Difficulty: Hard · 1 mark · Multiple Choice
Tags: Domain 1.2: Security Controls · KMS · Encryption · Security

AWS SAP-C02 · Question 13 · Domain 1.2: Security Controls

A company requires strict data residency and encryption controls. They must use AWS KMS for encryption, but the key material must be generated and stored in an on-premises Hardware Security Module (HSM). Which TWO steps are required to implement this? (Select TWO)

Answer options:

A. Create a KMS key with no key material (external key store).

B. Use AWS CloudHSM to generate the key material and link it to KMS.

C. Establish a VPC Peering connection to the on-premises data center.

D. Download the public key and import token from KMS, encrypt the key material on-premises, and upload it to KMS.

E. Configure KMS to use AWS Direct Connect to fetch the key dynamically for every encryption request.

F. Enable S3 Server-Side Encryption with Customer-Provided Keys (SSE-C).

How to approach this question

Identify the Bring Your Own Key (BYOK) process for AWS KMS.

Full Answer

Correct answers: A, D

To use key material generated on-premises with KMS (BYOK), you first create a KMS key that has no key material, then download the public wrapping key and import token from KMS, encrypt your key material on-premises with that wrapping key, and import the encrypted material into the KMS key.

Common mistakes

Confusing AWS CloudHSM with on-premises HSM requirements.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2