AWS Certified Security – Specialty (SCS-C03) — Question 28
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster.
The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.
How can the security engineer meet these requirements?
Answer options
- A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
- B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
- C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
- D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
Correct answer: D
Explanation
The correct answer is D because AWS Key Management Service (AWS KMS) is the service designed for creating and controlling keys, including symmetric keys whose material is generated and used in a CloudHSM-backed custom key store, and AWS CloudTrail records every AWS KMS API call (key creation, data key and data key pair generation, and other key operations), which provides the audit trail for how those keys are used. Options A and C incorrectly suggest Amazon Athena (a query service) and Amazon GuardDuty (a threat detection service), neither of which is the source of record for key usage, while option B uses Amazon S3, which is an object storage service and is not intended for key creation in this context.