Which managed service centrally creates and manages the encryption keys used to encrypt data in Amazon S3, Amazon EBS, and other services, while also providing access control and auditing capabilities?

Correct answer: B

Explanation

This question asks you to identify the managed service responsible for creating and managing encryption keys. The key phrases in the question are:

  • "encryption keys": keys used for data encryption are the target
  • "centrally creates and manages": centralized management of the key lifecycle = KMS
  • "access control and auditing": IAM integration and CloudTrail auditing
A: Incorrect

AWS CloudHSM

AWS CloudHSM is a service for managing keys in a dedicated physical HSM for the customer's exclusive use, designed for strict compliance requirements.

For the purpose of this question, which is easily performing managed key creation, management, access control, and auditing integrated with Amazon S3 and Amazon EBS, KMS is more appropriate, so this is incorrect.

B: Correct

AWS KMS (Key Management Service)

This is correct. AWS KMS is a managed service that centrally creates and manages encryption keys. It integrates with many services such as Amazon S3, Amazon EBS, and Amazon RDS, controls access to keys with IAM, and audits usage history with AWS CloudTrail. It enables simple and secure data encryption.

C: Incorrect

AWS Secrets Manager

AWS Secrets Manager is a service that stores and rotates secrets such as database credentials and API keys.

Its target is confidential information such as passwords; it is not the infrastructure for creating and managing the encryption keys themselves that are used for Amazon S3 and Amazon EBS data encryption, so this is incorrect.

D: Incorrect

AWS Certificate Manager

AWS Certificate Manager (ACM) is a service that issues and renews TLS/SSL certificates.

Its role is managing certificates for communication encryption; KMS is appropriate for centrally managing data encryption keys, so this is incorrect.

Key Takeaway

'Creating and managing encryption keys' points to AWS KMS. It integrates with many services, controls access with IAM, and audits with CloudTrail. If dedicated hardware is required, use CloudHSM.