SAA-C03 - Design Secure Architectures - Section 1.7
Design encryption at rest and key management using AWS KMS, envelope encryption and AWS CloudHSM.
Explain how AWS KMS uses envelope encryption: a data key is generated and encrypted (wrapped) under a KMS key, and that data key, not the KMS key, is what encrypts the data itself, so only the small wrapped key ever passes through KMS. Distinguish AWS managed keys from customer managed keys in terms of who controls rotation and how key use is audited. Choose AWS CloudHSM when regulation demands dedicated hardware security modules under exclusive customer control rather than the shared, managed KMS model.
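The envelope-encryption flow described above, as an added example that is not Examworthy's or AWS's code: an in-memory stand-in for KMS holds the KMS key and never releases it, callers see only data keys, and every KMS call is recorded the way CloudTrail would record it. The symmetric cipher is a constructed SHA-256 counter-mode keystream with an HMAC tag, a stand-in for AES-GCM so the script runs on the standard library alone; `FakeKMS`, `envelope_encrypt` and `envelope_decrypt` are hypothetical names, not the KMS API.

```python
import hashlib, hmac, os

def _keystream(key, nonce, length):
    # SHA-256 in counter mode: a constructed stand-in for AES so this runs on stdlib only
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _encrypt(key, plaintext):
    # Layout: nonce (16) || ciphertext || HMAC-SHA256 tag (32); stands in for AES-GCM
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def _decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: ciphertext or wrapped key was altered")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

WRAPPED_LEN = 16 + 32 + 32  # size of a 32-byte data key after _encrypt wraps it

class FakeKMS:
    """Offline stand-in for AWS KMS: the KMS key is created here and never handed out."""
    def __init__(self):
        self._kms_key = os.urandom(32)  # constructed; plays the customer managed key
        self.audit = []                  # stands in for the CloudTrail record of key use

    def generate_data_key(self):
        # Like KMS GenerateDataKey: a plaintext data key plus a copy wrapped under the KMS key
        self.audit.append("GenerateDataKey")
        data_key = os.urandom(32)
        return data_key, _encrypt(self._kms_key, data_key)

    def decrypt(self, wrapped_key):
        # Like KMS Decrypt: only the small wrapped key is sent to KMS, never the bulk data
        self.audit.append("Decrypt")
        return _decrypt(self._kms_key, wrapped_key)

def envelope_encrypt(kms, data):
    data_key, wrapped = kms.generate_data_key()
    body = _encrypt(data_key, data)  # bulk encryption happens locally with the data key
    del data_key                     # plaintext data key is discarded; only the wrapped copy persists
    return wrapped + body            # wrapped key travels with the ciphertext

def envelope_decrypt(kms, blob):
    wrapped, body = blob[:WRAPPED_LEN], blob[WRAPPED_LEN:]
    data_key = kms.decrypt(wrapped)  # the single call that needs KMS (and is audited)
    return _decrypt(data_key, body)
```

The audit list shows why customer managed keys matter for auditability: every unwrap is a visible KMS call, while the bulk data never leaves the caller.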
Key terms: AWS KMS, envelope encryption, AWS CloudHSM, customer managed keys
Examworthy is not affiliated with or endorsed by Amazon Web Services. Original, blueprint-aligned practice material only.