Amazon S3 Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) automatically encrypts data at rest, using keys managed by Amazon S3. It is the best option because it requires no management on the customer side while providing strong encryption. SSE-KMS offers additional benefits such as user-defined encryption keys and an audit trail, but it's not the 'automatic' method referred to in the question, hence not the best choice here. Client-Side Encryption requires additional implementation effort from the customer, which doesn't fit the 'automatically' criteria. Using Amazon S3 bucket policies for encryption only enforces that the uploaded data must be encrypted and doesn't provide automatic encryption.