AWS CloudHSM

Question 1

When we use a CloudHSM what are we doing with the data?

Answer 1

• Minimizing physical access
• Minimizing logical access
• Providing
• -Confidentiality
• -Integetery
• -Availability

Question 2

What is a CloudHSM?

Answer 2

Provides HSM as a service, you

Question 3

I need a CloudHSM, what do I need to do?

Answer 3

• Create a CloudHSM cluster
• Select a VPC
• Create 3 subnets in VPC one in each AZ

Question 4

Why would you need a CloudHSM over KMS?

Answer 4

You need an industry standard interface and libs, like,

• PKCS#11
• Java Crypto Extention (JCE)
• Microsoft CryptoNG

Question 5

I have an application that requires the use of PKCS#11, what AWS service do I need?

Answer 5

CloudHSM,KMS does not support standard interface.

Question 6

How is the HSM functionality put in you VPC subnets, is it a VM or something else?

Answer 6

Each CloudHSM in the cluster is exposed in the VPN subnet using an endpoint interface(ENI). There will be an endpoint interface in each of the three subnets in three separate AZ’s

Question 7

What level of FIPS does CloudHSM support?

Answer 7

FIPS140-3

Question 8

Does Wha have higher FIPS, KMS or CloudHSM, state levels?

Answer 8

CloudHSM = FIPS140-3
KMS = FIPS140-2

Question 9

I want to use the CloudHSM from my on-prem over both VPN and Direct connect, is this possible and how?

Answer 9

Yes, as the CloudHSM is exposed as an ENI, you can access from on-prem network through VPN or DirectConnect.

Question 10

Can I give AWS a physical cloud appliance and use it in my VPC?

Answer 10

No.

Question 11

Is the CloudHSM highly available and why?

Answer 11

Yes, it is, it is provisioned as a cluster across three AZs in a VPC.

Question 12

How is an AWS CloudHSM integrated into your VPC?

Answer 12

The AWS CloudHSM is delivered as an ENS in your subnet.

Question 13

Is an HSM highly available by default?

Answer 13

No, you have to create a cluster across the AZs and each HSM hets delivered an ENI in you subnets.

Question 14

What is the FIPS rating on KMS?

Answer 14

FIPS 140-3 (KMS is= 2)

Question 15

I need Fips140-3 compliant HSM from an on-prem application, I already have DirectConenct in place, what option do I have and explain the architecture?

Answer 15

You can use DirectConnetc to access the AWS CloudHSM service, you will need to set up a VOPC and create a two-node CloudHSM cluster for high availability. This will place two HSM in two separate AZ and two ENIs are created, one in each of the VPC subnets in separate AZ. You will then use existing direct connect to access the Cloud HSM.

Question 16

I have a specialized physical HSM used in my DC and I am wanting to move my application to AWS cloud, how can I get AWS to host my physical HSM device?

Answer 16

You can, AWS will not host it, you can use DirectConnect to access the HSM form the AWS cloud.

Question 17

You are setting up access to an AWS CloudHSM cluster and want to follow best practices for securely managing credentials and restricting key access. Which of the following approaches best aligns with AWS security best practices?

A) Store the CloudHSM user credentials in plaintext within the application code and restrict code access using IAM roles.

B) Manage CloudHSM access directly through IAM policies by assigning user roles.

C) Securely store the CloudHSM username and password in an SSM parameter, then restrict access to that parameter using an IAM policy.

D) Hard-code the CloudHSM username and password into environment variables and restrict EC2 instance access.

Answer 17

Correct Answer: C