AWS Certified Machine Learning – Specialty — Question 182

A company will use Amazon SageMaker to train and host a machine learning (ML) model for a marketing campaign. The majority of data is sensitive customer data. The data must be encrypted at rest. The company wants AWS to maintain the root of trust for the master keys and wants encryption key usage to be logged.
Which implementation will meet these requirements?

Answer options

• A. Use encryption keys that are stored in AWS Cloud HSM to encrypt the ML data volumes, and to encrypt the model artifacts and data in Amazon S3.
• B. Use SageMaker built-in transient keys to encrypt the ML data volumes. Enable default encryption for new Amazon Elastic Block Store (Amazon EBS) volumes.
• C. Use customer managed keys in AWS Key Management Service (AWS KMS) to encrypt the ML data volumes, and to encrypt the model artifacts and data in Amazon S3.
• D. Use AWS Security Token Service (AWS STS) to create temporary tokens to encrypt the ML storage volumes, and to encrypt the model artifacts and data in Amazon S3.

Correct answer: C

Explanation

The correct answer is C because using customer managed keys in AWS KMS allows for encryption at rest while enabling AWS to manage the root of trust for the master keys and logging key usage. Option A is incorrect as AWS Cloud HSM does not provide the same level of simplicity and logging capabilities as KMS. Option B does not meet the requirement for AWS to maintain the root of trust since it uses transient keys. Option D is incorrect because AWS STS is not designed for encryption purposes.