What should a solutions architect do to reduce the operational burden?
Use multi-factor authentication (MFA) to protect the encryption keys.
Use AWS Key Management Service (AWS KMS) to protect the encryption keys.
Use AWS Certificate Manager (ACM) to create, store, and assign the encryption keys.
Use an IAM policy to limit the scope of users who have access permissions to protect the encryption keys.
Explanations:
While MFA can enhance security for accessing the key management system, it does not directly protect or manage the encryption keys themselves. MFA is primarily about authenticating users rather than managing keys, and therefore does not reduce the operational burden of key management.
AWS Key Management Service (AWS KMS) is designed specifically for managing encryption keys. It provides a fully managed service that simplifies the creation, management, and control of cryptographic keys used to encrypt data. By using AWS KMS, the company can offload much of the operational complexity associated with key management, allowing developers to focus on their applications rather than the underlying infrastructure.
AWS Certificate Manager (ACM) is used for managing SSL/TLS certificates for securing websites, not for creating or managing encryption keys for data encryption. It does not provide the functionality necessary for a scalable key management infrastructure.
While using IAM policies to limit access to encryption keys is a good security practice, it does not address the scalability and operational management of the key management infrastructure itself. This option focuses on access control rather than the management of keys, so it does not sufficiently reduce the operational burden.