What should a solutions architect recommend as a solution?
Use AWS Secrets Manager with customer master keys (CMKs) to store master key material and apply a routine to create a new CMK periodically and replace it in AWS Secrets Manager.
Use AWS Key Management Service (AWS KMS) with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in AWS KMS.
Use an AWS CloudHSM cluster with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in the CloudHSM cluster nodes.
Use AWS Systems Manager Parameter Store with customer master keys (CMKs) to store master key material and apply a routine to re-create a new key periodically and replace it in the Parameter Store.
Explanations:
AWS Secrets Manager is primarily used for managing secrets like database credentials, not for key management or encryption directly. It does not provide native support for creating or rotating encryption keys for S3 or EBS volumes.
AWS Key Management Service (AWS KMS) is specifically designed for managing encryption keys. It allows you to create customer master keys (CMKs), which can be used to encrypt S3 buckets and EBS volumes. AWS KMS also supports automatic key rotation, aligning with the company’s requirements for periodic key rotation by security specialists.
AWS CloudHSM is a hardware security module that allows you to manage your own encryption keys, but it requires more operational overhead and is not specifically designed for automatic rotation of keys for S3 and EBS. It is less suitable than AWS KMS for this use case.
AWS Systems Manager Parameter Store is not designed for managing encryption keys. While it can store parameters securely, it does not provide the comprehensive key management and rotation features needed for managing CMKs used in S3 and EBS encryption.
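As an added example (not part of the original question or its explanations), here is the KMS-based design expressed in Terraform, with the region, key alias and bucket name being assumed placeholders: a customer managed key with automatic rotation enabled, set as the default encryption key for an S3 bucket and for all new EBS volumes in the account.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

# Customer managed KMS key whose backing material KMS rotates automatically.
# Rotation retains every previous key version, so data encrypted under older
# material still decrypts; callers keep using the same key ID and alias.
resource "aws_kms_key" "data" {
  description             = "Master key for S3 and EBS data (example)"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

resource "aws_kms_alias" "data" {
  name          = "alias/example-data-key" # assumed alias name
  target_key_id = aws_kms_key.data.key_id
}

# Example bucket; default encryption forces SSE-KMS under the key above.
resource "aws_s3_bucket" "data" {
  bucket = "example-data-bucket-REPLACE-ME" # placeholder, must be globally unique
}

resource "aws_s3_bucket_server_side_encryption_configuration" "data" {
  bucket = aws_s3_bucket.data.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.data.arn
    }
    bucket_key_enabled = true # fewer KMS calls per object, same key
  }
}

# Account-level defaults so new EBS volumes in this region are encrypted
# under the same rotating key without per-volume configuration.
resource "aws_ebs_encryption_by_default" "on" {
  enabled = true
}

resource "aws_ebs_default_kms_key" "data" {
  key_arn = aws_kms_key.data.arn
}
```

After applying, `aws kms get-key-rotation-status --key-id <key-id>` should report `KeyRotationEnabled: true`; note that automatic rotation applies only to symmetric customer managed keys with KMS-generated material, not to keys with imported material or to AWS managed keys.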