ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Security - Specialty All Questions

View all questions & answers for the AWS Certified Security - Specialty exam
Go to Exam

Exam AWS Certified Security - Specialty topic 1 question 189 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 189
Topic #: 1
[All AWS Certified Security - Specialty Questions]

A company has decided to use encryption in its AWS account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16,000 B to 5 MB. The requirements are as follows:
✑ The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine.
✑ The key material must be available in multiple Regions.
Which option meets these requirements?

  • A. Use an AWS KMS customer managed key and store the key material in AWS with replication across Regions.
  • B. Use an AWS customer managed key, import the key material into AWS KMS using in-house AWS CloudHSM, and store the key material securely in Amazon S3.
  • C. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions.
  • D. Use AWS CloudHSM to generate the key material and backup keys across Regions. Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by DayQuil at March 12, 2021, 10:38 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
EricR17
Highly Voted 3 years, 8 months ago
Answer: C https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html A. Doesn't work because KMS by default can't replicate across regions. B. Doesn't work at the very least because storing a key in S3 violates the FIPS 140 requirement. D. Doesn't work because it violates the 'server-side encryption' requirement. Using JCE and PKCS11 would be client-side encryption.
upvoted 24 times
...
DerekKey
Highly Voted 3 years, 8 months ago
C - must be - since we want to use S3 that works only with KMS and can not work directly with HSM 1. S3 - AWS Key Management Service key (SSE-KMS) 2. Choose from your AWS KMS keys 3. Key material origin 4. Custom key store (CloudHSM)
upvoted 9 times
...
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: C
Both A & C are actually correct. CloudHSM support clone and sync to another region. And KMS support multi-region key (MRK). Both of them are FIPS 140-2 Level 3 now.
upvoted 1 times
...
Salah21
1 year, 9 months ago
Selected Answer: A
KMS is now FIPS 140-2 Security Level 3 compliant and supports Multi-Region keys. https://aws.amazon.com/kms/features/ "All key material for KMS keys generated within AWS KMS HSMs and all operations that require decrypted KMS key material occur strictly within FIPS 140-2 Security Level 3 boundary of these HSMs." (they talking about KMS's multi-tenant HSMs not the dedicated CloudHSM) https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html "AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions.... Like all KMS keys, multi-Region keys never leave AWS KMS unencrypted."
upvoted 4 times
...
addy_prepare
1 year, 10 months ago
Selected Answer: A
A - now KMS is 140-2 Level 3 compliant + Multi-Region key support (Check this in KMS key creation process)
upvoted 5 times
...
mamila
1 year, 10 months ago
Selected Answer: A
The answer is now A, KMS is 140-2 Level 3 compliant and supports multi-region replication.
upvoted 2 times
...
freddyman
2 years, 1 month ago
As of 2023 you use a KMS multi-region key, so the answer has changed to A https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html
upvoted 1 times
...
ITGURU51
2 years, 2 months ago
The question states that key material must be replicated between regions and use (FIPS) 140-2 Level 3 encryption. Therefore C fits the bill.
upvoted 1 times
...
haris14
2 years, 7 months ago
Answer: C Update (not relevant to the question): KMS supports multi-region now.
upvoted 2 times
...
dcasabona
2 years, 11 months ago
Selected Answer: C
Option C...
upvoted 2 times
...
lotfi50
3 years ago
Selected Answer: C
C is correct
upvoted 2 times
...
RaySmith
3 years, 4 months ago
C is correct
upvoted 1 times
...
Radhaghosh
3 years, 5 months ago
"key material must be created and kept on a FIPS 140-2 Level 3 certified computer" --> CloudHSM. Due to data size --> KMS Envelope Encryption
upvoted 1 times
...
dumma
3 years, 7 months ago
C is not relevant now as KMS allows copies of KMS keys in DynamoDB global tables.
upvoted 2 times
argol
3 years, 7 months ago
??? Explain Please
upvoted 1 times
...
munish3420
3 years, 7 months ago
Can you please paste link of refernce here?
upvoted 2 times
...
...
Joanale
3 years, 8 months ago
https://aws.amazon.com/es/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/ ANS: C
upvoted 2 times
...
eskimolander
3 years, 8 months ago
Should it be D. Use AWS CloudHSM to generate the key material and backup keys across Regions.... ? KMS is FIPS 140-2 and Cloud HSM is FIPS 140-3 https://aws.amazon.com/kms/faqs/?nc1=h_ls "Q: What geographic region are my keys stored in? Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region."
upvoted 2 times
rhinozD
3 years, 8 months ago
"However, if you require even more control of the HSMs, you can create a custom key store that is backed by FIPS 140-2 Level 3 HSMs in an AWS CloudHSM cluster that you own and manage." https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html
upvoted 1 times
...
...
sanjaym
3 years, 8 months ago
I'll go with C
upvoted 1 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel