Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?
Deploy AWS Certificate Manager to generate certificates. Use the certificates to encrypt the database volume.
Deploy AWS CloudHSM, generate encryption keys, and use the keys to encrypt database volumes.
Configure SSL encryption using AWS Key Management Service (AWS KMS) keys to encrypt database volumes.
Configure Amazon Elastic Block Store (Amazon EBS) encryption and Amazon RDS encryption with AWS Key Management Service (AWS KMS) keys to encrypt instance and database volumes.
Explanations:
AWS Certificate Manager is used for managing SSL/TLS certificates, which secure data in transit rather than at rest. It does not provide a mechanism for encrypting database volumes directly.
AWS CloudHSM provides hardware security modules for key management but requires significant changes to the application to integrate key management for encryption. This is more complex than necessary for the requirement to encrypt PII at rest.
SSL encryption protects data in transit rather than at rest. While KMS keys can be used for encrypting data at rest, SSL is not the right method for volume encryption in this context.
Configuring Amazon EBS encryption and Amazon RDS encryption with AWS KMS keys allows for seamless encryption of instance and database volumes with minimal changes to the existing infrastructure, fulfilling the compliance requirement for PII encryption at rest.