Which solution meets these requirements and is the MOST operationally efficient?
Server-side encryption with customer-provided keys (SSE-C)
Server-side encryption with Amazon S3 managed keys (SSE-S3)
Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with manual rotation
Server-side encryption with AWS KMS (SSE-KMS) customer master keys (CMKs) with automatic rotation
Explanations:
SSE-C requires the user to manage encryption keys manually and does not provide automatic logging of key usage or automatic key rotation. This increases operational overhead and complexity.
SSE-S3 uses Amazon S3-managed keys, which simplifies management but does not allow for key usage logging or compliance auditing as required. It also does not support customer-controlled key rotation.
While SSE-KMS with manual key rotation meets the encryption and logging requirements, the manual key rotation process is less operationally efficient than automatic rotation, requiring more administrative effort and management.
SSE-KMS with automatic key rotation provides encryption at rest, logs key usage for compliance auditing, and automates the key rotation process every year, making it the most operationally efficient option.