Hard · 1 mark · Multiple Choice

AWS SAP-C02 · Question 35 · Domain 2.3: Security Controls

An enterprise uses AWS KMS to manage encryption keys. They have a strict regulatory requirement that the cryptographic material must be generated and stored in a FIPS 140-2 Level 3 validated hardware appliance that they exclusively control. Which solution meets this requirement?

Answer options:

A.

Use standard AWS KMS Customer Managed Keys.

B.

Use AWS CloudHSM to generate the keys. Configure KMS to use a custom key store backed by the CloudHSM cluster.

C.

Import key material generated on-premises into AWS KMS.

D.

Use AWS Secrets Manager to store the keys.

How to approach this question

Look for the single-tenant HSM service in AWS.

Full Answer

B. Use AWS CloudHSM to generate the keys. Configure KMS to use a custom key store backed by the CloudHSM cluster. ✓ Correct

AWS CloudHSM provides dedicated, single-tenant HSMs validated to FIPS 140-2 Level 3 that only the customer administers. With a KMS custom key store backed by that CloudHSM cluster, the key material for KMS keys is generated and stored in your own HSMs and never leaves them, while you keep the KMS API, key policies, and service integrations.

Common mistakes

Thinking standard KMS customer managed keys meet the 'exclusive control' requirement. The HSMs behind standard KMS are FIPS-validated but multi-tenant and operated by AWS, so the customer does not exclusively control them; imported key material (option C) still ends up stored in those same AWS-managed HSMs, and Secrets Manager (option D) is not an HSM at all.

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 6
