🔥 3-day streak
AWS Certified Machine Learning Engineer - Associate122 / 194
Question 122 of 194

A healthcare company runs a real-time SageMaker endpoint that serves patient risk scores. Compliance requires that all inference request and response payloads captured to Amazon S3 be encrypted with a customer-managed KMS key, and that data captured from this specific endpoint can be cryptographically distinguished from data captured by other endpoints in audit logs. The security team also wants CloudTrail records to show which endpoint triggered each KMS decrypt operation without decrypting the data itself. What is the MOST appropriate way to meet these requirements?

Reviewed for accuracy · Report an issueNext question