Question 17
Domain 2: Security and Compliance
Which of the following services enables you to easily generate and use your own encryption keys in the AWS Cloud?
Correct answer: C
Explanation
AWS CloudHSM is the service that serves as an “encryption key generator”: AWS describes it as letting you “generate and use cryptographic keys on dedicated FIPS 140-2 Level 3 single-tenant HSM instances.” That matches the requirement to use your own encryption keys in the AWS Cloud, unlike KMS, which is a managed key service.
Why each option is right or wrong
A. AWS Shield.
B. AWS Certificate Manager.
C. AWS CloudHSM.
AWS CloudHSM is the AWS service that provides single-tenant hardware security modules, and AWS documents it as the option to generate and use cryptographic keys on dedicated FIPS 140-2 Level 3 HSM instances. That fits the requirement to create and operate your own keys in the cloud, whereas KMS is a multi-tenant managed key service where AWS manages the key infrastructure.
D. AWS WAF.