A and C are correct. Aurora PostgreSQL can store patient data in an encrypted database and can enforce TLS for encrypted connections in transit. For tamper-resistant auditing, Aurora Database Activity Streams are the stronger choice because they monitor database activity and send the stream to Amazon Kinesis for external consumption. AWS documentation states that activity streams monitor and report activities and that the activity stream is collected and transmitted to Kinesis. Sending those audit records to Amazon S3 and enabling S3 Object Lock in compliance mode provides immutable retention. Compliance mode prevents protected object versions from being overwritten or deleted by any user, including the root user, during the retention period. pgAudit logs in CloudWatch are useful, but they do not provide the same database activity stream control and immutability pattern.