Exam AWS Certified Security - Specialty topic 1 question 230 discussion

It says this. "Any encryption key must be created on a hardware security module." KMS is not an HSM. Wouldn't you have to go with C?

Option A is the most efficient choice as it meets regulatory requirements by setting a maximum key age of 10 days and maximum number of encrypted objects. It utilizes AWS KMS to generate keys on a FIPS-validated HSM, ensuring security. By using the AWS Encryption SDK with data key caching, it optimizes performance by reusing keys, while being cost-conscious as the SDK is free and open-source.

both options A and C are valid approaches, but option A using the AWS Encryption SDK with AWS KMS is generally considered more efficient and easier to implement in a cost-conscious environment.

AWS Encryption SDK is a client side encryption library that is provided free of charge. On the other hand AWS CloudHSM requires organizations to pay by the hour. The business requirement states that cost effective security controls for encryption need to be implemented. A

Answer is A : AWS KMS uses FIPS compliant HSM

The most efficient approach that meets the company's needs is A. Here's why: AWS KMS is FIPS-validated and can generate both master keys and data keys. The AWS Encryption SDK can be used to encrypt data and set the maximum age and number of objects per key. Data key caching can also help reduce the number of requests to KMS. Option B involves the automatic rotation of AWS KMS-managed customer master keys (CMKs), but it does not meet the requirement for the key to be generated on an HSM. Option C, while it meets the regulatory requirements, adds complexity to the application design, and data key rotation must be handled carefully to ensure that all data is recoverable. Using server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and automatic key rotation (D) can be a simpler option but would not meet the regulatory requirements related to key exhaustion. Therefore, A is the best choice.

Selected A

A command line is better than 1000 words. https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/implement-caching.html # Security thresholds # Max entry age is required. # Max messages (and max bytes) per entry are optional # MAX_ENTRY_AGE_SECONDS = 60.0 MAX_ENTRY_MESSAGES = 10 # Create a caching CMM caching_cmm = CachingCryptoMaterialsManager( master_key_provider=key_provider, cache=cache, max_age=MAX_ENTRY_AGE_SECONDS, max_messages_encrypted=MAX_ENTRY_MESSAGES )

C - Any encryption key must be created on a hardware security module (CloudHSM)

C is overkilled. KMS satisfies the request of 'certified by FIPS (HSM)' as it uses FIPS 140-2 validated hardware security modules (HSM) and supports FIPS 140-2 validated endpoints (backed by CloudHSM) KMS on level 2, CouldHSM on Level3

A: AWS Encryption SDK, you can configure data key caching to allow just enough data key reuse to meet your cost and performance targets while conforming to the security requirements of your application.

the answer is A

A ----https://aws.amazon.com/blogs/security/aws-encryption-sdk-how-to-decide-if-data-key-caching-is-right-for-your-application/

Option A only Valid Option

A -- https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/data-key-caching.html

Answer is C Encrypt Data on-premises