A company is using S3 to store data in the cloud, and they want to ensure that all the data in the bucket is encrypted. Which option meets this requirement with the least overhead? (Select TWO.)

Answer options:

A. All S3 data is encrypted by default.
B.Use AWS SSE-S3.
C.Enable AWS-KMS encryption and specify aws/s3 (AWS KMS-managed CMK) as the key for the Client-Side Encryption.
D.Use Custom AWS KMS customer master key (CMK).

Answer: B and D
Option A is incorrect because S3 bucket encryption is not encrypted by default. You need to use AWS SSE-S3 or KMS for its encryption.
Option B is CORRECT because encryption on S3 bucket objects can be completed using Server Side Encryption SSE-S3 with AES-256(Encryption type).
Option C is incorrect because Server Side Encryption should be used instead of Client-Side Encryption.
Option D is CORRECT because custom AWS KMS customer master key (CMK) provides encryption of S3 bucket objects and also allows managing the key policy and its rotation to the customer and satisfies the expectation as per the ask.
 References:
For more information on AWS S3 Encryption options, refer to the URL provided below
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html
For information on Custom AWS KMS Customer Master Key (CMK) and AWS Managed CMK, refer to the URL below:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-object-encrpytion-keys/