Find answers, ask questions, and connect with our
community around the world.

Home Forums AWS AWS Certified Solutions Architect Professional Review Mode Set 3 Question 21 related question

Tagged: ,

  • Review Mode Set 3 Question 21 related question

  • SalientListener

    July 5, 2024 at 10:37 pm

    Category: CSAP – Continuous Improvement for Existing Solutions

    A financial services company uses hardware security modules (HSMs) to generate encryption master keys. Since the company application logs include personally identifiable information, encryption is required as part of regulatory compliance. The application logs are going to be stored on a central Amazon S3 bucket and should be encrypted at rest. The security team wants to use the company HSMs to generate the CMK material for encryption on the S3 bucket.

    Which of the following options should the solutions architect implement to meet the company requirements?

    – Using AWS CLI, create a new CMK with no key material and use EXTERNAL as the origin of the key. Generate a key from the on-premises HSMs and import it as CMK using the public key and import token from AWS. Apply an Amazon S3 bucket policy on the central logging bucket to require AWS KMS as the encryption source and deny unencrypted object uploads.

    For this the answer is correct but the explanation is confusing me. The Answer mentions “Generate Data Key in the On Premise CloudHSMs and import it into CMK”. However the entire answer explanation is delving into “Generate the Key Material in AWS Cloud HSM and AWS CloudHSM is not mentioned anywhere in the question. Question is asking how you can import the key material generated in HSMs OUTSIDE of AWS while the answer and the blog you linked explains how you can generate the keys within AWS CloudHSM.

    Can you please correct the answer explanation to reflect whats being asked in the question and let us know how keys generated outside of AWS can be imported?

  • Neil-TutorialsDojo

    July 12, 2024 at 9:52 am

    Hello SalientListener,

    Good day! Thank you for bringing this to our attention. We apologize for any confusion caused by the initial explanation. We appreciate your patience as we correct this information.

    As for your question how keys generated outside of AWS can be imported, to my knowledge, there are two ways to do this. First is using the console (Customer managed keys.) and the other one is using AWS KMS API. Please refer to these documentations for more information:, and

    We hope this clears up any confusion. Please let us know if you have any further questions or need additional assistance.

    Neil @ tutorials dojo

Viewing 1 - 2 of 2 replies

Log in to reply.

Original Post
0 of 0 posts June 2018