AWS Certified Cloud Practitioner

Explanation

AWS Key Management Service (AWS KMS) is the correct service for managing encryption keys in AWS. Here's why:

Why AWS KMS is correct:

1. Purpose-built for key management: AWS KMS is specifically designed to create and control encryption keys used to encrypt data across AWS services.
2. Integration with Amazon Bedrock: Amazon Bedrock supports using AWS KMS keys to encrypt model artifacts and other data.
3. Company-managed keys: AWS KMS allows you to create and manage your own encryption keys (Customer Managed Keys - CMKs) rather than using AWS-managed keys.
4. Granular control: With AWS KMS, you can define key policies, rotation schedules, and access controls for your encryption keys.

Why other options are incorrect:

• B. Amazon Inspector: This is an automated security assessment service that helps improve security and compliance of applications deployed on AWS. It doesn't manage encryption keys.
• C. Amazon Macie: This is a security service that uses machine learning to discover, classify, and protect sensitive data in AWS. It's not designed for encryption key management.
• D. AWS Secrets Manager: This service helps protect secrets needed to access applications, services, and IT resources. While it can store and manage secrets, it's not designed for managing encryption keys for data encryption at rest.

Key AWS KMS features relevant to this scenario:

• Create Customer Managed Keys (CMKs)
• Define key policies and access controls
• Enable automatic key rotation
• Audit key usage via AWS CloudTrail
• Integrate with various AWS services including Amazon Bedrock

When customizing models in Amazon Bedrock, you can specify a KMS key to encrypt the model artifacts, ensuring that your company maintains control over the encryption keys used to protect your intellectual property.