Which solution will meet these requirements?
Use default server-side encryption with Amazon S3 managed encryption keys (SSE-S3) to store the sensitive data.
Create a customer managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
Create an AWS managed key by using AWS Key Management Service (AWS KMS). Use the new key to encrypt the S3 objects by using server-side encryption with AWS KMS keys (SSE-KMS).
Download S3 objects to an Amazon EC2 instance. Encrypt the objects by using customer managed keys. Upload the encrypted objects back into Amazon S3.
Explanations:
SSE-S3 encrypts with keys that Amazon S3 manages, so the company does not get full control over key management, such as creating, rotating, or disabling keys.
Using a customer managed key (CMK) with AWS KMS allows the company to fully control the encryption keys, including creation, rotation, and disabling. This meets the requirement for minimal effort while ensuring sensitive data is encrypted.
AWS managed keys are controlled by AWS, which means the company does not have full control over the keys, conflicting with the requirement to manage keys independently.
Downloading objects, encrypting them on EC2, and then re-uploading them is cumbersome and inefficient. This process does not align with the requirement for minimal effort and does not utilize the native capabilities of S3 encryption effectively.