Using AWS Key Management Service (AWS KMS) to manage encryption keys allows for both the necessary encryption of data at rest and the automated rotation of encryption keys. AWS KMS supports automatic key rotation, where a new version of the CMK is created every year, and previous versions of the key can still be used to decrypt data that was encrypted under it, thus maintaining access while adhering to the regulatory requirements. AWS CloudHSM is a service that helps you meet corporate, contractual, and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS Cloud, but it's not specified that dedicated HSMs are required. Using S3 managed keys (SSE-S3) does not provide the capability for manual key rotation or compliance with the specific mandate for key rotation. While Server-Side Encryption with Customer-Provided Keys (SSE-C) allows you to manage the encryption key, it does not provide any mechanisms for automated rotation.