A company wants to have a secure way of generating, storing, and managing cryptographic keys, but they want to have exclusive access to the management of the keys.
Which of the following can be used for this purpose?
A. Use KMS and the normal KMS encryption keys
B. Use KMS and use external key material
C. Use S3 Server Side encryption
D. Use CloudHSM
Answer: D.
Options A and B are incorrect because, in these cases, the management of the key will be within AWS.
Option C is incorrect because S3 Server Side encryption does not generate or manage cryptographic keys.
Option D is CORRECT because CloudHSM allows you to securely generate, store, and manage cryptographic keys used for data encryption in a way that keys are accessible and managed only by you.
For more information on CloudHSM, please visit the following URL:
https://aws.amazon.com/cloudhsm/faqs/

The most appropriate option for this scenario is D. Use Cloud HSM.
Here's why:
A. Use KMS and the normal KMS encryption keys:
AWS Key Management Service (KMS) can be used to create and manage cryptographic keys, but it is not suitable for this scenario because KMS is a shared service, which means the company would not have exclusive access to the management of the keys. AWS KMS is a fully managed service that makes it easy to create and control the encryption keys used to encrypt your data. However, all customers who use AWS KMS share a single hardware security module (HSM) cluster. Therefore, this option does not provide the exclusive access to key management that the company requires.
B. Use KMS and use external key material:
This option is not suitable for the scenario either, because it does not provide exclusive access to the management of the keys. Using external key material means importing keys that were created outside of AWS KMS into the service for use. However, once the keys are imported, they are subject to the same shared environment as any other key created in AWS KMS.
C. Use S3 Server Side encryption:
This option is also not suitable for the scenario because S3 Server Side encryption does not provide exclusive access to the management of the keys. When you use server-side encryption with Amazon S3-managed encryption keys (SSE-S3), Amazon S3 encrypts each object with a unique key. Amazon S3 uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data. However, the keys are managed by Amazon S3, and the customer does not have exclusive access to the keys.
D. Use Cloud HSM:
This is the most appropriate option for the scenario because Cloud HSM is a dedicated hardware security module (HSM) that provides exclusive access to the management of cryptographic keys. With Cloud HSM, the customer has complete control over the HSM and the keys stored within it. They can create and manage their own keys within the HSM and use them with any AWS service that supports customer-managed keys. Cloud HSM also provides FIPS 140-2 Level 3 validated security controls for HSMs and has been designed to meet stringent compliance requirements.
In summary, to have exclusive access to the management of cryptographic keys, the best option for the company would be to use Cloud HSM.