AWS Certified Security - Specialty (#106)

The Security Engineer has discovered that a new application that deals with highly sensitive data is storing Amazon S3 objects with the following key pattern, which itself contains highly sensitive data. Pattern: "randomID_datestamp_PII.csv" Example: "1234567_12302017_000-00-0000 csv" The bucket where these objects are being stored is using server-side encryption (SSE). Which solution is the most secure and cost-effective option to protect the sensitive data?

Remove the sensitive data from the object name, and store the sensitive data using S3 user-defined metadata.
Add an S3 bucket policy that denies the action s3:GetObject
Use a random and unique S3 object key, and create an S3 metadata index in Amazon DynamoDB using client-side encrypted attributes.
Store all sensitive objects in Binary Large Objects (BLOBS) in an encrypted Amazon RDS instance.