Which solution will meet these requirements?
Configure the fleet of EC2 instances to use encrypted EBS volumes to store data.
Configure the application to write all data to an encrypted Amazon S3 bucket.
Configure a custom encryption algorithm for the application that will encrypt and decrypt all data.
Configure an Amazon Machine Image (AMI) that has an encrypted root volume and store the data to ephemeral disks.
Explanations:
Encrypted EBS volumes: this option uses Amazon EBS encryption, which ensures that all data stored on the EBS volumes is encrypted at rest using AWS-managed keys. The approach is transparent to the application, with minimal performance impact because of the efficiency of AWS's encryption mechanisms.
Encrypted Amazon S3 bucket: while an encrypted S3 bucket does encrypt the data, it does not meet the requirement to store the data on EBS volumes, as specified in the scenario. It would also require changes to the application architecture and could introduce additional latency, affecting performance.
Custom encryption algorithm: implementing a custom encryption algorithm increases the complexity of the application and may introduce performance overhead. Furthermore, managing encryption keys securely is challenging, and this approach does not guarantee encryption at rest the way EBS encryption does.
AMI with an encrypted root volume and ephemeral disks: an encrypted root volume protects only the root volume; it does not encrypt the attached data volumes or the ephemeral disks. Additionally, ephemeral disks are not persistent and may not be suitable for storing sensitive information.
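The correct option relies on every data volume actually being encrypted, so a practitioner would want to verify that state rather than assume it. The following is an added example (not part of the original question or of any AWS tool): it audits the JSON that `aws ec2 describe-volumes` returns together with the account-level `get-ebs-encryption-by-default` flag, using a constructed sample in that shape; the volume, key and instance IDs are made up.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-volumes` output (not real account data).
SAMPLE_DESCRIBE_VOLUMES = json.dumps({
    "Volumes": [
        {"VolumeId": "vol-0example0001", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
         "State": "in-use",
         "Attachments": [{"InstanceId": "i-0example0001", "Device": "/dev/xvda"}]},
        {"VolumeId": "vol-0example0002", "Encrypted": False, "State": "in-use",
         "Attachments": [{"InstanceId": "i-0example0002", "Device": "/dev/sdf"}]},
        {"VolumeId": "vol-0example0003", "Encrypted": False, "State": "available",
         "Attachments": []},
    ]
})


def audit_ebs_encryption(describe_volumes_json, encryption_by_default):
    """Report EBS volumes that are not encrypted at rest.

    describe_volumes_json: JSON text from `aws ec2 describe-volumes`.
    encryption_by_default: the region's `get-ebs-encryption-by-default` value.
        Enabling it only affects volumes created afterwards, so pre-existing
        unencrypted volumes must still be found and replaced.
    """
    volumes = json.loads(describe_volumes_json)["Volumes"]
    unencrypted = []
    for vol in volumes:
        if vol.get("Encrypted"):
            continue
        instances = [a["InstanceId"] for a in vol.get("Attachments", [])]
        unencrypted.append({
            "VolumeId": vol["VolumeId"],
            "State": vol.get("State"),
            "AttachedTo": instances,
            # An existing volume cannot be encrypted in place: snapshot it,
            # copy the snapshot with encryption enabled, create a new volume.
            "Remediation": "snapshot -> encrypted snapshot copy -> replace volume",
        })
    return {
        "encryption_by_default": bool(encryption_by_default),
        "total_volumes": len(volumes),
        "unencrypted_count": len(unencrypted),
        "unencrypted": unencrypted,
        "compliant": bool(encryption_by_default) and not unencrypted,
    }


if __name__ == "__main__":
    print(json.dumps(audit_ebs_encryption(SAMPLE_DESCRIBE_VOLUMES, False), indent=2))
```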