Q238. A solutions architect must enable an AWS CloudHSM M of N access control (also named a quorum authentication mechanism) to allow security officers to make administrative changes to a hardware security module (HSM). The new security policy states that at least three of the five security officers must authorize any administrative changes to CloudHSM. Which well-architected design ensures the security officers can authenticate as a quorum?
A. Create a static website on Amazon S3 integrated with Amazon API Gateway to allow an officer to initiate a quorum request. Use Amazon SNS to notify the officers of a quorum request. Allow the officers to download the CloudHSM quorum token, sign the token offline, and upload the signed token through the website. Use Amazon DynamoDB to store the quorum token and additional officer responses with their signed quorum tokens. Configure an AWS Step Functions workflow to orchestrate officer notifications, count signed tokens in Amazon DynamoDB, and notify the initiating officer once at least three officers have signed the token. Use the signed quorum token to administer CloudHSM.
B. Create a static website on Amazon S3 integrated with Amazon API Gateway to allow an officer to initiate a quorum request. Use the website to redirect the officers to sign in to CloudHSM with their federated identity credentials. Once at least three officers are signed in to CloudHSM, initiate a synchronous quorum token signing process. Use the signed quorum token to administer CloudHSM.
C. Create a quorum signing application hosted on multiple Amazon EC2 instances behind an Application Load Balancer to allow an officer to initiate a quorum request. Require officers to log in to the application with their federated identity credentials. Each officer will then use the application to approve the quorum signing request. Configure the application to use AWS STS to sign the CloudHSM quorum token on behalf of the officers. Once at least three officers have approved the quorum signing request, use EC2 IAM service roles to administer CloudHSM with the signed quorum token.
D. Create an Amazon Cognito authenticated Amazon API Gateway API endpoint with an AWS Lambda proxy integration. Allow an officer to create a CloudHSM quorum token and post it to the API Gateway API after signing in with Amazon Cognito. Configure the Lambda function to perform a signing procedure on the quorum token using the officer's Amazon Cognito IAM role and store the signed token in Amazon DynamoDB. Once at least three officers have signed the quorum token, allow a POST method to administer CloudHSM with the signed token.
Correct answer: D