An industry regulatory body requires a healthcare insurance company to fully control cryptographic key management locally to ensure the safeguarding of sensitive patient data. How can the organization achieve this, given that all their workloads are in the cloud?

Answer options:

A.AWS Key Management Service (KMS)
B.AWS Certificate Manager (ACM)
C.AWS CloudHSM
D.Server-Side Encryption (SSE)

Correct Answer:C
AWS CloudHSM allows the administrator to have full and exclusive control over the generation and management of cryptographic keys on actual hardware security modules that are physically stored in AWS data centers.
https://aws.amazon.com/cloudhsm/
Option A is INCORRECT because AWS Key Management Service (KMS) is a fully-managed AWS service. This makes the service an ineligible option since the prerequisite of the use case is for the company to retain full control and administrator of the keys.
Option B is INCORRECT because AWS Certificate Manager (ACM) is primarily for issuing verified security certificates for SSL/HTTPS on AWS resources such as Elastic Load Balancer or Web Application Firewall (WAF).
Option D is INCORRECT because server-side encryption (SSE) is typically encryption of objects or data within the bucket in Amazon S3. The data is encrypted at the object level as it is saved on AWS storage infrastructure and then decrypted when it is accessed.