Exam AWS Certified Solutions Architect - Professional topic 1 question 465 discussion

My preference "B" & "D". A: customer can not control the keys! B: AWS-KMS managed keys, allow the user to create Master keys, and control them. It is high available as it is a managed service by AWS. C: CloudHSM can be high available by including a second instance in different AZ. D: Meet the requirement of management and high availability. E: Managing the keys by CloudHSM client, not IAM user!!

I would choose b d

The correct answers are B and D. Solution B meets the requirements because it uses AWS KMS-managed keys, which are highly available and can be controlled on a per-user basis using key policies. Solution D also meets the requirements because it uses customer-managed keys that are stored in two AWS CloudHSM instances configured in high-availability mode. The CloudHSM client software can be used to control access to the keys that are generated.

Question only asks to control access to the keys but not management of the keys. So keys can be managed by AWS as long as access to the keys can be restricted. A: seems perfectly valid and is highly available. B: we do not need control over the master key but access restriction per user. D: We need access restriction on a per user basis. Client does not fulfill the per user per user. E: highly available and one can use IAM to restrict access on a per user base. fulfills requirement. Based in that I do not see the question asking for control over key generation but only for access restriction on user base: for me its AE

I have to say that this is a really bad question with several inaccurate wordings. Firstly, the "KMS-managed keys" in option B actually refers to KMS keys stored in KMS(i.e. SSE-KMS), customer managed keys or AWS managed keys. Otherwise B can't be right, because the key policy of AWS managed keys cannot be changed. So to make B a valid answer, "KMS-managed keys" have to refer to customer managed keys, which is the same as CDE, but using a completely different wording. B have to be right answer, otherwise there aren't 2 correct answers for this question.

Don't know why the community disregards E. You can create KMS key with CloudHSM-backed custom-key store. The keys can then be managed by regular IAM and key policies. https://docs.aws.amazon.com/kms/latest/developerguide/manage-cmk-keystore.html No need to use CloudHSM client, because KMS connects to CloudHSM on our behalf. https://docs.aws.amazon.com/kms/latest/developerguide/disconnect-keystore.html

Based on all comments

In AWS CloudHSM, use any of the following to manage keys on the HSMs in your cluster: - PKCS #11 library - JCE provider - CNG and KSP providers - key_mgmt_util

CD B is wrong as multiple doesn't mean each user has unique key

A doesn't fit the bill at all. C is wrong because we need more than 1 HSM instance in a cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) E is wrong because CloudHSM doesn't support IAM (https://docs.aws.amazon.com/cloudhsm/latest/userguide/hsm-users.html) What we have left? B and D. Now referring to the https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html, it becomes clear, that we can use either a "Customer managed key" or a "AWS managed key" which in turn creates "Data Keys". Taking this into account, B doesn't make sence at all! B) "Use Amazon S3 server-side encryption with AWS KMS-managed keys, create multiple customer master keys". If we choose "AWS KMS-managed key" there's no such thing as "customer master keys". Moreover according to the link above: "However, you cannot manage these AWS KMS-managed keys, rotate them, or change their key policies." which violates the stipulations. So B is wrong as well. The only answer which makes sence and fits the stipulation as D. Correct me if I'm wrong.

e is wrong because with IAM you can only do: "cloudhsm:DescribeClusters", "cloudhsm:DescribeBackups", "cloudhsm:CreateCluster", "cloudhsm:CreateHsm", "cloudhsm:RestoreBackup", "cloudhsm:CopyBackupToRegion", "cloudhsm:InitializeCluster", "cloudhsm:ListTags", "cloudhsm:TagResource", "cloudhsm:UntagResource",

B and D.

B & C for me. As well as creating 2 instances for HA, you will also need to manage keys using CloudHSM software. Not IAM

Should be B,D

KMS 99.9%, HSM 99.95%, if B is ok, why need two HSM in D or E?

B and D, not E as CloudHSM can be used only with HSM client Q: How do I set up a high availability (HA) configuration? High availability is provided automatically when you have at least two HSMs in your CloudHSM Cluster. No additional configuration is required. In the event an HSM in your cluster fails, it will be replaced automatically, and all clients will be updated to reflect the new configuration without interrupting any processing. Additional HSMs can be added to the cluster via the AWS API or SDK, increasing availability without interrupting your application.

Today I tried to create Cloud HSM and there is an option to choose subnet (upto 3 as I am in SGP region). But I am able to choose only one region. So I can create HSM with 1 instance. Although Cloud HSM is managed service. Creating HSM with 1 won't give HA. So, I would choose D as one of the answer over C.