AWS - KMS Flashcards

1
Q

What level of compliance does KMS provide by default?

A

FIPS 140-2 (L2)
FIPS = Federal Information Processing Standard

2
Q

What is an HSM?

A

Hardware security modules (HSMs)
- Hardened, tamper-resistant hardware devices that secure cryptographic processes by generating, protecting, and managing keys used for encrypting and decrypting data and creating digital signatures and certificates.

3
Q

What is CloudHSM?

A
  • Similar to KMS, but gives you a higher level of security compliance.
  • With CloudHSM, AWS manages the hardware, but they have NO ACCESS to the part of the hardware where keys are stored and managed. It is actually a physically tamper-resistant piece of hardware that only YOU have access to.

4
Q

What level of security compliance does CloudHSM provide?

A

CloudHSM is FIPS 140-2 Level 3 compliant, vs KMS by itself which is only Level 2 compliant.

5
Q

What API standards do you use to communicate with CloudHSM?

A

With CloudHSM, you use industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), or Microsoft Cryptography API: Next Generation (CNG) libraries.

6
Q

How should you configure CloudHSM if you need high availability?

A
  • AWS deploys CloudHSMs inside their own VPC, not in any VPC that you control.
  • AWS deploys one CloudHSM in each AZ to provide high availability, since a single HSM device is not highly available on its own.
  • These HSMs get configured as a cluster, so keys, policies, configurations, etc. get auto-replicated between them.
  • AWS provides you with one Elastic Network Interface (ENI) for each HSM (one per AZ).
  • If you want high availability, you have to configure each of your interfaces to load-balance across the various ENIs.
  • Note that you also have to install the CloudHSM client on each EC2 instance that uses CloudHSM.