A company’s data lake uses Amazon S3 and Amazon Athena. The company’s security engineer has been asked to design an encryption solution that meets the company’s data protection requirements. The encryption solution must work with Amazon S3 and keys managed by the company. The encryption solution must be protected in a hardware security module that is validated to Federal information Processing Standards (FIPS) 140-2 Level 3.
Which solution meets these requirements?
A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK.
B. Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.
C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM.
D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM.
Which solution meets these requirements?
A. Use client-side encryption with an AWS KMS customer-managed key implemented with the AWS Encryption SDK.
B. Use AWS CloudHSM to store the keys and perform cryptographic operations. Save the encrypted text in Amazon S3.
C. Use an AWS KMS customer-managed key that is backed by a custom key store using AWS CloudHSM.
D. Use an AWS KMS customer-managed key with the bring your own key (BYOK) feature to import a key stored in AWS CloudHSM.