AWS KMS
Managed encryption keys for data at rest everywhere.
❓ What is it?
A managed key service that creates and controls cryptographic keys, integrates with 100+ AWS services for at-rest encryption, and logs every key use to CloudTrail.
💡 Why does it exist?
Training data, model artifacts, and transcripts are business secrets. Customer-managed keys give you control (rotation, revocation, per-key access policy) and auditors the evidence they require.
⏱️ When should you use it?
Encrypt S3 training buckets, SageMaker volumes and artifacts, Bedrock customisation outputs, and transcripts; choose customer-managed keys when compliance demands key-level control.
🗺️ Where does it fit?
Woven into the storage layer: services request data keys from KMS at read/write time; key policies decide which roles may decrypt what.
🔌 How do you integrate it?
Create a customer-managed key, reference its ARN in service encryption settings (e.g. SSE-KMS on S3, SageMaker KmsKeyId), enable rotation, and monitor usage via CloudTrail.
🧩 Commonly integrated with
🎯 Exam angle (AIF-C01)
- AWS-managed keys = zero effort; customer-managed keys = control + auditability. Compliance wording pushes toward customer-managed.
- Every ML data-protection answer pairs encryption in transit (TLS) with at rest (KMS).