The requirement has two separate controls: customer-controlled cryptographic root of trust and preventive regional governance. AWS KMS external key store (XKS) is the correct encryption model because AWS KMS forwards cryptographic operations to an external key manager that the customer controls outside AWS, such as an in-country HSM environment. That satisfies the requirement to operate the HSMs and retain control of the key root. AWS Control Tower Region deny control is the correct preventive governance control because it denies access to unlisted operations outside approved governed Regions for the selected organizational scope. AWS Config is detective, not preventive. AWS KMS multi-Region keys and standard customer managed keys do not keep the cryptographic root in customer-operated in-country HSMs. AWS CloudHSM custom key stores still use AWS CloudHSM clusters, not external in-country HSMs.