Your company wants to enable encryption of services such as S3 and EBS volumes so that the data it maintains is encrypted at rest. They want to have complete control over the keys and the entire lifecycle around the keys. Morever, the company needs to create and manage the hardware security modules that store the encryption keys. How can you accomplish this?

Answer options:

A.Use the AWS CloudHSM
B.Use the KMS service
C.Enable S3 server-side encryption
D.Enable EBS Encryption with the default KMS keys

Answer – A
This is mentioned in the AWS Documentation
AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs
KMS is a shared hardware tenancy - your keys are in their own partition of an encryption module shared with other AWS customers, each with their own isolated partition. Cloud HSM gives you your own hardware module, so the most likely reason to choose Cloud HSM is if you had to ensure your keys were isolated on their own encryption module.
Options B, C, and D are incorrect since they have shared hardware tenancy.
For more information on cloud HSM and Encryption Tools, please refer to the below URL
https://aws.amazon.com/cloudhsm/
https://docs.aws.amazon.com/crypto/latest/userguide/awscryp-choose-toplevel.html