AWS Certified Advanced Networking - Specialty (#34)

An organization processes consumer information submitted through its website. The organization’s security policy requires that personally identifiable information (PII) elements are specifically encrypted at all times and as soon as feasible when received. The front-end Amazon EC2 instances should not have access to decrypted PII. A single service within the production VPC must decrypt the PII by leveraging an IAM role. Which combination of services will support these requirements? (Select two.)

Amazon Aurora in a private subnet
Amazon CloudFront using AWS Lambda@Edge
Customer-managed MySQL with Transparent Data Encryption
Application Load Balancer using HTTPS listeners and targets
AWS Key Management Services