AWS Certified Security - Specialty Exam: Generating Encryption Keys Based on FIPS 140-2 Cryptographic Module Validation Program

Generating Encryption Keys Based on FIPS 140-2 Cryptographic Module Validation Program

Question

You need to have a cloud security device that would allow generating encryption keys based on the FIPS 140-2 Cryptographic Module Validation Program.

Which of the following can be used for this purpose? Please select 2 Options.

Answers

Explanations


A. B. C. D.

Answer - A and D.

AWS Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSM) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys.

All master keys in AWS KMS, regardless of their creation date or origin, are automatically protected using FIPS 140-2 validated HSMs.

FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4".

It does not specify in detail what level of security is required by any particular application.

FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.

FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.

FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to the sensitive information contained in the module) and identity-based authentication, and for a physical or logical separation between the interfaces by which "critical security parameters" enter and leave the module, and its other interfaces.

FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.

AWS CloudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys.

You have exclusive control over how your keys are used via an authentication mechanism independent from AWS.

You interact with keys in your AWS CloudHSM cluster in much the same way you interact with your applications running in Amazon EC2.

Options B and C are incorrect because they cannot generate the required encryption keys.

For more information on CloudHSM, kindly visit the following URL:

https://aws.amazon.com/cloudhsm/

The correct answers are A. AWS KMS and D. AWS CloudHSM.

Explanation:

The Federal Information Processing Standards (FIPS) Publication 140-2 is a US government standard that specifies the security requirements for cryptographic modules used by federal agencies and contractors to protect sensitive information. This standard is widely recognized as a benchmark for cryptographic security and is often required for sensitive applications.

AWS KMS (Key Management Service) is a managed service that allows you to create and control the encryption keys used to encrypt your data. It uses the FIPS 140-2 validated cryptographic module for generating and storing keys. AWS KMS also integrates with other AWS services such as S3, EBS, RDS, and Redshift to provide seamless encryption and decryption of data.

AWS CloudHSM (Hardware Security Module) is a dedicated hardware device that provides FIPS 140-2 Level 3 certified security for your key management needs. It is a fully managed service that enables you to generate and store your own encryption keys within an HSM appliance in the AWS Cloud. AWS CloudHSM is integrated with other AWS services such as Amazon S3, Amazon EBS, and Amazon Redshift for seamless encryption and decryption of data.

AWS Certificate Manager is a managed service that makes it easy to provision, manage, and deploy SSL/TLS certificates for use with AWS services. It is not used for generating encryption keys based on the FIPS 140-2 Cryptographic Module Validation Program.

Secrets Manager is a service that enables you to store and retrieve secrets such as database credentials, API keys, and other sensitive information. It is not used for generating encryption keys based on the FIPS 140-2 Cryptographic Module Validation Program.

In summary, AWS KMS and AWS CloudHSM are the two AWS services that can be used for generating encryption keys based on the FIPS 140-2 Cryptographic Module Validation Program.