AWS Certified Security – Specialty — Question 269

A company wants to encrypt data locally while meeting regulatory requirements related to key exhaustion. The encryption key can be no more than 10 days old or encrypt more than 2^16 objects. Any encryption key must be generated on a FIPS-validated hardware security module (HSM). The company is cost-conscious, as it plans to upload an average of 100 objects to Amazon S3 each second for sustained operations across 5 data producers.
Which approach MOST efficiently meets the company's needs?

Answer options

• A. Use the AWS Encryption SDK and set the maximum age to 10 days and the maximum number of messages encrypted to 2^16. Use AWS Key Management Service (AWS KMS) to generate the master key and data key. Use data key caching with the Encryption SDK during the encryption process.
• B. Use AWS Key Management Service (AWS KMS) to generate an AWS managed CMK. Then use Amazon S3 client-side encryption configured to automatically rotate with every object.
• C. Use AWS CloudHSM to generate the master key and data keys. Then use Boto 3 and Python to locally encrypt data before uploading the object. Rotate the data key every 10 days or after 2^16 objects have been uploaded to Amazon S3.
• D. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and set the master key to automatically rotate.

Correct answer: A

Explanation

Option A is correct because the AWS Encryption SDK natively supports client-side encryption and data key caching, allowing the company to enforce strict limits on key age (10 days) and message count (2^16) while drastically reducing AWS KMS API costs for high-throughput workloads. Using AWS KMS satisfies the requirement for FIPS-validated HSM key generation. Other options either perform server-side encryption instead of local encryption (Option D), incur high costs and management overhead (Option C), or lack efficient caching mechanisms for high-volume operations (Option B).