You are tasked with constructing a fleet of EBS-optimized EC2 instances to manage the load for a new application. Given the necessity for security compliance within your organization, it is crucial that any secret strings utilized in the application are encrypted to avoid the exposure of plain text values.

The solution demands that decryption events must be auditable, and the API calls should remain simple. What are the two methods to achieve this? (select two)