Which solution will meet these requirements with the LEAST operational overhead?
Migrate the data to the S3 bucket. Use server-side encryption with Amazon S3 managed keys (SSE-S3). Use the built-in key rotation behavior of SSE-S3 encryption keys.
Create an AWS Key Management Service (AWS KMS) customer managed key. Enable automatic key rotation. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket.
Create an AWS Key Management Service (AWS KMS) customer managed key. Set the S3 bucket’s default encryption behavior to use the customer managed KMS key. Migrate the data to the S3 bucket. Manually rotate the KMS key every year.
Use customer key material to encrypt the data. Migrate the data to the S3 bucket. Create an AWS Key Management Service (AWS KMS) key without key material. Import the customer key material into the KMS key. Enable automatic key rotation.
Explanations:
SSE-S3 does not support key rotation because it uses Amazon S3 managed keys, which are managed entirely by AWS and do not allow the user to configure manual or automatic rotation.
This option uses AWS KMS with a customer managed key that allows for automatic key rotation. By setting the S3 bucket’s default encryption to this KMS key, the data is encrypted at rest and the key will be automatically rotated every year, meeting the requirements with minimal operational overhead.
While this option does use a customer managed KMS key for encryption, it requires manual key rotation every year, which increases operational overhead and does not meet the requirement for automatic key rotation.
This option involves more complexity by using customer key material and importing it into KMS. Although it allows for key rotation, it adds operational overhead since the user must manage the key material and does not provide the simplicity of automatic rotation as required.
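The reasoning above (a customer managed KMS key with automatic rotation set as the bucket default, versus SSE-S3, manual rotation or imported key material) can be turned into an audit check. The following is an added example, not part of the original question bank; it assumes dictionaries shaped like the boto3 responses of `get_bucket_encryption()`, `describe_key()` and `get_key_rotation_status()`, and uses constructed sample values so it runs offline.

```python
"""Decide whether an S3 bucket's default encryption meets the requirement:
SSE-KMS with a customer managed key whose automatic rotation is enabled.
Added example; the response shapes below mirror boto3 (an assumption) and
the sample values are constructed, not taken from a real account."""


def evaluate(bucket_encryption, describe_key=None, rotation_status=None):
    """Return (compliant, reason). The KMS arguments are only needed when the
    bucket default is SSE-KMS; wire them to real boto3 calls for a live audit."""
    rules = (bucket_encryption.get("ServerSideEncryptionConfiguration", {})
             .get("Rules", []))
    if not rules:
        return False, "no default encryption configured"
    sse = rules[0].get("ApplyServerSideEncryptionByDefault", {})
    if sse.get("SSEAlgorithm") != "aws:kms":
        # SSE-S3 (AES256): keys are rotated by AWS, not configurable by the user.
        return False, "SSE-S3: rotation is not configurable by the customer"
    if describe_key is None:
        return False, "SSE-KMS but key metadata unavailable"
    meta = describe_key["KeyMetadata"]
    if meta.get("KeyManager") != "CUSTOMER":
        # aws/s3 is an AWS managed key: rotation is fixed by AWS, not a CMK.
        return False, "AWS managed key (aws/s3), not a customer managed key"
    if meta.get("Origin") == "EXTERNAL":
        # Imported material cannot be rotated automatically by KMS; the
        # customer must generate and re-import new material each year.
        return False, "imported key material: automatic rotation not supported"
    if not rotation_status or not rotation_status.get("KeyRotationEnabled"):
        return False, "customer managed key, but automatic rotation is disabled"
    return True, "customer managed KMS key with automatic rotation enabled"


# Constructed sample responses covering the four answer options.
SSE_S3_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
SSE_KMS_CONFIG = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-ID"}}]}}
CMK_META = {"KeyMetadata": {"KeyManager": "CUSTOMER", "Origin": "AWS_KMS"}}
IMPORTED_META = {"KeyMetadata": {"KeyManager": "CUSTOMER", "Origin": "EXTERNAL"}}
ROTATION_ON, ROTATION_OFF = {"KeyRotationEnabled": True}, {"KeyRotationEnabled": False}

if __name__ == "__main__":
    print(evaluate(SSE_S3_CONFIG))                                   # option 1
    print(evaluate(SSE_KMS_CONFIG, CMK_META, ROTATION_ON))           # option 2
    print(evaluate(SSE_KMS_CONFIG, CMK_META, ROTATION_OFF))          # option 3
    print(evaluate(SSE_KMS_CONFIG, IMPORTED_META, ROTATION_OFF))     # option 4
```

Only the second scenario returns compliant; the other three map to the explanations given above for why each option falls short.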