AWS Certified Security – Specialty — Question 66

A Security Architect is evaluating managed solutions for storage of encryption keys. The requirements are:
-Storage is accessible by using only VPCs.
-Service has tamper-evident controls.
-Access logging is enabled.
-Storage has high availability.
Which of the following services meets these requirements?

Answer options

• A. Amazon S3 with default encryption
• B. AWS CloudHSM
• C. Amazon DynamoDB with server-side encryption
• D. AWS Systems Manager Parameter Store

Correct answer: B

Explanation

AWS CloudHSM is designed specifically for secure key management, meeting all the specified requirements such as VPC access, tamper-evident features, access logging, and high availability. In contrast, Amazon S3, DynamoDB, and Systems Manager Parameter Store do not provide the same level of security or control over encryption key management as AWS CloudHSM.