🔥 3-day streak
AWS Certified CloudOps Engineer - Associate105 / 159
Question 105 of 159

A financial services company must comply with a regulation that requires them to retain full control over the cryptographic key material used to encrypt sensitive data stored in Amazon S3. Their compliance policy mandates that the key material be generated in their on-premises hardware security module (HSM) and that they retain the ability to permanently delete the key material from AWS on demand. A CloudOps engineer must configure AWS KMS to meet these requirements. Which approach should the engineer take?

Reviewed for accuracy · Report an issueNext question