AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A financial institution must comply with a regulation that states: "Encryption keys used to protect customer data at rest must reside only in customer-managed, single-tenant hardware security modules (HSMs) that have been validated to at least FIPS 140-2 Security Level 3." The institution plans to build its workloads on AWS and needs a managed service that meets these key-storage requirements while still allowing it to control each HSM directly. Which AWS service should the company use?
AWS CloudHSM provides dedicated, single-tenant HSM appliances: the hsm1.medium type is validated to FIPS 140-2 Security Level 3 and the newer hsm2m.medium type to FIPS 140-3 Security Level 3. The HSMs are provisioned in the customer's VPC, and the customer alone holds the HSM user credentials (crypto officer and crypto users) that govern key generation, storage and deletion; AWS has no access to the keys. CloudHSM therefore satisfies regulations that require customer-managed, validated hardware for key storage and cryptographic operations, and it lets the customer administer each HSM directly, as the question requires.
AWS Key Management Service (AWS KMS) also stores keys in FIPS-validated HSMs, but it operates them as a multi-tenant, AWS-managed fleet; customers manage keys through the KMS API and have no administrative control of the underlying hardware, so KMS alone does not fulfill a regulation that demands single-tenant, customer-managed HSMs. (A KMS custom key store backed by a CloudHSM cluster keeps the key material in the customer's own HSMs, but it is the CloudHSM cluster, not KMS, that provides the validated single-tenant hardware and the direct control the question asks for.) AWS Secrets Manager encrypts secrets with KMS keys, and Amazon S3 server-side encryption uses S3-managed or KMS keys; neither gives the customer control of an HSM, so neither meets the stated requirement.
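The distinction above (key material on the shared KMS fleet versus in a customer-controlled CloudHSM cluster) is something an auditor can check from API output rather than from the console. The script below is an added example, not code from the practice-question page or from AWS: it classifies keys by the Origin field that `aws kms describe-key` returns and checks the referenced CloudHSM cluster from `aws cloudhsmv2 describe-clusters` output. The field names are the real response fields; every key ID, cluster ID and VPC ID in the sample data is constructed, and the mapping of hsm1.medium and hsm2m.medium to FIPS Level 3 is the one stated in the answer above.

```python
"""Offline audit of KMS keys against the "customer-managed, FIPS Level 3 HSM"
requirement. Added example, not from the practice-question page. The sample
responses are constructed: field names follow `aws kms describe-key` (KeyMetadata)
and `aws cloudhsmv2 describe-clusters` (Clusters[]), but every ID and VPC is made up."""

from typing import Dict, Iterable, List, Set, Tuple

# CloudHSM instance types whose hardware carries a FIPS Level 3 validation
# (hsm1.medium: FIPS 140-2 Level 3; hsm2m.medium: FIPS 140-3 Level 3).
LEVEL3_HSM_TYPES = {"hsm1.medium", "hsm2m.medium"}

# Verdicts returned by classify_key().
COMPLIANT = "COMPLIANT_CLOUDHSM"
FAIL_CLUSTER = "NONCOMPLIANT_CLOUDHSM_CLUSTER_FAILS_CHECKS"
FAIL_KMS_FLEET = "NONCOMPLIANT_KMS_MULTITENANT_FLEET"
FAIL_IMPORTED = "NONCOMPLIANT_IMPORTED_KEY_MATERIAL"
REVIEW_EXTERNAL = "REVIEW_EXTERNAL_KEY_STORE"

# Constructed describe-clusters output: one cluster in the workload VPC, one in
# some other VPC, and one that is still INITIALIZING with no HSMs.
SAMPLE_CLUSTERS: List[Dict] = [
    {"ClusterId": "cluster-aaaaaaaaaaa", "State": "ACTIVE", "HsmType": "hsm2m.medium",
     "VpcId": "vpc-0a1b2c3d4e5f60718",
     "Hsms": [{"HsmId": "hsm-1111111111111", "State": "ACTIVE"},
              {"HsmId": "hsm-2222222222222", "State": "ACTIVE"}]},
    {"ClusterId": "cluster-bbbbbbbbbbb", "State": "ACTIVE", "HsmType": "hsm2m.medium",
     "VpcId": "vpc-0f9e8d7c6b5a49382",
     "Hsms": [{"HsmId": "hsm-3333333333333", "State": "ACTIVE"}]},
    {"ClusterId": "cluster-ccccccccccc", "State": "INITIALIZING", "HsmType": "hsm1.medium",
     "VpcId": "vpc-0a1b2c3d4e5f60718", "Hsms": []},
]

# Constructed describe-key KeyMetadata for four keys (IDs are made up).
SAMPLE_KEYS: List[Dict] = [
    {"KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "Origin": "AWS_CLOUDHSM",
     "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CustomKeyStoreId": "cks-1234567890abcdef0", "CloudHsmClusterId": "cluster-aaaaaaaaaaa"},
    {"KeyId": "2234abcd-12ab-34cd-56ef-1234567890ab", "Origin": "AWS_KMS",
     "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
    {"KeyId": "3234abcd-12ab-34cd-56ef-1234567890ab", "Origin": "AWS_CLOUDHSM",
     "KeyManager": "CUSTOMER", "KeyState": "Enabled",
     "CustomKeyStoreId": "cks-0fedcba9876543210", "CloudHsmClusterId": "cluster-bbbbbbbbbbb"},
    {"KeyId": "4234abcd-12ab-34cd-56ef-1234567890ab", "Origin": "EXTERNAL",
     "KeyManager": "CUSTOMER", "KeyState": "Enabled"},
]


def cluster_is_compliant(cluster: Dict, expected_vpc: str) -> bool:
    """Single-tenant hardware the customer actually controls: the cluster must be
    ACTIVE, live in the workload VPC, use a Level 3 HSM type and contain at least
    one ACTIVE HSM (a cluster with no HSMs holds no key material)."""
    return (
        cluster.get("State") == "ACTIVE"
        and cluster.get("VpcId") == expected_vpc
        and cluster.get("HsmType") in LEVEL3_HSM_TYPES
        and any(h.get("State") == "ACTIVE" for h in cluster.get("Hsms", []))
    )


def classify_key(key: Dict, compliant_clusters: Set[str]) -> str:
    """Map a key's Origin (where its key material lives) to a verdict."""
    origin = key.get("Origin")
    if origin == "AWS_CLOUDHSM":
        # Material was generated in, and stays in, the named CloudHSM cluster.
        return COMPLIANT if key.get("CloudHsmClusterId") in compliant_clusters else FAIL_CLUSTER
    if origin == "AWS_KMS":
        # Generated and held on the shared, AWS-operated KMS HSM fleet.
        return FAIL_KMS_FLEET
    if origin == "EXTERNAL":
        # Imported material: a copy existed outside any validated HSM at import time.
        return FAIL_IMPORTED
    if origin == "EXTERNAL_KEY_STORE":
        # Material held by an external key manager; its validation must be checked separately.
        return REVIEW_EXTERNAL
    raise ValueError(f"unexpected Origin {origin!r} for key {key.get('KeyId')}")


def audit(keys: Iterable[Dict], clusters: Iterable[Dict], expected_vpc: str) -> List[Tuple[str, str]]:
    """Return (KeyId, verdict) for every key, judged against the compliant clusters."""
    good = {c["ClusterId"] for c in clusters if cluster_is_compliant(c, expected_vpc)}
    return [(k["KeyId"], classify_key(k, good)) for k in keys]


if __name__ == "__main__":
    for key_id, verdict in audit(SAMPLE_KEYS, SAMPLE_CLUSTERS, "vpc-0a1b2c3d4e5f60718"):
        print(f"{key_id}  {verdict}")
```

In practice you would feed the functions the JSON from `aws kms describe-key --key-id ...` for each key and from `aws cloudhsmv2 describe-clusters`; a KMS key whose Origin is AWS_CLOUDHSM is one created in a custom key store, and only that case points at hardware the customer administers. Keys with Origin AWS_KMS are on the multi-tenant fleet, which is exactly why KMS by itself is not the answer to the question.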