AWS Certified Security – Specialty — Question 351
A company uses AWS Organizations. The company has teams that use an AWS CloudHSM hardware security module (HSM) that is hosted in a central AWS account. One of the teams creates its own new dedicated AWS account and wants to use the HSM that is hosted in the central account.
How should a security engineer share the HSM that is hosted in the central account with the new dedicated account?
Answer options
- A. Use AWS Resource Access Manager (AWS RAM) to share the VPC subnet ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
- B. Use AWS Identity and Access Management (IAM) to create a cross-account role to access the CloudHSM cluster that is in the central account. Create a new IAM user in the new dedicated account. Assign the cross-account role the new IAM user.
- C. Use AWS Single Sign-On to create an AWS Security Token Service (AWS STS) token to authenticate from the new dedicated account to the central account. Use the cross-account permissions that are assigned to the STS token to invoke an operation on the HSM in the central account.
- D. Use AWS Resource Access Manager (AWS RAM) to share the ID of the HSM that is hosted in the central account with the new dedicated account. Configure the CloudHSM security group to accept inbound traffic from the private IP addresses of client instances in the new dedicated account.
Correct answer: A
Explanation
To share an AWS CloudHSM cluster across different accounts, you must share the VPC subnets containing the HSMs using AWS Resource Access Manager (AWS RAM). This allows client instances in the consumer account to establish direct network connectivity to the HSMs, as long as the security groups are configured to permit inbound traffic from the clients' private IP addresses. Standard IAM roles, STS tokens, or sharing individual HSM resource IDs directly are not valid methods for enabling cross-account network connectivity to CloudHSM clusters.