AWS CloudHSM | Provisioning and operations Flashcards

1
Q

Is there a Free Tier for the CloudHSM service?

Provisioning and operations

AWS CloudHSM | Security, Identity & Compliance

A

No, there is no free tier available for CloudHSM.

2
Q

Are there any prerequisites for signing up for CloudHSM?


A

Yes. In order to start using CloudHSM there are a few prerequisites, including a Virtual Private Cloud (VPC) in the region where you want CloudHSM service. Refer to the CloudHSM User Guide for more details.

3
Q

Do I need to manage the firmware on my HSM?


A

No. AWS manages the firmware on the hardware. Firmware is maintained by a third party, and every firmware must be evaluated by NIST for FIPS 140-2 Level 3 compliance. Only firmware that has been cryptographically signed by the FIPS key (which AWS does not have access to) can be installed.

4
Q

How many HSMs should I have in my CloudHSM Cluster?


A

AWS strongly recommends that you use at least two HSMs in two different Availability Zones for any production workload. For mission-critical workloads, we recommend at least three HSMs in at least two separate AZs. The CloudHSM client will automatically handle any HSM failures and load balance across two or more HSMs transparently to your application.

5
Q

Who is responsible for key durability?


A

AWS takes automatic encrypted backups of your CloudHSM Cluster on a daily basis, and additional backups when cluster lifecycle events occur (such as adding or removing an HSM). For the 24-hour period between backups, you are solely responsible for the durability of key material created or imported to your cluster. We strongly recommend ensuring that any keys created are synchronized to at least two HSMs in two different Availability Zones to ensure the durability of your keys. See the CloudHSM User Guide for more detail on verifying key synchronization.

6
Q

How do I set up a high availability (HA) configuration?


A

High availability is provided automatically when you have at least two HSMs in your CloudHSM Cluster. No additional configuration is required. In the event an HSM in your cluster fails, it will be replaced automatically, and all clients will be updated to reflect the new configuration without interrupting any processing. Additional HSMs can be added to the cluster via the AWS API or SDK, increasing availability without interrupting your application.

7
Q

How many HSMs can be connected in a CloudHSM Cluster?


A

A single CloudHSM Cluster can contain up to 32 HSMs.

8
Q

Can I back up the contents of a CloudHSM?


A

Your CloudHSM Cluster is backed up on a daily basis by AWS. Keys can also be exported (“wrapped”) out of your cluster and stored on-premises as long as they were not generated as “non-exportable”. No other backup options are available at this time, though we expect to provide a more comprehensive on-premises backup capability soon.
