Question 28: You are working in an investment bank and you need to store all equity market data older than 3 months in a Redshift cluster. There is a strict requirement that you may move data from the on-premises data center to AWS Redshift only if it supports data encryption at rest and the encryption key is managed by a corporate on-premises Hardware Security Module (HSM). Which of the following options satisfies this requirement?

1. You will be using the corporate HSM by migrating that HSM to the AWS Cloud. It should be in the same VPC in which the Redshift cluster exists.

2. You will be creating a trust relationship between AWS CloudHSM and the corporate HSM over the public internet. Once the trust relationship is built you can use AWS CloudHSM.

3. You will be updating AWS CloudHSM to use the AWS KMS solution, and KMS will internally use the HSM module from the corporate data center. This will be done over a VPN connection.

4. You will be launching the Redshift cluster in a VPC and then creating a VPN connection between the VPC and the corporate data center. Then you can configure Redshift key management to use your on-premises HSM.

Correct Answer: 4

Explanation: The question makes it clear that the HSM in the on-premises data center must be used to store the encryption keys. You cannot move this key to the AWS Cloud in any way, because that breaks the stated rule. Hence, option 1 is out.

In option 2 you are still using AWS CloudHSM, which is not what the requirement asks for. Hence, we can ignore that option as well.

Option 3 is also not right, and it is not even clear what it means (AWS KMS cannot be backed by a customer's on-premises HSM in this way). Hence, we can disregard this option.

Option 4: Create a VPN connection between the VPC and the on-premises data center. This gives a private, encrypted connection between the AWS VPC and the corporate data center, so the traffic between Redshift and the HSM never traverses the public internet. Once the connection is established, you can configure Redshift to use the on-premises HSM for its encryption keys, and the keys remain under corporate control as required. Hence, this is the correct option.
