ExamGecko
Question 303 - SCS-C01 discussion

You need a cloud security device that can generate encryption keys under FIPS 140-2 Level 3. Which of the following can be used for this purpose?

Please select:

A. AWS KMS
B. AWS Customer Keys
C. AWS managed keys
D. AWS CloudHSM
Suggested answer: A, D

Explanation:

AWS Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints, which provide independent assurance about the confidentiality and integrity of your keys. All master keys in AWS KMS, regardless of their creation date or origin, are automatically protected using FIPS 140-2 validated HSMs.

FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application.

• FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.

• FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.

• FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module and its other interfaces.

• FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.

AWS CloudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from AWS. You interact with keys in your AWS CloudHSM cluster in much the same way you interact with your applications running in Amazon EC2.

AWS KMS allows you to create and control the encryption keys used by your applications and supported AWS services in multiple regions around the world from a single console. The service uses FIPS 140-2 validated HSMs to protect the security of your keys. Centralized management of all your keys in AWS KMS lets you enforce who can use your keys under which conditions, when they get rotated, and who can manage them. At the time this explanation was written, the AWS KMS HSMs were validated at Level 2 overall and at Level 3 in the following areas:

• Cryptographic Module Specification

• Roles, Services, and Authentication

• Physical Security

• Design Assurance

(In 2023 AWS obtained an overall FIPS 140-2 Security Level 3 validation for the KMS HSMs, so the Level 2 overall rating above is historical. The distinction that remains is operational: CloudHSM is a single-tenant cluster under your exclusive control, while the KMS HSMs are a multi-tenant fleet operated by AWS.)

So I think that we can have two answers for this question: both A and D.

• https://aws.amazon.com/blogs/security/aws-key-management-service-now-offers-fips-140-2-validated-cryptographic-modules-enabling-easier-adoption-of-the-service-for-regulated-workloads/

• https://aws.amazon.com/cloudhsm/faqs/

• https://aws.amazon.com/kms/faqs/

• https://en.wikipedia.org/wiki/FIPS_140-2

The AWS documentation mentions the following:

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. CloudHSM offers you the flexibility to integrate with your applications using industry-standard APIs, such as PKCS#11, Java Cryptography Extensions (JCE), and Microsoft CryptoNG (CNG) libraries. CloudHSM is also standards-compliant and enables you to export all of your keys to most other commercially available HSMs. It is a fully managed service that automates time-consuming administrative tasks for you, such as hardware provisioning, software patching, high availability, and backups. CloudHSM also enables you to scale quickly by adding and removing HSM capacity on demand, with no up-front costs.

Options B and C are invalid: customer managed keys and AWS managed keys are categories of keys inside AWS KMS, not a separate device that generates them. AWS CloudHSM is the service whose HSMs are validated to FIPS 140-2 Level 3 overall, and AWS KMS also generates keys on FIPS 140-2 validated HSMs.

For more information on CloudHSM, please visit the following URL: https://aws.amazon.com/cloudhsm/

The correct answers are: AWS KMS, AWS CloudHSM
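The explanation above contrasts keys generated on the KMS HSM fleet with keys generated in a single-tenant CloudHSM cluster, and the practical question an auditor then asks is "which of my KMS keys are actually CloudHSM-backed?" The following is an added example, not code from the original page or from AWS: it classifies the KeyMetadata structure returned by the KMS DescribeKey API by the Origin field (AWS_KMS, AWS_CLOUDHSM via a custom key store, EXTERNAL for imported material, EXTERNAL_KEY_STORE). The sample metadata records are constructed; the key IDs, custom key store ID and cluster ID are placeholders, not real resources. The optional live section uses boto3 with the FIPS endpoint option and only runs when credentials are present.

```python
"""Classify AWS KMS keys by the HSM that generated and holds their key material.

Added example, not code from the original page or from AWS. The sample
DescribeKey responses below are constructed; their IDs are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class KeyBacking:
    key_id: str
    backing: str              # KMS_HSM | CLOUDHSM | IMPORTED | EXTERNAL_KEY_STORE
    single_tenant_hsm: bool   # True only when the material lives in a CloudHSM cluster you control
    usable: bool              # False for disabled or pending-deletion keys
    note: str


def classify_key(meta: dict) -> KeyBacking:
    """Map one DescribeKey()['KeyMetadata'] dict to where its key material was generated."""
    key_id = meta["KeyId"]
    usable = meta.get("KeyState") == "Enabled"
    origin = meta.get("Origin", "AWS_KMS")  # KMS always returns Origin; default defensively

    if origin == "AWS_CLOUDHSM":
        # Generated inside the CloudHSM cluster behind a custom key store. KMS forwards
        # cryptographic operations to that cluster; the key material never leaves it.
        cluster = meta.get("CloudHsmClusterId", "<unknown cluster>")
        store = meta.get("CustomKeyStoreId", "<unknown store>")
        return KeyBacking(key_id, "CLOUDHSM", True, usable,
                          f"generated in CloudHSM cluster {cluster} via custom key store {store}")
    if origin == "EXTERNAL":
        # Imported key material: generated by the customer outside AWS, so the generation
        # assurance is whatever the source (HSM or software) provided, not AWS's validation.
        return KeyBacking(key_id, "IMPORTED", False, usable,
                          "key material imported by the customer; generation assurance is external")
    if origin == "EXTERNAL_KEY_STORE":
        return KeyBacking(key_id, "EXTERNAL_KEY_STORE", False, usable,
                          "key material held in a customer-operated external key manager")
    # Origin AWS_KMS: generated on the shared KMS HSM fleet. KeyManager says whether the
    # customer (CUSTOMER) or an AWS service (AWS) controls the key policy and rotation.
    manager = meta.get("KeyManager", "CUSTOMER")
    return KeyBacking(key_id, "KMS_HSM", False, usable,
                      f"generated on the KMS HSM fleet ({manager}-managed)")


def audit(metadata_list: list[dict]) -> dict[str, list[str]]:
    """Group enabled keys by backing; keys that are not usable are reported separately."""
    groups: dict[str, list[str]] = {"KMS_HSM": [], "CLOUDHSM": [], "IMPORTED": [],
                                    "EXTERNAL_KEY_STORE": [], "NOT_USABLE": []}
    for meta in metadata_list:
        kb = classify_key(meta)
        groups[kb.backing if kb.usable else "NOT_USABLE"].append(kb.key_id)
    return groups


# Constructed DescribeKey KeyMetadata samples (placeholders, not real AWS resources).
SAMPLE_KEYS = [
    {"KeyId": "11111111-1111-1111-1111-111111111111", "Origin": "AWS_KMS",
     "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"},
    {"KeyId": "22222222-2222-2222-2222-222222222222", "Origin": "AWS_CLOUDHSM",
     "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT",
     "CustomKeyStoreId": "cks-example000000001", "CloudHsmClusterId": "cluster-example0001"},
    {"KeyId": "33333333-3333-3333-3333-333333333333", "Origin": "EXTERNAL",
     "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"},
    {"KeyId": "44444444-4444-4444-4444-444444444444", "Origin": "AWS_KMS",
     "KeyManager": "AWS", "KeyState": "PendingDeletion", "KeySpec": "SYMMETRIC_DEFAULT"},
]


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for backing, ids in audit(SAMPLE_KEYS).items():
        print(f"{backing:20s} {ids}")
    # Against a real account, fetch the same metadata through the FIPS endpoint
    # (kms-fips.<region>.amazonaws.com). Requires boto3 and AWS credentials.
    try:
        import boto3
        from botocore.config import Config
        kms = boto3.client("kms", config=Config(use_fips_endpoint=True))
        live = [kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
                for page in kms.get_paginator("list_keys").paginate() for k in page["Keys"]]
        print(audit(live))
    except Exception as exc:  # boto3 missing or no credentials in this environment
        print(f"live audit skipped: {exc}")
```

Run the file directly to see the constructed samples sorted into backings; with credentials configured, the same `audit` function runs over every key in the account, so a compliance requirement of "generated in a Level 3 HSM you control" reduces to checking that the keys in scope appear under CLOUDHSM.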

asked 16/09/2024
Vladimir Kornfeld