Your company is using S3 for the storage of data in the cloud. They want to ensure that all data in the bucket is encrypted. Compliance policy specifies that the encryption key must be rotated every year. Which option meets this requirement with the least overhead?

Answer options:

A.All S3 data is encrypted by default with a key rotation policy of one year.
B.Enable AES-256 encryption.
C.Enable AWS-KMS encryption and specify aws/s3 as the key.
D.Enable AWS-KMS Client-Side Encryption and specify the customer master key ARN.
E.Enable AWS-KMS server-side encryption in S3 and specify the customer master key ARN. Enable key rotation for the customer master key in KMS.
F.Enable AWS-KMS server-side encryption in S3 and specify the customer master key ARN. Manually rotate the key on a one-year schedule.

Answer: E
Option A is incorrect because S3 is not encrypted by default.
Option B is incorrect because you cannot control the key rotation of AWS owned keys.
Option C is incorrect because AWS managed keys are rotated every 3 years.
Option D is incorrect because it should be Server Side Encryption. Client-Side Encryption is incorrect.
Option E is correct because AWS customer master keys with key rotation are rotated every year.
Option F is incorrect because users have to rotate the AWS customer master key every year manually. Option E is better.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html