Which solution will meet this requirement?
Ensure that the operations team configures default bucket encryption on the S3 bucket to use server-side encryption with Amazon S3 managed encryption keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.
Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with AWS KMS keys (SSE-KMS) that are customer managed. Ensure that the security team creates a key policy that controls access to the encryption keys.
Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with Amazon S3 managed keys (SSE-S3). Ensure that the security team creates an IAM policy that controls access to the encryption keys.
Ensure that the operations team creates a bucket policy that requires requests to use server-side encryption with customer-provided encryption keys (SSE-C). Ensure that the security team stores the customer-provided keys in AWS Key Management Service (AWS KMS). Ensure that the security team creates a key policy that controls access to the encryption keys.
Explanations:
SSE-S3 uses Amazon S3 managed keys, which means there is no separation of duties between the teams since the operations team has full control over both access to the bucket and the encryption.
Using SSE-KMS with customer-managed keys allows for separation of duties. The operations team manages the S3 bucket policy, while the security team manages access to the KMS keys, ensuring no one team can access the data without the other.
SSE-S3 still uses Amazon S3 managed keys, which do not provide the level of control over key access, or the separation between the two teams, that is needed.
SSE-C involves customer-provided keys, which are not managed by AWS KMS and complicate the separation of duties. Also, storing these keys in KMS does not align with SSE-C usage.