AWS Certified Security – Specialty — Question 146
A company has decided to use encryption in its AWS account to secure the objects in Amazon S3 using server-side encryption. Object sizes range from 16,000 B to 5 MB. The requirements are as follows:
- The key material must be generated and stored in a certified Federal Information Processing Standard (FIPS) 140-2 Level 3 machine.
- The key material must be available in multiple Regions.
Which option meets these requirements?
Answer options
- A. Use an AWS KMS customer managed key and store the key material in AWS with replication across Regions.
- B. Use an AWS customer managed key, import the key material into AWS KMS using in-house AWS CloudHSM, and store the key material securely in Amazon S3.
- C. Use an AWS KMS custom key store backed by AWS CloudHSM clusters, and copy backups across Regions.
- D. Use AWS CloudHSM to generate the key material and backup keys across Regions. Use the Java Cryptography Extension (JCE) and Public Key Cryptography Standards #11 (PKCS #11) encryption libraries to encrypt and decrypt the data.
Correct answer: A
Explanation
Option A is correct because it uses AWS KMS, which manages keys within certified FIPS 140-2 Level 3 environments and supports replication of keys across multiple Regions. Option B does not meet the requirement that the key material be stored in a FIPS-compliant machine. Option C, while it uses CloudHSM, may not provide the same level of integration with AWS KMS for key management. Option D involves a more complex setup and does not explicitly ensure that the key material is managed by AWS KMS.