Comment by UltraSane 4 days ago

AWS in China also doesn't have the Key Management Service, which leads me to conclude it must be pretty secure.

I added an A record for a subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?

bawolff 4 days ago

Or they just don't want to be put in the position of having to give out keys.

I think the real paranoid people use cloudHSM.

  • UltraSane 3 days ago

    Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHSM uses PKCS #11/JCE and a separate permissions system.

Faaak 4 days ago

Actually, they wouldn't really know unless this domain is used. I guess they check the `Host` header to get the domain that targeted this IP and then check where the MX records are hosted.