Ravi Tek
Having seen the blog How to BYOK (bring your own key) to AWS KMS for less than$15.00 a year using AWS CloudHSM I wanted to check whether doing this would be considered secure enough when transferring the keys to KMS rather than leaving them in the AWS Cloud HSM custom key store. Is using the wrapper and token sufficient? CHSM is FIP140-2 level 3 and KMS is FIPS140-2 level 2.
Does anyone have any views on the pro and cons of the method in this blog?