AWS Certified Data Analytics – Specialty — Question 108

An online retail company uses Amazon Redshift to store historical sales transactions. The company is required to encrypt data at rest in the clusters to comply with the Payment Card Industry Data Security Standard (PCI DSS). A corporate governance policy mandates management of encryption keys using an on- premises hardware security module (HSM).
Which solution meets these requirements?

Answer options

• A. Create and manage encryption keys using AWS CloudHSM Classic. Launch an Amazon Redshift cluster in a VPC with the option to use CloudHSM Classic for key management.
• B. Create a VPC and establish a VPN connection between the VPC and the on-premises network. Create an HSM connection and client certificate for the on- premises HSM. Launch a cluster in the VPC with the option to use the on-premises HSM to store keys.
• C. Create an HSM connection and client certificate for the on-premises HSM. Enable HSM encryption on the existing unencrypted cluster by modifying the cluster. Connect to the VPC where the Amazon Redshift cluster resides from the on-premises network using a VPN.
• D. Create a replica of the on-premises HSM in AWS CloudHSM. Launch a cluster in a VPC with the option to use CloudHSM to store keys.

Correct answer: B

Explanation

Option B is correct because it allows for the use of an on-premises HSM for key management while ensuring a secure connection via VPN, meeting both encryption and governance requirements. Option A uses AWS CloudHSM Classic, which does not satisfy the on-premises HSM requirement. Option C modifies an existing cluster but does not establish a new cluster with the required key management setup. Option D suggests duplicating the HSM in the cloud, which also contradicts the need for on-premises key management.