A company is storing sensitive documents in an Amazon S3 bucket and wants to implement a solution where the development team can upload encrypted files without managing the encryption keys directly. The encryption should allow the use of different keys for each S3 object and enable the automatic rotation of those keys. Which of the following should the development team implement to meet these requirements?
Implement Server-Side Encryption with Customer Provided Keys (SSE-C) and manage key rotation using a cron job on an EC2 instance.
Enable Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) and schedule an AWS Lambda function to rotate the keys regularly.
Utilize AWS Secrets Manager to generate data keys for S3 object encryption and configure automatic rotation.
Apply an S3 Bucket Policy that requires uploads to be encrypted with a specific AWS KMS Customer Master Key (CMK) without enabling key rotation.
Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS) and enable automatic key rotation.
Store and manage encryption keys in AWS CloudHSM and manually rotate the keys by creating new HSM-backed keys when required.