Exam AWS Certified Security - Specialty topic 1 question 147 discussion

D https://aws.amazon.com/about-aws/whats-new/2018/07/aws-cloudhsm-backups-can-now-be-copied-across-regions/

Ans: B Ref: https://aws.amazon.com/about-aws/whats-new/2021/06/kms-multi-region-keys/

The explanation provided seems to imply that AWS staff can administer customer keys in AWS KMS, which is not accurate. AWS KMS is designed in a way that prevents AWS staff from having access to unencrypted customer keys, and all usage of keys is logged in CloudTrail. The security of your AWS KMS keys is important. AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext keys. AWS KMS uses FIPS 140-2 validated hardware security modules to protect the confidentiality and integrity of your keys. Therefore, the key difference in this question is about the ability to manage and replicate keys across different regions, which is possible with AWS CloudHSM but not with AWS KMS. Hence, answer choice D, "CloudHSM provides the ability to copy keys to a different Region, whereas AWS KMS does not." is the more accurate answer.

I think this question is deprecated as there are multi-Region keys available now. But i guess the answer was D originally. Don't expect that one to come up in an Exam now.

Answer is D https://aws.amazon.com/about-aws/whats-new/2018/07/aws-cloudhsm-backups-can-now-be-copied-across-regions/ AWS CloudHSM now allows you to copy backups of your CloudHSM Cluster from one region to another for disaster recovery purposes. You can use the copied backup to create a clone of the original cluster in the new region. This simplifies the development of globally distributed or cross-region redundant workloads.

I don't think B is correct answer: Q: How does AWS secure the KMS keys that I create? AWS KMS is designed so that no one, including AWS employees, can retrieve your plaintext KMS keys from the service. https://aws.amazon.com/kms/faqs/

only reason why i didnt go with B is because its wrong https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html

what kind of question is ? since when do AWS staff manage any keys , this question needs to be washed in a washing machine

Ancient question. KMS does support multiregion key! And aws stuff DON'T have any access to customer keys!

B, reasons for selecting CloudHSM over KMS: - need to store keys in dedicated 3rd party validated hardware - need to integrate with apps using: PKCS#11, java JCE, Microsoft CNG - need to have high-performance in-VPC crypto acceleration - org admin can export and share keys as needed - only support staff can manage encr keys (in kms aws can manage keys too)

D is good answer

Answer is B, Keys can be MultiRegion

KMS now supports multi-Region keys : https://aws.amazon.com/blogs/security/encrypt-global-data-client-side-with-aws-kms-multi-region-keys/

I think answer D i the right answer. Role chaining seems to be limited to API's or CLI calls. See https://aws.amazon.com/premiumsupport/knowledge-center/iam-role-chaining-limit/ `You can use role chaining to assume a role with temporary security credentials using the AWS Command Line Interface (AWS CLI). Role chaining limits your AWS CLI or AWS API role session to a maximum of one hour and can't be increased.`

D for sure.

I totally agree with akbntc, AWS staff can't access to your Keys and AWS KMS in is considered as a service. AWS Exp. "AWS KMS is designed so that no one, not even AWS employees, can retrieve your plain text CMKs on the service..."

D. The most critical difference between CloudHSM & KMS.