
Exam AWS Certified Security - Specialty topic 1 question 246 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 246
Topic #: 1

A large government organization is moving to the cloud and has specific encryption requirements. The first workload to move requires that a customer's data be immediately destroyed when the customer makes that request.
Management has asked the security team to provide a solution that will securely store the data, allow only authorized applications to perform encryption and decryption, and allow for immediate destruction of the data.
Which solution will meet these requirements?

  • A. Use AWS Secrets Manager and an AWS SDK to create a unique secret for the customer-specific data.
  • B. Use AWS Key Management Service (AWS KMS) and the AWS Encryption SDK to generate and store a data encryption key for each customer.
  • C. Use AWS Key Management Service (AWS KMS) with service-managed keys to generate and store customer-specific data encryption keys.
  • D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer.
Suggested Answer: D 🗳️
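The mechanism both option B and option D rely on is envelope encryption with one key per customer, where "immediate destruction of the data" is achieved by deleting that customer's key rather than by locating and overwriting every copy of the ciphertext (crypto-shredding); "only authorized applications" is enforced by a key policy on that key. The following is an added illustration, not code from ExamTopics, AWS KMS, CloudHSM or the AWS Encryption SDK: a hypothetical in-memory `ToyKeyStore` stands in for KMS with a custom key store, the principals `app/billing` and `app/reporting` and the customer id are constructed, and the cipher is a toy HMAC-SHA256 keystream that exists only so the example runs with the standard library (a real system uses AES-GCM via the Encryption SDK).

```python
"""Constructed demo: per-customer envelope encryption plus crypto-shredding.

Assumptions (not from the page): ToyKeyStore is a stand-in for KMS backed by a
custom key store; the cipher below is a toy keystream, not AES-GCM.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; XOR is its own inverse."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return _keystream_xor(key, nonce, ct)


class KeyDeleted(Exception):
    """The customer's key-encryption key no longer exists."""


class AccessDenied(Exception):
    """Caller is not listed in the key policy."""


@dataclass
class ToyKeyStore:
    """Hypothetical KMS stand-in: one KEK per customer with a principal allow-list."""
    _keks: dict = field(default_factory=dict)  # key_id -> (kek bytes, allowed principals)

    def create_key(self, customer_id: str, allowed: set) -> str:
        key_id = f"kek/{customer_id}"
        self._keks[key_id] = (os.urandom(32), frozenset(allowed))
        return key_id

    def _authorize(self, key_id: str, principal: str) -> bytes:
        if key_id not in self._keks:
            raise KeyDeleted(key_id)
        kek, allowed = self._keks[key_id]
        if principal not in allowed:
            raise AccessDenied(principal)
        return kek

    def generate_data_key(self, key_id: str, principal: str):
        """Fresh data key per record, returned in plaintext and wrapped under the KEK."""
        kek = self._authorize(key_id, principal)
        data_key = os.urandom(32)
        return data_key, _seal(kek, data_key)

    def decrypt_data_key(self, key_id: str, wrapped: bytes, principal: str) -> bytes:
        return _open(self._authorize(key_id, principal), wrapped)

    def delete_key(self, key_id: str) -> None:
        # The destruction event: every data key wrapped under this KEK is now unrecoverable.
        self._keks.pop(key_id, None)


def encrypt_record(store: ToyKeyStore, key_id: str, principal: str, plaintext: bytes) -> dict:
    data_key, wrapped = store.generate_data_key(key_id, principal)
    return {"key_id": key_id, "wrapped_dk": wrapped, "ct": _seal(data_key, plaintext)}


def decrypt_record(store: ToyKeyStore, principal: str, rec: dict) -> bytes:
    data_key = store.decrypt_data_key(rec["key_id"], rec["wrapped_dk"], principal)
    return _open(data_key, rec["ct"])


def demo() -> dict:
    """Round trip, policy enforcement, then shredding; the stored record is never touched."""
    store = ToyKeyStore()
    kid = store.create_key("customer-42", allowed={"app/billing"})
    rec = encrypt_record(store, kid, "app/billing", b"tax file 2023")  # constructed sample
    results = {"roundtrip": decrypt_record(store, "app/billing", rec)}
    try:
        decrypt_record(store, "app/reporting", rec)
        results["unauthorized"] = "allowed"
    except AccessDenied:
        results["unauthorized"] = "denied"
    store.delete_key(kid)
    try:
        decrypt_record(store, "app/billing", rec)
        results["after_delete"] = "recoverable"
    except KeyDeleted:
        results["after_delete"] = "shredded"
    return results


if __name__ == "__main__":
    print(demo())
```

The point the question tests is visible in `demo()`: after `delete_key`, the ciphertext and the wrapped data key are still sitting in the record, yet no caller can recover the plaintext. With a custom key store the KEK material lives in a CloudHSM cluster the customer controls, so that deletion is immediate and independently auditable, which is the distinction the KMS FAQ quoted in the comments below draws.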

Comments

Fazzy
Highly Voted 3 years, 9 months ago
D is the answer.
Q: Why would I need to use a custom key store?
A: Since you control your AWS CloudHSM cluster, you have the option to manage the lifecycle of your CMKs independently of AWS KMS. There are four reasons why you might find a custom key store useful. Firstly, you might have keys that are explicitly required to be protected in a single tenant HSM or in an HSM over which you have direct control. Secondly, you might have keys that are required to be stored in an HSM that has been validated to FIPS 140-2 level 3 overall (the HSMs used in the standard AWS KMS key store are either validated or in the process of being validated to level 2 with level 3 in multiple categories). Thirdly, you might need the ability to immediately remove key material from AWS KMS and to prove you have done so by independent means. Finally, you might have a requirement to be able to audit all use of your keys independently of AWS KMS or AWS CloudTrail.
https://aws.amazon.com/kms/faqs/
upvoted 27 times
khchan123
3 years, 8 months ago
Yes, D. You need AWS KMS customer master key in order to achieve immediate removal.
upvoted 3 times
DahMac
3 years, 8 months ago
The DATA has to be immediately destroyed, not the keys. But I am also going with D.
upvoted 3 times
Raphaello
Most Recent 1 year, 4 months ago
Selected Answer: D
D is the correct answer. KMS + custom key store in CloudHSM.
upvoted 1 times
kpv_
1 year, 7 months ago
A is the answer. CloudHSM only supports S3 and DynamoDB, also custom key store is for storing encrypted keys and they mentioned just data.
upvoted 1 times
sprial02
1 year, 11 months ago
Because of "allow only authorized applications to perform encryption and decryption", the answer is A. How to implement "allow only authorized applications"? Only the SDK does it.
upvoted 2 times
samCarson
2 years ago
Selected Answer: D
D. Use AWS Key Management Service (AWS KMS) and create an AWS CloudHSM custom key store. Use CloudHSM to generate and store a new CMK for each customer. Option D is the best answer because it combines the secure key storage and cryptographic operations provided by AWS CloudHSM with the key management capabilities of AWS KMS. This allows for the generation and storage of customer-specific CMKs, ensuring secure storage of data and control over encryption and decryption operations. Additionally, the ability to revoke or delete CMKs in AWS KMS provides a mechanism for immediate destruction of customer data when requested. Option B (AWS KMS with service-managed keys) may not provide the required granularity and flexibility for generating and storing customer-specific keys and ensuring immediate destruction when requested.
upvoted 1 times
boooliyooo
2 years, 5 months ago
Selected Answer: D
The question did not specifically state that a high level of security is required; however, the requirement to immediately destroy data when a customer requests it suggests that the data is sensitive and requires a secure storage solution. In such a case, AWS CloudHSM is a service that provides a high level of security for storing and managing encryption keys, which is well suited for this use case. It allows for the creation of a custom key store for each customer and ensures that only authorized applications can access the customer's data and that the data can be immediately destroyed when the customer requests it. Option D, using AWS KMS and creating an AWS CloudHSM custom key store, is a suitable solution that would meet the requirements of the question.
upvoted 1 times
sapien45
2 years, 10 months ago
Selected Answer: D
Why would I need to use a custom key store? ---you might need the ability to immediately remove key material from AWS KMS and to prove you have done so by independent means
upvoted 1 times
sapien45
2 years, 10 months ago
Selected Answer: D
I also have a problem with "quick data deletion" instead of "quick key deletion", but I will go for D.
upvoted 1 times
dcasabona
2 years, 11 months ago
Selected Answer: D
I would go for D.
upvoted 1 times
Omijh
2 years, 11 months ago
Selected Answer: B
```
When to use AWS CloudHSM
When Do I Use Something Else?
If you need to secure your encryption keys in a service backed by FIPS-validated HSMs, but you do not need to manage the HSM
```
src: https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-hsm.html
The question doesn't mention FIPS or HSM requirements.
```
A default implementation that adheres to cryptography best practices
By default, the AWS Encryption SDK generates a unique data key for each data object that it encrypts. This follows the cryptography best practice of using unique data keys for each encryption operation.
```
src: https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/introduction.html
The Encryption SDK generates secure data keys.
upvoted 3 times
TigerInTheCloud
3 years, 2 months ago
Selected Answer: D
B is not a wrong answer. However, D is a more stringent encryption approach. Could "quick data deletion" be a typo of "quick key deletion"?
upvoted 1 times
lotfi50
3 years, 5 months ago
Selected Answer: D
D is the answer
upvoted 1 times
RamKun
3 years, 6 months ago
B https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-sdk.html
upvoted 1 times
1awssec
3 years, 8 months ago
D >> https://aws.amazon.com/kms/faqs/#Custom_Key_Store
upvoted 2 times
hk436
3 years, 8 months ago
D is my answer!
upvoted 2 times
Syeda123
3 years, 8 months ago
Is this one B or D?
upvoted 2 times
Ponzy
3 years, 9 months ago
D is the answer. My rationale for this is that the keyword is Government; remember FIPS 140-2/3 compliance. Answer D is the one that speaks about HSM. I suspect joining these dots makes the answer so obvious. I would go with D.
upvoted 3 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other