Answer: D
Amazon S3 is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Amazon S3.
CloudTrail logs successful operations and attempted calls that failed, such as when the caller is denied access to a resource. Operations on KMS keys in other accounts are logged in both the caller account and the KMS key owner account.
Option A is INCORRECT because AWS Certificate Manager is not a solution for encryption at rest. It is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates. Hence it is a solution for "encryption in transit", not "encryption at rest."
Option B is INCORRECT because SSE-S3 provides encryption/decryption at rest, but it does not offer monitoring capabilities (who encrypts or decrypts, and when).
Option C is INCORRECT because SSE-C provides encryption/decryption at rest, but it does not offer monitoring capabilities (who encrypts or decrypts, and when).
Option D is CORRECT because SSE-KMS provides encryption/decryption at rest and also offers monitoring capabilities. CloudTrail captures all API calls to AWS KMS as events, including calls from the AWS KMS console, the AWS KMS APIs, the AWS Command Line Interface (AWS CLI), and AWS Tools for PowerShell.
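As an added illustration of the monitoring capability that makes option D correct (this is example code written for this explanation, not from AWS documentation), the script below walks CloudTrail records and reports which principal used the KMS key for which S3 object, and whether the call succeeded or was denied. The records are constructed to mirror the shape of CloudTrail KMS events; the ARNs, account ID and timestamps are made up.

```python
# Added example: report who used a KMS key for SSE-KMS S3 objects, and when,
# from CloudTrail records. S3 calls KMS with an encryption context whose
# "aws:s3:arn" entry names the object, which is what ties a KMS event to S3.
import json
from collections import defaultdict

# Constructed sample events (field layout follows CloudTrail KMS events;
# the account ID, principals, bucket and times are made up for this example).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
                      "invokedBy": "s3.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
                      "invokedBy": "s3.amazonaws.com"},
     "requestParameters": {"encryptionContext": {
         "aws:s3:arn": "arn:aws:s3:::example-bucket/report.csv"}},
     "errorCode": "AccessDenied"},          # failed call is still logged
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob"}},
]

def kms_s3_events(records):
    """Yield (time, principal, operation, object_arn, succeeded) for every
    KMS call made on behalf of S3, i.e. whose encryption context has aws:s3:arn."""
    for r in records:
        if r.get("eventSource") != "kms.amazonaws.com":
            continue  # S3 data events and other services are not key usage
        ctx = (r.get("requestParameters") or {}).get("encryptionContext") or {}
        obj = ctx.get("aws:s3:arn")
        if not obj:
            continue  # KMS call not tied to an S3 object
        yield (r["eventTime"], r["userIdentity"]["arn"], r["eventName"], obj,
               "errorCode" not in r)

def summarize(records):
    """Count successful and denied SSE-KMS operations per principal."""
    out = defaultdict(lambda: {"ok": 0, "denied": 0, "ops": []})
    for when, who, op, obj, ok in kms_s3_events(records):
        out[who]["ok" if ok else "denied"] += 1
        out[who]["ops"].append((when, op, obj))
    return dict(out)

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORDS), indent=2))
```

With SSE-S3 or SSE-C there is no KMS call to log, so no equivalent per-object "who decrypted and when" record exists.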
References:
https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html#sse
https://docs.aws.amazon.com/kms/latest/developerguide/logging-using-cloudtrail.html