Answer – A
AWS Documentation mentions the following.
Server-side encryption is about protecting data at rest. Using server-side encryption with customer-provided encryption keys (SSE-C) allows you to set your own encryption keys. With the encryption key you provide as part of your request, Amazon S3 manages both the encryption, as it writes to disks, and decryption, when you access your objects. Therefore, you don't need to maintain any code to perform data encryption and decryption. The only thing you do is manage the encryption keys you provide.
In short,
SSE-S3 requires that Amazon S3 manage the data and master encryption keys.
SSE-C requires that you manage the encryption key.
SSE-KMS requires that AWS manage the data key, but you manage the master key in AWS KMS.
For more information, please refer to the following URL.
https://docs.aws.amazon.com/kms/latest/developerguide/services-s3.html
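As an added illustration (not from the AWS documentation or the original answer), the Python sketch below builds the S3 REST request headers that select each of the three modes and shows that only SSE-C puts key material in the request, on reads as well as writes. The function names and the KMS key ID placeholder are constructed for this example.

```python
import base64
import hashlib
import os


def put_headers(mode, key=None, kms_key_id=None):
    """Encryption headers for an S3 PUT Object request in the given mode."""
    if mode == "SSE-S3":
        # S3 manages both the data key and the master key.
        return {"x-amz-server-side-encryption": "AES256"}
    if mode == "SSE-KMS":
        # The master key lives in AWS KMS; the request only references its ID.
        headers = {"x-amz-server-side-encryption": "aws:kms"}
        if kms_key_id:
            headers["x-amz-server-side-encryption-aws-kms-key-id"] = kms_key_id
        return headers
    if mode == "SSE-C":
        # The caller supplies the key itself; S3 uses it and does not store it.
        if key is None or len(key) != 32:
            raise ValueError("SSE-C needs a 256-bit (32-byte) AES key")
        return {
            "x-amz-server-side-encryption-customer-algorithm": "AES256",
            "x-amz-server-side-encryption-customer-key":
                base64.b64encode(key).decode(),
            # Base64 of the key's MD5 digest, an integrity check on the key
            "x-amz-server-side-encryption-customer-key-MD5":
                base64.b64encode(hashlib.md5(key).digest()).decode(),
        }
    raise ValueError(f"unknown mode: {mode}")


def get_headers(mode, key=None):
    """Encryption headers needed to read the object back."""
    # SSE-S3 and SSE-KMS objects are decrypted transparently on GET;
    # an SSE-C object is readable only by resending the same key.
    return put_headers("SSE-C", key=key) if mode == "SSE-C" else {}


if __name__ == "__main__":
    sample_key = os.urandom(32)  # constructed key for the demo
    for mode in ("SSE-S3", "SSE-KMS", "SSE-C"):
        put = put_headers(mode, key=sample_key, kms_key_id="EXAMPLE-KMS-KEY-ID")
        print(mode, "PUT:", sorted(put), "GET:", sorted(get_headers(mode, sample_key)))
```

Because the key travels in the request, S3 rejects SSE-C requests made over plain HTTP, and losing the key means losing the object.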
Option B is incorrect because with client-side encryption, data goes to S3 already encrypted, and on download it is the client that has to decrypt the data. But the question specifies that the customer should not manage the encryption/decryption process.
Option C is incorrect since you will still not manage the complete lifecycle of the keys.
Option D is incorrect because the maximum key policy document size is 32 KB.
Reference:
https://docs.aws.amazon.com/kms/latest/developerguide/limits.html
https://aws.amazon.com/blogs/aws/new-bring-your-own-keys-with-aws-key-management-service/
https://docs.aws.amazon.com/AmazonS3/latest/dev/ServerSideEncryptionCustomerKeys.html