What is the MOST operationally efficient solution that meets these requirements?
Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location.
Create an AWS Key Management Service (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS account. Encrypt the existing objects by using an S3 copy command in the AWS CLI.
Turn on SSE-S3 on both S3 buckets. Encrypt the existing objects by using an S3 copy command in the AWS CLI.
Create an AWS Key Management Service, (AWS KMS) key in each account. Turn on server-side encryption with AWS KMS keys (SSE-KMS) on each S3 bucket by using the corresponding KMS key in that AWS account. Use S3 Batch Operations to copy the objects into the same location.
Explanations:
Turning on SSE-S3 enables server-side encryption with Amazon S3 managed keys with minimal configuration. S3 Batch Operations is the most operationally efficient way to apply encryption to millions of existing objects in place without needing to move them.
Although SSE-KMS provides server-side encryption, it is more complex to manage than SSE-S3 and requires the additional setup and management of KMS keys in each account. Using the AWS CLI to copy and encrypt millions of objects is less efficient operationally than S3 Batch Operations.
While SSE-S3 is correctly enabled for encryption, using the AWS CLI to copy millions of objects for encryption is not operationally efficient compared to S3 Batch Operations.
Using SSE-KMS requires additional setup and key management. S3 Batch Operations would work, but this solution is more complex and operationally burdensome than the SSE-S3 option with Batch Operations.
I categorize that the answer is:
Turn on SSE-S3 on both S3 buckets. Use S3 Batch Operations to copy and encrypt the objects in the same location.