
A company is required to use cryptographic keys in its on-premises key manager. The key manager is outside of the AWS Cloud because of regulatory and compliance requirements. The company wants to manage encryption and decryption by using cryptographic keys that are retained outside of the AWS Cloud and that support a variety of external key managers from different vendors.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS CloudHSM key store backed by a CloudHSM cluster.
B. Use an AWS Key Management Service (AWS KMS) external key store backed by an external key manager.
C. Use the default AWS Key Management Service (AWS KMS) managed key store.
D. Use a custom key store backed by an AWS CloudHSM cluster.
Explanation:
Correct Answer: B - Use an AWS Key Management Service (AWS KMS) external key store backed by an external key manager.
Why this is correct:
External Key Store (XKS): AWS KMS external key store allows you to use cryptographic keys that are stored and managed in your own external key management infrastructure outside of AWS.
Meets regulatory requirements: Since the keys remain outside AWS Cloud in the company's on-premises key manager, this satisfies regulatory and compliance requirements.
Vendor flexibility: AWS KMS external key store supports a variety of external key managers from different vendors through a standardized interface.
Least operational overhead: AWS KMS handles the integration and management of the connection to the external key manager, reducing operational complexity compared to managing everything yourself.
AWS KMS integration: You can use AWS KMS APIs and features while the actual keys remain external, providing the best of both worlds.
Why other options are incorrect:
A. Use AWS CloudHSM key store backed by a CloudHSM cluster: This uses AWS CloudHSM, which is an AWS service, not an on-premises solution. The keys would reside in the AWS Cloud, violating the requirement to keep them outside AWS.
C. Use the default AWS Key Management Service (AWS KMS) managed key store: This stores keys within AWS KMS in the AWS Cloud, not in the company's on-premises key manager.
D. Use a custom key store backed by an AWS CloudHSM cluster: Similar to option A, this uses AWS CloudHSM, which is an AWS service, not an external on-premises key manager.
Key AWS Services:
Use Case: This solution is ideal for organizations with strict regulatory requirements to maintain cryptographic keys in their own infrastructure while still benefiting from AWS KMS integration and reduced operational overhead.