The correct choice is AWS Private Certificate Authority. It is a managed private CA that integrates with IAM for access control and records API activity in AWS CloudTrail for auditing. It issues private X.509 certificates and supports hierarchical trust with subordinate certificate authorities.

AWS Private Certificate Authority is a fully managed service that removes the operational burden of running your own PKI. It lets you use IAM policies to control who can create and manage CAs and certificates. It also emits CloudTrail events for API calls so you can audit certificate issuance and configuration changes.

AWS Certificate Manager is not sufficient by itself because it provisions and manages certificates for AWS services and integrated endpoints and it does not act as a private CA or create subordinate CAs without the private CA service.

AWS Key Management Service manages cryptographic keys and supports signing and encryption operations and it does not issue X.509 certificates or provide CA lifecycle and hierarchy features.

AWS Secrets Manager is designed to store and rotate application secrets and credentials and it is not a PKI or certificate issuance service.

Full AWS Practitioner Certification Question