Which solution will meet these requirements?
Create a list of unencrypted objects by filtering an Amazon S3 Inventory report. Configure an S3 Batch Operations job to encrypt the objects from the list with a server-side encryption with a customer-provided key (SSE-C). Configure the S3 default encryption feature to use a server-side encryption with a customer-provided key (SSE-C).
Use S3 Storage Lens metrics to identify unencrypted S3 buckets. Configure the S3 default encryption feature to use a server-side encryption with AWS KMS keys (SSE-KMS).
Create a list of unencrypted objects by filtering the AWS usage report for Amazon S3. Configure an AWS Batch job to encrypt the objects from the list with a server-side encryption with AWS KMS keys (SSE-KMS). Configure the S3 default encryption feature to use a server-side encryption with AWS KMS keys (SSE-KMS).
Create a list of unencrypted objects by filtering the AWS usage report for Amazon S3. Configure the S3 default encryption feature to use a server-side encryption with a customer-provided key (SSE-C).
Explanations:
This solution correctly uses an S3 Inventory report to identify unencrypted objects, and then uses an S3 Batch Operations job to encrypt those objects with SSE-C. It also configures default encryption to ensure that future objects are encrypted with SSE-C.
SSE-KMS is not the correct encryption type as the requirement specifies a customer-provided key (SSE-C), not a KMS key. Additionally, S3 Storage Lens does not directly provide the ability to encrypt objects.
This option uses AWS KMS (SSE-KMS) for encryption, which does not meet the requirement to use a customer-provided key (SSE-C). Additionally, an AWS Batch job is not necessary for encrypting objects in this context.
Although it uses SSE-C for default encryption, it does not include a step to encrypt existing unencrypted objects, which is a key part of the requirement. There is no mechanism like Batch Operations to perform this task.
I have a feeling that the answer is:
Create a list of unencrypted objects by filtering an Amazon S3 Inventory report. Configure an S3 Batch Operations job to encrypt the objects from the list with a server-side encryption with a customer-provided key (SSE-C). Configure the S3 default encryption feature to use a server-side encryption with a customer-provided key (SSE-C).