cloudHSM zeroised doubt about the correct answer
Question from timed set 5: “You have launched the CloudHSM cluster but after just a few hours, a support staff mistakenly attempted to log in as the administrator three times using an invalid password in the Hardware Security Module. This has caused the HSM to be zeroized, which means that the encryption keys on it have been wiped. Unfortunately, you did not have a copy of the keys stored anywhere else.
How can you obtain a new copy of the keys that you have stored on Hardware Security Module?”
Correct answer according to the system: keys are lost permanently.
However, the referenced link https://aws.amazon.com/premiumsupport/knowledge-center/stop-cloudhsm/ is for CloudHSM Classic, not a cluster. On a cluster, the keys are always synced to at least one other device. In addition, as explained in the FAQ and the other link https://d1.awsstatic.com/whitepapers/Security/security-of-aws-cloudhsm-backups.pdf, encrypted backups are taken daily, and can be decrypted by a combination of the AKBK and MKBK, both of which, as far as I can tell, should still be available. Therefore I submit the correct answer is “restore a snapshot”.
Hello Aryeh,
Good day!
Thank you for your feedback. You’ve raised some important points about CloudHSM clusters and their backup capabilities. However, let me clarify a few things regarding the specific scenario presented in the question.
The scenario explicitly states, “you did not have a copy of the keys stored anywhere else.” This indicates that no backups or synchronization to other devices were available at the time. Lastly, while it’s true that CloudHSM clusters feature daily automated encrypted backups, the short timeframe described in the scenario (“You have launched the CloudHSM cluster but after just a few hours”) suggests that no backup had yet been created, as AWS takes these backups every 24 hours (https://aws.amazon.com/cloudhsm/faqs/#:~:text=AWS%20takes%20automatic%20encrypted%20backups,adding%20or%20removing%20an%20HSM).
Therefore, the correct answer is, “The keys are lost permanently if you do not have a copy.”
I hope this helps.
Regards,
Neil @ tutorials dojo
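Both posts above turn on one question a practitioner should verify before counting on “restore from backup” as a recovery path: does a READY backup for the cluster exist yet? The following is an added example (not part of either post) that triages JSON shaped like the output of `aws cloudhsmv2 describe-backups --filters clusterIds=<cluster-id>`; the two inputs and all backup/cluster ids are constructed placeholders, not real account data.

```python
"""Decide the recovery path after a CloudHSM zeroization from backup inventory.

Input is shaped like the JSON printed by
`aws cloudhsmv2 describe-backups --filters clusterIds=<cluster-id>`.
Both samples below are constructed for illustration, not real account data.
"""
import json
from datetime import datetime

# Constructed: cluster launched a few hours ago, first backup not finished yet.
FRESH_CLUSTER = json.dumps({"Backups": [
    {"BackupId": "backup-EXAMPLE00000001", "BackupState": "CREATE_IN_PROGRESS",
     "ClusterId": "cluster-EXAMPLE0001", "CreateTimestamp": "2024-05-01T09:10:00+00:00"}
]})

# Constructed: established cluster with daily backups already READY.
ESTABLISHED_CLUSTER = json.dumps({"Backups": [
    {"BackupId": "backup-EXAMPLE00000002", "BackupState": "READY",
     "ClusterId": "cluster-EXAMPLE0002", "CreateTimestamp": "2024-04-30T02:00:00+00:00"},
    {"BackupId": "backup-EXAMPLE00000003", "BackupState": "READY",
     "ClusterId": "cluster-EXAMPLE0002", "CreateTimestamp": "2024-05-01T02:00:00+00:00"},
    {"BackupId": "backup-EXAMPLE00000004", "BackupState": "PENDING_DELETION",
     "ClusterId": "cluster-EXAMPLE0002", "CreateTimestamp": "2024-04-29T02:00:00+00:00"}
]})


def restorable_backups(describe_backups_json: str) -> list:
    """Return backups in state READY, newest first.

    Only a READY backup can be passed as --source-backup-id to
    `aws cloudhsmv2 create-cluster`; CREATE_IN_PROGRESS, PENDING_DELETION
    and DELETED backups cannot bring the key material back.
    """
    backups = json.loads(describe_backups_json).get("Backups", [])
    ready = [b for b in backups if b.get("BackupState") == "READY"]
    return sorted(ready,
                  key=lambda b: datetime.fromisoformat(b["CreateTimestamp"]),
                  reverse=True)


def recovery_path(describe_backups_json: str) -> dict:
    """Summarise whether a zeroized cluster's keys can be recovered.

    No READY backup (and, per the scenario, no copies elsewhere) means the
    keys are gone; otherwise restore a new cluster from the newest backup.
    """
    ready = restorable_backups(describe_backups_json)
    if not ready:
        return {"recoverable": False, "source_backup_id": None}
    return {"recoverable": True, "source_backup_id": ready[0]["BackupId"]}
```

Running `recovery_path` over real `describe-backups` output is a quick way to confirm which of the two situations debated above a given cluster is actually in.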