ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A financial services company runs its workloads in AWS. Regulators require that the private keys used for digitally signing customer loan documents be stored in hardware validated to at least FIPS 140-2 Level 3 and that an approved escrow agent can recover those keys if the institution ceases operations. Which solution best satisfies these requirements while minimizing ongoing operational overhead?
Import the private key into AWS Certificate Manager (ACM) as part of a public certificate and grant the escrow agent IAM read access to the certificate.
Provision an AWS CloudHSM cluster, generate the signing keys inside the HSMs, and provide an encrypted CloudHSM backup to the designated escrow agent for recovery purposes.
Create a customer-managed symmetric CMK in AWS KMS, enable annual automatic rotation, and share the key ARN with the escrow agent.
Store the private keys as files in Amazon S3, protected by server-side encryption with an AWS-managed KMS key and cross-Region replication.
AWS CloudHSM satisfies the FIPS 140-2 Level 3 requirement because the HSMs in a cluster are validated to that level and keys generated inside them never leave the hardware in plaintext. CloudHSM also backs up a cluster in encrypted form, and a backup can be restored into another cluster, so a backup (or a key exported wrapped under the escrow agent's own key) provides the mandated recovery path. Two practical checks before relying on that for escrow: the signing keys must be created as extractable so they can be wrapped out of the HSM, and the escrow agent must actually be able to restore or unwrap the material, so the hand-over procedure should be exercised, not just documented. The KMS option fails twice: a symmetric KMS key cannot produce digital signatures at all, and KMS never exposes key material for export, so an escrow agent could not recover the key; sharing a key ARN grants nothing. Storing private keys as files in S3, even with SSE-KMS and cross-Region replication, puts the key material in object storage rather than in Level 3 hardware. Importing the key into AWS Certificate Manager serves TLS certificate lifecycle management; it does not place the key in customer-controlled Level 3 hardware and offers no escrow path. CloudHSM is therefore the only option that meets both the FIPS Level 3 storage and key-escrow mandates, and once the cluster is provisioned AWS manages the HSM hardware, firmware and automated backups, keeping ongoing overhead low.
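The escrow mechanism the explanation relies on, reduced to its cryptographic core, as an added example (not from this page and not AWS code). A real CloudHSM key is generated and used inside the HSM and leaves it only as an encrypted backup or a wrapped export; this Go program models the same idea in ordinary process memory: the signing key is exported encrypted under a random AES-256 key-encryption key (KEK), the KEK is wrapped to the escrow agent's RSA public key, and only the holder of the matching RSA private key can recover the signing key and continue signing. Key sizes, the OAEP label, and the sample document are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// escrowLabel binds the wrapped KEK to this purpose (assumed constant; unwrap must use the same label).
var escrowLabel = []byte("loan-signing-key-escrow")

// EscrowBlob is what is handed to the escrow agent; without the agent's RSA private key it reveals nothing.
type EscrowBlob struct {
	WrappedKEK []byte // AES-256 KEK, RSA-OAEP(SHA-256) wrapped to the escrow agent
	Nonce      []byte // AES-GCM nonce for the key ciphertext
	Ciphertext []byte // AES-GCM encryption of the SEC1-encoded private key (tag appended)
}

// GenerateSigningKey stands in for "generate the key inside the HSM".
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignDocument returns an ASN.1 ECDSA signature over SHA-256(doc).
func SignDocument(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyDocument checks a signature against the institution's public key.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// WrapForEscrow exports the signing key under a fresh AES-256 KEK and wraps that KEK to the escrow agent (envelope wrapping).
func WrapForEscrow(signing *ecdsa.PrivateKey, escrowPub *rsa.PublicKey) (*EscrowBlob, error) {
	keyBytes, err := x509.MarshalECPrivateKey(signing)
	if err != nil {
		return nil, err
	}
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrappedKEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, escrowPub, kek, escrowLabel)
	if err != nil {
		return nil, err
	}
	return &EscrowBlob{WrappedKEK: wrappedKEK, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, keyBytes, nil)}, nil
}

// RecoverFromEscrow is the escrow agent's side: unwrap the KEK, then the key. A wrong RSA key or a tampered blob fails here.
func RecoverFromEscrow(blob *EscrowBlob, escrowPriv *rsa.PrivateKey) (*ecdsa.PrivateKey, error) {
	kek, err := rsa.DecryptOAEP(sha256.New(), nil, escrowPriv, blob.WrappedKEK, escrowLabel)
	if err != nil {
		return nil, fmt.Errorf("escrow: KEK unwrap failed (wrong escrow key or tampered blob)")
	}
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	keyBytes, err := gcm.Open(nil, blob.Nonce, blob.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("escrow: key ciphertext failed authentication (tampered blob)")
	}
	return x509.ParseECPrivateKey(keyBytes)
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	signing, _ := GenerateSigningKey()
	escrowAgent, _ := rsa.GenerateKey(rand.Reader, 2048) // the escrow agent's own key pair
	blob, _ := WrapForEscrow(signing, &escrowAgent.PublicKey)
	recovered, err := RecoverFromEscrow(blob, escrowAgent)
	fmt.Println("recovered key matches original:", err == nil && recovered.Equal(signing))
}
```

The design point is that the escrow agent never receives a bare private key: the blob is authenticated (AES-GCM) and decryptable only with the agent's RSA private key, so a copy leaked in transit or at rest is useless, and a modified blob is rejected rather than yielding a corrupted key. In CloudHSM the equivalent roles are played by the HSM's backup encryption or by a wrapping key the agent controls.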