Question 252:
A government project has strict compliance requirements for data security, and its hardware security module (HSM) instances in AWS should be dedicated. Cryptographic keys used for data encryption should be accessible only by you. The HSM service needs to span different availability zones in an AWS region for redundancy and high availability. Which method would you choose to meet these requirements?
Answer options:
A. Create a customer-managed key in Key Management Service (KMS). Use KMS key policy and IAM policy to ensure that the key is accessible only by the customer.
B. Configure an AWS CloudHSM cluster that contains several HSMs in different availability zones in an AWS region to achieve redundancy and high availability.
C. Set up custom key stores in Key Management Service (KMS) by creating dedicated hardware security modules.
D. Create a hardware security module (HSM) in AWS CloudHSM which is a highly available service in an AWS region. The service is not impacted even if one availability zone is unavailable.