Which solution will meet these requirements with the LEAST operational overhead?
Use AWS Security Token Service (AWS STS) to create temporary tokens to encrypt the storage volumes for all SageMaker instances and to encrypt the model artifacts and data in Amazon S3.
Use customer managed keys in AWS Key Management Service (AWS KMS) to encrypt the storage volumes for all SageMaker instances and to encrypt the model artifacts and data in Amazon S3.
Use encryption keys stored in AWS CloudHSM to encrypt the storage volumes for all SageMaker instances and to encrypt the model artifacts and data in Amazon S3.
Use SageMaker built-in transient keys to encrypt the storage volumes for all SageMaker instances. Enable default encryption for new Amazon Elastic Block Store (Amazon EBS) volumes.
Explanations:
AWS Security Token Service (STS) is not designed for managing encryption keys. It issues temporary credentials and does not provide a root of trust for key management or key usage logging in the way AWS KMS or CloudHSM do.
Customer-managed keys in AWS KMS meet the requirement for AWS to maintain the root of trust for encryption keys. AWS KMS also provides key usage logging via CloudTrail, fulfilling both the encryption and logging requirements with minimal operational overhead.
AWS CloudHSM is a hardware security module (HSM) service that requires more operational overhead than AWS KMS, including the management of HSM appliances and key lifecycle. This adds complexity and is not necessary for this use case.
While SageMaker supports transient encryption keys, they do not provide the same level of control over key management and usage logging that KMS does. Additionally, this option does not fully meet the requirement for encryption at rest of the model artifacts and data in Amazon S3.