SAP-C02 · Question #370
SAP-C02 Question #370: Real Exam Question with Answer & Explanation
The correct answer is C: Create a CMK in AWS KMS with no key material and an origin of EXTERNAL. Import the key. https://aws.amazon.com/blogs/security/how-to-byok-bring-your-own-key-to-aws-kms-for-less-than-15-00-a-year-using-aws-cloudhsm/ https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html
Question
A financial services company logs personally identifiable information in its application logs stored in Amazon S3. Due to regulatory compliance requirements, the log files must be encrypted at rest. The security team has mandated that the company's on-premises hardware security modules (HSMs) be used to generate the CMK material. Which steps should the solutions architect take to meet these requirements?
Options
- A. Create an AWS CloudHSM cluster. Create a new CMK in AWS KMS using AWS_CloudHSM as
- B. Provision an AWS Direct Connect connection, ensuring there is no overlap of the RFC 1918
- C. Create a CMK in AWS KMS with no key material and an origin of EXTERNAL. Import the key
- D. Create a new CMK in AWS KMS with AWS-provided key material and an origin of AWS_KMS.
Explanation
https://aws.amazon.com/blogs/security/how-to-byok-bring-your-own-key-to-aws-kms-for-less-than-15-00-a-year-using-aws-cloudhsm/
https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-create-cmk.html