AWS CloudHSM | Security Flashcards
Is there an SLA for CloudHSM?
Security
AWS CloudHSM | Security, Identity & Compliance
At the present time, there is no SLA for CloudHSM.
Do I share my CloudHSM with other AWS customers?
No. As part of the service you receive single-tenant access to the HSM. Underlying hardware may be shared with other customers, but the HSM is accessible only to you.
How does AWS manage the HSM without having access to my encryption keys?
Separation of duties and role-based access control are inherent in the design of CloudHSM. AWS holds a limited credential to the HSM that permits us to monitor and maintain the health and availability of the HSM, take encrypted backups, and extract and publish audit logs to your CloudWatch Logs. AWS is unable to see, access or use your keys, or to cause your HSM to perform any cryptographic operation using your keys.
Please see the CloudHSM User Guide for more information on the separation of duties, and the capabilities each class of user has on the HSM.
Can I monitor my HSM?
Yes. CloudHSM publishes multiple CloudWatch metrics for CloudHSM Clusters and for individual HSM instances. You can use the AWS CloudWatch Console, API or SDK to obtain or alarm on these metrics.
What is the ‘entropy source’ (source of randomness) for CloudHSM?
Each HSM has a FIPS-validated Deterministic Random Bit Generator (DRBG) that is seeded by a True Random Number Generator (TRNG) within the HSM hardware module that conforms to SP800-90B. This is a high-quality entropy source capable of producing 20Mb/sec of entropy per HSM.
What happens if someone tampers with the HSM hardware?
CloudHSM has both physical and logical tamper detection and response mechanisms that trigger key deletion (zeroization) of the hardware. The hardware is designed to detect tampering if its physical barrier is breached. HSM instances are also protected against brute-force login attacks. After a fixed number of unsuccessful attempts to access an HSM with Crypto Officer (CO) credentials, the HSM instance will zeroize itself. After a fixed number of unsuccessful attempts to access an HSM with Crypto User (CU) credentials, the user will be locked and must be unlocked by a CO.
What happens in case of failure?
Amazon monitors and maintains the HSM and network for availability and error conditions. If an HSM fails or loses network connectivity, the HSM will be automatically replaced. You can check the health of an individual HSM using the CloudHSM API, SDK, or CLI Tools, and you can check the overall health of the service at any time using the AWS Service Health Dashboard.
Could I lose my keys if a single HSM instance fails?
Yes. It is possible to lose keys that were created since the most recent daily backup if the CloudHSM cluster that you are using fails and you are not using two or more HSMs. Amazon strongly recommends that you use two or more HSMs, in separate Availability Zones, in any production CloudHSM Cluster to avoid loss of cryptographic keys.
Can Amazon recover my keys if I lose my credentials to my HSM?
No. Amazon does not have access to your keys or credentials and therefore has no way to recover your keys if you lose your credentials.
How do I know that I can trust CloudHSM?
CloudHSM is built on hardware that is validated at Federal Information Processing Standard (FIPS) 140-2 Level 3. You can find the FIPS 140-2 Security Policy for the hardware used by CloudHSM here: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2850.pdf
Does the CloudHSM service support FIPS 140-2 Level 3?
Yes, CloudHSM provides FIPS 140-2 Level 3 validated HSMs. You can follow the procedure in the CloudHSM User Guide under Verify the Authenticity of Your HSM to confirm that you have an authentic HSM on the same model hardware specified in the NIST Security Policy described in the previous question.
How do I operate a CloudHSM in FIPS 140-2 mode?
CloudHSM is always in FIPS 140-2 mode. This can be verified by using the CLI tools as documented in the CloudHSM User Guide and running the getHsmInfo command, which will indicate the FIPS mode status.
How can I securely distribute an HSM partition credential to my instances?
Please refer to the AWS Security Blog post "Using IAM roles to distribute non-AWS credentials to your EC2 instances", which describes this procedure.
Can I get a history of all CloudHSM API calls made from my account?
Yes. AWS CloudTrail records AWS API calls for your account. The AWS API call history produced by CloudTrail lets you perform security analysis, resource change tracking, and compliance auditing. Learn more about CloudTrail at the CloudTrail home page, and turn it on via CloudTrail’s AWS Management Console.