A government agency is migrating to AWS. They require dedicated hardware for cryptographic key generation and storage to meet FIPS 140-2 Level 3 compliance. They must have exclusive control over the cryptographic keys.<br/><br/>Which TWO statements about the appropriate AWS service are correct? (Select TWO.)

Answer options:

The agency should use AWS KMS.

The agency should use AWS CloudHSM.

AWS manages the key rotation automatically.

AWS does not have access to the keys stored in the service.

The service is serverless and scales automatically per request.

How to approach this question

Identify the service that provides dedicated hardware and single-tenant key control.

Full Answer

The agency should use AWS CloudHSM.<br/>AWS does not have access to the keys stored in the service.

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. It provides exclusive, single-tenant control over keys and meets FIPS 140-2 Level 3 compliance. AWS has no access to your keys.

Common mistakes

Confusing KMS (managed, multi-tenant) with CloudHSM (dedicated, single-tenant).

Question 18 All questions Question 20

Practice the full AWS SAA-C03 Practice Exam 6

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team wants...Medium Q02A company has two AWS accounts: Account A for development and Account B for production. Developer...Medium Q03A mobile application needs to authenticate users using their social media accounts (Facebook, Goo...Easy Q04A company is running an application on Amazon EC2 instances. The application needs to connect to ...Medium Q05A company has 50 AWS accounts managed by AWS Organizations. The IT team wants to implement a cent...Easy

View all 65 questions →