Which solution will meet these requirements?
Provision an AWS Certificate Manager (ACM) certificate for each customer. Encrypt the data client-side. In the private certificate policy, deny access to the certificate for all principals except an IAM role that the customer provides.
Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In the S3 bucket policy, deny decryption of data for all principals except an IAM role that the customer provides.
Provision a separate AWS Key Management Service (AWS KMS) key for each customer. Encrypt the data server-side. In each KMS key policy, deny decryption of data for all principals except an IAM role that the customer provides.
Provision an AWS Certificate Manager (ACM) certificate for each customer. Encrypt the data client-side. In the public certificate policy, deny access to the certificate for all principals except an IAM role that the customer provides.
Explanations:
ACM certificates secure SSL/TLS connections, that is, encryption in transit; they do not encrypt data at rest. Additionally, certificate policies are not a mechanism for restricting access to data stored in Amazon S3.
While a KMS key can be created for each customer and used for server-side encryption, an S3 bucket policy cannot restrict KMS decryption operations directly; that control belongs in the KMS key policy instead.
A separate KMS key for each customer provides encryption at rest, and the key policy of each key can grant decryption only to the IAM role provided by that customer, so the company's own employees cannot read the data.
ACM public certificates are used for public SSL/TLS encryption, not for client-side encryption of data at rest. Certificate policies cannot control decryption of objects in S3, and they are not a substitute for KMS key policies.
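The third option in working form, as an added example that is not part of the question or the explanations above: a Python function that builds one customer's KMS key policy (administration for a company role, kms:Decrypt for the customer-provided role, an explicit Deny of kms:Decrypt for every other principal via the aws:PrincipalArn condition key), a companion S3 bucket policy that only constrains which key uploads must use, and a small simplified model of IAM evaluation to show which callers can decrypt. All account IDs, key IDs, bucket and role names are placeholders; the evaluator is a teaching model, not the AWS policy engine.

```python
"""Constructed example for the correct option: one KMS key per customer whose key
policy denies kms:Decrypt to every principal except a customer-provided IAM role.
Not AWS code. Account IDs, key IDs, bucket and role names are placeholders, and
is_allowed() is a simplified model of IAM evaluation (an applicable explicit Deny
wins, otherwise a matching Allow is required) for the statement shapes used here."""
import json
from fnmatch import fnmatch

COMPANY_ACCOUNT = "111122223333"   # placeholder account id
CUSTOMER_ACCOUNT = "444455556666"  # placeholder account id
KEY_ARN = f"arn:aws:kms:us-east-1:{COMPANY_ACCOUNT}:key/EXAMPLE-KEY-ID"  # placeholder
ADMIN_ROLE = f"arn:aws:iam::{COMPANY_ACCOUNT}:role/KeyAdmins"           # placeholder
EMPLOYEE_ROLE = f"arn:aws:iam::{COMPANY_ACCOUNT}:role/DataEngineer"     # placeholder
CUSTOMER_ROLE = f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/CustomerReader"  # placeholder


def customer_key_policy(customer_role_arn: str, admin_role_arn: str) -> dict:
    """Key policy for one customer's key.

    The Deny uses aws:PrincipalArn rather than NotPrincipal: for an assumed-role
    session the context carries the role ARN, so every other role in the account,
    including the key administrators, is denied kms:Decrypt. For cross-account use
    the customer's role also needs an identity policy allowing kms:Decrypt on this
    key; that side is not modelled here."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Administer the key, but no cryptographic use of it.
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin_role_arn},
                "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                           "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                           "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                           "kms:CancelKeyDeletion"],
                "Resource": "*",
            },
            {   # Only the customer-provided role may decrypt.
                "Sid": "CustomerRoleMayDecrypt",
                "Effect": "Allow",
                "Principal": {"AWS": customer_role_arn},
                "Action": ["kms:Decrypt", "kms:DescribeKey"],
                "Resource": "*",
            },
            {   # Explicit Deny overrides any Allow granted elsewhere.
                "Sid": "DenyDecryptToEveryoneElse",
                "Effect": "Deny",
                "Principal": {"AWS": "*"},
                "Action": "kms:Decrypt",
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:PrincipalArn": customer_role_arn}},
            },
        ],
    }


def bucket_policy_requiring_customer_key(bucket: str, key_arn: str) -> dict:
    """What the bucket policy CAN do: force uploads to name this customer's key.
    It cannot decide who may decrypt; that is the key policy's job."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RequireThisCustomersKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": key_arn}},
        }],
    }


def _statement_applies(stmt: dict, principal_arn: str, action: str) -> bool:
    """Simplified match of one key-policy statement against caller and action."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch(action, pattern) for pattern in actions):
        return False
    principal = stmt["Principal"]["AWS"]
    if principal != "*" and principal != principal_arn:
        return False
    context = {"aws:PrincipalArn": principal_arn}  # request context we model
    for key, value in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if context.get(key) == value:
            return False  # condition not met, so the statement does not apply
    return True


def is_allowed(policy: dict, principal_arn: str, action: str) -> bool:
    """Simplified IAM evaluation: any applicable Deny wins, else need an Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, principal_arn, action):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = customer_key_policy(CUSTOMER_ROLE, ADMIN_ROLE)
    for who in (CUSTOMER_ROLE, EMPLOYEE_ROLE, ADMIN_ROLE):
        print(f"{who.rsplit('/', 1)[-1]:>15} kms:Decrypt -> {is_allowed(policy, who, 'kms:Decrypt')}")
    print(json.dumps(bucket_policy_requiring_customer_key("customer-a-data", KEY_ARN), indent=2))
```

Running the script shows the customer role allowed and both company roles denied for kms:Decrypt, while the administrator role keeps its management actions; the bucket policy output illustrates why the second option fails: its condition can pin the key used for uploads but has no way to express "who may decrypt".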