Which solution will meet these requirements with the LEAST operational overhead?
Configure the s3-default-encryption-kms AWS Config managed rule with manual remediation to check for AWS KMS encryption on the S3 buckets. Modify the properties of the noncompliant S3 buckets to turn on AWS KMS encryption.
Configure a custom AWS Config rule with manual remediation to check for AWS KMS encryption on the S3 buckets. Modify the properties of the noncompliant buckets to turn on AWS KMS encryption.
Configure the s3-default-encryption-kms AWS Config managed rule. Create an automatic remediation script for the rule that will turn on AWS KMS encryption for any noncompliant buckets.
Configure a custom AWS Config rule to check for AWS KMS encryption on the S3 buckets. Create an automatic remediation script for the rule that will turn on AWS KMS encryption for any noncompliant buckets.
Explanations:
This option uses a managed AWS Config rule but requires manual remediation, which does not align with the requirement for automated detection and remediation of noncompliant buckets.
While this option involves creating a custom AWS Config rule, it also requires manual remediation, thus not fulfilling the requirement for automation in applying KMS encryption to noncompliant buckets.
This option utilizes a managed AWS Config rule and includes an automatic remediation script to enable KMS encryption for any noncompliant S3 buckets, meeting the requirement with minimal operational overhead.
Although this option includes a custom AWS Config rule and an automatic remediation script, it is more complex than necessary since a managed rule (option C) would suffice, making it less optimal in terms of operational overhead.
I map out that the answer is:
Configure the s3-default-encryption-kms AWS Config managed rule. Create an automatic remediation script for the rule that will turn on AWS KMS encryption for any noncompliant buckets.