Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables

The application must

• Include migration to a different IAM Region in the application disaster recovery plan.

• Provide a full audit trail of encryption key administration events

• Allow only company administrators to administer keys.

• Protect data at rest using application layer encryption

A Security Engineer is evaluating options for encryption key management

Why should the Security Engineer choose IAM CloudHSM over IAM KMS for encryption key management in this situation?
A . The key administration event logging generated by CloudHSM is significantly more extensive than IAM KMS.
B . CloudHSM ensures that only company support staff can administer encryption keys, whereas IAM KMS allows IAM staff to administer keys
C . The ciphertext produced by CloudHSM provides more robust protection against brute force decryption attacks than the ciphertext produced by IAM KMS
D . CloudHSM provides the ability to copy keys to a different Region, whereas IAM KMS does not

View Answer

Answer: B