CloudHSM Flashcards

1
Q

CloudHSM

What is the major security limitation of KMS?

A

Shared hardware. The HSMs backing KMS are multi-tenant: your keys sit on hardware shared with other AWS customers (isolated logically, not physically).

2
Q

CloudHSM

What is CloudHSM compared to KMS?

important

A

True single-tenant HSMs dedicated to your account. AWS manages the hardware (provisioning, patching, backups) but has no access to the keys on it.

3
Q

CloudHSM

Major warning about CloudHSM use?

A

AWS has no access to the keys or credentials on the device. Lose access (e.g. the crypto officer / crypto user credentials) == all keys lost; AWS cannot reset them or recover the keys for you.

4
Q

CloudHSM

What is the FIPS standard for CloudHSM?

important

A

FIPS 140-2 level 3

Need to know the whole thing, including the "Level 3" at the end.

5
Q

CloudHSM

How do you access a CloudHSM device?

important

A

Industry-standard crypto interfaces: PKCS#11, Java Cryptography Extension (JCE), and Microsoft CNG/KSP (Cryptography API: Next Generation and Key Storage Provider) on Windows

6
Q

CloudHSM

Why not just use AWS web service APIs?

A

CloudHSM isn't integrated with the AWS API/IAM model the way KMS is. It's an industry-standard HSM that your own code talks to over standard crypto interfaces from inside your VPC; IAM only controls the cluster lifecycle, not the keys on the device.

7
Q

CloudHSM

What other system uses HSMs too?

A

KMS

8
Q

CloudHSM

What overlap is there between CloudHSM and KMS?

A

Normal KMS keys live in shared-tenant HSMs. The KMS Custom Key Store feature backs KMS keys with your own CloudHSM cluster, giving single-tenant key storage behind the ordinary KMS API.

9
Q

CloudHSM

Is a CloudHSM device HA?

A

Nope. Each HSM is a physical device, so it lives in a single AZ.

10
Q

CloudHSM

Is CloudHSM product HA?

A

Yes(-ish): a cluster with 2+ HSMs placed in different AZs keeps serving if one HSM or AZ fails. A single-HSM cluster is not HA.

11
Q

CloudHSM

How do you provision CloudHSM?

A

Create a Cluster (pick the VPC and one subnet per AZ you want to use), then add 1+ HSMs to it. The cluster is then initialized by signing its CSR with your own CA and activated by setting the crypto officer password.

12
Q

CloudHSM

How do you provision a CloudHSM device into a VPC?

A

Don't. It's the RDS model: the HSMs live in the service team's VPC, and you get one ENI per HSM placed in one of your subnets. Your instances reach the HSM through that ENI (the cluster's security group has to allow them).

13
Q

CloudHSM

If you have two CloudHSMs, and HSMs don’t ever let keys out…

A

HSMs in a Cluster sync their keys and config (users, policies) among themselves, HSM-to-HSM. The keys are cloned between the devices and never appear in plaintext outside the hardware.

14
Q

CloudHSM

Once you have two ENIs for your 2-node CloudHSM cluster, now what?

A

Install the CloudHSM client software (the client SDK, a daemon in SDK 3) on every EC2 instance that needs the HSM and point it at the ENI IPs. The client load-balances across the HSMs in the cluster and fails over when one is unavailable.

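A check that ties cards 10, 12 and 14 together, as an added example that is not from the original deck or from AWS: given the JSON that `aws cloudhsmv2 describe-clusters` returns, decide whether each cluster is actually HA (ACTIVE, 2+ ACTIVE HSMs, spread over 2+ AZs) and collect the HSM ENI IPs you would pass to the client's configure tool (`-a <ENI IP>`). The sample JSON is constructed; cluster, HSM, ENI and subnet IDs and the IPs are placeholders, not real resources.

```python
"""Assess CloudHSM clusters for HA and collect HSM ENI IPs for the client.

Added example (not AWS code). Parses the shape of `aws cloudhsmv2
describe-clusters` output; the sample below is constructed and all IDs/IPs
are placeholders.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `aws cloudhsmv2 describe-clusters`.
# cluster-example0001: two ACTIVE HSMs in two AZs (HA).
# cluster-example0002: one HSM only (not HA).
SAMPLE_DESCRIBE_CLUSTERS = json.dumps({
    "Clusters": [
        {
            "ClusterId": "cluster-example0001",
            "State": "ACTIVE",
            "HsmType": "hsm1.medium",
            "Hsms": [
                {"HsmId": "hsm-exampleaaaa", "State": "ACTIVE",
                 "AvailabilityZone": "us-east-1a", "SubnetId": "subnet-exampleaaaa",
                 "EniId": "eni-exampleaaaa", "EniIp": "10.0.1.10"},
                {"HsmId": "hsm-examplebbbb", "State": "ACTIVE",
                 "AvailabilityZone": "us-east-1b", "SubnetId": "subnet-examplebbbb",
                 "EniId": "eni-examplebbbb", "EniIp": "10.0.2.10"},
            ],
        },
        {
            "ClusterId": "cluster-example0002",
            "State": "ACTIVE",
            "HsmType": "hsm1.medium",
            "Hsms": [
                {"HsmId": "hsm-examplecccc", "State": "ACTIVE",
                 "AvailabilityZone": "us-east-1a", "SubnetId": "subnet-exampleaaaa",
                 "EniId": "eni-examplecccc", "EniIp": "10.0.1.11"},
            ],
        },
    ]
})


def assess_cluster(cluster: Dict) -> Tuple[bool, List[str], List[str]]:
    """Return (is_ha, eni_ips, problems) for one cluster record.

    HA means: cluster ACTIVE, at least two HSMs, all of them ACTIVE, and the
    HSMs spread over at least two Availability Zones. eni_ips lists the IPs
    of the ACTIVE HSMs, which is what the client software is configured with.
    """
    problems: List[str] = []
    if cluster.get("State") != "ACTIVE":
        problems.append(f"cluster state is {cluster.get('State')}, not ACTIVE")
    hsms = cluster.get("Hsms", [])
    for h in hsms:
        if h.get("State") != "ACTIVE":
            problems.append(f"{h.get('HsmId')} is {h.get('State')}, not ACTIVE")
    active = [h for h in hsms if h.get("State") == "ACTIVE"]
    if len(active) < 2:
        problems.append(f"only {len(active)} active HSM(s); a single HSM is a single point of failure")
    zones = {h.get("AvailabilityZone", "?") for h in active}
    if len(active) >= 2 and len(zones) < 2:
        problems.append(f"all HSMs are in one AZ ({', '.join(sorted(zones))})")
    eni_ips = sorted(h["EniIp"] for h in active)
    return (not problems, eni_ips, problems)


def assess_all(describe_clusters_json: str) -> Dict[str, Tuple[bool, List[str], List[str]]]:
    """Map ClusterId -> assess_cluster(...) for every cluster in the JSON."""
    data = json.loads(describe_clusters_json)
    return {c["ClusterId"]: assess_cluster(c) for c in data.get("Clusters", [])}


if __name__ == "__main__":
    for cid, (is_ha, ips, problems) in assess_all(SAMPLE_DESCRIBE_CLUSTERS).items():
        print(f"{cid}: HA={is_ha} client ENI IPs={ips}")
        for p in problems:
            print(f"  - {p}")
```

Feed it real output (`aws cloudhsmv2 describe-clusters > clusters.json`) instead of the sample to audit an account; the returned `eni_ips` are the addresses the client software on each EC2 instance is configured with.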
15
Q

CloudHSM

What AWS services does CloudHSM integrate with?

important

A

Essentially none directly. The one hook is KMS, which can use a CloudHSM cluster as a Custom Key Store; otherwise your own code talks to the HSM.

16
Q

CloudHSM

Concrete result of integration strategy with other AWS services?

important

A

No native CloudHSM support for encrypting EBS volumes, S3 objects, etc. Those services only talk to KMS; the only indirect route is a KMS key in a Custom Key Store backed by your CloudHSM cluster.

17
Q

CloudHSM

How can CloudHSM benefit an application other than by increasing security?

important

A

SSL/TLS offload: the web server's private key stays in the HSM and the HSM does the private-key operations of the handshake, taking that work off the server's CPU and keeping the key out of the server's memory.

18
Q

CloudHSM

How can CloudHSM benefit Oracle databases?

important

A

Enable Transparent Data Encryption (TDE): Oracle keeps the TDE master encryption key in CloudHSM, so the keys that encrypt the data are wrapped by a key that never leaves the hardware.

19
Q

CloudHSM

What can CloudHSM do to protect certificates?

A

Store the CA's private issuing key in CloudHSM (the certificate itself is public; it's the signing key that needs protecting).

20
Q

CloudHSM

What system is best for handling keys using industry standard interfaces?

important

A

CloudHSM

21
Q

CloudHSM

How can CloudHSM benefit your custom CA?

important

A

Store the private (root and issuing) keys in CloudHSM, so every signature is produced inside the hardware and the key never leaves it.

The same technique is used for the DNSSEC root key signing ceremony.