AWS Certified Security - Specialty Exam Questions

AWS Certified Security - Specialty Exam - Question 230


A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. No encryption key may be more than 10 days old or encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.

Which approach MOST efficiently meets the company's needs?

Correct Answer: A

The most efficient approach that meets the regulatory requirements while staying cost-effective is to use the AWS Encryption SDK with AWS Key Management Service (AWS KMS). AWS KMS generates the master keys and data keys on FIPS-validated hardware security modules (HSMs). The SDK's data key caching lets you cap how old a cached data key may be (maximum age) and how many objects it may encrypt (maximum messages encrypted), which maps directly onto the 10-day and 2^16-object limits. Reusing each cached data key for many objects also cuts the number of KMS requests, so the solution is both performant and cheap for a high volume of objects.
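To make the threshold behaviour concrete, here is an added example (not from the page and not the AWS Encryption SDK itself, which needs a live KMS endpoint) that models a caching CMM: one data key is reused until it is 10 days old or has encrypted 2^16 objects, and a stub stands in for KMS so that GenerateDataKey calls can be counted. All class and function names are invented for this model.

```python
# Constructed model of AWS Encryption SDK data key caching thresholds.
# Not the SDK itself: the KMS stub only counts GenerateDataKey calls.
from dataclasses import dataclass
from typing import Optional


@dataclass
class CacheEntry:
    created_at: float           # virtual-clock time the data key was generated
    messages_encrypted: int = 0


class KmsStub:
    """Stands in for AWS KMS; each call would be one GenerateDataKey request."""
    def __init__(self) -> None:
        self.generate_data_key_calls = 0

    def generate_data_key(self, now: float) -> CacheEntry:
        self.generate_data_key_calls += 1
        return CacheEntry(created_at=now)


class CachingMaterialsManager:
    """Reuses one data key until max_age or max_messages_encrypted is hit."""
    def __init__(self, kms: KmsStub, max_age: float, max_messages: int) -> None:
        self.kms = kms
        self.max_age = max_age                  # seconds
        self.max_messages_encrypted = max_messages
        self.entry: Optional[CacheEntry] = None

    def _exhausted(self, now: float) -> bool:
        e = self.entry
        return (e is None
                or now - e.created_at >= self.max_age
                or e.messages_encrypted >= self.max_messages_encrypted)

    def get_encryption_materials(self, now: float) -> CacheEntry:
        if self._exhausted(now):                # evict and fetch a fresh data key
            self.entry = self.kms.generate_data_key(now)
        self.entry.messages_encrypted += 1
        return self.entry


def simulate(num_objects: int, objects_per_second: float,
             max_age: float, max_messages: int) -> int:
    """Return how many KMS data-key requests a steady upload stream needs."""
    kms = KmsStub()
    cmm = CachingMaterialsManager(kms, max_age, max_messages)
    for i in range(num_objects):
        cmm.get_encryption_materials(now=i / objects_per_second)
    return kms.generate_data_key_calls
```

With the question's limits, 200,000 objects at 100 objects per second cost 4 data-key requests instead of 200,000; a trickle of one object every 1000 seconds is instead rotated by the 10-day age limit.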

Discussion

16 comments
trongod05
Jun 9, 2022

It says this. "Any encryption key must be created on a hardware security module." KMS is not an HSM. Wouldn't you have to go with C?

helpaws
Aug 7, 2022

KMS uses an FIPS HSM that has been validated under FIPS 140-2. link: https://aws.amazon.com/kms/faqs/#:~:text=The%20service%20uses%20an%20FIPS,the%20security%20of%20your%20keys.

ITGURU51
Apr 23, 2023

KMS uses HSM FIPS validated hardware.

khamrumunnu
Jan 1, 2022

Answer is C Encrypt Data on-premises

LearnMeSomeAWS
Jan 11, 2022

Agree, C - it's the only FIPS compliant option as well.

yqoswlyilylqw
Jan 23, 2022

That isn't true. KMS is FIPS compliant, albeit to Level 2 only. The question doesn't mention a specific FIPS level, it just mentions being FIPS compliant. Also, the question mentions cost as a concern and CloudHSM is far more expensive per hr than KMS. Therefore, A is correct.

trongod05
Jun 9, 2022

But it mentions "Any encryption key must be created on a hardware security module." KMS is not an HSM.

nairj
Apr 7, 2023

KMS uses an HSM in the backend to create keys but is multi-tenant, whereas CloudHSM is dedicated and you manage the key creation process. The question here says that the HSM has to be FIPS compliant; it doesn't mention who maintains the HSM. https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-hsm.html

aguijap
Jan 2, 2022

A -- https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html

sam_live
Jan 22, 2022

Option A is correct. Caching can reduce your use of cryptographic services, such as AWS Key Management Service (AWS KMS). If you are hitting your AWS KMS requests-per-second limit, caching can help. Your application can use cached keys to service some of your data key requests instead of calling AWS KMS.

samCarson (Option: A)
Jun 15, 2023

Option A is the most efficient choice as it meets regulatory requirements by setting a maximum key age of 10 days and maximum number of encrypted objects. It utilizes AWS KMS to generate keys on a FIPS-validated HSM, ensuring security. By using the AWS Encryption SDK with data key caching, it optimizes performance by reusing keys, while being cost-conscious as the SDK is free and open-source.

Radhaghosh
Jan 28, 2022

Option A is the only valid option.

lotfi50 (Option: A)
Feb 26, 2022

The answer is A.

Lanka22 (Option: C)
Jul 29, 2022

C - Any encryption key must be created on a hardware security module (CloudHSM)

sapien45 (Option: A)
Sep 2, 2022

A command line is better than 1000 words. https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/implement-caching.html

    from aws_encryption_sdk import (
        CachingCryptoMaterialsManager,
        LocalCryptoMaterialsCache,
        StrictAwsKmsMasterKeyProvider,
    )

    # Cache capacity (maximum number of entries) is required.
    cache = LocalCryptoMaterialsCache(capacity=10)

    # Master key provider backed by a KMS key (placeholder ARN, replace with your own).
    key_provider = StrictAwsKmsMasterKeyProvider(
        key_ids=["arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"]
    )

    # Security thresholds
    #   Max entry age is required.
    #   Max messages (and max bytes) per entry are optional
    MAX_ENTRY_AGE_SECONDS = 60.0
    MAX_ENTRY_MESSAGES = 10

    # Create a caching CMM
    caching_cmm = CachingCryptoMaterialsManager(
        master_key_provider=key_provider,
        cache=cache,
        max_age=MAX_ENTRY_AGE_SECONDS,
        max_messages_encrypted=MAX_ENTRY_MESSAGES,
    )

nairj
Apr 7, 2023

Answer is A : AWS KMS uses FIPS compliant HSM

pal40sg (Option: A)
May 27, 2023

Both options A and C are valid approaches, but option A, using the AWS Encryption SDK with AWS KMS, is generally considered more efficient and easier to implement in a cost-conscious environment.

darknight88
Feb 2, 2022

A ----https://aws.amazon.com/blogs/security/aws-encryption-sdk-how-to-decide-if-data-key-caching-is-right-for-your-application/

mx677 (Option: A)
Feb 28, 2022

A: AWS Encryption SDK, you can configure data key caching to allow just enough data key reuse to meet your cost and performance targets while conforming to the security requirements of your application.

TigerInTheCloud (Option: A)
Apr 15, 2022

C is overkill. KMS satisfies the request of 'certified by FIPS (HSM)' as it uses FIPS 140-2 validated hardware security modules (HSMs) and supports FIPS 140-2 validated endpoints (backed by CloudHSM). KMS is on Level 2, CloudHSM on Level 3.

jishrajesh
Jan 3, 2023

Selected A

Nan001 (Option: A)
Feb 19, 2023

The most efficient approach that meets the company's needs is A. Here's why: AWS KMS is FIPS-validated and can generate both master keys and data keys. The AWS Encryption SDK can be used to encrypt data and set the maximum age and number of objects per key. Data key caching can also help reduce the number of requests to KMS. Option B involves the automatic rotation of AWS KMS-managed customer master keys (CMKs), but it does not meet the requirement for the key to be generated on an HSM. Option C, while it meets the regulatory requirements, adds complexity to the application design, and data key rotation must be handled carefully to ensure that all data is recoverable. Using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and automatic key rotation (D) can be a simpler option but would not meet the regulatory requirements related to key exhaustion. Therefore, A is the best choice.

ITGURU51
Apr 23, 2023

The AWS Encryption SDK is a client-side encryption library that is provided free of charge. On the other hand, AWS CloudHSM requires organizations to pay by the hour. The business requirement states that cost-effective security controls for encryption need to be implemented. A