Which solution should a solutions architect recommend to meet this requirement with the LEAST amount of changes to the infrastructure?

Explanations:

AWS Certificate Manager is primarily used for managing SSL/TLS certificates for secure communication, not for encrypting database volumes or at-rest data. Therefore, this option does not fulfill the requirement to encrypt PII at rest.

AWS CloudHSM provides hardware security modules for managing cryptographic keys but does not directly encrypt database volumes. Using CloudHSM would require significant changes to the current architecture to manage keys effectively, making it less desirable for minimal changes.

Configuring SSL encryption using AWS KMS does not encrypt data at rest; SSL is for securing data in transit. While AWS KMS can manage encryption keys, this option fails to address the requirement for encrypting data at rest.

Configuring Amazon EBS encryption and Amazon RDS encryption with AWS KMS keys directly encrypts the data at rest with minimal changes to the existing infrastructure. This approach meets the compliance requirement for encrypting PII and is the simplest solution for achieving encryption at rest.