A development team must secure sensitive customer files in cloud-based object storage. The requirements stipulate that the encryption keys used should be under the company's direct control, with an automated process for changing these keys periodically. Which service and configuration would best fulfill these criteria?
Enable a managed key rotation service within the platform's cloud object storage
Engage a private certificate authority to apply server-side encryption policies to the cloud storage
Adopt a hardware security module service for key storage and institute a manual rotation process
Use self-managed keys in Key Management Service set to automatically rotate for object storage server-side encryption