
  • cloudHSM zeroised doubt about the correct answer

  • Aryeh Abramovitz

    December 19, 2024 at 12:13 am

    question from timed set 5: “You have launched the CloudHSM cluster but after just a few hours, a support staff mistakenly attempted to log in as the administrator three times using an invalid password in the Hardware Security Module. This has caused the HSM to be zeroized, which means that the encryption keys on it have been wiped. Unfortunately, you did not have a copy of the keys stored anywhere else.

    How can you obtain a new copy of the keys that you have stored on Hardware Security Module?”

    correct answer according to system: keys are lost permanently.

    However, the referenced link https://aws.amazon.com/premiumsupport/knowledge-center/stop-cloudhsm/ is for CloudHSM Classic, not cluster. On a cluster, the keys are always synced to at least one other device. In addition, as explained in the FAQ and the other link https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf, encrypted backups are taken daily, and can be decrypted by a combination of the AKBK and MKBK, both of which, as far as I can tell, should still be available. Therefore I submit the correct answer is “restore a snapshot”.

  • Neil-TutorialsDojo

    December 23, 2024 at 9:34 am

    Hello Aryeh,

    Good day!

    Thank you for your feedback. You’ve raised some important points about CloudHSM clusters and their backup capabilities. However, let me clarify a few things regarding the specific scenario presented in the question.

    The scenario explicitly states, “you did not have a copy of the keys stored anywhere else.” This indicates that no backups or synchronization to other devices were available at the time. Lastly, while it’s true that CloudHSM clusters feature daily automated encrypted backups, the short timeframe described in the scenario (“You have launched the CloudHSM cluster but after just a few hours”) suggests that no backup had yet been created, as AWS takes these backups every 24 hours (https://aws.amazon.com/cloudhsm/faqs/#:~:text=AWS%20takes%20automatic%20encrypted%20backups,adding%20or%20removing%20an%20HSM).

    Therefore, the correct answer is, “The keys are lost permanently if you do not have a copy.”

    I hope this helps.


    Neil @ tutorials dojo
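The point of the exchange above is that a cluster's keys are only recoverable if a READY backup actually exists, and a cluster that is only a few hours old will not have one yet. The following is an added example, not code from either poster or from AWS: it classifies a cluster's recovery posture from the records returned by the real `cloudhsmv2` `describe_backups` API, using constructed sample records so it runs offline (the backup and cluster IDs are placeholders).

```python
"""Decide whether a CloudHSM cluster's keys survive zeroisation via backup.
Added example: the decision logic runs over constructed describe-backups
records; the live fetch is optional and needs boto3 plus AWS credentials."""
from datetime import datetime, timedelta, timezone

BACKUP_INTERVAL = timedelta(hours=24)   # AWS takes automatic backups every 24 h

def newest_ready_backup(backups):
    """Return the most recent backup whose BackupState is READY, or None."""
    ready = [b for b in backups if b.get("BackupState") == "READY"]
    return max(ready, key=lambda b: b["CreateTimestamp"]) if ready else None

def assess(cluster_created_at, backups, now):
    """Classify recovery posture at time `now`:
    'no-backup' -> keys live only on the HSMs; zeroisation loses them
    'stale'     -> newest READY backup predates the 24 h cycle, so keys
                   created since then are not in it
    'ok'        -> a READY backup younger than 24 h exists"""
    newest = newest_ready_backup(backups)
    if newest is None:
        age_h = (now - cluster_created_at) / timedelta(hours=1)
        return {"status": "no-backup", "cluster_age_hours": round(age_h, 1)}
    age = now - newest["CreateTimestamp"]
    status = "ok" if age <= BACKUP_INTERVAL else "stale"
    return {"status": status, "backup_id": newest["BackupId"],
            "backup_age_hours": round(age / timedelta(hours=1), 1)}

def fetch_backups(cluster_id, region="us-east-1"):
    """Live variant: list backups for one cluster with boto3 (needs credentials)."""
    import boto3  # imported lazily so the offline logic above needs no SDK
    client = boto3.client("cloudhsmv2", region_name=region)
    return client.describe_backups(Filters={"clusterIds": [cluster_id]})["Backups"]

# Constructed samples (placeholder IDs). The first two mirror the question:
# a cluster three hours old with no READY backup yet.
NOW = datetime(2024, 12, 19, 0, 0, tzinfo=timezone.utc)
CLUSTER_CREATED = NOW - timedelta(hours=3)
SAMPLE_NONE = []
SAMPLE_IN_PROGRESS = [{"BackupId": "backup-placeholder1", "BackupState": "CREATE_IN_PROGRESS",
                       "ClusterId": "cluster-placeholder", "CreateTimestamp": NOW}]
SAMPLE_FRESH = [{"BackupId": "backup-placeholder2", "BackupState": "READY",
                 "ClusterId": "cluster-placeholder", "CreateTimestamp": NOW - timedelta(hours=20)}]
SAMPLE_STALE = [{"BackupId": "backup-placeholder3", "BackupState": "READY",
                 "ClusterId": "cluster-placeholder", "CreateTimestamp": NOW - timedelta(hours=30)}]

if __name__ == "__main__":
    for sample in (SAMPLE_NONE, SAMPLE_IN_PROGRESS, SAMPLE_FRESH, SAMPLE_STALE):
        print(assess(CLUSTER_CREATED, sample, NOW))
```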
