What managed service helps you create and control encryption keys for your data?

The correct answer is AWS KMS (Key Management Service) because it is specifically designed for the creation, management, and control of encryption keys used to encrypt and decrypt data across your AWS services and applications. With AWS KMS, users can create their own keys (customer-managed keys) or use keys that are managed by AWS (AWS-managed keys). It provides a secure and centralized way to handle keys, enabling you to enforce encryption policies and audit key usage.

AWS KMS integrates seamlessly with other AWS services, allowing for easy encryption of data in services like Amazon S3, Amazon EBS, and Amazon RDS, among others. In addition, it offers features such as key rotation, access control policies using AWS Identity and Access Management (IAM), and integration with AWS CloudTrail for logging key usage, enhancing data security and compliance efforts.

The other options relate to security, but they focus on different areas of protection. AWS Shield Advanced is a managed DDoS protection service, Amazon GuardDuty provides threat detection through continuous monitoring of AWS accounts and workloads, and Amazon Detective helps to analyze and investigate security issues. None of these services directly deal with the management of encryption keys, which is the specific purpose of AWS KMS.