AWS Certified Security – Specialty — Question 179

A company's data lake uses Amazon S3 and Amazon Athena. The company's security engineer has been asked to design an encryption solution that meets the company's data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated to Federal Information Processing Standards (FIPS) 140-2 Level 3.
Which solution meets these requirements?

Answer options

Correct answer: C

Explanation

Option C is correct because it uses an AWS KMS custom key store backed by AWS CloudHSM: the key material is generated and held in a CloudHSM cluster that the company controls, the HSMs are validated to FIPS 140-2 Level 3, and the resulting KMS customer managed key can be used directly by Amazon S3 for server-side encryption (and therefore by Athena queries over that data). Option A does not use AWS CloudHSM for key management, which the FIPS 140-2 Level 3 requirement makes mandatory. Option B uses AWS CloudHSM but does not integrate the cluster with AWS KMS customer managed keys, which is what lets Amazon S3 consume the keys. Option D mentions AWS CloudHSM but relies on importing key material into KMS rather than using a custom key store, so the key is not protected by the company's CloudHSM and does not meet the requirements.