AWS Certified Security – Specialty — Question 333
A security engineer needs to implement a solution to create and control the keys that a company uses for cryptographic operations. The security engineer must create symmetric keys in which the key material is generated and used within a custom key store that is backed by an AWS CloudHSM cluster.
The security engineer will use symmetric and asymmetric data key pairs for local use within applications. The security engineer also must audit the use of the keys.
How can the security engineer meet these requirements?
Answer options
- A. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon Athena.
- B. To create the keys, use Amazon S3 and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
- C. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use Amazon GuardDuty.
- D. To create the keys, use AWS Key Management Service (AWS KMS) and the custom key stores with the CloudHSM cluster. For auditing, use AWS CloudTrail.
Correct answer: D
Explanation
AWS Key Management Service (AWS KMS) custom key stores backed by an AWS CloudHSM cluster let the company create symmetric KMS keys whose key material is generated, stored, and used only inside its own dedicated HSMs; those KMS keys can then issue symmetric data keys and asymmetric data key pairs for local use within applications. AWS CloudTrail logs every AWS KMS API call, including key creation and the data-key operations, so it provides the complete key-usage history that auditing requires. Amazon Athena can query logs but does not record key usage itself, Amazon S3 stores objects rather than managing keys, and Amazon GuardDuty is a threat-detection service, not an audit trail of cryptographic operations, so none of them satisfies the requirements here.
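The auditing half of the answer in practice means reading the KMS events that CloudTrail writes. The following added example (not part of the original question or of any AWS material) summarises those events per key from a CloudTrail log file; the records, account ID, key ARN, alias and principal ARNs are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data): two data-key calls on a
# KMS key in a CloudHSM-backed custom key store, one denied call, and one non-KMS event.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"arn": APP_ROLE},
     "requestParameters": {"keyId": "alias/hsm-app-key", "keySpec": "AES_256"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKeyPair", "userIdentity": {"arn": APP_ROLE},
     "requestParameters": {"keyId": "alias/hsm-app-key", "keyPairSpec": "RSA_2048"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"keyId": "alias/hsm-app-key"}},
    {"eventTime": "2024-05-01T10:09:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/someone"}},
]})


def kms_events(cloudtrail_json):
    """Return only the KMS records from a CloudTrail log file (JSON with a Records list)."""
    records = json.loads(cloudtrail_json)["Records"]
    return [r for r in records if r.get("eventSource") == "kms.amazonaws.com"]


def key_usage_report(cloudtrail_json):
    """Per key: count (caller, API) pairs for successful calls; list failed calls for review."""
    report = {}
    for rec in kms_events(cloudtrail_json):
        # Successful calls carry the resolved key ARN under 'resources'; failed calls
        # usually carry only what the caller asked for, so fall back to the requested keyId.
        arns = [r["ARN"] for r in rec.get("resources", []) if r.get("type") == "AWS::KMS::Key"]
        key = arns[0] if arns else rec.get("requestParameters", {}).get("keyId", "unknown")
        entry = report.setdefault(key, {"calls": defaultdict(int), "denied": []})
        caller = rec["userIdentity"]["arn"]
        if "errorCode" in rec:
            entry["denied"].append((rec["eventTime"], caller, rec["eventName"], rec["errorCode"]))
        else:
            entry["calls"][(caller, rec["eventName"])] += 1
    return report


if __name__ == "__main__":
    for key, entry in key_usage_report(SAMPLE_LOG).items():
        print(key, dict(entry["calls"]), entry["denied"])
```

Pointing the same functions at the gzipped log files CloudTrail delivers to S3 gives a per-key record of which principal used which KMS operation, which is the history an auditor asks for.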