Which of the following solutions should the Solutions Architect recommend?
Deploy the storage gateway to AWS in file gateway mode. Use Amazon EBS volume encryption using an AWS KMS key to encrypt the storage gateway volumes.
Use Amazon S3 with a bucket policy to enforce HTTPS for connections to the bucket and to enforce server-side encryption and AWS KMS for object encryption.
Use Amazon DynamoDB with SSL to connect to DynamoDB. Use an AWS KMS key to encrypt DynamoDB objects at rest.
Deploy instances with Amazon EBS volumes attached to store this data. Use EBS volume encryption using an AWS KMS key to encrypt the data.
Explanations:
The storage gateway in file gateway mode primarily serves as a bridge between on-premises environments and AWS, but it does not meet the requirement for the company to manage the encryption keys. Additionally, EBS volume encryption applies to block storage volumes rather than to the large documents themselves.
Amazon S3 provides high durability and availability for stored data, meeting the requirement. It allows for server-side encryption with AWS KMS keys, where the company can manage the encryption keys, and bucket policies can enforce HTTPS and encryption, fulfilling the criteria of encryption at rest and in transit.
Amazon DynamoDB is a highly durable and available NoSQL database, but the requirement specifies storing large documents. While it supports SSL and encryption at rest via AWS KMS, it is not the best fit for large document storage compared to S3, since its primary use case is not document storage.
While using EBS volumes with encryption via AWS KMS meets the encryption requirements, EBS volumes are not designed to store large amounts of data with the durability and availability that S3 provides. Additionally, key management and rotation are less flexible than with S3's KMS integration.
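The S3 explanation above rests on a bucket policy that denies non-TLS connections and uploads that are not encrypted with the company's KMS key. The following is an added example, not part of the original question or of any AWS material: it builds such a policy and includes a small simulator for its Deny conditions. The bucket name and KMS key ARN are constructed placeholders; the condition keys (`aws:SecureTransport`, `s3:x-amz-server-side-encryption`, `s3:x-amz-server-side-encryption-aws-kms-key-id`) are the real S3 condition keys. The simulator is a simplification for illustration and is not IAM's policy evaluator.

```python
"""Added example: an S3 bucket policy that enforces TLS in transit and SSE-KMS with a
customer-managed key at rest, plus a small simulator for its Deny conditions."""
import json
from typing import Dict, Optional, Tuple

# Constructed placeholders; substitute the real bucket name and KMS key ARN.
BUCKET = "example-documents-bucket"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

SSE_KEY = "s3:x-amz-server-side-encryption"
KMS_ID_KEY = "s3:x-amz-server-side-encryption-aws-kms-key-id"


def _deny(sid: str, action, resource, condition: dict) -> dict:
    """Build one Deny statement that applies to every principal."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": action,
            "Resource": resource, "Condition": condition}


def build_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Policy made of explicit Deny statements; an explicit Deny wins over any Allow."""
    arn = f"arn:aws:s3:::{bucket}"
    objects = f"{arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # In transit: reject every request that did not arrive over TLS.
            _deny("DenyInsecureTransport", "s3:*", [arn, objects],
                  {"Bool": {"aws:SecureTransport": "false"}}),
            # At rest: reject uploads naming another algorithm (e.g. AES256 = SSE-S3) ...
            _deny("DenyNonKmsEncryption", "s3:PutObject", objects,
                  {"StringNotEquals": {SSE_KEY: "aws:kms"}}),
            # ... or omitting the encryption header entirely.
            _deny("DenyMissingEncryptionHeader", "s3:PutObject", objects,
                  {"Null": {SSE_KEY: "true"}}),
            # Pin the company-managed key so a different KMS key cannot be substituted ...
            _deny("DenyWrongKmsKey", "s3:PutObject", objects,
                  {"StringNotEquals": {KMS_ID_KEY: kms_key_arn}}),
            # ... and require that key to be named explicitly on every upload.
            _deny("DenyMissingKmsKey", "s3:PutObject", objects,
                  {"Null": {KMS_ID_KEY: "true"}}),
        ],
    }


def is_request_denied(policy: dict, action: str, secure_transport: bool,
                      headers: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Simplified simulation of the Deny statements above (not IAM's evaluator).

    Only the operators the policy uses are modelled. StringNotEquals is treated as
    matching only when the key is present with a different value; absence is handled
    by the Null statements, which is why both kinds of statement appear in the policy.
    Returns (denied, Sid of the first matching statement).
    """
    ctx = {
        "aws:SecureTransport": "true" if secure_transport else "false",
        SSE_KEY: headers.get("x-amz-server-side-encryption"),
        KMS_ID_KEY: headers.get("x-amz-server-side-encryption-aws-kms-key-id"),
    }
    for stmt in policy["Statement"]:
        if stmt["Action"] not in ("s3:*", action):
            continue
        for operator, pairs in stmt["Condition"].items():
            for key, expected in pairs.items():
                actual = ctx.get(key)
                if operator == "Bool" and actual == expected:
                    return True, stmt["Sid"]
                if operator == "StringNotEquals" and actual is not None and actual != expected:
                    return True, stmt["Sid"]
                if operator == "Null" and (actual is None) == (expected == "true"):
                    return True, stmt["Sid"]
    return False, None


# Constructed sample requests: (description, action, over TLS?, relevant headers).
SAMPLE_REQUESTS = [
    ("download over plain HTTP", "s3:GetObject", False, {}),
    ("upload with SSE-S3 header", "s3:PutObject", True,
     {"x-amz-server-side-encryption": "AES256"}),
    ("upload with no encryption header", "s3:PutObject", True, {}),
    ("upload with SSE-KMS but another key", "s3:PutObject", True,
     {"x-amz-server-side-encryption": "aws:kms",
      "x-amz-server-side-encryption-aws-kms-key-id": "arn:aws:kms:us-east-1:111122223333:key/OTHER"}),
    ("compliant upload", "s3:PutObject", True,
     {"x-amz-server-side-encryption": "aws:kms",
      "x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_ARN}),
    ("download over HTTPS", "s3:GetObject", True, {}),
]

if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET, KMS_KEY_ARN)
    print(json.dumps(policy, indent=2))
    for description, action, tls, headers in SAMPLE_REQUESTS:
        denied, sid = is_request_denied(policy, action, tls, headers)
        print(f"{description:40s} -> {'DENIED by ' + sid if denied else 'not denied'}")
```

The policy is deliberately strict: every upload must name both `aws:kms` and the company's key, so a client that relies on the bucket's default encryption setting instead of sending the headers is rejected rather than silently written with a different key. Setting the bucket's default encryption to SSE-KMS with the same customer-managed key is a sensible complement, and the "company manages the keys" requirement is then enforced through that key's KMS key policy and rotation settings rather than through the bucket alone. Verify the real policy against actual requests (CloudTrail data events or the IAM policy simulator) rather than trusting the simplified simulator here.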