A company uses AWS KMS to manage encryption keys. They have a requirement that the cryptographic key material must be generated and stored in a single-tenant hardware security module (HSM) under their exclusive control. Which AWS service or feature should they use?

Answer options:

AWS KMS with AWS managed keys

AWS KMS with Customer Managed Keys (CMK)

AWS CloudHSM

AWS Secrets Manager

How to approach this question

Identify 'single-tenant hardware security module' and 'exclusive control'. This points directly to CloudHSM.

Full Answer

C.AWS CloudHSM✓ Correct

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud in a single-tenant environment.

Common mistakes

Thinking KMS provides single-tenant HSMs by default.

Question 18 All questions Question 20

Practice the full AWS SAA-C03 Practice Exam 7

65 questions · hints · full answers · grading

More questions from this exam

Q01A company has multiple AWS accounts in an AWS Organizations organization. The security team needs...Medium Q02An application runs on Amazon EC2 instances and needs to access an Amazon S3 bucket. What is the ...Easy Q03A company wants to implement federated access to the AWS Management Console for its employees usi...Medium Q04A company is building a mobile application that requires users to sign in using their social medi...Easy Q05A security team wants to enforce MFA for all IAM users before they can terminate EC2 instances. H...Medium

View all 65 questions →