A security architect at a financial institution is designing a cloud-native application using AWS. The application processes sensitive customer data and must comply with PCI DSS. Which of the following security architecture decisions best supports both compliance and operational efficiency?
CASB provides visibility and policy enforcement; CMKs meet PCI DSS encryption requirements.
Why this answer
Using a CASB provides visibility and control over cloud traffic, and encryption with customer-managed keys satisfies PCI DSS requirements. Option A is wrong because ignoring cloud risks is not acceptable. Option B is wrong because a cloud-based WAF is not specifically for data protection compliance. Option D is wrong because VPC endpoints reduce exposure but do not address data protection requirements directly.