AWS Certified Solutions Architect - Associate / Question #1664 of 1019

Question #1664

A financial institution must maintain cryptographic keys within an on-premises key management system to adhere to data sovereignty regulations. The institution needs to handle encryption and decryption using keys stored outside the AWS Cloud while supporting integration with multiple third-party external key managers. Which solution meets these requirements with the LEAST operational overhead?

A

Use AWS CloudHSM key store with a dedicated CloudHSM cluster hosted on-premises.

B

Use AWS Key Management Service (AWS KMS) external key store integrated with the existing external key manager.

C

Use the default AWS Key Management Service (AWS KMS) key store with AWS-managed keys.

D

Use a custom key store backed by an on-premises AWS CloudHSM cluster managed by the institution.

Explanation

Answer B is correct because the AWS KMS external key store (XKS) integrates with third-party external key managers, allowing the financial institution to keep its keys on-premises to meet data sovereignty requirements. AWS KMS forwards the encrypt and decrypt requests to the external key manager through the XKS proxy API, so the institution avoids the operational effort of running its own HSMs (options A and D).

- Why not A/D? CloudHSM requires managing a dedicated HSM cluster (on-premises or AWS), increasing operational overhead.
- Why not C? AWS-managed keys are stored in AWS, violating data sovereignty requirements.
- Key Points: XKS enables external key storage, integrates with third-party managers, and leverages AWS KMS for simplified operations without managing HSMs.
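The distinction the explanation draws (key material in KMS, in a CloudHSM cluster, or behind an external key manager) is visible in the `Origin` field of the `KeyMetadata` that `kms.describe_key` returns. The audit below is an added example, not part of the original question or of any AWS tooling; the key IDs, custom key store IDs and XKS key IDs in its sample data are constructed.

```python
"""Classify KMS keys by where their key material lives (added example, not page code).
Input: KeyMetadata documents in the shape boto3's kms.describe_key() returns.
The Origin field records the key-store type: AWS_KMS (option C), AWS_CLOUDHSM
(options A/D), EXTERNAL_KEY_STORE (option B, external key manager behind an XKS
proxy) or EXTERNAL (imported material, a copy of which lives in KMS)."""
from dataclasses import dataclass
from typing import Any, Dict, List

@dataclass
class Finding:
    key_id: str
    compliant: bool
    reason: str

def assess_key(meta: Dict[str, Any]) -> Finding:
    """Only EXTERNAL_KEY_STORE keys keep their material outside AWS."""
    key_id = meta["KeyId"]
    if meta.get("KeyManager") == "AWS":
        return Finding(key_id, False, "AWS-managed key: material stored in AWS KMS")
    origin = meta.get("Origin", "AWS_KMS")
    if origin == "EXTERNAL_KEY_STORE":
        xks_id = meta.get("XksKeyConfiguration", {}).get("Id")
        if not meta.get("CustomKeyStoreId") or not xks_id:
            return Finding(key_id, False, "XKS key lacks an external key store binding")
        state = meta.get("KeyState")
        if state != "Enabled":  # 'Unavailable' = key store disconnected from the XKS proxy
            return Finding(key_id, False, f"XKS key not usable: KeyState is {state}")
        return Finding(key_id, True, f"material held by external key manager (XKS key {xks_id})")
    if origin == "AWS_CLOUDHSM":
        return Finding(key_id, False, "CloudHSM key store: material in an HSM cluster the customer operates")
    if origin == "EXTERNAL":
        return Finding(key_id, False, "imported material: a copy resides in AWS KMS")
    return Finding(key_id, False, "customer managed KMS key: material stored in AWS KMS")

def audit(keys: List[Dict[str, Any]]) -> List[Finding]:
    return [assess_key(k) for k in keys]

# Constructed sample metadata with example IDs (not real account data).
SAMPLE_KEYS = [
    {"KeyId": "key-0001", "KeyManager": "AWS", "Origin": "AWS_KMS", "KeyState": "Enabled"},
    {"KeyId": "key-0002", "KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM",
     "CustomKeyStoreId": "cks-EXAMPLE-HSM", "KeyState": "Enabled"},
    {"KeyId": "key-0003", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL_KEY_STORE",
     "CustomKeyStoreId": "cks-EXAMPLE-XKS", "XksKeyConfiguration": {"Id": "xks-example"}, "KeyState": "Enabled"},
    {"KeyId": "key-0004", "KeyManager": "CUSTOMER", "Origin": "EXTERNAL_KEY_STORE",
     "CustomKeyStoreId": "cks-EXAMPLE-XKS", "XksKeyConfiguration": {"Id": "xks-example"}, "KeyState": "Unavailable"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_KEYS):
        print(f"{f.key_id}: {'OK' if f.compliant else 'FAIL'} - {f.reason}")
```

The fourth sample shows the operational caveat of option B: an XKS-backed key whose key store has lost its proxy connection reports `KeyState` `Unavailable` and cannot serve requests until the store is reconnected.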

Answer

The correct answer is: B