Which solution meets these requirements?
Store sensitive data in an Amazon Elastic Block Store (Amazon EBS) volume. Use EBS encryption to encrypt the data. Use an IAM instance role to restrict access.
Store sensitive data in Amazon RDS for MySQL. Use AWS Key Management Service (AWS KMS) client-side encryption to encrypt the data.
Store sensitive data in Amazon S3. Use AWS Key Management Service (AWS KMS) server-side encryption to encrypt the data. Use S3 bucket policies to restrict access.
Store sensitive data in Amazon FSx for Windows Server. Mount the file share on application servers. Use Windows file permissions to restrict access.
Explanations:
EBS encryption protects data at rest, but it does not provide granular control over access to the data by database administrators. Because the volume is decrypted transparently for the operating system, IAM instance roles can restrict access only at the EC2 level; database administrators with access to the EC2 instance can still read the sensitive data in unencrypted form.
Using Amazon RDS with AWS Key Management Service (KMS) client-side encryption ensures that the encryption keys are managed by KMS and that the data is encrypted by the application before it is written to the database, so the database itself only ever holds ciphertext. Even database administrators cannot decrypt the data without the correct key. This meets the requirement to protect sensitive data from database administrators.
S3 with KMS server-side encryption protects data at rest but does not allow for fine-grained control over access to data based on user roles or database-level access. S3 is primarily used for object storage, not for transactional data such as that used in an e-commerce platform.
Amazon FSx for Windows Server is a file system service, and Windows file permissions can be used to restrict access. However, this option does not address encryption of sensitive data at rest in a way that prevents database administrators from accessing it. Additionally, FSx is not ideal for structured transactional data like that used in e-commerce.