Exam AWS Certified Developer Associate topic 1 question 297 discussion

Choosing B

The correct solution is B. Implement server-side encryption with customer-provided encryption keys (SSE-C). Use AWS CloudHSM to generate the KMS key and manage the data keys that the company will use to read and write objects to Amazon S3. This solution meets all of the company's requirements: It uses SSE-C to encrypt the data with the company's own encryption keys. It uses AWS CloudHSM to generate the KMS key and manage the data keys. This gives the company total control over its keys. It allows the company to move its key management to AWS.

Difficult one. I would say A because we need to manage company's keys and AWS Keys (since there are also AWS Keys, I am excluding SSE-C). Then, we need to generate the key using hw and we can do that with CloudHSM .

D, the company simply wants to move the key management to AWS. Whilst CloudHSM will provide similar features to their on premise HSM, KMS provides similar features to CloudHSM and easily scalable whilst CloudHSM is not easily maintainable in addition to its high cost compared to KMS.

D To meet the requirements of retaining total control over the company's AWS KMS key and the company’s data keys, and using an on-premises HSM solution to generate and manage those keys, the best solution would be to use the AWS KMS custom key store feature. Therefore, the correct answer is: D. Implement server-side encryption with AWS KMS managed keys (SSE-KMS). Use the AWS KMS custom key store feature to manage the data keys. Then read or write objects to Amazon S3 as normal. By using AWS KMS with the custom key store feature, the company can keep its existing on-premises HSM solution while still taking advantage of AWS KMS to generate and manage the data keys that are used to encrypt and decrypt the sensitive data stored in Amazon S3. This solution allows the company to retain complete control over its keys while still taking advantage of the benefits of using AWS KMS.

https://www.youtube.com/watch?v=BLnuUtjJNLE https://docs.aws.amazon.com/kms/latest/developerguide/create-cmk-keystore.html https://aws.amazon.com/kms/faqs/

Question states "retain total control over the company's AWS Key Management Service (AWS KMS) key and the company’s data keys" This rules out A and C. Checking this resource "generated by AWS KMS, generated within an AWS CloudHSM cluster or external key manager (through the custom key store), or import your own key material" : https://aws.amazon.com/kms/faqs/ If total control is required then D seems the best fit

The correct answer is D. Please see the AWS FAQ for CloudHSM: https://docs.aws.amazon.com/cloudhsm/latest/userguide/best-practices.html Q: Can other AWS services use CloudHSM to store and manage keys? AWS services integrate with AWS Key Management Service, which in turn is integrated with AWS CloudHSM through the KMS custom key store feature. If you want to use the server-side encryption offered by many AWS services (such as EBS, S3, or Amazon RDS), you can do so by configuring a custom key store in AWS KMS.

The correct solution is option A. Implementing server-side encryption with AWS KMS managed keys (SSE-KMS) will allow the company to encrypt sensitive data stored in Amazon S3 using keys that are managed by AWS KMS. Using AWS CloudHSM to generate the KMS key and data keys to use with AWS KMS will allow the developer to retain total control over the keys. This solution will meet the company's requirement of retaining control over their keys and encrypting their sensitive data in Amazon S3.

Vote for D