A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in A...

A company is developing a highly resilient application to be hosted on multiple Amazon EC2 instances. The application will store highly sensitive user data in Amazon RDS tables.
The application must:
- Include migration to a different AWS Region in the application disaster recovery plan.
- Provide a full audit trail of encryption key administration events.
- Allow only company administrators to administer keys.
- Protect data at rest using application layer encryption.
A Security Engineer is evaluating options for encryption key management.
Why should the Security Engineer choose AWS CloudHSM over AWS KMS for encryption key management in this situation?