Regulations require that encryption keys be managed on a company-owned dedicated physical hardware security module (HSM). Which AWS service meets this requirement?
A question asking to identify the service that manages keys on a dedicated physical HSM.
AWS KMS
AWS KMS is a service that creates and manages encryption keys in a managed fashion and satisfies many encryption requirements.
However, standard KMS uses AWS-managed shared HSM infrastructure, so it does not meet this question's regulatory requirement for a dedicated physical HSM (CloudHSM) and is incorrect.
AWS Secrets Manager
AWS Secrets Manager is a service that stores and rotates secrets such as database credentials and API keys.
It handles confidential information such as passwords, not the management of encryption keys on a dedicated physical HSM, so this is incorrect.
AWS Certificate Manager
AWS Certificate Manager (ACM) is a service that issues and renews TLS/SSL certificates.
Its purpose is managing certificates for communication encryption, not managing general-purpose encryption keys on a dedicated HSM, so this is incorrect.
AWS CloudHSM
This is correct. AWS CloudHSM is a service that provides customer-dedicated hardware security modules (HSMs) in the cloud. It allows encryption keys to be managed on dedicated hardware, satisfying strict compliance requirements (such as key management on a company-owned HSM). It offers higher exclusivity and control than KMS.
'Dedicated physical HSM' and 'strict compliance' point to AWS CloudHSM. Standard managed key management uses KMS; when dedicated hardware is required, use CloudHSM. Choose based on the strictness of the requirement.