Which solution meets these requirements?
Store sensitive data in an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS encryption to encrypt the data. Use an IAM instance role to restrict access.
Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side encryption to encrypt the data.
Store sensitive data in Amazon S3. Use AWS Key Management Service (AWS KMS) server-side encryption to encrypt the data. Use S3 bucket policies to restrict access.
Store sensitive data in Amazon FSx for Windows Server. Mount the file share on application servers. Use Windows file permissions to restrict access.
Explanations:
EBS encryption protects data at rest on the volume, but decryption is transparent to anyone who can read the volume through the instance, so it does not stop database administrators from reading the unencrypted data. An IAM instance role controls which AWS APIs the instance may call; it does not keep sensitive data away from administrators.
With AWS KMS client-side encryption, sensitive customer data is encrypted by the application before it is sent to Amazon RDS, so the database stores only ciphertext and even database administrators cannot read the plaintext. This protects the sensitive information both in storage and in transit.
AWS KMS server-side encryption protects data at rest in S3, but S3 decrypts objects transparently for any user or application that is permitted to read the bucket, so it does not prevent those principals from obtaining plaintext. Administrators with bucket access can therefore still read the decrypted data.
Windows file permissions can restrict who may open the file share, but they do not encrypt the sensitive data. Database administrators with sufficient permissions can still read the unencrypted data, so this option does not meet the requirement to protect sensitive customer data.