Exam AWS Certified Security - Specialty topic 1 question 213 discussion

Answer: C You can configure AWS Key Management Service (KMS) to use your AWS CloudHSM cluster as a custom key store rather than the default KMS key store. With a KMS custom key store you benefit from the integration between KMS and AWS services that encrypt data while retaining control of the HSMs that protect your KMS master keys. KMS custom key store gives you the best of both worlds, combining single-tenant HSMs under your control with the ease of use and integration of AWS KMS. https://aws.amazon.com/cloudhsm/

Correct answer is C.

This option combines the use of AWS KMS customer-managed keys with a custom key store backed by AWS CloudHSM. It provides the required FIPS 140-2 Level 3 validation by utilizing the HSM capabilities of CloudHSM. The custom key store acts as a hardware security module that securely stores and manages the encryption keys.

C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM.

I think it's A because AWS KMS Currently supports FIPS-140-2 Level 3. https://aws.amazon.com/es/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/

A custom key store is a logical key store within AWS KMS that is backed by a key manager outside of AWS KMS that you own and manage. Custom key stores combine the convenient and comprehensive key management interface of AWS KMS with the ability to own and control the key material and cryptographic operations. When you use a KMS key in a custom key store, the cryptographic operations are performed by your key manager using your cryptographic keys. As a result, you assume more responsibility for the availability and durability of cryptographic keys, and for the operation of the HSMs. Answer C is the most secure and flexible.

Answer C

What about D? customer managed KMS with BYOK = Importoted key materials backed by HSM

Though I like the rationale of Answer B, however, for S3+Athena solution, this will make it very expensive data lake solution and I am siding with C which is more aligned to the best practice.

C (key: "custom key store") https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html

C and the key word is that the key must be stored by a hardware security module#HSM

If the answer is expected to be C then this is a misleading question. The statement "the encryption solution must be protected in hardware" implies that the crypto is done within the bounds of an HSM. Using S3 backed by KMS - even with CloudHSM - won't do this, as S3 does the encryption directly with a DEK (it's not using the HSM to encrypt/decrypt the data). I deal with this weekly in my line of work, and an S3-like solution does not meet the requirement of ensuring both keys and crypto are always managed by an HSM. Rather, you have to interface directly with the HSM to do the encryption and then store the encrypted text at rest (S3 in this case). That would more closely align with answer B.

Ans C since we want to use S3 that works only with KMS and can not work directly with HSM, use aws-key-management-service-kms-custom-key-store 1. S3 - AWS Key Management Service key (SSE-KMS) 2. Choose from your AWS KMS keys 3. Key material origin 4. Custom key store (CloudHSM) https://aws.amazon.com/about-aws/whats-new/2018/11/announcing-aws-key-management-service-kms-custom-key-store/

CloudHSM provides FIPS 140-2 Level 3 validated HSMs.

AWS KMS HSMs are validated at level 2 overall and at level 3 in the following areas: Cryptographic Module Specification Roles, Services, and Authentication Physical Security Design Assurance https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/#:~:text=AWS%20Key%20Management%20Service%20(KMS,and%20integrity%20of%20your%20keys.

This question is the same as question 189.

C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM. B is incorrect since saving keys in S3 makes no sense.