A financial institution requires encrypted storage of customer records with stringent control over encryption keys, including the need for automated rotation and the ability to invalidate obsolete keys. Which cloud service feature should be implemented to fulfill these requirements?
Cloud-managed service for storage encryption providing default encryption keys, requiring periodic manual regeneration of keys by replicating the encrypted objects.
A cloud-based key management service with customer managed keys and configuration options for automatic rotation and manual key invalidation.
Cloud-based managed service for storage encryption using default managed keys without automated rotation settings.
On-premises management of encryption keys and manual encryption processes prior to transmission to the cloud, with administrative key rotation protocols.