Which of the following services meets these requirements?
Amazon S3 with default encryption
AWS CloudHSM
Amazon DynamoDB with server-side encryption
AWS Systems Manager Parameter Store
Explanations:
Amazon S3 with default encryption does not restrict access solely to VPCs, as it can be accessed over the internet if proper bucket policies are not applied. It also does not provide tamper-evident controls or guarantee high availability specifically for encryption key storage.
AWS CloudHSM meets all the requirements: it is accessible only within VPCs, provides tamper-evident controls, has access logging features, and is designed for high availability and durability of encryption keys.
Amazon DynamoDB with server-side encryption can store data securely, but it does not meet the requirement of being accessible only through VPCs unless additional network configurations (e.g., VPC endpoints) are established. It also lacks specific tamper-evident controls for encryption key management.
AWS Systems Manager Parameter Store does offer encryption and can be accessed from VPCs, but it does not provide the same level of tamper-evident controls as a dedicated key management service, and it does not guarantee high availability for encryption key storage specifically.