1
Q
CloudHSM
A
- is a dedicated physical machine/appliance isolated in order to store security keys and other types of encryption keys used within an application.
- the key is used within the domain of the HSM appliance instead of being exposed outside the appliance.
2
Q
Special security mechanisms to make them more secure:
A
- security key is used only within HSM
- an HSM Client is used to expose the APIs of the HSM.
- so an application can communicate with HSM to do the encryption or decryption of the data that we are requesting.
- is physically isolated from other resources
- Tamper resistance(build to notify via advanced logging).
- on AWS, engineers have NO access to the keys.
- If the keys are lost or reset, you will never be able to access the data stored in the appliance.
3
Q
Some types of keys that might be stored on HSMs
A
keys used to encrypt file systems
keys used to encrypt databases
keys used to provide DRM
used with S3 encryption.
4
Q
When to use CloudHSM instead of somethign like key management service?
A
- when it is required.
- - not even AWS engineers have access to the keys in the cloudHSM applicance, only access to “manage” the appliance.
Decks in class (31)
# Cards
-
Account/Physical Organization18
-
VPC15
-
EC231
-
Lambda3
-
CloudWatch/CloudTrail/SNS3
-
Advanced Networking17
-
Troubleshooting24
-
S316
-
Route 5311
-
VPN14
-
CLI1
-
Databases11
-
SQS4
-
API Gateway9
-
Monitoring15
-
Deployment Service5
-
Analytics16
-
EC2 Container Service12
-
How to Design CLoud Services and Best Pratice2
-
Monitoring your AWS environment3
-
Architectual Trad-off Decisions3
-
Elasticity & Saclability6
-
Shared Security Responsibility Model2
-
AWS Platform compliance and security services12
-
DDoS Mitigation2
-
Encryption solutions3
-
Complex Access COntrol2
-
Cloud Watch for the security Architect1
-
CloudHSM4
-
Disaster Recovery6
-
Review98
