Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS CloudHSM key store backed by a CloudHSM cluster.
B. Use an AWS Key Management Service (AWS KMS) external key store backed by an external key manager.
C. Use the default AWS Key Management Service (AWS KMS) managed key store.
D. Use a custom key store backed by an AWS CloudHSM cluster.
Explanations:
AWS CloudHSM gives you single-tenant HSMs, but you provision and operate the cluster yourself (HSM users, capacity, backups, client software), which increases operational overhead. More importantly, the keys live in HSMs inside the AWS Cloud; CloudHSM has no mechanism for serving keys held by an external key manager, so it cannot satisfy a requirement to keep key material outside AWS.
An AWS KMS external key store (XKS) is a custom key store whose key material is created, stored, and used only inside an external key manager that you control outside the AWS Cloud. KMS never holds the key: each Encrypt or Decrypt request for a KMS key in that store is forwarded, through an XKS proxy that you expose, to the external key manager, which performs the cryptographic operation and returns the result. Callers still use the ordinary KMS APIs, IAM policies, key policies, and KMS-integrated AWS services, so the AWS-side integration adds no extra operational work. This is the only option that meets the requirement to retain keys outside AWS, and therefore the one that meets it with the least operational overhead. The caveat to plan for: you are responsible for running the external key manager and the XKS proxy, and if they are unreachable, every operation on those keys fails, so their availability and latency directly bound your workload's.
The default AWS KMS key store keeps key material in HSMs that AWS operates inside the AWS Cloud. It is the simplest option to run, but it cannot satisfy a requirement that keys remain outside the AWS Cloud, so it fails the company's regulatory and compliance needs.
An AWS KMS custom key store backed by an AWS CloudHSM cluster generates and stores the keys in your CloudHSM cluster, which is inside the AWS Cloud in your account. You still operate the cluster, so the overhead is the same as option A, and, like option A, it cannot use keys held by an external key manager, so it does not meet the requirement.
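To make the external key store option concrete, here is an added example (not part of the original question and not an AWS-provided script) of provisioning an external key store with the AWS CLI and then creating a KMS key whose material stays in the external key manager. It assumes an external key manager and an XKS proxy in front of it already exist; the proxy hostname proxy.xks.example.com, the URI path prefix, the credential values, the key store name ExampleXksKeyStore and the key identifier hsm-key-0001 are placeholders. The AWS CLI calls run only when XKS_APPLY=1 is set in the environment; otherwise the script only validates the configuration offline.

```shell
#!/bin/sh
# Added example: provisioning an AWS KMS external key store (XKS) with the AWS CLI.
# All endpoint, path, credential and key-id values below are placeholders (assumptions),
# not real endpoints or secrets.

XKS_PROXY_ENDPOINT="https://proxy.xks.example.com"   # assumed hostname of your XKS proxy
XKS_PROXY_PATH="/example-prefix/kms/xks/v1"          # must begin with / and end with /kms/xks/v1
XKS_PROXY_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"       # placeholder XKS proxy credential (not an IAM key)
XKS_PROXY_SECRET="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYEXAMPLEK"  # placeholder
XKS_KEY_ID="hsm-key-0001"                            # assumed id of the AES-256 key in the external key manager

# KMS rejects a proxy URI path that does not start with / and end with /kms/xks/v1,
# so fail fast locally instead of waiting for an API error.
validate_xks_proxy_path() {
    case "$1" in
        *//*) return 1 ;;                       # empty path segment
        /kms/xks/v1|/*/kms/xks/v1) return 0 ;;  # optional prefix, then the required suffix
        *) return 1 ;;
    esac
}

# XksKeyId: 1 to 128 characters from [A-Za-z0-9_.-]; it is only a reference to a key
# that already exists in the external key manager, never key material.
validate_xks_key_id() {
    case "$1" in
        ''|*[!a-zA-Z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 128 ]
}

# Step 1: register the external key store. Only proxy connection details are given to KMS.
create_external_key_store() {
    aws kms create-custom-key-store \
        --custom-key-store-name "ExampleXksKeyStore" \
        --custom-key-store-type EXTERNAL_KEY_STORE \
        --xks-proxy-connectivity PUBLIC_ENDPOINT \
        --xks-proxy-uri-endpoint "$XKS_PROXY_ENDPOINT" \
        --xks-proxy-uri-path "$XKS_PROXY_PATH" \
        --xks-proxy-authentication-credential \
            "AccessKeyId=$XKS_PROXY_ACCESS_KEY_ID,RawSecretAccessKey=$XKS_PROXY_SECRET" \
        --query CustomKeyStoreId --output text
}

# Step 2: connect. The connection is asynchronous, so poll until CONNECTED or FAILED.
connect_and_wait() {
    aws kms connect-custom-key-store --custom-key-store-id "$1"
    while :; do
        state=$(aws kms describe-custom-key-stores --custom-key-store-id "$1" \
                --query 'CustomKeyStores[0].ConnectionState' --output text)
        case "$state" in
            CONNECTED) return 0 ;;
            FAILED)
                aws kms describe-custom-key-stores --custom-key-store-id "$1" \
                    --query 'CustomKeyStores[0].ConnectionErrorCode' --output text >&2
                return 1 ;;
        esac
        sleep 10
    done
}

# Step 3: create a KMS key backed by the external key. Note: no key material is imported;
# --xks-key-id only names the key the external key manager already holds.
create_xks_key() {
    aws kms create-key \
        --origin EXTERNAL_KEY_STORE \
        --custom-key-store-id "$1" \
        --xks-key-id "$XKS_KEY_ID" \
        --description "KMS key whose material lives in the external key manager" \
        --query KeyMetadata.KeyId --output text
}

# Offline checks always run; the AWS calls run only when explicitly enabled.
validate_xks_proxy_path "$XKS_PROXY_PATH" || { echo "invalid XKS proxy URI path" >&2; exit 1; }
validate_xks_key_id "$XKS_KEY_ID" || { echo "invalid XKS key id" >&2; exit 1; }

if [ "${XKS_APPLY:-0}" = "1" ]; then
    store_id=$(create_external_key_store)
    connect_and_wait "$store_id"
    key_id=$(create_xks_key "$store_id")
    # From here on the key is used like any other KMS key; KMS forwards the operation
    # to the external key manager through the proxy.
    aws kms encrypt --key-id "$key_id" --plaintext fileb:///tmp/plaintext.bin \
        --query CiphertextBlob --output text
fi
```

If the proxy cannot be reached, connect-custom-key-store leaves the store in a FAILED state and describe-custom-key-stores reports a ConnectionErrorCode; keys in the store are unusable until the connection is restored, which is the availability dependency to plan for. For a proxy that is not exposed publicly, use --xks-proxy-connectivity VPC_ENDPOINT_SERVICE together with --xks-proxy-vpc-endpoint-service-name instead of PUBLIC_ENDPOINT.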