AWS Certified Solutions Architect – Associate (SAA-C02) — Question 146
A company wants to migrate a workload to AWS. The chief information security officer requires that all data be encrypted at rest when stored in the cloud. The company wants complete control of encryption key lifecycle management.
The company must be able to immediately remove the key material and audit key usage independently of AWS CloudTrail. The chosen services should integrate with other storage services that will be used on AWS.
Which service satisfies these security requirements?
Answer options
- A. AWS CloudHSM with the CloudHSM client
- B. AWS Key Management Service (AWS KMS) with AWS CloudHSM
- C. AWS Key Management Service (AWS KMS) with an external key material origin
- D. AWS Key Management Service (AWS KMS) with AWS managed customer master keys (CMKs)
Correct answer: B
Explanation
The correct answer is B. A KMS custom key store backed by an AWS CloudHSM cluster keeps the key material in HSMs that the customer owns and administers: the customer creates the keys, can delete the key material from the cluster at any time (immediately rendering the KMS keys unusable), and the cluster produces its own HSM audit logs, which are delivered to Amazon CloudWatch Logs independently of AWS CloudTrail. Because the keys are still KMS keys, Amazon S3, Amazon EBS, Amazon RDS and the other storage services encrypt with them through their normal KMS integration.
Option A fails the integration requirement: CloudHSM used directly through the CloudHSM client gives full control and independent audit logs, but the AWS storage services do not encrypt natively against a standalone CloudHSM cluster; they integrate with KMS.
Option C (KMS with imported key material) gives the customer control of the key material and lets it be deleted on demand with DeleteImportedKeyMaterial, but usage of the key is logged only in CloudTrail, so it does not meet the requirement to audit key usage independently of CloudTrail.
Option D fails the control requirement: AWS managed keys are created, rotated and deleted by AWS on the customer's behalf. The customer cannot change their key policy, disable them, delete them or remove their key material, so there is no customer control of the key lifecycle at all. (The question uses the older term "customer master key"; AWS now calls these "KMS keys".)
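The property the question turns on is that a customer-controlled root key wraps the per-object data keys used by the storage services, so removing the root key material immediately makes every object encrypted under it unrecoverable, and the key store keeps its own usage log. The following script is an added illustration written for this page, not AWS or KMS code: `RootKey`, `store_object` and `read_object` are hypothetical stand-ins for a KMS key, a storage service's encrypt path and a consumer's read path, and the HMAC-SHA256 keystream is a toy cipher used only so the example runs with the Python standard library (it provides no integrity and is not AES-GCM, which KMS and the storage services actually use).

```python
"""Local model of envelope encryption under a deletable root key with an
independent audit log. Added example for this question; the classes and
function names are hypothetical and the cipher is a toy, not KMS."""
import hashlib
import hmac
import os


class KeyMaterialDeleted(Exception):
    """Raised when a key whose material was removed is asked to do crypto."""


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256(key, nonce || counter) as the keystream.
    # Illustration only; it is symmetric, so the same call decrypts.
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block * 32:(block + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


class RootKey:
    """Model of a root key whose material the customer can remove at once.

    The key store keeps its own audit trail of every use, separate from
    whatever the calling service logs (the analogue of HSM audit logs
    versus CloudTrail).
    """

    def __init__(self, key_id: str):
        self.key_id = key_id
        self._material = os.urandom(32)
        self.audit = []  # (operation, caller, outcome) tuples

    def _use(self, op: str, caller: str) -> None:
        outcome = "ok" if self._material is not None else "denied"
        self.audit.append((op, caller, outcome))
        if outcome == "denied":
            raise KeyMaterialDeleted(self.key_id)

    def generate_data_key(self, caller: str):
        """Return (plaintext data key, data key wrapped under the root key)."""
        self._use("GenerateDataKey", caller)
        plaintext = os.urandom(32)
        nonce = os.urandom(12)
        return plaintext, nonce + _keystream_xor(self._material, nonce, plaintext)

    def decrypt_data_key(self, wrapped: bytes, caller: str) -> bytes:
        self._use("Decrypt", caller)
        return _keystream_xor(self._material, wrapped[:12], wrapped[12:])

    def delete_key_material(self, caller: str) -> None:
        # Crypto-shredding: nothing wrapped under this key can be unwrapped again.
        self.audit.append(("DeleteKeyMaterial", caller, "ok"))
        self._material = None


def store_object(root: RootKey, data: bytes, caller: str = "storage-service") -> dict:
    """Storage-service side: encrypt under a fresh data key, keep only the wrapped key."""
    data_key, wrapped = root.generate_data_key(caller)
    nonce = os.urandom(12)
    return {"wrapped_key": wrapped, "nonce": nonce, "ciphertext": _keystream_xor(data_key, nonce, data)}


def read_object(root: RootKey, obj: dict, caller: str) -> bytes:
    """Consumer side: unwrap the data key through the root key, then decrypt."""
    data_key = root.decrypt_data_key(obj["wrapped_key"], caller)
    return _keystream_xor(data_key, obj["nonce"], obj["ciphertext"])


def demo():
    """Write, read, delete the root key material, read again; return what happened."""
    root = RootKey("alias/customer-root")
    obj = store_object(root, b"PII record 42")  # constructed sample plaintext
    before = read_object(root, obj, "analytics-job")
    root.delete_key_material("ciso")
    try:
        read_object(root, obj, "analytics-job")
        readable_after = True
    except KeyMaterialDeleted:
        readable_after = False
    return before, readable_after, root.audit


if __name__ == "__main__":
    plaintext, readable_after, audit = demo()
    print(plaintext, readable_after)
    for entry in audit:
        print(entry)
```

Note that the denied read after deletion still appears in the root key's own audit list: the key store records the attempt even though the consumer never obtained plaintext, which is the kind of evidence the question wants available outside CloudTrail.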