
Answer-first summary for fast verification
Answer: AWS Key Management Service (AWS KMS)
## Detailed Explanation

### Understanding the Requirement

The question asks which AWS service should be used to encrypt custom model artifacts created by Amazon Bedrock model customization jobs using a **customer-managed encryption key**. This requirement specifically involves:

1. **Encryption of model artifacts** - Data at rest protection for the custom models
2. **Customer-managed key** - The company wants control over the encryption key lifecycle and policies
3. **Integration with Amazon Bedrock** - The service must work seamlessly with Bedrock's model customization feature

### Analysis of Each Option

**A. AWS Key Management Service (AWS KMS)** - **CORRECT**

- **Primary Purpose**: AWS KMS is AWS's dedicated service for creating and managing encryption keys
- **Customer-Managed Keys (CMKs)**: AWS KMS allows creation of CMKs where customers have full control over key policies, rotation schedules, and access permissions
- **Integration with Amazon Bedrock**: Amazon Bedrock natively supports using AWS KMS CMKs to encrypt model artifacts during customization jobs
- **Best Practice Alignment**: Using KMS CMKs for sensitive AI model artifacts follows AWS security best practices for data protection at rest

**B. Amazon Inspector** - **INCORRECT**

- **Primary Purpose**: Vulnerability management service that scans AWS resources for security vulnerabilities
- **Key Limitation**: Does not provide encryption key management capabilities
- **Misalignment**: While important for security posture, Inspector cannot encrypt data or manage encryption keys

**C. Amazon Macie** - **INCORRECT**

- **Primary Purpose**: Data security and privacy service that uses machine learning to discover and protect sensitive data
- **Key Limitation**: Focuses on data discovery and classification, not encryption key management
- **Misalignment**: Macie helps identify sensitive data but does not provide encryption key management for protecting that data

**D. AWS Secrets Manager** - **INCORRECT**

- **Primary Purpose**: Service for managing secrets like passwords, API keys, and database credentials
- **Key Limitation**: While it can store encrypted secrets, it is not designed for managing encryption keys used to encrypt other data
- **Critical Distinction**: Secrets Manager manages the secrets themselves, not the encryption keys used to protect other resources like model artifacts

### Why AWS KMS is the Optimal Choice

1. **Direct Fit for Purpose**: AWS KMS is specifically designed for encryption key management, which is exactly what the requirement calls for
2. **Customer Control**: KMS CMKs give organizations full control over key policies, including who can use the keys and under what conditions
3. **Native Integration**: Amazon Bedrock has built-in support for AWS KMS encryption, making implementation straightforward
4. **Compliance Benefits**: Using KMS CMKs helps meet regulatory requirements for data encryption and key management
5. **Lifecycle Management**: KMS provides comprehensive key lifecycle management including rotation, enabling, disabling, and auditing

### Security Architecture Context

When using Amazon Bedrock for custom model development, the model artifacts represent valuable intellectual property that requires strong protection. AWS KMS provides:

- **FIPS 140-2 validated** hardware security modules for key storage
- **Granular access control** through IAM policies and key policies
- **Comprehensive audit trails** via AWS CloudTrail integration
- **Automatic key rotation** capabilities for enhanced security

This approach ensures that even if the underlying storage is compromised, the model artifacts remain protected by strong encryption with keys controlled exclusively by the company.
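As an added example (not part of the LeetQuiz page and not AWS's own code), the Python below assembles the two pieces that the "Customer Control" and "Native Integration" points above describe: a KMS key policy that grants a single named principal only the actions a customization job needs, and the `CreateModelCustomizationJob` request that references the key through `customModelKmsKeyId`. It also includes a small check that flags a key policy whose principal is `*`, the misconfiguration a reviewer most wants to catch. The account id, region, key ARN, role ARNs, S3 URIs and hyperparameter values are constructed placeholders; the KMS action list and the `customModelKmsKeyId` field follow the AWS Bedrock documentation on encrypting customization jobs as I understand it, and the key-policy principal is assumed to be the IAM principal that submits the job.

```python
"""Added example (not from the LeetQuiz page or from AWS): build the KMS key
policy and the Bedrock customization-job request that put a customer managed
key in front of the custom model artifacts. Runs offline; nothing calls AWS.
Returned dicts can be passed to boto3 as keyword arguments."""
import json

ACCOUNT_ID = "111122223333"  # constructed placeholder
REGION = "us-east-1"         # constructed placeholder
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/11111111-2222-3333-4444-555555555555"
JOB_CALLER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BedrockCustomizationCaller"
BEDROCK_SERVICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/BedrockCustomizationServiceRole"

# KMS actions the job submitter needs on the key (per Bedrock encryption docs, as assumed here)
BEDROCK_KEY_ACTIONS = ("kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant")


def build_key_policy(account_id, job_caller_arn):
    """Key policy: account root keeps administration; one named principal gets
    only the actions the customization job needs, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EnableKeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowBedrockModelCustomization",
                "Effect": "Allow",
                "Principal": {"AWS": job_caller_arn},
                "Action": list(BEDROCK_KEY_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    """IAM JSON allows a single value as a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def _aws_principals(stmt):
    """AWS principals of a statement; the bare form "Principal": "*" means everyone."""
    raw = stmt.get("Principal", {})
    return ["*"] if raw == "*" else _as_list(raw.get("AWS", []))


def policy_grants(policy, principal_arn, required_actions):
    """True when some Allow statement names principal_arn and covers every
    required action (a bare 'kms:*' counts as covering all of them)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or principal_arn not in _aws_principals(stmt):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if "kms:*" in actions or set(required_actions) <= actions:
            return True
    return False


def open_principal_sids(policy):
    """Sids of unconditioned Allow statements whose principal is '*': such a
    statement hands the model key to any AWS account, so flag it."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt.get("Effect") == "Allow"
        and "*" in _aws_principals(stmt)
        and "Condition" not in stmt
    ]


def build_customization_job_request(job_name, custom_model_name, base_model_id,
                                    service_role_arn, key_arn, training_s3_uri, output_s3_uri):
    """Keyword arguments for bedrock.create_model_customization_job(**request).
    customModelKmsKeyId is what points Bedrock at the customer managed key."""
    return {
        "jobName": job_name,
        "customModelName": custom_model_name,
        "roleArn": service_role_arn,
        "baseModelIdentifier": base_model_id,
        "customModelKmsKeyId": key_arn,
        "trainingDataConfig": {"s3Uri": training_s3_uri},
        "outputDataConfig": {"s3Uri": output_s3_uri},
        # constructed values; tune for the real base model
        "hyperParameters": {"epochCount": "1", "batchSize": "1", "learningRate": "0.00001"},
    }


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, JOB_CALLER_ROLE_ARN)
    assert policy_grants(policy, JOB_CALLER_ROLE_ARN, BEDROCK_KEY_ACTIONS)
    assert open_principal_sids(policy) == []
    print(json.dumps(policy, indent=2))
    request = build_customization_job_request(
        "support-tuning-job", "support-assistant-v1", "amazon.titan-text-express-v1",
        BEDROCK_SERVICE_ROLE_ARN, KEY_ARN,
        "s3://example-bucket/train.jsonl", "s3://example-bucket/output/")
    print(json.dumps(request, indent=2))
```

The policy check is deliberately narrow: it answers "does this exact ARN get these exact actions" and "is anyone granted the key without a condition", which is enough to catch the two mistakes that matter most when a model key is created by hand (forgetting the job submitter, or opening the key to `*`). Key rotation, CloudTrail logging and the service role's own S3 permissions are configured separately from the key policy.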
Author: LeetQuiz Editorial Team
Which AWS service should be used to encrypt custom model artifacts created by Amazon Bedrock model customization jobs using a customer-managed key?

A. AWS Key Management Service (AWS KMS)
B. Amazon Inspector
C. Amazon Macie
D. AWS Secrets Manager