Which combination of steps must a security engineer take to meet these requirements?
(Choose three.)
Create a new-customer managed CMK in AWS Key Management Service (AWS KMS).
Change the SSE-S3 configuration on the S3 bucket to server-side encryption with customer-provided encryption keys (SSE-C).
Configure the PHP SDK to use the SSE-S3 key to encrypt the data before the data is uploaded to Amazon S3.
Create an AWS managed CMK for Amazon S3 in AWS Key Management Service (AWS KMS).
Change the SSE-S3 configuration on the S3 bucket to server-side encryption with AWS KMS managed encryption keys (SSE-KMS).
Change all the S3 objects in the bucket to use the new encryption key.
Explanations:
Creating a new customer-managed CMK (Customer Master Key) in AWS KMS allows the company to control the encryption keys used for encrypting S3 objects, meeting the requirement of controlling all encryption keys.
SSE-C (server-side encryption with customer-provided keys) requires the customer to manage the encryption keys themselves during each upload. This is not aligned with the requirement of using customer-managed keys, which is better fulfilled by SSE-KMS.
This option is not valid as SSE-S3 is managed by AWS, and the company cannot encrypt data using SSE-S3 encryption keys. The company must use KMS-managed keys (SSE-KMS) to maintain control over encryption keys.
An AWS managed CMK is managed by AWS and does not give the company control over the encryption keys. This option does not meet the requirement of the company controlling all encryption keys.
Changing the S3 bucket configuration to use SSE-KMS allows the company to control the encryption keys through a customer-managed CMK, thus fulfilling the requirement to use a key that the company controls.
Changing all S3 objects in the bucket to use the new encryption key ensures that existing data is encrypted with the customer-managed key, thus complying with the new security requirements.