Answer – A and D
AWS Key Management Service (KMS) now uses FIPS 140-2 validated hardware security modules (HSM) and supports FIPS 140-2 validated endpoints, which provide independent assurances about the confidentiality and integrity of your keys.
All master keys in AWS KMS, regardless of their creation date or origin, are automatically protected using FIPS 140-2 validated HSMs.
FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4". It does not specify in detail what level of security is required by any particular application.
FIPS 140-2 Level 1, the lowest, imposes very limited requirements; loosely, all components must be "production-grade" and various egregious kinds of insecurity must be absent.
FIPS 140-2 Level 2 adds requirements for physical tamper-evidence and role-based authentication.
FIPS 140-2 Level 3 adds requirements for physical tamper-resistance (making it difficult for attackers to gain access to the sensitive information contained in the module), for identity-based authentication, and for a physical or logical separation between the interfaces through which "critical security parameters" enter and leave the module and the module's other interfaces.
FIPS 140-2 Level 4 makes the physical security requirements more stringent and requires robustness against environmental attacks.
AWS CloudHSM provides you with a FIPS 140-2 Level 3 validated single-tenant HSM cluster in your Amazon Virtual Private Cloud (VPC) to store and use your keys. You have exclusive control over how your keys are used via an authentication mechanism independent from AWS. You interact with keys in your AWS CloudHSM cluster in much the same way you interact with your applications running in Amazon EC2.
Options B and C are incorrect because they cannot generate the required encryption keys.
For more information on CloudHSM, kindly visit the following URL:
https://aws.amazon.com/cloudhsm/