AWS Certified Security – Specialty — Question 216

A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.
Which solution will meet these requirements?

Answer options

• A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data.
• B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
• C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys.
• D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.

Correct answer: D

Explanation

The correct answer is D because using AWS KMS with a CloudHSM custom key store allows for secure key management, enabling immediate destruction of customer-specific encryption keys upon request. This meets the organization's requirement for immediate data erasure and control over encryption processes. The other options do not provide the same level of key management and immediate destruction capability needed for compliance with the specified encryption requirements.