Exam AWS Certified Security - Specialty topic 1 question 189 discussion

Answer: C https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html A. Doesn't work because KMS by default can't replicate across regions. B. Doesn't work at the very least because storing a key in S3 violates the FIPS 140 requirement. D. Doesn't work because it violates the 'server-side encryption' requirement. Using JCE and PKCS11 would be client-side encryption.

C - must be - since we want to use S3 that works only with KMS and can not work directly with HSM 1. S3 - AWS Key Management Service key (SSE-KMS) 2. Choose from your AWS KMS keys 3. Key material origin 4. Custom key store (CloudHSM)

Both A & C are actually correct. CloudHSM support clone and sync to another region. And KMS support multi-region key (MRK). Both of them are FIPS 140-2 Level 3 now.

KMS is now FIPS 140-2 Security Level 3 compliant and supports Multi-Region keys. https://aws.amazon.com/kms/features/ "All key material for KMS keys generated within AWS KMS HSMs and all operations that require decrypted KMS key material occur strictly within FIPS 140-2 Security Level 3 boundary of these HSMs." (they talking about KMS's multi-tenant HSMs not the dedicated CloudHSM) https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html "AWS KMS supports multi-Region keys, which are AWS KMS keys in different AWS Regions that can be used interchangeably – as though you had the same key in multiple Regions.... Like all KMS keys, multi-Region keys never leave AWS KMS unencrypted."

A - now KMS is 140-2 Level 3 compliant + Multi-Region key support (Check this in KMS key creation process)

The answer is now A, KMS is 140-2 Level 3 compliant and supports multi-region replication.

As of 2023 you use a KMS multi-region key, so the answer has changed to A https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html

The question states that key material must be replicated between regions and use (FIPS) 140-2 Level 3 encryption. Therefore C fits the bill.

Answer: C Update (not relevant to the question): KMS supports multi-region now.

Option C...

C is correct

C is correct

"key material must be created and kept on a FIPS 140-2 Level 3 certified computer" --> CloudHSM. Due to data size --> KMS Envelope Encryption

C is not relevant now as KMS allows copies of KMS keys in DynamoDB global tables.

https://aws.amazon.com/es/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/ ANS: C

Should it be D. Use AWS CloudHSM to generate the key material and backup keys across Regions.... ? KMS is FIPS 140-2 and Cloud HSM is FIPS 140-3 https://aws.amazon.com/kms/faqs/?nc1=h_ls "Q: What geographic region are my keys stored in? Keys generated by AWS KMS are only stored and used in the region in which they were created. They cannot be transferred to another region."

I'll go with C