Which solution will meet these requirements with the LEAST operational overhead?
Move the data to the S3 bucket. Use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket.
Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Move the data to the S3 bucket. Manually rotate the KMS key every year.
Encrypt the data with customer key material before moving the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.
Explanations:
SSE-S3 uses Amazon S3 managed keys, which do not provide automatic key rotation. The keys are managed by AWS and do not have a built-in key rotation feature.
Creating a KMS customer managed key with automatic key rotation enabled and setting the S3 bucket's default encryption to use this key meets both the encryption and the automatic rotation requirements with minimal operational overhead.
Although a KMS customer managed key can be used for encryption, this option requires manually rotating the key every year, which increases operational overhead.
This option involves encrypting the data before it is stored in S3 and requires importing customer key material into KMS. While it provides control over encryption, it adds complexity and does not fulfill the automatic key rotation requirement without manual intervention.
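As an added example that is not part of the original question, the following Python uses the response shapes of boto3's get_bucket_encryption, describe_key and get_key_rotation_status to check a bucket's default encryption against the explanations above, and shows the chosen option as API calls. The sample responses, key ARN and function names are constructed for the demo.

```python
# Added example: offline audit of S3 default encryption against the requirement
# "customer managed KMS key with automatic rotation". Sample data is constructed.

def meets_requirement(bucket_enc, key_meta=None, rotation=None):
    """Return (ok, reason) given get_bucket_encryption / describe_key /
    get_key_rotation_status style responses (hypothetical helper)."""
    rules = bucket_enc.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return False, "no default encryption configured (client-side encryption is invisible here)"
    default = rules[0]["ApplyServerSideEncryptionByDefault"]
    if default["SSEAlgorithm"] != "aws:kms":
        return False, "SSE-S3 (AES256): key is AWS managed, rotation not customer controlled"
    meta = (key_meta or {}).get("KeyMetadata", {})
    if meta.get("KeyManager") != "CUSTOMER":
        return False, "KMS key is AWS managed (aws/s3), not a customer managed key"
    if meta.get("Origin") == "EXTERNAL":
        return False, "imported key material: KMS cannot rotate it automatically"
    if not (rotation or {}).get("KeyRotationEnabled"):
        return False, "customer managed key without automatic rotation (manual rotation)"
    return True, "customer managed KMS key with automatic rotation enabled"


def apply_correct_answer(bucket, region="us-east-1"):
    """The chosen option as boto3 calls (needs AWS credentials; not run offline)."""
    import boto3  # imported here so the audit function above stays offline
    kms, s3 = boto3.client("kms", region_name=region), boto3.client("s3", region_name=region)
    key_arn = kms.create_key(Description="S3 default encryption key")["KeyMetadata"]["Arn"]
    kms.enable_key_rotation(KeyId=key_arn)  # automatic rotation, no manual yearly task
    s3.put_bucket_encryption(
        Bucket=bucket,
        ServerSideEncryptionConfiguration={"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                   "KMSMasterKeyID": key_arn},
            "BucketKeyEnabled": True}]})
    return key_arn


# Constructed sample responses, one per answer option (placeholder ARN).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SSE_S3 = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KEY_ARN}}]}}
CMK = {"KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}}
IMPORTED = {"KeyMetadata": {"Arn": KEY_ARN, "KeyManager": "CUSTOMER", "Origin": "EXTERNAL"}}
ROTATING, NOT_ROTATING = {"KeyRotationEnabled": True}, {"KeyRotationEnabled": False}

if __name__ == "__main__":
    for name, args in [("SSE-S3", (SSE_S3,)), ("KMS+rotation", (SSE_KMS, CMK, ROTATING)),
                       ("KMS manual", (SSE_KMS, CMK, NOT_ROTATING)), ("imported", (SSE_KMS, IMPORTED, ROTATING))]:
        print(name, meets_requirement(*args))
```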