CloudHSM/VPC Architecture (AWS Certified Security – Specialty forum)
In regards to the following question:
A company is hosting its suite of financial web applications in AWS that store sensitive corporate records. It needs a solution that can easily generate and use their own encryption keys on their AWS resources. The requirement is to have a dedicated, FIPS 140-2 compliant service that is under the company's exclusive control and resides within their VPC.

What is the MOST suitable service that the Security Engineer should use?
I understand that CloudHSM is the correct answer, but from a very technical point of view, I think there might be an opportunity to clarify some things on this question. As described in the article below, the CloudHSM doesn't actually reside in the customer's VPC, but instead resides in its own special CloudHSM VPC. Now again, I understand that from a functional point of view, CloudHSM is much more "isolated", but the graphic shows an instance in the same VPC as a normal instance, and the explanation for the KMS answer indicates that "this service does not reside in your VPC, unlike CloudHSM," both of which are not technically accurate as I understand it.
AWS Link:
https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html#cluster-architecture
Hello Hayden,
Thanks for sharing your thoughts on this item. Yes, the HSM hardware from where keys are generated does not reside in customer VPCs; customers just use software provided by AWS to interface with them. I understand that the last part of the scenario gives the wrong impression of HSMs being hosted in a customer VPC so a more appropriate statement would be along the lines of “managing HSM within their VPC”. We’ll tweak this item to make it more technically correct.
Let me know if you have further questions.
Regards,
Carlo @ Tutorials Dojo