Which implementation will meet these requirements?
Use encryption keys that are stored in AWS CloudHSM to encrypt the ML data volumes, and to encrypt the model artifacts and data in Amazon S3.
Use SageMaker built-in transient keys to encrypt the ML data volumes. Enable default encryption for new Amazon Elastic Block Store (Amazon EBS) volumes.
Use customer managed keys in AWS Key Management Service (AWS KMS) to encrypt the ML data volumes, and to encrypt the model artifacts and data in Amazon S3.
Use AWS Security Token Service (AWS STS) to create temporary tokens to encrypt the ML storage volumes, and to encrypt the model artifacts and data in Amazon S3.
Explanations:
AWS CloudHSM is typically used for hardware security module (HSM) use cases where you need to manage keys outside of AWS Key Management Service (AWS KMS). SageMaker does not directly integrate with CloudHSM for managing the keys used by training or inference jobs.
SageMaker’s built-in transient keys are used for temporary encryption during model training and inference, but they do not meet the requirement of maintaining the root of trust for the master keys and logging key usage.
Using AWS KMS customer managed keys (CMKs) allows you to maintain the root of trust for the keys, and you can enable AWS CloudTrail logging to track every use of those keys. This option meets both the encryption-at-rest requirement and the key-usage logging requirement.
AWS STS provides temporary credentials for accessing AWS resources but does not manage encryption keys or fulfill the requirement for maintaining the root of trust or logging key usage.