AWS Certified Solutions Architect – Associate (SAA-C03) — Question 609
A company is required to use cryptographic keys in its on-premises key manager. The key manager is outside of the AWS Cloud because of regulatory and compliance requirements. The company wants to manage encryption and decryption by using cryptographic keys that are retained outside of the AWS Cloud and that support a variety of external key managers from different vendors.
Which solution will meet these requirements with the LEAST operational overhead?
Answer options
- A. Use AWS CloudHSM key store backed by a CloudHSM cluster.
- B. Use an AWS Key Management Service (AWS KMS) external key store backed by an external key manager.
- C. Use the default AWS Key Management Service (AWS KMS) managed key store.
- D. Use a custom key store backed by an AWS CloudHSM cluster.
Correct answer: B
Explanation
An AWS KMS external key store (XKS) is a custom key store backed by an external key manager that you run outside AWS. KMS never holds the key material: when a KMS key in an external key store is used, KMS forwards the encrypt or decrypt request through an XKS proxy to the external key manager, which performs the operation with a key that never leaves it. The XKS proxy API is vendor-neutral, so the same integration works with key managers from different vendors, which is exactly what the requirement asks for. Among the options it is also the least operational overhead: you operate only the XKS proxy in front of the key manager you already have, while KMS keeps providing IAM integration, key policies, CloudTrail logging and the service integrations (S3, EBS, RDS and so on). The caveat is that availability and latency of the proxy and the key manager become your responsibility; if they are unreachable, every operation that uses those keys fails. Options A and D describe the same thing, a CloudHSM key store (the other kind of custom key store) backed by an AWS CloudHSM cluster. The cluster and its HSMs run inside AWS and the keys are generated and stored there, so this does not keep the keys outside the AWS Cloud and adds the overhead of running a CloudHSM cluster. Option C, the default KMS key store, keeps key material in KMS-managed HSMs inside AWS, which is precisely what the requirement excludes.
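The steps the explanation describes, as an added example that is not part of the question bank: creating the external key store, connecting it, creating a KMS key whose material lives in the on-premises key manager, and encrypting with it through the AWS CLI. The proxy endpoint, URI path prefix, proxy credential, external key id and the `xks.example.com` hostname are all placeholders; the real values come from the XKS proxy you deploy in front of your vendor's key manager. The AWS calls only run when `RUN_XKS_SETUP=1` is set, so the script can be sourced safely.

```shell
#!/usr/bin/env sh
# Added example: provision an AWS KMS external key store (XKS) with the AWS CLI.
# Every value below is an assumption/placeholder for illustration.
XKS_STORE_NAME="onprem-xks"
XKS_ENDPOINT="https://xks.example.com"            # assumed XKS proxy hostname (must be https)
XKS_PATH="/prod/kms/xks/v1"                       # optional prefix, then the mandatory /kms/xks/v1
XKS_ACCESS_KEY_ID="AKIAEXAMPLEXKSPROXY"            # assumed SigV4 credential issued by the proxy
XKS_SECRET="replace-with-the-proxy-secret-access-key"
XKS_KEY_ID="onprem-aes256-key-01"                 # key id as known to the external key manager

# KMS requires the proxy URI path to end with /kms/xks/v1. Rejecting a query
# string is this example's own defensive check before calling the API.
xks_path_ok() {
  case "$1" in
    *\?*) return 1 ;;
    /*/kms/xks/v1 | /kms/xks/v1) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns the new custom key store id on stdout.
create_external_key_store() {
  xks_path_ok "$XKS_PATH" || { echo "invalid XKS proxy path: $XKS_PATH" >&2; return 1; }
  aws kms create-custom-key-store \
    --custom-key-store-name "$XKS_STORE_NAME" \
    --custom-key-store-type EXTERNAL_KEY_STORE \
    --xks-proxy-connectivity PUBLIC_ENDPOINT \
    --xks-proxy-uri-endpoint "$XKS_ENDPOINT" \
    --xks-proxy-uri-path "$XKS_PATH" \
    --xks-proxy-authentication-credential \
      "AccessKeyId=$XKS_ACCESS_KEY_ID,RawSecretAccessKey=$XKS_SECRET" \
    --query CustomKeyStoreId --output text
}

# Connecting is asynchronous; poll until the store reports CONNECTED (or fails).
connect_and_wait() {
  store_id="$1"
  aws kms connect-custom-key-store --custom-key-store-id "$store_id"
  while :; do
    state=$(aws kms describe-custom-key-stores --custom-key-store-id "$store_id" \
      --query 'CustomKeyStores[0].ConnectionState' --output text)
    case "$state" in
      CONNECTED) return 0 ;;
      FAILED) echo "connection failed; check ConnectionErrorCode" >&2; return 1 ;;
      *) sleep 10 ;;
    esac
  done
}

# The KMS key is only a reference: its material stays in the external key manager.
create_xks_backed_key() {
  aws kms create-key \
    --origin EXTERNAL_KEY_STORE \
    --custom-key-store-id "$1" \
    --xks-key-id "$XKS_KEY_ID" \
    --description "Backed by on-premises key manager via XKS" \
    --query KeyMetadata.KeyId --output text
}

if [ "${RUN_XKS_SETUP:-0}" = "1" ]; then
  store_id=$(create_external_key_store)
  connect_and_wait "$store_id"
  key_id=$(create_xks_backed_key "$store_id")
  # Encryption itself is performed by the on-premises key manager; KMS brokers the call.
  printf 'hello' > /tmp/plain.bin
  aws kms encrypt --key-id "$key_id" --plaintext fileb:///tmp/plain.bin \
    --query CiphertextBlob --output text > /tmp/cipher.b64
  echo "encrypted with XKS-backed key $key_id"
fi
```

The path check mirrors the constraint KMS enforces on `--xks-proxy-uri-path`; the rest of the flow is the documented sequence of `create-custom-key-store`, `connect-custom-key-store`, `create-key --origin EXTERNAL_KEY_STORE` and a normal `encrypt` call, which is what makes the key material placement transparent to the services that already integrate with KMS.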