Which solution will meet these requirements?
A. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS Key Management Service (AWS KMS) custom key store that is backed by AWS CloudHSM for key management.
B. Host the database on Amazon RDS. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use an AWS managed CMK in AWS Key Management Service (AWS KMS) for key management.
C. Host the database on an Amazon EC2 instance. Use Amazon Elastic Block Store (Amazon EBS) for encryption. Use a customer managed CMK in AWS Key Management Service (AWS KMS) for key management.
D. Host the database on an Amazon EC2 instance. Use Transparent Data Encryption (TDE) for encryption and key management.
Explanations:
A. Amazon RDS supports encryption at rest, and using a KMS custom key store backed by AWS CloudHSM ensures compliance with FIPS 140-2 Level 3 validation for cryptographic material. This solution minimizes operational overhead because it uses RDS and offloads management to AWS services.
B. While Amazon RDS supports encryption at rest, AWS managed CMKs in KMS do not meet the requirement for FIPS 140-2 Level 3 validation. AWS managed CMKs are not compliant with this standard.
C. Hosting on an EC2 instance requires manual management of both encryption and keys. While EBS encryption and KMS are supported, the solution does not minimize operational overhead compared to Amazon RDS. Additionally, KMS does not automatically satisfy FIPS 140-2 Level 3 unless it is specifically configured with a FIPS-validated key store.
D. Transparent Data Encryption (TDE) is a feature for on-premises databases or self-managed databases on EC2. It requires manual management of keys and is not directly tied to FIPS 140-2 Level 3 compliance unless properly configured. It also increases operational overhead compared to managed services like RDS.
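As an added illustration (not part of the original question), here is a Python audit helper that checks whether an RDS instance's storage key actually satisfies the conditions the explanations rely on: storage encryption enabled, and the key being a customer managed key created in a CloudHSM-backed custom key store rather than an AWS managed key. The `describe_db_instances` and `describe_key` response shapes are mirrored with constructed sample values instead of live AWS calls; the key ARNs and key store ID are made up.

```python
# Audit helper: classify RDS instances by the kind of KMS key protecting
# their storage. Constructed sample data stands in for live AWS API calls.

# Shapes follow RDS DescribeDBInstances / KMS DescribeKey; values are constructed.
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "orders-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/aaaa-hsm"},
    {"DBInstanceIdentifier": "reports-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/bbbb-aws"},
    {"DBInstanceIdentifier": "imported-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/cccc-ext"},
    {"DBInstanceIdentifier": "legacy-db", "StorageEncrypted": False},
]
SAMPLE_KEY_METADATA = {
    # Customer managed key living in a CloudHSM-backed custom key store.
    "arn:aws:kms:us-east-1:111122223333:key/aaaa-hsm": {
        "KeyManager": "CUSTOMER", "Origin": "AWS_CLOUDHSM",
        "CustomKeyStoreId": "cks-1234567890abcdef0"},
    # AWS managed key (e.g. aws/rds): AWS controls the key material.
    "arn:aws:kms:us-east-1:111122223333:key/bbbb-aws": {
        "KeyManager": "AWS", "Origin": "AWS_KMS"},
    # Customer managed key with imported material: not HSM-backed.
    "arn:aws:kms:us-east-1:111122223333:key/cccc-ext": {
        "KeyManager": "CUSTOMER", "Origin": "EXTERNAL"},
}


def key_is_cloudhsm_backed(key_metadata):
    """True only for a customer managed key created inside a custom key store
    backed by AWS CloudHSM (Origin AWS_CLOUDHSM plus a CustomKeyStoreId)."""
    return (key_metadata.get("KeyManager") == "CUSTOMER"
            and key_metadata.get("Origin") == "AWS_CLOUDHSM"
            and bool(key_metadata.get("CustomKeyStoreId")))


def audit_rds_encryption(db_instances, key_metadata_by_arn):
    """Map each instance ID to one finding: 'ok', 'unencrypted',
    'aws-managed-key' or 'not-cloudhsm-backed'."""
    findings = {}
    for db in db_instances:
        name = db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted"):
            findings[name] = "unencrypted"
            continue
        meta = key_metadata_by_arn.get(db.get("KmsKeyId"), {})
        if meta.get("KeyManager") == "AWS":
            findings[name] = "aws-managed-key"
        elif key_is_cloudhsm_backed(meta):
            findings[name] = "ok"
        else:
            findings[name] = "not-cloudhsm-backed"
    return findings
```

Against real accounts the two sample structures would be replaced by the `DBInstances` list from `describe_db_instances` and the `KeyMetadata` from `describe_key` for each `KmsKeyId`.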