A financial services company is leveraging cloud storage services to retain transaction records. These records contain privileged client information that needs to be encrypted when not in use. The company's security team must have the capability to manage encryption keys centrally, including the facilitation of periodic, automated key changes. Which configuration should be implemented to meet these encryption management requirements?
Implement managed service keys with a policy for key rotation every three years.
Rely on developers to generate and replace keys on a regular basis through a manual update process.
Create customer controlled keys with enabled automated rotation on an annual schedule.
Create customer controlled keys and use a scheduled script to change the key material manually.