive storage
Compliance use: GDPR right to erasure — automatically delete data after its retention period expires.
💡 Lifecycle policies work with classification tags. Restricted data (PHI, PII) may have a 7-year legal hold; internal data may expire after 1 year.
18What are immutable backups and why are they critical for ransomware defense?Medium
Immutable backups are backups that cannot be modified, overwritten, or deleted for a set retention period — even by administrators, backup software, or attackers with stolen credentials.

Why critical for ransomware:
  • Ransomware operators increasingly target and delete backups before encrypting production data
  • If backups are in the same account/environment, compromised credentials can wipe them
  • Immutable backups guarantee a clean copy exists regardless of attacker access level
Implementations:
  • S3 Object Lock (Compliance mode) — even root cannot delete
  • Azure Immutable Blob Storage (time-based or legal hold)
  • Cross-account backups in a separate AWS organization with SCP blocking deletion
💡 Test your backups! The "0" in 3-2-1-1-0 means zero errors on restore test. Organizations frequently discover their backups are corrupt only when they need them.
19What is cross-region replication and when is it needed?Easy
Cross-region replication (CRR) automatically copies objects/data from a source region to a destination region in real time or near real time.

When needed:
  • Disaster recovery: If primary region becomes unavailable, data available in DR region
  • Compliance: Data sovereignty requires copies in specific countries/regions
  • Latency: Serving data to users closer to a different region
  • Backup: Geographic separation of backup from production
AWS: S3 Cross-Region Replication (CRR) — requires versioning enabled on both buckets. Also: DynamoDB global tables, RDS cross-region read replicas.
💡 CRR does NOT protect against accidental deletion if delete replication is enabled (deletions replicate too). Use Object Lock + CRR for full ransomware protection.
20How would you implement DLP in a multi-cloud environment?Hard
A layered approach:
  • Discovery: AWS Macie (S3), GCP DLP API (GCS, BigQuery), Azure Purview (Storage, SQL) — scan for PII/PHI/PCI across all clouds
  • Classification tagging: Auto-tag resources with discovered sensitivity levels
  • Prevention policies:
    • Block sharing sensitive data externally (S3 bucket policies, Azure Policy)
    • Email DLP (Microsoft Purview, Google Workspace DLP) to prevent sensitive data leaving via email
    • Endpoint DLP for data leaving devices
  • CASB: For SaaS apps — Microsoft Defender for Cloud Apps or Netskope inspect SaaS traffic for sensitive data
  • Centralized monitoring: Aggregate DLP alerts in SIEM for cross-cloud visibility
💡 DLP is most effective when classification is accurate. Garbage-in-garbage-out: if data isn't properly classified, DLP policies can't protect it or generate too many false positives.

MCQ Quiz · 25 Questions

Multiple Choice Questions

Progress:
0 / 25
Simulation 1

Encryption Method Selector

Choose the best encryption approach for each scenario.

Simulation 2

Secrets Management Anti-Pattern Detector

Identify whether each approach is Secure or Insecure.

Simulation 3

Data Classification Exercise

Classify each data item into the correct sensitivity level.

Simulation 4

Backup Strategy Evaluator

Rate each backup configuration for ransomware resilience.

🎉

Module 04 Complete!