undefined | Better HN

0 pointsUltraSane7mo ago0 comments

AWS in China also doesn't have the Key Management Service, which leads to me to conclude it must be pretty secure.

I added an A record for subdomain and pointed it at Chinese IP addresses. I wonder if I will get that angry email?

0 comments

Or they just dont want to be put in the position of having to give out keys.

I think the real paranoid people use cloudHSM.

Both KMS and CloudHSM are FIPS 140-2 Level 3 and AWS claims they cannot read private keys from KMS. The main difference is KMS uses IAM and the AWS REST API while CloudHMS uses PKCS #11/JCE and a separate permissions system.

nijave7mo ago

The docs say both use HSM. Under "Secure" in the accordion menu https://aws.amazon.com/kms/features/#topic-0

1 more reply

Faaak7mo ago

Actually, they wouldn't really know unless this domain is used. I guess they check the `Host` header to get the domain that targeted this IP and then check where the MX are hosted.

j / k navigate · click thread line to collapse