Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 142 discussion

This is a difficult one. But I think option B is the right choice here. https://aws.amazon.com/blogs/security/are-kms-custom-key-stores-right-for-you/

Ans: B Took a bit of reading. Key points in question: "The company must be able to immediately remove the key material and audit key usage independently" "The chosen services should integrate with other storage services that will be used on AWS" Point 1: Q: Can I use CloudHSM to store keys or encrypt data used by other AWS services? Ans: Yes. You can do all encryption in your CloudHSM-integrated application. In this case, AWS services such as Amazon S3 or Amazon Elastic Block Store (EBS) would only see your data encrypted. Point 2: AWS manages the hardware security module (HSM) appliance, but does not have access to your keys. You control and manage your own keys Ref: https://aws.amazon.com/cloudhsm/features/ Ref: https://aws.amazon.com/cloudhsm/faqs/

AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. Source:- https://aws.amazon.com/cloudhsm/ For Monitoring AWS CloudHSM:- for audit logs of keys usage no need of cloudtrail logs, directly cloudhsm logs can be used in closuwatch logs. Source:- https://docs.aws.amazon.com/cloudhsm/latest/userguide/get-logs.html

since AWS manages controls lifecycle management so the option is A

C. AWS Key Management Service (AWS KMS) with an external key material origin With AWS KMS, you can create and control encryption keys that encrypt your data. AWS KMS is integrated with other AWS services, allowing you to easily encrypt data stored in various AWS services like Amazon S3, Amazon EBS, and Amazon RDS. By choosing an external key material origin, you have complete control over the key lifecycle management. You can import your own key material into AWS KMS, ensuring that your keys are generated and managed outside of AWS. This option allows you to immediately remove the key material if needed and audit key usage independently of AWS CloudTrail, meeting the security requirements outlined by the chief information security officer.

HSM is wrong

B is the answer

Integrated with other AWS services: AWS CloudHSM can be integrated with other AWS services, such as Amazon S3 and Amazon RDS, to provide secure and compliant storage and access to sensitive data.

Guys check this > The company wants complete control of encryption key lifecycle management < Quest not say they need to bring owen key ! just lifecycle management so for me ans = D

i think the answer is B here

https://aws.amazon.com/kms/ Question states independent from Cloudtrail. https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html

"(...) complete control of encryption key lifecycle management" --> https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-hsm.html

B is the answer.

The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion. https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk

https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-hsm.html The question is saying that the key life cycle must be managed by the organization. There is no mentioned requirement for managing the HSM. KMS with CMK will be enough for having full control over the keys' life cycle.

D is the best answer

Ans is A AWS CloudHSM - Encryption at rest CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs. the organization must be able to promptly delete key material and audit key use - CloudHSM client for keys management