AWS Certified Security – Specialty (SCS-C03) — Question 42
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.
How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
Answer options
- A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
- B. Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role to the new IAM user.
- C. Use AWS IAM Identity Center to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
- D. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
Correct answer: D
Explanation
The correct answer is D because AWS RAM allows resources such as the HSM to be shared between accounts, while the security group configuration restricts network access to the private IP addresses of the client instances in the new dedicated account. Options A and D both use AWS RAM, but only D identifies the HSM ID as the shared resource. Option B does not address resource sharing directly and instead relies on IAM roles, which is not the optimal method for HSM access. Option C introduces unnecessary complexity with STS tokens when straightforward resource sharing is possible.