What should the Security Engineer use to accomplish this?
Server-side encryption with Amazon S3-managed keys (SSE-S3)
Server-side encryption with AWS KMS-managed keys (SSE-KMS)
Server-side encryption with customer-provided keys (SSE-C)
Client-side encryption with an AWS KMS-managed CMK
Explanations:
SSE-S3 uses Amazon S3-managed keys for encryption. Because the company relies on Amazon to manage the keys, it cannot generate its own, which does not meet the requirement of self-generated keys.
SSE-KMS allows the company to create and manage its own keys using AWS Key Management Service (KMS). This option enables key generation without the need for the company to manage key storage or the encryption process itself.
SSE-C allows the customer to provide their own encryption keys but requires them to manage the keys and the encryption process, which contradicts the requirement of not managing key storage.
Client-side encryption with an AWS KMS-managed CMK means the data is encrypted before it is uploaded to S3. The company would need to manage the encryption process, which does not align with the requirement of not managing encryption or key storage.