Which combination of steps must a security engineer take to meet these requirements?

Explanations:

Creating a new customer-managed CMK (Customer Master Key) in AWS KMS allows the company to control the encryption keys used for encrypting S3 objects, meeting the requirement of controlling all encryption keys.

SSE-C (server-side encryption with customer-provided keys) requires the customer to manage the encryption keys themselves during each upload. This is not aligned with the requirement of using customer-managed keys, which is better fulfilled by SSE-KMS.

This option is not valid as SSE-S3 is managed by AWS, and the company cannot encrypt data using SSE-S3 encryption keys. The company must use KMS-managed keys (SSE-KMS) to maintain control over encryption keys.

An AWS managed CMK is managed by AWS and does not give the company control over the encryption keys. This option does not meet the requirement of the company controlling all encryption keys.

Changing the S3 bucket configuration to use SSE-KMS allows the company to control the encryption keys through a customer-managed CMK, thus fulfilling the requirement to use a key that the company controls.

Changing all S3 objects in the bucket to use the new encryption key ensures that existing data is encrypted with the customer-managed key, thus complying with the new security requirements.