Question #1935
A company is developing a healthcare application on AWS that handles protected health information (PHI) for various clients. Compliance mandates require that each client's data be encrypted at rest using distinct keys managed through a centralized, secure service. The company intends to use AWS Key Management Service (KMS) for encryption while minimizing operational complexity.
Which approach fulfills these requirements with the LEAST operational overhead?
Generate unique keys for each client and store them in an Amazon DynamoDB table with encryption enabled.
Integrate an on-premises hardware security module (HSM) with AWS KMS to manage client-specific encryption keys.
Use a single AWS KMS key to encrypt all PHI across the application.
Create individual AWS KMS keys for each client, each with detailed access policies and audit logging.
Explanation
Answer D is correct because:
- Distinct Keys per Client: AWS KMS allows creating separate keys for each client, ensuring compliance with encryption requirements.
- Centralized Management: KMS provides a secure, managed service for key storage, rotation, and access policies, reducing operational complexity.
- Audit Logging: KMS integrates with AWS CloudTrail to log key usage, aiding compliance audits.
Why other options are incorrect:
- A: Storing keys in DynamoDB adds operational overhead and security risks, as keys are not managed by KMS.
- B: Integrating an on-premises HSM introduces complexity and maintenance, conflicting with the goal of minimal overhead.
- C: A single KMS key violates the requirement for client-specific encryption.
Key Points:
- Use AWS KMS to manage encryption keys centrally.
- Create separate keys per client for compliance.
- KMS automates key management, reducing operational effort.
Answer
The correct answer is: D