
  • CloudHSM/VPC Architecture

  • hayden_cardwell

    Member
    October 7, 2022 at 9:09 am

    In regards to the following question:

    A company is hosting its suite of financial web applications in AWS that store sensitive corporate records. It needs a solution that can easily generate and use their own encryption keys on their AWS resources. The requirement is to have a dedicated, FIPS 140-2 compliant service that is under the company's exclusive control and resides within their VPC.

    What is the MOST suitable service that the Security Engineer should use?

    I understand that CloudHSM is the correct answer, but from a very technical point of view, I think there might be an opportunity to clarify some things on this question. As described in the article below, the CloudHSM doesn't actually reside in the customer's VPC, but instead resides in its own special CloudHSM VPC. Now again, I understand that from a functional point of view, CloudHSM is much more "isolated", but the graphic shows an instance in the same VPC as a normal instance, and the explanation for the KMS answer indicates that "this service does not reside in your VPC, unlike CloudHSM", neither of which is technically accurate as I understand it.

    AWS Link:
    https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html#cluster-architecture

  • Carlo-TutorialsDojo

    Member
    October 13, 2022 at 5:37 am

    Hello Hayden,

    Thanks for sharing your thoughts on this item. Yes, the HSM hardware where keys are generated does not reside in customer VPCs; customers just use software provided by AWS to interface with them. I understand that the last part of the scenario gives the wrong impression of HSMs being hosted in a customer VPC, so a more appropriate statement would be along the lines of "managing HSM within their VPC". We'll tweak this item to make it more technically correct.

    Let me know if you have further questions.

    Regards,

    Carlo @ Tutorials Dojo
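The distinction both posts land on (the HSM appliance sits in an AWS-owned CloudHSM VPC, while the only thing in the customer's VPC is the elastic network interface that fronts each HSM) can be checked directly from the DescribeClusters API. The script below is an added example, not code from the thread or from Tutorials Dojo: it takes a response shaped like `cloudhsmv2:DescribeClusters` (the field names `ClusterId`, `VpcId`, `SubnetMapping`, `SecurityGroup`, `Hsms`, `HsmId`, `EniId`, `EniIp`, `SubnetId` are the real ones; every ID and IP value is constructed), separates the customer-side artefacts from the AWS-side HSM identifier, and flags Availability Zones the cluster was created for that currently have no HSM, which matters because a production cluster should have HSMs in more than one AZ.

```python
"""Show what a CloudHSM cluster actually places in the customer's VPC.

Added example. The response shape mirrors boto3.client("cloudhsmv2")
.describe_clusters(); all identifiers below are constructed sample values.
"""

# Constructed sample response (trimmed to the fields the audit needs).
# Two subnets were supplied at cluster creation, but only one HSM exists,
# so us-east-1b is a coverage gap.
SAMPLE_DESCRIBE_CLUSTERS = {
    "Clusters": [
        {
            "ClusterId": "cluster-EXAMPLE00001",
            "State": "ACTIVE",
            "VpcId": "vpc-0123456789abcdef0",
            "SecurityGroup": "sg-0123456789abcdef0",
            "SubnetMapping": {
                "us-east-1a": "subnet-0aaaaaaaaaaaaaaaa",
                "us-east-1b": "subnet-0bbbbbbbbbbbbbbbb",
            },
            "Hsms": [
                {
                    "HsmId": "hsm-EXAMPLE00001",
                    "AvailabilityZone": "us-east-1a",
                    "SubnetId": "subnet-0aaaaaaaaaaaaaaaa",
                    "EniId": "eni-0aaaaaaaaaaaaaaaa",
                    "EniIp": "10.0.1.25",
                    "State": "ACTIVE",
                }
            ],
        }
    ]
}


def customer_vpc_footprint(response):
    """One record per HSM, split into AWS-side and customer-side parts.

    The HsmId names the appliance in the AWS-owned CloudHSM VPC; the ENI,
    its IP, its subnet and the cluster security group are what the customer
    VPC actually contains and what its flow logs / NACLs will ever see.
    """
    records = []
    for cluster in response.get("Clusters", []):
        for hsm in cluster.get("Hsms", []):
            records.append({
                "cluster_id": cluster["ClusterId"],
                "aws_side": {"hsm_id": hsm["HsmId"]},
                "customer_side": {
                    "vpc_id": cluster["VpcId"],
                    "eni_id": hsm.get("EniId"),
                    "eni_ip": hsm.get("EniIp"),
                    "subnet_id": hsm.get("SubnetId"),
                    "security_group": cluster.get("SecurityGroup"),
                },
            })
    return records


def zones_without_hsm(response):
    """AZs from the cluster's SubnetMapping that have no ACTIVE HSM."""
    gaps = {}
    for cluster in response.get("Clusters", []):
        covered = {
            hsm["AvailabilityZone"]
            for hsm in cluster.get("Hsms", [])
            if hsm.get("State") == "ACTIVE"
        }
        missing = sorted(set(cluster.get("SubnetMapping", {})) - covered)
        if missing:
            gaps[cluster["ClusterId"]] = missing
    return gaps


if __name__ == "__main__":
    # For a live account, replace the sample with
    # boto3.client("cloudhsmv2").describe_clusters() (boto3 not needed here).
    for rec in customer_vpc_footprint(SAMPLE_DESCRIBE_CLUSTERS):
        cs = rec["customer_side"]
        print(f"{rec['aws_side']['hsm_id']} (in AWS CloudHSM VPC) -> "
              f"{cs['eni_id']} {cs['eni_ip']} in {cs['subnet_id']} of {cs['vpc_id']}")
    for cluster_id, zones in zones_without_hsm(SAMPLE_DESCRIBE_CLUSTERS).items():
        print(f"{cluster_id}: no ACTIVE HSM in {', '.join(zones)}")
```

The security group listed on the cluster is the one AWS attaches to each HSM's ENI; restricting which client instances are members of it is the customer-side control that the exam answer's "within their VPC" wording is really pointing at.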
