AWS Certified Solutions Architect – Associate (SAA-C02) — Question 97

A company currently stores symmetric encryption keys in a hardware security module (HSM). A solutions architect must design a solution to migrate key management to AWS. The solution should allow for key rotation and support the use of customer provided keys.
Where should the key material be stored to meet these requirements?

Answer options

• A. Amazon S3
• B. AWS Secrets Manager
• C. AWS Systems Manager Parameter store
• D. AWS Key Management Service (AWS KMS)

Correct answer: D

Explanation

The correct choice is AWS Key Management Service (AWS KMS) because it is specifically designed for managing encryption keys, allowing for key rotation and supporting customer-provided keys. The other options, such as Amazon S3 and AWS Secrets Manager, do not have the specific capabilities for key management and rotation that AWS KMS offers.