A company is using Amazon S3 to store critical data. The security team requires that all data at rest be encrypted using AWS KMS with automatic rotation of the customer master key (CMK) every year. What should a solutions architect do to meet this requirement?
This ensures all objects are encrypted at rest with a rotating KMS key.
Why this answer
Option A is correct because using S3 default encryption with an AWS KMS CMK and enabling automatic key rotation meets the requirement. Option B is wrong because SSE-S3 uses Amazon S3-managed keys, not KMS. Option C is wrong because SSE-C uses customer-provided keys, not KMS.
Option D is wrong because client-side encryption does not use S3 server-side encryption.