The requirement is to encrypt personally identifiable information (PII) at rest for an application running on Amazon EC2 and its Amazon RDS database, with minimal infrastructure changes. Amazon EBS encryption is a native feature that encrypts data at rest for volumes attached to EC2 instances. Similarly, Amazon RDS encryption encrypts the underlying database storage, automated backups, read replicas, and snapshots. Both services seamlessly integrate with AWS Key Management Service (KMS) to manage the encryption keys. Enabling these features is a straightforward configuration change, directly addressing the compliance requirement for both tiers of the application with the least operational overhead.

A. AWS Certificate Manager (ACM) provides and manages SSL/TLS certificates for securing network communications (data in transit), not for encrypting data at rest on storage volumes.

B. AWS CloudHSM provides dedicated hardware security modules. While it can be used for encryption, it is a more complex and costly solution, violating the "least amount of changes" requirement.

C. This option incorrectly combines SSL encryption, which is for data in transit, with the task of encrypting database volumes at rest. SSL does not encrypt the underlying storage.

1. Amazon EBS encryption: "Amazon EBS encryption is a feature that offers a simple encryption solution for your EBS volumes without you having to build

maintain

and secure your own key management infrastructure. It uses AWS Key Management Service (AWS KMS) keys when creating encrypted volumes and snapshots."

Source: AWS Documentation

Amazon EC2 User Guide for Linux Instances

"Amazon EBS encryption"

Section: "How EBS encryption works".

2. Amazon RDS encryption: "Amazon RDS encrypted DB instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your DB instance. After your data is encrypted

Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption... Amazon RDS uses AWS Key Management Service (AWS KMS) to manage the encryption keys for your encrypted DB instances."

Source: AWS Documentation

Amazon RDS User Guide

"Encrypting Amazon RDS resources".

3. AWS KMS Integration: "AWS KMS integrates with many AWS services to help you protect the data that you store in those services. When you use an AWS service that is integrated with AWS KMS

you can use the service to encrypt your data."

Source: AWS Documentation

AWS Key Management Service Developer Guide

"How AWS services use AWS KMS".

4. AWS Certificate Manager Purpose: "AWS Certificate Manager is a service that lets you easily provision

manage

and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and your internal connected resources."

Source: AWS Documentation

AWS Certificate Manager User Guide

"What is AWS Certificate Manager?".